Regulators see risk assessment as a key doctrine of a firm’s anti-money laundering (AML) compliance framework, making a risk-based approach vital. With rising regulatory scrutiny and the resultant hefty fines for noncompliance, customer risk profiling has been brought to the spotlight. Financial institutions must take a proactive risk-based approach and employ adequate KYC (know your customer) processes to future-proof their integrity, resilience and regulatory standing.
What Is a Risk-Based Approach?
The Financial Action Task Force (FATF) defines “risk-based approach” as a process where “countries, competent authorities, and banks identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk.” This approach is commonly applied in various fields, including business, finance, security, and regulatory compliance.
For firms operating in the banking sector, this means enforcing customer risk profiling, a process that involves identifying, mitigating, and monitoring the risks associated with each client relationship. Consequently, organizations must manage their banking clients throughout every stage of their lifecycle - from initial KYC and onboarding through ongoing reviews and offboarding. This can keep financial firms and the wider financial services industry safe from financial crimes such as money laundering and terrorism financing.
To safeguard clients against these risks and to help them with the relevant due diligence implementation efforts, Fenergo’s Client Lifecycle Management solution allows organizations to digitize end-to-end client journeys from onboarding through offboarding. In addition, our Client Onboarding solution automates due diligence, risk scoring, and compliance for streamlined onboarding. For more details on key considerations regarding risk-based approaches to AML and KYC, visit Fenergo's Client Risk Assessments FAQs.
The Three-Step Risk-Based Approach
An effective risk-based approach involves three key steps:
- Identify and assess risk factors
- Mitigate these risk factors by applying relevant management controls
- Monitor and review changes to the residual risk profile
Let's explore each step in more detail.
Step 1: Identify & Assess the Risk
This first step helps organizations understand the breadth and depth of the threats they face. It occurs before conducting Customer Due Diligence (CDD), and determines the client's risk profile. To do so, organizations must gather pertinent information by asking questions, such as:
- What industry does the client operate in?
- What jurisdictions are they operating in?
- What types of transactions are involved?
- Are they cash-intensive businesses?
- What is the volume and value of transactions?
- What types of third parties do they deal with?
- Who are the beneficial owners?
The answers build a holistic client profile, which provide organizations with a panoramic view of potential risks, visualizing risks across multiple areas, including client risk, product/service risk and country risk. Once the risk factors are evaluated, clients are classified into high, medium and low-risk categories. At this stage, companies should introspect and ask themselves if they have the capabilities and expertise to handle the risk? In doing so, organizations can subsequently decide if the client is aligned with their risk appetite and proceed with the engagement or terminate the relationship.
Step 2: Risk Mitigation and Contingency Planning
Step 1 spotlights priority risks, Step 2 lays out a roadmap for their mitigation. Mitigation measures form a diverse toolkit that encompass a range of tactics, from the implementation of risk management controls to the adoption of preventive measures, risk transfer through insurance, and contingency planning:
- Risk management controls: These include Enhanced Due Diligence (EDD) practices, whereby high-risk clients undergo extensive background checks including ongoing transaction monitoring to detect any signs of suspicious activity and sanctions screening to ensure compliance with global watchlists.
- Preventive measures: These are employed in tandem with risk management controls to fortify an organization's defense against potential risks. Measures include the ongoing assessment of potential customer threats, address emerging vulnerabilities, AML training for staff and performing proactive audits to verify protocols are functioning.
- Risk transfer through insurance: This serves as a strategic maneuver to lessen potential financial impacts. For example, organizations can secure cyber insurance as a safety net against the costs of data breaches, or purchase errors and omissions insurance to absorb liability claims.
- Contingency planning: This equips the organization with the necessary knowledge to enhance its readiness for unforeseen events. Examples include emergency response plans for crisis scenarios, and testing incident response procedures through simulations.
Risk mitigation and contingency planning hinges on the effectiveness of the controls within the toolkit. The organization's attention to detail is therefore paramount, as companies will have to introspect and confront certain realities like the effectiveness of their governance structures, their policies and procedures, their KYC and due diligence functionalities, and their integration with other relevant risk assessments. In doing so, companies will gain an unbiased perspective to evaluate their contribution to compliance, risk management, stakeholder confidence, and effective decision-making.
Step 3: Monitor and Review the Residual Risk Profile
This step allows the organization to assess how well its mitigation methods match the identified risks. At the core of this phase lies the concept of residual risk – the risk that remains after inherent risks have been reduced.
Regular monitoring and reviews must occur to detect changes that affect the residual risk profile. To do so, organizations must conduct periodic reviews of their client profiles. These reviews take the form of ongoing screening for sanctions, Politically Exposed Persons (PEPs) and adverse media. They can uncover new, escalation-worthy red flags such as change of ownership, new products/services, new geographies, unusual transactions and more. Higher-risk clients undergo more frequent reviews and any red flags or alerts are escalated for further investigation. As a result, this step ensures the client profiles always align with the company's risk appetite.
Financial institutions should implement ongoing monitoring of the residual risk profiles and periodic reviews to assess the threat landscape and ensure mitigation practices remain pertinent and robust over time.
Risk-Based Approach in Action
In 2021, the UK Financial Conduct Authority (FCA) fined a major bank £264 million for failing to comply with AML regulations. The fine stemmed from the bank’s failure to oversee a commercial client, a jeweler. Despite initial expectations that no cash transactions would occur, around £264 million in cash deposits took place between 2012 and 2016 out of a total of £365 million deposited. Additional issues were identified which the bank failed to investigate, such as large Scottish note deposits in England, musty smelling notes, and individuals acting suspiciously when depositing cash in the banks’ branches.
This case study serves as an example of how a risk-based approach could have prevented regulatory penalties:
- Step 1: Prior to onboarding the commercial jeweler, the bank would have undertaken a thorough risk assessment, which would have recognized jewelers are inherently high-risk client types. This is due to several reasons, mostly because they are cash-intensive businesses and their nature of business is the trade of high value portable assets which are easy to transport, thus making them attractive for crimes such as money laundering. The bank concluded that the client warranted EDD.
- Step 2: Step 1 would have created a cascade of EDD processes. These would have included verifying source of funds and transaction monitoring. Here, it is likely the bank would have discovered the unexpected cash deposits, contrary to initial expectations. This could have led to uncovering illicit money flows.
- Step 3: This step would have triggered ongoing monitoring of the customer's account, examining any anomalies over time. The bank could therefore have identified patterns, consistent irregularities and discrepancies such as large cash deposits, alongside other red flags such as unusual notes and suspicious behavior.
A risk-based approach would have detected suspicious transactions. If the bank had then reported these dubious transactions to the relevant regulators along with the identified discrepancies and anomalies, it is possible the bank could have steered clear of regulatory fines.
Benefits of Risk-Based AML Efforts
A risk-based approach to AML is a proactive rather than a reactive process. It allows financial institutions to redirect their resources toward forward-looking risk assessment and mitigation, instead of focusing on after-the-fact analysis of money laundering. This in turn empowers them to fulfill regulatory requirements, diminishing their susceptibility to financial crimes. The end result could reduce their overall compliance risk, leading to fewer violations and regulatory penalties.
Overall, risk-based approaches are an example of proactive self-regulation and a mature compliance program.
Automate Client Risk Assessment with Fenergo’s KYC’s Risk Engine
Combined with the right technology, organizations can avoid spreading their efforts and budgets thin by automating critical risk-based AML components. Technology solutions that automate risk scoring facilitate more accurate and efficient ongoing monitoring throughout the customer lifecycle, not just at onboarding. Fenergo KYC’s Risk Engine dynamically responds to inputs from a client’s KYC profile to automatically calculate risk assessments. This drives appropriate levels of due diligence, including enhanced measures for higher-risk clients. Fenergo also offers a risk-based approach to KYC compliance that efficiently focuses resources on higher risk clients and ensures lifecycle compliance with local and global KYC regulations.
Implementing a customized, risk-based framework for AML efforts demonstrates a proactive compliance posture. Financial institutions that embrace risk-based AML principles equip themselves to navigate the uncharted waters of evolving illicit finance, reaping benefits in the present while building an adaptable foundation for the future.
Find out how our Know Your Customer solution can improve your customer onboarding process.