A risk-based approach to KYC means that ML/TF risks are identified, assessed, and managed through the application of appropriate AML/CFT and KYC controls. Adoption and implementation of a risk-based approach are a requirement of the AML/KYC regulatory framework.
A risk-based approach requires the identification and assessment of high-risk customers, products, channels, and jurisdictions. Based on the ML/TF risk assessment, the compliance function designs and implements appropriate AML/CFT and KYC controls to ensure that regulatory requirements are complied with.
The Risk-Based Approach to KYC
The risk-based approach (RBA) is an effective implementation of the revised FATF International Standards on Combating Money Laundering (ML) and the Financing of Terrorism and Proliferation, which were adopted in 2012. The FATF has reviewed its earlier 2007 RBA guidance for the financial sector to bring it in line with the new FATF requirements and to reflect the experience gained by public authorities and the private sector over the years in applying the RBA. This revised version focuses on the banking sector, and separate guidance will be developed for the securities sector. The FATF will also review its other RBA guidance papers, all based on the 2003 Recommendations.
The RBA to AML/CFT means that financial institutions are expected to identify, assess, and understand the ML/TF risks to which they are exposed and to take appropriate AML/CFT measures that are commensurate with those risks in order to mitigate them effectively. When assessing ML/TF risks, financial institutions should analyze and seek to understand how the risks they identify affect them; the risk assessment therefore provides the basis for the risk-sensitive application of AML/CFT measures.
The RBA is not a “zero failure” approach; there may be occasions where an institution has taken all reasonable measures to identify and mitigate AML/CFT risks, but it is still used for ML or TF purposes. The RBA does not exempt financial institutions from mitigating ML/TF risks where these risks are assessed as low during the risk assessment process.
The FATF updated its Recommendations to further strengthen global safeguards and to further protect the integrity of the financial system by providing governments with stronger tools to take action against financial crime. The FATF increased the emphasis on the RBA to AML/CFT in order to prevent ML/TF risks and provide effective supervision. Whereas the 2003 Recommendations provided for the application of an RBA in some areas, the 2012 Recommendations consider the RBA to be the essential base of a financial institution’s AML/CFT framework. This is an important requirement that applies to all the relevant FATF Recommendations.
40 Recommendations of FATF
According to the 40 Recommendations of FATF, the RBA allows financial institutions to adopt a more flexible set of measures in order to target their resources more effectively and apply preventive measures that are commensurate to the nature of risks, so that they focus their efforts most effectively. FATF Recommendation 1 sets out the scope of the RBA, which concerns who and what should be subject to the AML/CFT regime.
As per FATF Recommendation 14, financial institutions should extend their AML/CFT measures to manage and minimize ML/TF risks. Financial institutions should perform an ML/TF risk assessment, identify the existing and potential risks, and implement appropriate measures to ensure that AML/CFT policies and programs are effective and implemented at all levels in the organization. The AML/CFT team should perform the risk assessment and acknowledge the degree of discretion allowed under the national RBA; where the ML/TF risks are higher, enhanced measures must be designed and implemented to mitigate them.
This means that the range, degree, frequency, or intensity of the controls conducted is stronger. Where the ML/TF risks are lower, the standard AML/CFT measures may be reduced, which means that each of the required measures has to be applied, but the degree, frequency, or intensity of the controls conducted will be lighter than in high-risk areas.
Organizations such as financial institutions may conduct risk-based money laundering and terrorist financing assessments for their customers, products, channels, and geographic areas in order to develop risk-based AML/KYC policies and procedures. Risk-based AML/KYC processes enable them to target high-risk customers and products and to implement the required AML/KYC controls, to avoid the risk of ML/TF activities occurring. A risk-based approach is prescribed by the regulators; therefore, the MLRO and the AML team collaborate with the first line of defense to identify the risk factors embedded in their designed products, services, and onboarded customers.
Organizations such as banks profile every new customer before onboarding, using their judgment and the information obtained through the CDD/KYC process. Organizations develop a Customer Risk Profiling (CRP) template to capture the required risk information from each customer. The CRP template is used to develop the business and risk profile of each customer, which is also used later during ongoing transaction monitoring or ML/TF investigations. The federal banking agencies and regulators conduct risk-focused BSA/AML inspections and examinations and tailor their plans and procedures based on the risk profile of each bank.
Common practices for assessing the bank’s risk profile include:
• Leveraging available information, including the bank’s BSA/AML risk assessment, independent testing or audits, analyses and conclusions from previous examinations, and other information available through the off-site monitoring process or a request letter to the bank.
• Contacting banks between examinations or before finalizing the scope of an examination.
• Considering the bank’s ability to identify, measure, monitor, and control risks.
The risk-focused BSA/AML examinations consider a bank’s unique risk profile. Examiners use the risk assessments and independent testing procedures when planning and conducting the AML/KYC examination of financial institutions such as banks. Examiners assess the adequacy of a bank’s AML/KYC program and policies during each inspection and examination. The extent of the inspection and examination needed to evaluate a bank’s AML program depends on the risk profile of the organization and the quality of its AML team in identifying, measuring, monitoring, and controlling ML/TF risks.
The Know Your Customer risk-based approach enables a better customer onboarding compliance program by adjusting verification levels based on risk factors. Low-risk customers are accepted more quickly, whereas higher-risk customers may require additional verification procedures.