Robust, adequate, and appropriate Anti-Money Laundering (AML) policies and procedures protect regulated entities from being misused by criminals to wash their illicit proceeds. A Risk-Based Approach (RBA) is a customised methodology where AML policies, procedures, and controls are designed and implemented by carefully considering and weighing the distinct levels of Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) risks posed by customers and transactions.
This article discusses the following:
- Limitations of the traditional checklist-based AML approach
- Financial Action Task Force (FATF) recommendations prescribing RBA
- The core principles to be considered by regulated entities while implementing a risk-based approach to combat ML/FT and PF risks
- The challenges usually faced by regulated entities during RBA implementation
- The benefits of RBA implementation for achieving adequate AML compliance.
The Traditional Checklist-Based AML Approach and Its Limitations
AML compliance is a global requirement. The traditional checklist-based AML compliance framework usually involves rule-based systems and manual review processes.
Usually, AML compliance follows a traditional ‘one-size-fits-all’ approach, where regulated entities treat all their customers and transactions with the same level of scrutiny. However, these rules and processes are pre-defined and pose multiple challenges. Regulated entities may face difficulties keeping up with emerging ML/FT and PF typologies due to inefficient manual processes. Some of the obvious limitations of the traditional checklist-based AML compliance framework include:
- Inefficient: Traditional AML frameworks usually involve manual collection, data entry, verification, validation, processing of customer data, and transactions. Considering the volume of financial transactions, manual processes are inefficient, time-consuming, and prone to errors. Moreover, the complex nature of financial transactions makes it difficult for compliance officers to manage such large volumes of information, resulting in delays in identifying and investigating potential financial crimes.
- Rigid: AML compliance systems must be flexible enough to adapt to emerging ML/FT threats. However, under a traditional system, pre-defined rules are rigid and lack the flexibility needed to detect emerging ML/FT and PF typologies and keep up with regulatory updates. This adds to the vulnerability of regulated entities to ML/FT and PF risks.
- Costly: Traditional AML systems require a sizable number of resources in terms of finance and human input. It requires firms to invest heavily in employee training and ongoing supervision. Furthermore, manual inspection systems also increase labour costs. This increases operating costs for regulated entities.
Definition of Risk-Based Approach
RBA, in simple terms, involves thorough identification and assessment of the likelihood and the impact of ML/FT and PF risks associated with customers and their financial activities. This approach helps in determining the frequency of ongoing risk assessment, adaptive controls, effective risk mitigation, and compliance measures tailored to the specific risk profiles.
Regulatory Framework and FATF Recommendations for RBA
The regulatory framework of a risk-based approach to AML compliance stems from the recommendations issued by the Financial Action Task Force (FATF). The risk-based AML compliance guidelines are given under the FATF 40 Recommendations.
The Core Principles of a Risk-Based Approach
The core principles of the risk-based approach are:
- Risk factors identification
- Risk assessment
- Controls implementation
- Residual Risk management
Risk factors identification:
- Identification of relevant and applicable ML/FT and PF risk factors emerging from customers, geographies, transactions, products, services, technology used, and delivery channels relied upon.
- Exploring the internal and external risk factors such as employee due diligence, operational risks, and political, geopolitical, and diplomatic risks.
- Utilising data-driven analysis, including past cases, latest industry trends, and expert knowledge to identify and mitigate risks.
- Relying on findings published and recommended by internationally valued and recognised bodies such as the Wolfsberg Group, Transparency International, Basel Committee, and the Egmont Group of Financial Intelligence Units (FIUs) to understand the vulnerability of the sector in which the regulated entity operates.
- Relying on the findings and observations as published in the National Risk Assessment of the nation in which the regulated entity operates and has its holdings, subsidiaries, and branch offices, including suppliers and customers.
Risk assessment:
- Risk assessment consists of consideration of various ML/FT and PF scenarios and their outcomes to understand the severity of risks.
- Regulated entities must conduct quantitative and qualitative assessments of potential ML/FT and PF risks and their impact.
- Risk assessment facilitates the risk-based development of risk mitigation strategies that are aligned and tailored to the risks specific to the regulated entity, enabling adequate resource allocation and risk mitigation planning.
- Risk assessment helps regulated entities to prioritise risks based on their impact on the level of risk posed by each customer.
- Risk assessment helps define risk appetite, risk tolerance, risk impact assessment from inherent risks and taking risk mitigation measures to bring down the residual risk that forms part of the AML compliance framework for a regulated entity.
Controls implementation:
- Developing control measures to mitigate risks to an acceptable level. In simple terms, risk mitigation controls such as adequate customer due diligence and ongoing monitoring of business relationships help reduce inherent ML/FT and PF risks; the risk that remains is known as residual risk.
- Taking proactive measures to address ML/FT and PF risks before they arise and minimise their impact through preventive, detective, and corrective controls.
- Evaluating the cost-effectiveness of control measures.
- Reviewing and updating ML/FT and PF control measures to adapt to changes in the risk landscape and organisations’ AML compliance objectives.
Residual risk management:
- Evaluating and accepting the left-over ML/FT and PF risks that cannot be adequately mitigated, considering the regulated entity’s risk tolerance.
- Continuously monitoring the effectiveness of implemented controls and reassessing residual risks.
- Transparently communicating residual risks and their management strategies to relevant stakeholders.
- Developing contingency plans to respond effectively to unforeseen events or changes in the event of materialisation of risk.
Benefits of a Risk-Based Approach to AML Compliance
The risk-based approach can be tailored to manage specific risks; it is the most effective way to combat ML/FT and PF activities. Regulated entities can implement AML compliance in a balanced manner by integrating human decisions and technology through RBA.
RBA offers several benefits that contribute to increased efficiency, improved detection and prevention of ML/FT and PF risks and enhanced customer experience.
Increased efficiency and cost-effectiveness:
- By following a risk-based approach, regulated entities can prioritise their efforts on the customers and areas that pose higher ML/FT and PF risks.
- By tailoring AML measures to specific ML/FT and PF risk levels, regulated entities can streamline compliance processes. This involves adopting automation in carrying out AML compliance, such as Customer Due Diligence (CDD) and transaction monitoring, to improve overall operational efficiency and reduce manual workload.
- Prioritising resources based on risk levels and implementing proportional controls to reduce unnecessary compliance costs associated with low-risk customers. This enhances overall cost-effectiveness.
Improved prevention and detection of money laundering:
- Regulated entities can develop targeted risk mitigation strategies tailored to address the specific risks the regulated entity faces. This includes implementing enhanced due diligence (EDD) procedures and enhanced reporting mechanisms.
- Through continuous monitoring of transactions and business relationships, regulated entities can adapt their AML controls to evolving threats and regulatory requirements, thereby staying ahead of emerging money laundering typologies.
Enhanced customer experience:
- A risk-based approach enables regulated entities to apply lighter compliance requirements to low-risk customers, reducing unnecessary burdens. This enhances the overall customer experience and fosters stronger relationships with compliant customers.
- By streamlining due diligence processes for low-risk customers, regulated entities can expedite the account opening and onboarding process, resulting in shorter wait times and improved customer satisfaction.
- By understanding and categorising customers based on their risk profiles, regulated entities can tailor their services and communications to better meet the needs and preferences of different customer segments, enhancing overall satisfaction and loyalty.
Best Practices in Implementing a Risk-Based AML Program
The risk-based approach must be implemented effectively in alignment with the FATF recommendations. The best practices in implementing a risk-based AML program are as follows:
ML/FT and PF risk assessment framework development:
- Developing a strong AML compliance framework that aligns with the regulated entity’s It should fit the business model and risk tolerance level of the respective organisation.
Strong internal controls:
- Establishing strong internal controls proportionate to the identified risks. This includes deploying different due diligence processes, such as simplified, standard, enhanced, or transaction monitoring systems.
- Internal control systems should be able to adapt to evolving risks by implementing continuous monitoring systems to meet the dynamic nature of risk.
- Providing training and awareness to every relevant employee.
Customer risk profiling and Customer Due Diligence (CDD) procedures:
- RBA plays a key role in customer risk profiling and conducting CDD. It helps identify the ML/FT and PF risk levels of each customer.
- High-risk customers should promptly be flagged and monitored frequently. This enables businesses to spot red flags or suspicious behaviour and take necessary freezing and reporting measures.
Ongoing monitoring and reporting:
- The RBA is a continuous process. Regular monitoring ensures that risk levels remain under acceptable thresholds.
- RBA enables regulated entities to manage residual risks effectively. Those risks that cannot be mitigated can at least be controlled and kept low through effective risk-based AML compliance measures such as enhanced due diligence measures.
- Through ongoing monitoring and regular reporting, organisations can fight illegal activities at an early stage and become highly compliant with international standards.
Regulatory compliance and maintaining records:
- The risk-based approach is an internationally accepted standard for AML compliance. Compliance with RBA is crucial for maintaining a good reputation in the global community.
- Maintaining records as prescribed by the relevant regulator helps businesses cooperate with audit authorities during internal audits. A well-maintained record serves as substantial evidence in cases of ML/FT and PF activities.
- Staying compliant enhances stakeholders’ trust and shows regulated entities’ commitment towards building a safe financial community.
AML software implementation:
- Selecting AML software that aligns with the specific needs and risk profile of the regulated entity.
- Ensuring proper integration of AML software with existing systems and processes.
- Providing comprehensive training to employees on how to use the AML software effectively.
- Regularly assessing the performance and effectiveness of the AML software and making adjustments or upgrades as needed.
Challenges in Implementing a Risk-Based Approach
Overall, the risk-based approach to AML compliance offers many benefits, such as flexibility and adaptability. This tailored approach allows regulated entities to stay a step ahead of emerging threats. However, there are certain challenges that need to be addressed:
Objectivity in Risk Assessment:
- It is prudent to assess risks based on factual data and in measurable terms. At times, risk assessment is guided by subjective analysis, which includes individual opinions and biases. This could lead to overestimation or underestimation of risk levels to which a regulated entity might be exposed.
Consistency in Risk Assessment Methodologies:
- As risk-based AML compliance can be tailored, it becomes difficult to maintain a standard risk assessment process across departments and business practices.
- Maintaining consistency in risk assessment methodology is also about maintaining a balance between being highly tolerant of risk and being non-tolerant. Striking a balance between the two can be challenging at times and might put a regulated entity in a vulnerable spot.
Handling Customer Experience:
- One of the objectives of RBA is to enhance customer experience. However, in the case of complex ownership structures or high-risk jurisdictions, the onboarding processes are elaborate, and more documents are requested. This causes inconvenience to customers and can lead to friction in their experience.
Staff Training:
- It is important to provide a comprehensive understanding of different risk levels, evolving regulations, and modern ML/FT and PF techniques. This requires providing training to the staff regularly through a tailored training program.
- Keeping staff up to date with evolving threats and changing technology can be cost- and time-intensive, making it challenging.
Investment in AML Software:
- Selecting the right AML software is time-consuming. The cost of investing in AML software can be significant, including licensing fees, customisation, and ongoing updates, especially for small organisations.
- Integrating innovative technology with existing workflows can be challenging. A regulated entity needs to ensure data security and compatibility.
- Overall, AML software can be a long-term resource-intensive investment.
Conclusion
The essence of the risk-based approach lies in its ability to enhance the effectiveness of AML compliance. The risk-based approach to AML compliance is crucial for forming policies and procedures based on the risk level of customers and transactions. It helps in improving the overall efficiency and effectiveness of the AML compliance framework. This approach enables regulated entities to optimise resource allocation and minimise errors in complying with legal obligations.
Guided by FATF recommendations, RBA focuses on improved ML/FT and PF risk assessment techniques, CDD, ongoing monitoring, and so on. Adopting RBA comes with challenges like subjectivity and complexity in risk assessment, investment in technology and training, and standardisation of risk assessment methods. However, benefits like improved detection and enhanced customer satisfaction underscore its importance. As the financial landscape evolves, the adaptability and flexibility of RBA remain crucial for maintaining trust and integrity in the financial system.