The risk-based approach (RBA) is an essential component to implementing the Financial Action Task Force’s (FATF) Recommendations effectively. Financial institutions (FIs) are expected to identify, assess and understand the money laundering and terrorist financing risks to which they are exposed and take anti-money laundering/counter-terrorist financing (AML/CTF) measures commensurate to those risks to mitigate them effectively.

An RBA¹ can be used for a variety of purposes to mitigate risk factors including the following:

• Identifying gaps or opportunities in anti-money laundering (AML) policies, procedures and processes
• Making informed decisions about risk appetite, implementation of control efforts, allocation of resources and technological expenses
• Assisting management in understanding how the structure of a business unit or business aligns its AML compliance program with its risk profile
• Developing risk mitigation strategies, including applicable internal controls, to lower a business unit’s or business line’s residual risk exposure
• Ensuring senior management is made aware of key risks, control gaps and remediation efforts
• Assisting senior management with strategic decisions related to commercial exits and disposals
• Ensuring regulators are made aware of the key risks, control gaps and remediation efforts across the FI
• Assisting management in ensuring that resources and priorities are aligned with the risk

Identification of Risk Factors

An RBA must identify the following components to understand risk factors:

• Nature of the customer and AML screening (e.g., a natural person or legal entity, a politically exposed person [PEP], Specially Designated Nationals [SDNs]), the industry or the nature of business that the customer is involved with, and the risk level (e.g., cash-intensive, jewelers)
• Counterparty risk, such as foreign correspondent banks, FIs, agents, etc.
• Geographic risk, such as the country of residence as well as the origin and risk factor of the country (e.g., a high-risk country, a sanctioned country, or a highly corrupt country under Transparency International’s Corruption Perception Index and the FATF blacklist).
• Products or services including remittances, foreign exchange or a wages protection system like that of the United Arab Emirates (UAE)
• Delivery channel risk or interface risk, such as products or services offered to non-face-to face customers or online services

Evaluation—Risk Indicators Affect Rating

In an RBA, risk categorization must be allocated and the risk model must interpret qualitative and quantitative scores. RBA methodology must be capable of capturing and profiling the risk as well as the transactional risk of customers’ transactions.

RBA is based on a company’s policies and procedures to implement processes that can effectively manage risk as well as systems and controls. FIs should review the RBA module and make improvements accordingly.

Each indicator impacts the overall risk module. For example, suppose an Iranian customer was onboarded and now wants to remit money through electronic funds transfer to support his family in Iran. In this scenario, Iran is considered a high-risk jurisdiction so the score will be high. Supposing the score given to the country ranges from one to 10, in this case, the score for geographic risk is 10. Next is the score for the customer type. The customer’s purpose is home remittance so the score will be low, around three. Then there is the product or services distribution channel, a wire transfer, which falls under high-risk services. Again, the score will be high, around eight. In this scenario, the overall score is 30 and the customer scored 21. Now suppose a cumulative slab is implemented. According to this slab, one to 15 is low risk, 16 to 22 is medium risk and 23 to 30 is high risk.

In this overall risk score, the customer’s score is 21, which falls under the medium-risk category. When reviewing the whole scenario, the inherent risk of the customer’s nationality and the product or services distribution channel impacted the categorization.

Categories to Consider When Evaluating the Impact

In accordance with the scores mentioned above, the categories below must be considered when evaluating the impact:

• High-risk customers: Enhanced due diligence (EDD) assessed at least annually
• Medium risk customers: Additional due diligence
• Low risk customer: Standard due diligence

EDD for high-risk customers should ensure that a proper “source of funds” and the purpose of the transactions are established. Ultimate beneficial owners (UBOs) must also be known and transparent.² The RBA allowed flexibility to reduce or increase controls based on the customer and the risk they posed.

High-risk relationships (such as PEPs)³ require approval from the senior management compliance officer and the manager in charge as per the Central Bank of the UAE.⁴ Medium-risk customers must be addressed by gathering additional information such as validating their employment with a bank statement or salary slip. For due diligence, simple information must be collected, such as the identification of the customer, the mobile number and address, and so on.

The following businesses are considered high risk as potential sources of money laundering and criminal activities:

• A cash-intensive business (difficulty in identifying unusual activity, no proper record management, inability to verify the source of funds and acting as a front company for terrorist financing)
• An offshore corporation in a tax haven (entity located in countries where transparency is low)
• Exchange houses (weak AML controls)⁵
• Luxury goods dealership (goods used by a launderer during the integration stage)
• Used cars and truck dealers (mostly cash-based transactions and payments to third parties)
• Travel agencies (can be used to launder money)⁶
• Jewel, gem and precious metals dealerships (used by the launderers and arms dealers as payment methods)
• Gatekeepers, accountants, auditors, lawyers and notaries (acting on behalf of UBOs)
• General trading due to multiple business activities

Conclusion

The key purpose of risk assessment is to drive improvements in financial crime risk management by identifying general and specific money laundering risks. RBA is a useful technique to mitigate the organization risk and it is helpful to minimize the countrywide risk. Organizations should implement robust techniques to implement RBA, monitor high-risk customers and conduct stringent EDD, all of which must be core parts of compliance. To meet RBA adequately, firms must also review high-risk customers periodically and understand the risk of its correspondents and respondents. Financial crime risks associated with the predicate offenses must be closely monitored, especially in high-risk customers and businesses.

Muhammad Rizwan Khan, ICA Int. Dip (AML), CAMS-FCI, United Arab Emirates

1. “Guidance for Risk-Based Approach, The Banking Sector,” Financial Action Task Force, October 2014, https://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf
2. Neil Jeans, “Risk-based approach to KYC,” Thomson Reuters, June 15, 2016, https://blogs.thomsonreuters.com/answerson/kyc-risk-based-approach/
3. “FATF Guidance: Politically Exposed Persons (Recommendations 12 and 22), Financial Action Task Force, June 2013, https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf
4. “The Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business,” Central Bank of the U.A.E., February 2018, https://www.centralbank.ae/sites/default/files/2019-01/The%20Standards%20for%20Exchange%20Business%20in%20the%20UAE%20%28Version%201.10%29%20%E2%80%93%2001.03.2018%20for%20Issue%20%28Clean%29.pdf
5. “UAE money exchange houses ordered to raise standards by regulator ― Reuters,” RiskScreen, March 29, 2018, https://www.riskscreen.com/kyc360/news/uae-money-exchange-houses-ordered-raise-standards-regulator/
6. “Financial Crimes Enforcement Network; Anti-Money Laundering Programs for Travel Agencies,” U.S. Department of the Treasury, https://www.treasury.gov/press-center/press-releases/Documents/agents.pdf