A risk-based strategy entails identifying, assessing, and managing ML/TF risks by implementing appropriate AML/CFT and KYC procedures. The AML/KYC regulatory framework requires the adoption and execution of a risk-based strategy. This article elaborates on the risk-based approach in CDD and KYC.
Customers, goods, channels, and jurisdictions that pose a high risk must be identified and assessed using a risk-based approach. The compliance function creates and implements suitable AML/CFT and KYC procedures based on ML/TF risk assessments to guarantee that regulatory obligations are met.
FATF’s new RBA guideline
The Risk-Based Approach (RBA) effectively implements the revised FATF International Standards on Combating Money Laundering (ML) and Terrorism, adopted in 2012. The FATF has updated its previous RBA guideline for the financial industry from 2007 to align it with the new FATF criteria and to reflect the experience acquired by public agencies and the private sector in implementing the RBA over time.
This updated version focuses on the banking industry, while separate advice for the securities industry will be prepared. The FATF will also conduct a review of its other RBA guideline documents, which are all based on the 2003 Recommendations.
Financial institutions are expected to identify, analyze, and comprehend the ML/TF risks to which they are exposed under the RBA’s AML/CFT strategy, and to implement suitable AML/CFT measures that are commensurate with risks to successfully reduce them. Financial institutions should examine and strive to understand how the ML/TF risks they discover will influence them when analyzing ML/TF risks. Therefore, the risk assessment serves as the foundation for the risk-sensitive deployment of AML/CFT controls.
The RBA is not a “zero failure” approach; there may be occasions where an institution has taken all reasonable measures to identify and mitigate AML/CFT risks, but it is still used for ML or TF purposes. The RBA does not exempt financial institutions from mitigating ML/TF risks that are assessed as low during the risk assessment process.
FATF increased emphasis on RBA
The FATF updated its Recommendations to further strengthen the global safeguards and further protect the financial system’s integrity by providing governments with stronger tools to take action against financial crime. FATF increased the emphasis on the RBA to AML/CFT to prevent ML/TF risks and provide effective supervision. Whereas the 2003 Recommendations provided for the application of an RBA in some areas, the 2012 Recommendations consider the RBA to be the essential base of a financial institution’s AML/CFT framework. This is an important requirement that applies to all the relevant FATF Recommendations.
According to the 40 Recommendations of FATF, the RBA allows financial institutions to adopt a more flexible set of measures, to target their resources more effectively, and to apply preventive measures that are commensurate with the nature of the risks, so that their efforts are focused most effectively.
FATF Recommendation 1 sets out the scope of the RBA, which applies to the question of who and what should be subject to the AML/CFT regime.
As per the FATF Recommendation 14, financial institutions should extend their AML/CFT measures to manage and minimize the ML/TF risks. Financial institutions should perform the ML/TF risk assessment to identify the existing and potential risks and implement appropriate measures to ensure that AML/CFT policies and programs are effective and implemented at all levels in the organization.
The AML/CFT team should perform the risk assessment and acknowledge the degree of discretion allowed under the national RBA, and where the ML/TF risks are higher, the enhanced measures must be designed and implemented to mitigate the higher ML/TF risks.
This means that the range, degree, frequency, or intensity of controls conducted are stronger. Where the ML/TF risks are lower, the standard AML/CFT measures may be reduced, which means that each of the required measures has to be applied, but the degree, frequency, or intensity of the controls conducted will be lighter, as compared to high-risk areas.
An effective risk-based regime builds on and reflects the organization’s legal and regulatory approach, the nature, diversity, and maturity of the AML/CFT program, and its risk profile. Banks’ identification and assessment of their own ML/TF risk should consider national risk assessments and take account of the national legal and regulatory framework, including any areas of prescribed significant risk and any mitigation measures defined at the legal or regulatory level. Where ML/TF risks are higher, the financial institutions should apply enhanced due diligence, although national law or regulation might not prescribe exactly how these higher risks are to be mitigated.
The regulatory framework for combating money laundering and terrorist financing is applicable in the form of AML/CFT Regulations as amended from time to time. In view of growing sensitivities on the domestic and international fronts, there is a need to focus on the areas where related risks are relatively high in order to allocate resources most effectively. Accordingly, the following guidelines aim to provide an enabling environment for the effective implementation of a risk-based approach considering banks’ internal policies, procedures, risk parameters, and so on.
MLRO and AML team collaboration
Organizations may conduct risk-based money laundering and terrorist financing assessments for their customers, products, channels, and geographic areas to develop risk-based AML/KYC policies and procedures. The risk-based AML/KYC processes enable targeting the high-risk customers and products and implementing the required AML/KYC controls to avoid the risk of occurrence of ML/TF activities. The regulators prescribe a risk-based approach; therefore, the MLRO and the AML team collaborate with the first line of defense to identify the risk factors embedded in their designed products, services, and onboarded customers.
It is always advisable that measures to prevent ML/TF risks are commensurate with the risks identified, for effective mitigation. Such risk assessments are generally based on perception, subjective judgment, and organizational experience about the ML/TF risks. In this regard, the major consideration may be the “Quantification of Risk through Risk Matrix,” which quantifies likelihood and impact on two dimensions, thereby categorizing ML/TF risks as low, medium, high, or on any other appropriate scale. It is important to mention that without proper quantification of risks, it may be difficult to decide which customer qualifies for simplified due diligence (SDD) measures and which for enhanced due diligence (EDD) measures.
The risk-based approach to supervision enables banks to devote their compliance resources towards the areas of greater ML/TF risks, making it more difficult for criminals to abuse the financial system.
CRP for collecting risk information
Organizations such as banks profile every new customer before onboarding, using their judgment and the information obtained through the CDD/KYC process. Organizations develop a Customer Risk Profiling (CRP) template to capture the required risk information from each customer. The CRP template is used to develop the business and risk profile of the customers, which is also used later during ongoing transaction monitoring or ML/TF investigations.
The federal banking agencies and regulators conduct risk-focused BSA/AML inspections and examinations and tailor their plans and procedures based on the risk profile of each bank. Common practices for assessing the bank’s risk profile include:
- leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank;
- contacting banks between examinations or before finalizing the scope of an examination; and
- considering the bank’s ability to identify, measure, monitor, and control risks.
The risk-focused BSA/AML examinations consider a bank’s unique risk profile. Examiners use the risk assessments and independent testing procedures when planning and conducting the AML/KYC examination for financial institutions such as banks. Examiners assess the adequacy of a bank’s AML/KYC program and policies during each inspection and examination. The extent of the inspection and examination needed to evaluate a bank’s AML program depends on the risk profile of the organization and on the quality of its AML team’s ability to identify, measure, monitor, and control ML/TF risks.
This article elaborates on ‘Risk-Based Approach In CDD And KYC’ and how it entails identifying ML/TF risks by implementing AML/CTF and CDD/KYC procedures. This is required because new and existing customers pose high ML/TF risks.