The risk-based approach is central to the effective implementation of AML concepts. A risk-based approach means that organizations such as banks and financial institutions identify, assess, and understand the money laundering and terrorist financing risk they are exposed to and take mitigation measures appropriate to the risk level.
What do we mean by that? How does an AML/CTF compliance program run in an organization daily when you use the risk-based approach?
What Is The Risk-Based Approach?
The operational idea of the risk-based approach is straightforward. You identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures. Once your organization’s AML/CTF compliance program reduces those highest risks to acceptable levels, you move on to the next lower risks.
One can see why a risk-based approach is so useful. An organization’s biggest compliance risks will cause the most disruption should they come to pass: time spent on investigations, money spent on regulatory settlements, unwanted headlines, business partnerships jeopardized, and so forth. If there’s one thing senior executives hate, it’s a disruption to their business. So operationally, a risk-based approach makes huge sense.
This flexibility allows for more efficient use of resources. Organizations can decide on the most effective way to mitigate the money laundering and terrorist financing risks they have identified. It enables them to focus their resources and take enhanced measures in situations where the risks are higher, apply simplified measures where the risks are lower, and exempt low-risk activities. The implementation of the risk-based approach will avoid the consequences of inappropriate de-risking behavior.
Regulators advocate a risk-based approach for another reason: It shows that organizations understand the money laundering and terrorist financing risk they are exposed to. Conversely, if an organization’s local regulator gets the impression that the organization sees AML compliance as a checklist item to put behind it, the organization is in a much worse position. Regulators might start questioning the organization’s sincerity about AML compliance and the effectiveness of related measures.
The approach to risk management and risk mitigation necessitates senior management leadership and engagement in the detection and deterrence of money laundering and terrorist financing. Senior management is ultimately accountable for making management decisions regarding policies, procedures, and processes that mitigate and control the risks of money laundering and terrorist financing within a business.
Risk-Based Approach As A Process
A risk-based approach (RBA) is a process that includes the following steps in the context of money laundering and terrorist financing:
- the risk assessment of your business activities based on specific criteria;
- the risk-mitigation process of putting controls in place to deal with identified risks;
- keeping customer identification and, if applicable for your industry, beneficial ownership information current; and
- the ongoing monitoring of high-risk financial transactions.
Several specific abilities are required for the ‘risk assessment skill.’ It implies, for example, a strong ability to conduct due diligence on third parties who may become part of your extended company. A third party will invariably introduce some risk, which is fine as long as you understand the nature and scope of the risk.
It also necessitates the ability to keep track of regulatory changes. We may define these as new regulations that affect your business or existing regulations that are becoming more important in terms of enforcement. (Think about the corruption risks ten years ago, or the risk of sanctions today.) It will be necessary to understand how a regulatory change in the outside world affects the criteria for ‘high’ compliance risk in your specific organization.
Perhaps most importantly, you must be able to comprehend the compliance risks posed by your company’s internal processes: new product lines, new incentive compensation schemes, new IT systems, new third parties, and new third-party assignments. All of these factors may have an impact on your compliance risks without requiring any ‘external’ changes.
To develop these skills, compliance officers will need access to more data and analytics, to some extent (in many cases, to a large extent). You will also need a good working relationship with other departments within the company so that you are always up to date on internal changes. This implies that the organization’s leaders are in favor of compliance. It is critical that those in other parts of the organization understand that they must always consider the compliance area when making decisions.
Your compliance regime must include an assessment and documentation of money laundering and terrorist financing risks in a manner that is appropriate for you. This is in addition to the requirements for client identification, record keeping, and reporting. A risk-based approach is a method for identifying potential high risks of money laundering and terrorist financing and developing mitigation strategies.
Existing obligations, such as client identification, will be maintained as a bare minimum. When it comes to situations where enhanced due diligence is required, the principle of a risk-based approach is to focus your resources where they are most needed to manage risks within your tolerance level. You must decide what is acceptable to you, taking into account the nature of each product or service, the geographical regions where you do business, and the relationships you have with your customers.