Effective Implementation of the Risk-Based Approach

The risk-based approach (RBA), appearing as the first Financial Action Task Force (FATF) Recommendation, is the centerpiece of FATF’s February 2012 revision of its International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation: The FATF Recommendations. The fourth round of mutual reviews will look at not only the technical implementation of the Recommendations, but also the effectiveness of each member country’s anti-money laundering (AML) program. Countries around the world, including Japan, have revised their AML laws to be in line with the revised Recommendations and to prepare for the fourth round of mutual reviews. Many countries are also issuing national level money laundering risk assessments (national risk assessments [NRAs]).

The RBA in Japan

Japan revised its main AML law the “Act on Prevention of Transfer of Criminal Proceeds” (the Act), effective October 2016. Under this revised Act, “[b]usiness [o]perators who are required to conduct verification,” such as banks, are required to undertake a money laundering risk assessment of its own activities, taking into account Japan’s NRA (“Report on the risk of transfer of criminal proceeds”). High-risk transaction types thus identified are to be made subject to stringent customer control measures (enhanced due diligence [EDD]). The high-risk types specifically set forth in Article 4, Section 2 of the revised Act (Identity fraud/false representation or their suspicion, transactions involving Iran or North Korea, transactions with foreign politically exposed persons), and those transactions set out in Article 5 of the Ministerial Ordinance (transactions requiring EDD) are always considered to be high risk, and thus, need to be subject to the following stringent customer control measures:

  • Stringent verification at the time of transaction (for those transactions identified in Article 4, Section 2 of the Act). Verification should be undertaken in every transaction for which verification is required. This includes obtaining additional identification documents and confirming the customer’s source of wealth and income.
  • The results of the investigation—such as by querying customers, or through the investigation of open source information—should be used to decide whether there is any unusual activity and whether a suspicious transaction report (STR) should be filed and verified by an appointed supervisory administrator.
  • An appointed supervisory administrator must approve each transaction.
  • Information must be gathered in a risk-based manner. This information and the analysis performed must be maintained in an easily retrievable manner.
  • There should be ongoing risk-based transaction monitoring.

Stringent customer control measures, such as those listed above, also need to be undertaken in a risk-based manner for high-risk transaction types as identified in the institution’s own money laundering risk assessment. “Business [o]perators who are required to conduct verification” are required to autonomously identify, assess and control its money laundering risk. To this end, any specific controls that are put in place, based on the institution’s industry, type of business, size, risk, etc., is left to the discretion of the institution.

With the revised Act, RBA in anti-money laundering/counter-terrorist financing (AML/CTF) has come to Japan.

Issues in Implementing an RBA

However there are many issues when implementing an RBA. The following represents some of the issues that are faced by a bank that operates across multiple jurisdictions.

1. Coverage of the risk assessment and the extent to which risk mitigation measures should be applied.

  • Should the NRA of the country of incorporation of an institution be applied to the risk assessment of all of its foreign branches/offices?
  • Should risk mitigation measures identified in an enterprise-wide risk assessment be applied equally to all branches/offices?
  • To what extent should the NRA of countries in which the institution has a presence (branch/office) be considered in an enterprise-wide risk assessment/local risk assessment of branches/offices located in another country?

Issues such as those mentioned above are caused in part from FATF Recommendations that are directed, for the most part, toward countries, whereas regulator expectations and best practices call for an enterprise-wide approach. Where an institution operates across multiple jurisdictions, it can be difficult to manage these two differing paradigms.

Actual solutions would differ from institution to institution, depending on their particular circumstances. However, the key concepts are:

  • Undertake an enterprise-wide risk assessment and formulate institution-wide risk mitigation processes.
  • Obtain and analyze the NRA’s of the countries in which the institution has a presence.
  • Centrally monitor and analyze each offices’ local risk assessment results and risk mitigation processes. This should be monitored and analyzed by the head office.
  • Differentiate the risk mitigation processes identified in the enterprise-wide risk assessment and all the local risk assessments to those that should be applied universally and to those that need to be applied only locally.
  • Develop systems, organizations and procedures to make such a centralized process sustainable.

In judging whether risk control measures are sufficient and also, not excessive, requires a good understanding of the involved regulators’ expectations

2. The risk mitigation measures put in place to mitigate risk arising from high-risk transaction types need to be sufficiently robust to prevent the institution from being used for money laundering or the financing of terrorism. However, it must be noted that cutting off a whole industry sector or country due to excessive risk aversion (without proper risk assessment and evaluation)—so-called wholesale de-risking—is not an appropriate response. In judging whether risk control measures are sufficient and also, not excessive (hitting the right balance), requires a good understanding of the involved regulators’ expectations.

De-risking becomes an issue with regards to correspondent banking and money value transfer service (MVTS) transactions. Strong, perhaps excessive, risk aversion arising from the ever-increasing amount of monetary penalty for sanctions and AML violations, and responsibility of individuals being pursued for wrongdoing, is causing entire business sectors and countries to lose access to the global banking system. Please note that the term “de-risking” is used to refer not to the exiting of transactions based on the risk assessment of individual counterparties or business judgements based on cost/benefit analysis including compliance costs, but to the wholesale exiting of sectors deemed to be high risk.

In a statement after the October 2015 Plenary, the FATF stated that the “Implementation by financial institutions should be aimed at managing (not avoiding) risks. What is not in line with the FATF standards is the wholesale cutting loose of entire countries and classes of customers, without taking into account—seriously and comprehensively—their level of money laundering and terrorist financing risk and applicable risk mitigation measures for those countries and customers within a particular sector.” In addition, FATF announced that they are working on guidelines to address this issue.1

In order to make an RBA work, regulators and the private sector need to share an understanding of what is expected of the private sector and what are its capabilities

For the practitioner, undertakings such as this—in order to produce a universally consistent expectation level of all concerned regulators toward the private sector—is highly favorable. In order to make an RBA work, regulators and the private sector (e.g., banks) need to share an understanding of what is expected of the private sector and what are its capabilities. If such understandings do not exist, the private sector will have no choice but to err on the side of safety. Furthermore, there are many regulators, from multiple countries, with (partial) jurisdiction to the business of an institution operating globally. This is one reason to welcome the effort of FATF to formulate guidance in this area and it is hoped that said guidance will be an effective one, both for regulators and the private sector, and that it will be issued soon.

RBA in Economic Sanctions

Economic sanctions measures are geared to interdict proscribed transactions from happening. This is fundamentally different from the detection of suspicious transactions through post-transaction monitoring and the filing of STRs after the fact. This difference in intent leads to the idea that an RBA seems ill-fitting in its application to economic sanctions. This is furthered when one considers that in many cases the wording of laws enacting economic sanctions call for strict liability even if a breach has occurred or not.

Is RBA really unsuited for application to economic sanctions? On a practical level, it must be pointed out that it is not possible to gather all information for all transactions and to investigate them all to the deepest extent possible. Even leaving aside issues of resources and costs, such an endeavor would cripple the international banking system and stop global commerce. Those responsible for economic sanctions policy are starting to speak out. For example, Adam Szubin, the Acting Under Secretary for Terrorism and Financial Intelligence spoke at the November 2015 ABA Money Laundering Enforcement Conference explaining that “[w]e tell financial institutions to take a reasonable risk-based approach that addresses illicit finance risk on a client-by-client basis….None of this means zero tolerance, zero failure, or zero risk…. We know that financial institutions, like humans in general, are not infallible. Infallibility was not the problem in the major bank enforcement actions over the past decade—the problem in these institutions was rampant and willful violation of the law….We believe our risk-based AML/CFT standards are the right ones—for correspondent banking, MSBs, and really all cross-border financial services. Our risk-based approach is a road map for financial institutions seeking to evaluate and manage risk, not an off-ramp for financial institutions seeking to avoid it. The key, at this point, is to help financial institutions navigate that road map.”2

It is crucial, that even in the area of economic sanctions, that appropriate risk controls are put in place based on risk assessment. In other words, that an RBA be taken.

As discussed in the beginning of this section, economic sanctions risk management requires that a transaction be prevented from taking place (or assess blocked), whereas the detection of suspicious transactions is through post-transaction monitoring. However, the risk assessment for economic sanctions risk and money laundering risk share many similarities. Perhaps this should not come as a surprise when one considers that risk assessment is forward-looking. It is an effort to prognosticate the likelihood (risk) of money laundering or transactions that breach economic sanctions from occurring. To be sure, the risk assessment methodology needs to be adjusted accordingly for AML or economic sanctions.


Forging a strong working relationship between regulators and the private sector—through which the private sector can obtain a clear picture of what is expected of them and through which regulators can obtain a good understanding of the capabilities and the limits of private sector players—is the key to making an RBA work effectively in the AML/CTF field. This in turn should benefit the country when facing the fourth round of FATF’s mutual reviews, and most importantly, protect the banking system from being misused by money launderers and terrorists.

Daisuke Nakao, CAMS, chief advisor, Bank of Tokyo-Mitsubishi UFJ, Tokyo, Japan, daisuke_nakao@mufg.jp

The opinions expressed in this article are solely those of the author. The English translation for the terms used in Japanese laws and regulations are based on publicly available material, such as those provided by the Japan Financial Intelligence Center.

  1. “FATF takes action to tackle de-risking,” FATF, October 23, 2015, http://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-action-to-tackle-de-risking.html
  2. Adam Szubin, “Remarks by Acting Under Secretary Adam Szubin at the ABA/ABA Money Laundering Enforcement Conference,” November 16, 2015, https://www.treasury.gov/press-center/press-releases/Pages/jl0275.aspx

Leave a Reply