A risk-based approach to AML is key to effective compliance programs around the world.
Financial institutions face an expanding spectrum of money laundering threats, and modern financial criminals have a range of tools at their disposal to avoid countermeasures put in place to stop them. Accordingly, to balance efficiency and cost needs with compliance obligations, financial institutions must be able to respond to threats on a contextual basis. The most effective way to achieve that objective is to take a risk-based approach, meaning an AML compliance program tailored to the individual levels of risk exposure that each customer presents.
of the Risk-Based Approach
Prior to the introduction of risk-based approaches to AML, banks and financial institutions would manage their compliance obligations using a ‘checkbox’ approach – that is, simply fulfilling a standardized list of AML requirements for every customer. While that standardized approach prevailed in the 1990s, the UK’s Financial Services Authority (FSA) first proposed a “risk-based” approach in its 2000 publication A New Regulator for the New Millennium. The concept of risk-based AML was first implemented in 2007 by the Financial Action Task Force and further codified in its 2012 update to the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation – also known as the ‘40 Recommendations’.
The FATF’s 2012 endorsement of the risk-based approach to AML set the global standard and ensured its ongoing use across all FATF member-states.
of the Risk-Based Approach
In principle, the risk-based approach shifts the focus of AML compliance from post-analysis of data to proactive judgment. Financial institutions must work on an ongoing basis to understand the money laundering threats they face and deploy commensurate measures to manage their risk exposure.
In practice, this means that customers may be classified individually by their risk exposure – and that ‘higher risk’ customers are under greater levels of AML scrutiny. Broadly, the risk-based approach allows financial institutions to:
- Recognize the existence of risk
- Perform assessments of risk
- Develop and deploy strategies to address risks
Implemented effectively, the risk-based approach allows for a balanced integration of human judgement and smart technology in the AML compliance process.
Accurate risk assessment is central to the risk-based approach. Two distinct categories of risk inform financial institutions’ compliance efforts. The first is geographic risk: the vulnerability to money laundering threats that countries face at a national level. The second is individual risk: the specific risks that financial institutions face from their clients and how their internal AML process manages that risk. In performing risk assessment, financial institutions must take into account:
- Vulnerability: What money laundering and criminal threats – such as drug trafficking or gambling – is the firm exposed to?
- Infrastructure: Does the firm have blind-spots or administrative gaps that allow money-launderers to thrive?
- Regulations: Does the firm properly understand and satisfy its regulatory obligations?
- Business Specifics: Are there more specific risks which the firm might be exposed to – for example, those presented by specific customers, products, or geographic location?
the Risk-Based Approach
In compliance with the FATF recommendations, financial institutions must implement a risk-based AML program that includes a number of important measures, each designed to accurately identify individual customers and clients, and the businesses in which they are involved. In more detail, financial institutions must:
- Develop and implement suitable Know Your Customer (KYC) and Customer Due Diligence (CDD) measures to verify that customers are who they say they are and are being truthful about the business they are engaged in.
- KYC and CDD are foundational principles of risk-based AML: high-risk customers may be subject to enhanced CDD measures for which more identifying information is required.
- Screen new and existing customers against domestic and international sanctions lists such as the United States’ Specially Designated Nationals (SDN) List and the United Nations’ consolidated list.
- Screen against Politically Exposed Persons (PEP) lists: when a client’s political status changes, their money laundering risk profile often also changes.
- Screen for Adverse Media: if a customer is the subject of negative news, anywhere in the world, their AML risk profile may also change.
- Appoint an AML Compliance Officer: the individual appointed to this position must hold sufficient authority within the company to be able to identify and act on money laundering threats.
- Ongoing Monitoring: The risk-based approach to AML compliance is a process, which means customers should be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring is important because customers’ risk profiles can change over time. Financial institutions must be able to react to new levels of risk exposure to ensure emerging money laundering threats are identified as quickly as possible.