As financial authorities adapt to evolving criminal threats, risk assessment has become a foundation of AML/CFT compliance around the world. Banks and financial institutions must understand how to efficiently manage the money laundering and terrorism financing risks they face in a manner that also fulfills their compliance obligations.
Achieving an appropriate balance between compliance and risk management is challenging: accordingly, financial institutions should understand their risk management compliance obligations, relevant best practices, and how to conduct risk assessments when onboarding or screening customers.
What is Compliance Risk Management?
While traditional AML/CFT strategies were built on the post-analysis of money laundering and terrorism financing incidents, financial crime has evolved, with money launderers becoming more sophisticated and exploiting emerging technologies. As a response, authorities now require financial institutions to be proactive about criminal threats by assessing the level of risk that their customers, geographic locations, or industrial sectors in which they operate, pose and adjusting their AML/CFT measures proportionately.
The principle of ‘risk based’ money laundering was introduced in 2009 by the British Financial Services Agency (FSA) and taken up by the Financial Action Task Force (FATF) in 2012. The FATF introduced a requirement for risk based AML in its 40 Recommendations, codifying a compliance obligation for firms to assess money laundering and terrorism financing risk.
The risk-based approach to AML is less focused on the elimination of money laundering threats than it is ensuring that financial institutions implement safeguards to detect and report them. Similarly, risk management is a way for firms to balance their compliance obligations with their budget and resources, organically integrating risk control mechanisms without compromising business and customer service objectives.
Consistency: A consistent understanding of risk-management should serve as the foundation for a financial institution’s risk culture and attitude towards compliance. With that in mind, financial institutions should implement a consistent risk-management framework across every location, line of business, and country in which they operate. The operating model should be formally defined in writing and facilitate forums for senior management to review and discuss risk assessment procedures and outcomes.
Data and technology: AML risk assessment relies on the collection and analysis of large amounts of customer data. Firms can manage those processes more efficiently with technology, automating data feeds to gather risk-related information on customers including adverse media stories or changes to political exposure. Automation not only reduces the need for ad hoc data collection and the possibility of human error but adds accuracy and efficiency to the risk assessment process itself. Data technology is also extremely useful for analyzing and plotting risk trends over time and helping firms better implement risk compliance measures.
Knowledge and expertise: While software and automation can enhance risk management capabilities significantly, the importance of human expertise shouldn’t be underestimated. Effective risk assessments require input from a range of subject matter specialists with direct experience of and engagement with the risks to which the firm is exposed. The knowledge and expertise of employees should be a consideration in both the development of the compliance risk management methodology and the risk assessment process itself.
External input: The AML/CFT risk landscape changes constantly and by necessity risk assessments rely on a knowledge of emerging threats and new regulations. These emergent risk factors may not be known to a firms’ internal compliance employees or detectable by its risk management framework. With that in mind, firms should not only seek to update their internal risk management framework regularly but do so with insight from external sources to ensure sufficient depth and detail in their understanding of emerging compliance issues.
Standards of risk: Effective risk management involves gauging the effectiveness of risk assessment and mediation measures. This means that firms should create standards of risk materiality, including a definition of risk and formalized levels of risk tolerance. Standards should also be applied to the risk mediation process to ensure that firms are not constantly addressing risk ‘symptoms’ such as a high volume of adverse media, but identifying the root causes of compliance issues, such as business relationships in a particularly poorly regulated country. Finally, standards should be established for training and incentivizing employees that work in a compliance function as a way to inform and enhance compliance performance.
Compliance risk management policies should take into account both the individual risk that customers present because of personal liability and the geographic risk presented by the location in which a firm operates. Practical risk assessment measures should reflect that combined threat and inform a firm’s ongoing AML/CFT approach. Accordingly, to ensure regulatory compliance, a risk assessment should involve the following measures:
- Customer due diligence: A foundation of the risk-based approach to AML/CFT, customer due diligence measures (CDD) should enable firms to verify their customers’ identities and the nature of their business, and in doing so accurately establish the level of money laundering risk they present.
- Sanctions screening: Customers should be screened against relevant international sanctions lists. Higher risk customers may require closer scrutiny in order to resolve ambiguous naming conventions or the use of pseudonyms.
- Adverse media screening: Customers with negative news media against them may present a higher risk of money laundering. Firms must be able to collect and analyze those negative stories as they emerge.
- Politically exposed person screening: When customers take on certain political roles that change in status raises their risk of money laundering. Accordingly, risk assessments should pick up on changes to the status of politically exposed persons (PEP).