The Role of Risk Analyst in AML Compliance


RapidAML Team

2024-06-18


Compliance is teamwork. This article covers the role of Risk Analysts in Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) compliance. It expands upon the roles and responsibilities of a Risk Analyst and brings out the collaborative element of the role, which requires them to coordinate with KYC Analysts, Screening Analysts, Transaction Monitoring Analysts, the AML Compliance Officer (AML CO), the Chief Risk Officer (CRO), and the remaining members of the AML/CFT and CPF Compliance Team of a Regulated Entity. The article also discusses the skills and qualifications that a Risk Analyst needs in order to contribute towards better Risk Identification, Risk Treatment, Risk Assessment and Risk Management of money laundering, financing of terrorism, and proliferation financing (ML, FT, and PF) risks to which regulated entities are exposed.

What Is a Risk Analyst?

A Risk Analyst is a professional tasked with responsibilities pertaining to risk management, ranging from risk identification, risk profiling, and risk assessment to overall risk management through appropriate risk treatment and mitigation.

There are many types of risk analyst roles based on specific industry, market requirements, or specialisation domains, such as Credit Risk Analyst, Market Risk Analyst, Regulatory & Compliance Risk Analyst, and Operational Risk Analyst in the Risk Management domain. The Risk Analyst skills, qualifications, roles, and responsibilities specifically addressed in this article fall in the Regulatory & Compliance Risk Analyst domain category.

A Risk Analyst in AML, CFT, and CPF context is a professional who assists and facilitates Regulated Entities (REs) subject to AML, CFT, and CPF laws to analyse the ML, FT, and PF risks to which the RE is exposed and devise as well as implement ML, FT, and PF risk identification, analysis, profiling, categorisation, and commensurate ML, FT, and PF risk mitigation measures.

Skills and Qualifications of a Risk Analyst

Risk Analysis, in general, or the Risk Analyst profession, is not governed by a single or unified certifying body or association. However, many internationally recognised organisations offer various credentials and designation options.
In the AML/CFT and CPF Risk Management context, the Certified Anti-Money Laundering Specialist (CAMS) designation and Advanced CAMS-Risk Management (CAMS-RM) certification from ACAMS are the most sought after and coveted. Regulated Entities give weightage to such certifications while considering Risk Analyst candidates to ensure that the Risk Analyst possesses the know-how along with the following skills:


Analytical skills: As the role and title suggest, possessing analytical skills is a must for a Risk Analyst. Risk Analysts in the AML domain must be able to assess or examine information pertaining to the Regulated Entity (RE) and the RE’s customers to be able to manage ML, FT, and PF risks appropriately. ML, FT, and PF Risk Management requires the Risk Analyst to identify, assess, and profile the degree of ML, FT, and PF risks to which the RE is exposed by conducting an Enterprise-Wide Risk Assessment (EWRA), and to help develop an effective ML, FT, and PF Risk Management Framework by establishing the external and internal context of those risks. The external context covers risks posed by the market environment, such as geography, customers, technology, and products/services at a national, international, and regional level; the internal context covers workflow systems, risks from employees, capabilities in terms of personnel, technology, expertise and systems available, and so on.

Further, analytical skills on the part of a Risk Analyst are also required for risk analysis of ML, FT, and PF risks when identifying, assessing and weighting or categorising the sources and causes of ML, FT, and PF to understand trigger events in terms of compliance failure leading to materialisation or occurrence of ML, FT, and PF risks. Analytical ability is also required when assessing the consequences of risks and determining the qualitative and quantitative aspects of ML, FT, and PF risk to arrive at residual risk and come up with adequate and appropriate risk-centred mitigation or control measures. The analytical skills of a Risk Analyst are most useful when trying to develop ML, FT, and PF risk treatment strategies wherein the RE is required to determine which ML, FT, and PF risks to accept, avoid, reduce, and capitalise.

Attention to detail: A Risk Analyst needs attention to detail to achieve quality outcomes from the ML, FT, and PF Risk Management exercise, which comprises EWRA and Customer Risk Assessment (CRA), as well as when defining, identifying, and analysing data for deriving risk tolerance and risk appetite and understanding the risk universe of the RE. The process of identifying inherent risk from customers, countries and delivery channels, products, services, transactions, staff, and third parties requires a keen eye; any error or failure to capture and consider key information here leads to miscalculation of inherent risks and errors in the EWRA, which sets off a domino effect of AML compliance failure.

Research skills: ML/FT Risk Analysts must also possess strong research skills because when it comes to information gathering in the context of conducting EWRA, CRA, building risk profiles and devising risk strategies, the risk analyst is required to rely on lots of information and data, which they must ensure is obtained from a reliable source. The ability to identify a reliable source of information requires the ability to research and test or gauge the authenticity of the source of information itself. Further, research skills help the ML/FT risk analyst combine and synthesise information derived for further analysis to build resilient ML, FT, and PF risk management and assessment frameworks.

Scenario building is a strategic concept that deals with creating hypothetical situations based on the information available to create narratives of possible or likely events. An AML Risk Analyst is required to use research skills to develop scenarios for conducting and fulfilling EWRA obligations as scenario development through ML, FT, and PF risk identification helps in arriving at and calculating ML, FT, and PF risk likelihood and risk impact.

Scenario building in the context of AML software is a concept that helps configure alerts and thresholds when using and customising AML software solutions to meet a regulated entity’s specific needs. Accordingly, for configuring or tailoring AML tools or software such as transaction monitoring, CRA and customer risk profiling, name screening for sanctions compliance, Politically Exposed Person (PEP) and adverse media screening, input from risk analysts is required according to risk parameters applicable.

The research skills of ML/FT/PF risk analysts are very useful when attempting to develop scenarios based on the information collected. Research is required to identify and understand scenarios. Accordingly, risk analysts must provide input, based on such research and on the EWRA carried out, to configure scenarios in the AML software or tool so that alert generation from these AML software tools can be automated.

In simple words, research skills of risk analysts are required to configure alert benchmarks according to the risk-based approach for the regulated entity.

Legal knowledge: To ensure a holistic and wholesome evaluation of ML, FT, and PF risks, a risk analyst is required to have sound knowledge of legal requirements concerning the domain of their specialisation.

In the context of ML, FT, and PF risk analysis, evaluation, and management, a risk analyst is required to possess fundamental knowledge of AML, CFT, and CPF laws and compliance requirements of the regulated entity for which they are providing their professional services.

This legal knowledge enables risk analysts to make better decisions based on the outcomes of risk analysis. This decision-making is possible by taking into account the wider context of ML, FT, and PF risks while keeping in view the legal obligations of the regulated entity. Particularly when determining the risk appetite, legal knowledge helps in knowing the regulatory boundaries within which the regulated entity is required to operate, helping risk analysts to determine risk appetite in a more accurate manner.

Also, when defining risk treatment and checking the effectiveness of risk control measures in place, legal knowledge helps risk analysts to configure risk treatment or control measures in such a manner that such controls align with the legal and regulatory requirements, helping the regulated entity to function with minimal residual risks while achieving business goals.

Legal knowledge is required on the part of the risk analyst to be able to understand and fine-tune the ML, FT, and PF risk mitigation measures and strategies in accordance with the varying AML/CFT and CPF legislations and compliance requirements across different jurisdictions in which the regulated entity operates. The AML laws, sanctions, anti-bribery, and corruption risk parameters and requirements differ across nations. The regulatory review mechanism may also differ, giving rise to differences in risk treatment planning.

Thus, legal knowledge is a must-have tool in the risk analyst’s skillset toolbox.

Communication skills: Communication skills are one of the most underrated skills when it comes to assessing the competence of professionals with technical knowledge. A risk analyst can possess top-notch certifications or designations, have sharp analytical skills with a keen eye for detail, have immense legal knowledge, and be seasoned in conducting adequate and on-point research, but none of it can come to tangible fruition for a regulated entity that makes use of the services of ML/FT risk analyst if such a risk analyst is unable to communicate, coordinate, and collaborate with other key AML compliance personnel such as Screening Analyst, KYC Analyst, AML Compliance Officer or Money Laundering Reporting Officer (MLRO), Chief Risk Officer (CRO), and the Senior Management of the regulated entity. The collaborative element of a risk analyst’s skill set is discussed more elaborately in this blog under the heading “The Role of Risk Analyst in AML Compliance”.

The Responsibilities of Risk Analyst in AML Compliance

The responsibilities a Risk Analyst must shoulder in the context of AML Compliance are as follows:


Risk Identification: ML, FT, and PF risk identification is the first step when embarking upon the journey of ML, FT, and PF risk mitigation. Risk Analysts must come up with the right questions, and the means to put those questions to the Senior Management of the entity while determining the parameters for devising EWRA, and to its customers, suppliers, and business associates when conducting CRA, in order to identify the ML, FT, and PF risks to which the RE is exposed, on the tenets of the Risk-Based Approach (RBA). Such ML, FT, and PF risk identification exercises can be carried out by the Risk Analyst by formulating tailored questionnaires and templates for ML, FT, and PF risk identification. The risk identification responsibility complements the process of formulating the Customer Risk Profiling questionnaire. The Customer Risk Profiling questionnaire or template helps the risk analyst to attune risk identification questions in accordance and alignment with the outcomes of the EWRA exercise.

Enterprise-Wide Risk Assessment (EWRA): The EWRA process comprises assessing the extent of ML, TF, and PF risks to which an RE is exposed. A Risk Analyst is usually entrusted with the responsibility of conducting EWRA. While conducting EWRA, the Risk Analyst is required to consider ML, FT, and PF risks emerging from factors such as:

  • Customer/business relationship risk from customers to the RE
    • Emanating from the Legal Structure and their Ultimate Beneficial Owners
    • Emanating from the nature of the customer’s business activities
    • Originating from customer’s associations or business connections
  • Geographic risk from jurisdictions in which the RE conducts most business operations from or with
    • Such as the Regulatory/Supervisory Framework in that Country
    • Applicable Sanctions Compliance Requirements
    • Reputation of the Country
  • Product/Service or Transaction-Related Risk
    • Susceptibility of being misused for ML, FT, or PF (such as precious stones, dual-use goods)
    • Connection with known and emerging ML, FT, or PF typologies
    • Complexity in terms of transactions, layered transactions, etc.
    • Such as the size, volume, or value of transactions
  • Channel Related Risk
    • Whether virtual/remote or in-person, the level of involvement of intermediaries
  • Technology Related Risk
    • Emerging from reliance on the use of technology which does or does not have globally accepted cybersecurity certifications such as ISO or NIST and the like
  • Other Risks
    • Emerging from market distribution, cluster, etc.

Upon collection of relevant information through questionnaires and commencing the process of EWRA, the risk analyst can assess the ML, TF, and PF risk impact and likelihood of ML, TF, and PF risk event materialisation or occurrence, prepare reports and share data with the AML team for the formulation of AML, CFT, and CPF policies, procedures, systems, and controls.

A risk analyst is also required to ensure that they regularly update and upgrade risk assessment and classification methodology to ensure its alignment with the changing needs of the entity, such as new product or service launches, entry into new markets in new countries, the opening of branch offices and customising branch-wise risk assessment while ensuring alignment with head-office and overall business objectives.

Customer Risk Assessment (CRA): A risk analyst is required to assist the Regulated Entity in fulfilling its CRA obligation. The risk analyst is responsible for conducting CRA and classifying customers into various risk categories, such as high risk, medium risk, or low risk, on the basis of and in alignment with the policies and procedures of the entity.

Risk classification helps the risk analyst to categorise, segregate, and implement ML, FT, and PF control measures such as Customer Due Diligence (CDD), Standard Due Diligence, Simplified Due Diligence (SDD), and Enhanced Customer Due Diligence (ECDD), also referred to as Enhanced Due Diligence (EDD) in some jurisdictions, in a risk-based manner, i.e., applying control measures in proportion with degree of risk posed by the customer.

The risk analyst is required to monitor and review such customer risk classifications regularly while considering changes in the regulatory landscape, as well as internal and external factors impacting such business relationships.

The ML, FT, and PF risk management process requires the risk analyst to develop a risk profile for all customers. This enables the risk analyst to include essential details about every customer in their respective customer profile according to that customer’s risk classification. Details captured in a customer’s risk profile would help the risk analyst compare a customer’s activities and transactions during the span of the business relationship with the intended purpose of the business relationship proposed while establishing the business relationship.

This comparison of customer’s risk profile details and their business transactions by the risk analyst is useful in identifying deviation or inconsistency between customer’s profile and their respective business or transaction patterns, as these deviations or inconsistencies could be indicators of underlying illicit movement of funds for criminal purposes usually resulting in ML, TF, or PF risk for the entity. The identification of deviations is extremely important to identify and report suspicious transactions and activities, requiring the risk analyst to collaborate and coordinate with the transaction monitoring analyst.

Also, in certain events, factors that cause a shift of a customer’s risk classification from one category to another, for example, from high to low or vice versa, would require the risk analyst to update the customer’s risk profile accordingly.

Record-keeping: Keeping records of the measures taken by a regulated entity to mitigate ML, FT, and PF risks is an obligation that risk analysts can help fulfil by contributing towards record-keeping of every risk identification, analysis, and control measure they undertake. This includes maintaining records for a specified duration according to relevant regulatory or supervisory bodies. These records include but are not limited to records such as:

  • Entire set of EWRA Documents: including but not limited to inherent risk calculations, risk appetite measurement, residual risk formulation, risk likelihood and risk impact assessment, risk rating criteria formation and templates, risk scoring map, risk rating table, EWRA outcomes, reports, supporting and source or reference documentations.
  • Entire set of CRA Documents: including customer risk profiling activities with customer details and annexures of copies of customer identification documents.
  • Risk mitigation activity calendar: indicating the chronology and periodicity of ML, FT, & PF risk management reviews and activities.
  • ML, FT, or PF risk database and risk reports: generated because of risk identification, assessment, and mitigation exercise and resultant correspondences within the organisation.
  • ML, FT, or PF risk management committee minutes of the meeting and decision-making records regarding ML, FT, and PF risk management.
  • ML, FT, or PF risk register: indicating risk description, risk trigger events, status of implementation of risk mitigation plan, approvals from senior management signing off the commencement or continuation of business relationship with high-risk customers.
  • ML, FT, or PF risk movement report: indicating a shift of existing customers from a previously assigned risk score or category, such as high or low, to a newly assigned risk score/category resulting from change in customer profile identified during ongoing monitoring or periodic reviews of business relationships and the resultant change in control measures.
  • ML, FT, or PF risk register review report: indicating quarterly, semi-annual, and annual reviews of risk registers and observations or corrective measures, also known as remediation measures, prescribed during AML/CFT and CPF internal, external, as well as regulatory audits.
  • ML, FT, or PF risk mitigation workflow: as determined and implemented by the regulated entity.
  • ML, FT, or PF risk event reporting: such as Suspicious Activity Report/ Suspicious Transaction Report (SAR/STR) in coordination with the AML compliance team members such as screening analyst, KYC analyst, transaction monitoring analyst, AML Compliance Officer, or MLRO.

The Role of Risk Analyst in AML Compliance

The Role of Risk Analyst in AML Compliance and Relevance of EWRA/CRA & Case Management Software

For each ML, TF, & PF risk mitigation measure below, the actions to be performed by a Risk Analyst are listed first, followed by the automation alternative that can simplify the Risk Analyst’s role.

Risk Identification
  Actions to be performed by a Risk Analyst:
  • Formulating Risk Identification Questionnaires and Templates to ask the right questions for understanding the business and identifying ML, TF, and PF risks specific to fulfilling the regulated entity’s AML/CFT and CPF compliance requirements.
  • Identification of new risks.
  Automation alternative: An EWRA/CRA & Case Management software or unified AML compliance software can be used by the entire team of the AML Compliance department, right from the screening analyst to the AML Compliance Officer, so that ML, FT, and PF risks can be identified at the earliest.

Entity-Wide or Business Risk Assessment (EWRA/BRA)
  Actions to be performed by a Risk Analyst:
  • Devising EWRA methodology
  • Scenario Development
  • Identifying and assessing inherent risk factors specific to the regulated entity
  • Risk prioritisation and risk treatment strategising
  • Identifying, testing, and implementing new as well as existing control measures
  • Evaluating the effectiveness of ML, FT, and PF mitigation or control measures
  • Determining residual risk.
  Automation alternative: Unified EWRA/CRA software that is built to suit the Regulated Entity’s sector and size-specific needs, which facilitates risk weighing and scoring.

Customer Risk Assessment (CRA)
  Actions to be performed by a Risk Analyst:
  • Defining CRA parameters
  • Defining Risk Classification and Risk Scoring Scales
  • Developing Risk Models
  • Information and Data gathering
  • Assessing and Classifying customers according to risk categories
  • Observation for onboarding decision.
  Automation alternative: Unified EWRA/CRA software combined with a case management tool that can facilitate risk classification and systematic escalation for EDD to KYC analysts and the AML compliance officer.

Customer Risk Profiling
  Actions to be performed by a Risk Analyst:
  • Building Customer Risk Profile
  • Periodic Review of Customer Risk Profile
  • Ongoing Monitoring of Risk Classification Assigned.
  Automation alternative: Unified AML solution that helps development of the customer profile, paired with an integration feature across AML solutions such as KYC, Screening, etc.

Identification of ML, TF, and PF Red Flags
  Actions to be performed by a Risk Analyst:
  • Comparing Business Activities of a customer across their customer profile
  • Identifying deviations or inconsistencies between business activities and customer risk profile.
  Automation alternative: Case Management solution paired with a transaction monitoring solution that helps the Risk Analyst get a 360-degree view of the customer profile for failsafe identification of ML, FT, and PF red flags and identify inconsistencies across customer risk profiles and their transaction patterns.

Assistance & Coordination with AML Compliance Team for Regulatory Reporting
  Actions to be performed by a Risk Analyst:
  • Escalation to Chief Risk Officer or AML Compliance Officer/MLRO for decision on regulatory reporting
  • Collaborating and coordinating with AML compliance team members/peers such as KYC Analysts, Screening Analysts, Transaction Monitoring Analysts, AML Compliance Officer (AML CO), and Chief Risk Officer (CRO).
  Automation alternative: Transaction monitoring and Case management solution to help with expedited decision making around the need for regulatory reporting, with templates for prompt and categorical SAR/STR reporting and event-based triggers and alerts configuration features.

Record Keeping
  Actions to be performed by a Risk Analyst:
  • Coordination and maintenance of ML, FT, and PF risk mitigation documentation, including but not limited to documents such as follows:
    • Entire set of EWRA Documents
    • Entire set of CRA Documents
    • Risk mitigation activity calendar
    • ML, FT, or PF risk database and risk reports
    • minutes of the meeting and decision-making records
    • ML, FT, or PF risk register
    • ML, FT, or PF risk movement report
    • ML, FT, or PF risk register review report
    • ML, FT, or PF risk mitigation workflow
    • ML, FT, or PF risk event reporting.
  Automation alternative: AML case management solution with record vault and record and register creation functionalities for instantly generating the reports required, with approval of the same by senior management routed through the case management solution.

Steering from ML, FT, & PF Risks towards Resilience: The Role of Risk Analyst in AML Compliance – Concluding Thoughts

The Risk Analyst plays a crucial role in the identification, assessment, evaluation, mitigation, and execution of the regulated entity’s ML, FT, and PF risk mitigation or risk management obligation. The risk analyst’s goal is to safeguard the regulated entity against existing and emerging ML, FT, and PF risks. The use of automation or software solutions facilitates strengthening the efforts of risk analysts in the AML compliance domain.

Dipali Vora

Dipali is an Associate member of ICSI and has a Bachelor’s in Commerce and a General Law degree.

She currently assists clients by advising and helping them navigate the legal and regulatory challenges of Anti-Money Laundering Law. She also helps companies develop, implement, and maintain effective AML/CFT and sanctions programs.

She knows Anti-money laundering rules and regulations prevailing in GCC countries and specializes in Enterprise-wide risk assessment, Customer Due-diligence, and Risk assessment.

CAMS, ACS
