What Is A Risk Based Approach?

What is a risk based approach? A risk-based approach means that organizations such as banks and financial institutions identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed and take the appropriate mitigation measures in accordance with the level of risk. How does an AML compliance program run in an organization on a daily basis when using the risk-based approach?

What is a Risk Based Approach?

The operational idea of the risk-based approach is straightforward. You identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures. Once your organization’s AML compliance program reduces those highest risks to acceptable levels, you move on to the next lower risks.

One can see why a risk-based approach is so useful. An organization’s biggest compliance risks will cause the most disruption should they come to pass: time spent on investigations, money spent on regulatory settlements, unwanted headlines, business partnerships jeopardized, and so forth. If there’s one thing senior executives hate, it’s a disruption to their business. So operationally, a risk-based approach makes huge sense. 


FATF’s New RBA guidelines

The Risk-Based Approach (RBA) effectively implements the revised FATF International Standards on Combating Money Laundering (ML) and Terrorism, adopted in 2012. The FATF has updated its previous RBA guideline for the financial industry from 2007 to align it with the new FATF criteria and to reflect the experience acquired by public agencies and the private sector in implementing the RBA over time.

This updated version focuses on the banking industry, while separate advice for the securities industry will be prepared. The FATF will also conduct a review of its other RBA guideline documents, which are all based on the 2003 Recommendations.

Financial institutions are expected to identify, analyze, and comprehend the ML/TF risks to which they are exposed under the RBA’s AML/CFT strategy, and to implement suitable AML/CFT measures that are commensurate with those risks in order to reduce them successfully. When analyzing ML/TF risks, financial institutions should examine and strive to understand how the risks they discover will affect them. The risk assessment therefore serves as the foundation for the risk-sensitive deployment of AML/CFT controls.

The RBA is not a “zero failure” approach; there may be occasions where an institution has taken all reasonable measures to identify and mitigate AML/CFT risks, but is still used for ML or TF purposes. The RBA does not exempt financial institutions from mitigating ML/TF risks that are assessed as low during the risk assessment process.

FATF Increased Emphasis on RBA

The FATF updated its Recommendations to further strengthen the global safeguards and further protect the financial system’s integrity by providing governments with stronger tools to take action against financial crime. The FATF increased the emphasis on the RBA to AML/CFT to prevent ML/TF risks and provide effective supervision. Whereas the 2003 Recommendations provided for the application of an RBA in some areas, the 2012 Recommendations consider the RBA to be the essential base of a financial institution’s AML/CFT framework. This is an important requirement that applies to all the relevant FATF Recommendations.

According to the 40 Recommendations of the FATF, the RBA allows financial institutions to adopt a more flexible set of measures, so that they can target their resources more effectively, apply preventive measures that are commensurate with the nature of the risks, and focus their efforts where they are most effective.

FATF Recommendation 1 sets out the scope of the RBA, which applies to who and what should be subject to the AML/CFT regime.

An effective risk-based regime builds on and reflects the organization’s legal and regulatory approach, the nature, diversity, and maturity of the AML/CFT program, and its risk profile. Banks’ identification and assessment of their own ML/TF risk should consider national risk assessments and take account of the national legal and regulatory framework, including any areas of prescribed significant risk and any mitigation measures defined at the legal or regulatory level. Where ML/TF risks are higher, the financial institutions should apply enhanced due diligence, although national law or regulation might not prescribe exactly how these higher risks are to be mitigated.

How Flexible is RBA?

This flexibility allows for more efficient use of resources, as organizations can decide on the most effective way to mitigate the money laundering and terrorist financing risks they have identified. It enables them to focus their resources and take enhanced measures in situations where the risks are higher. They can also apply simplified measures in lower-risk activities. The implementation of the risk-based approach will avoid the consequences of inappropriate de-risking behavior.

Regulators advocate a risk-based approach for another reason: it shows that organizations understand the money laundering and terrorist financing risk to which they are exposed. Conversely, if an organization’s local regulator gets the impression that the organization sees AML compliance as a checklist item to put behind it, the organization is in a much worse position. Regulators might start questioning the organization’s sincerity about AML compliance as well as the effectiveness of related measures.

Final Thoughts

Your compliance regime must include an assessment and documentation of money laundering and terrorist financing risks in a manner that is appropriate for you. This is in addition to the requirements for client identification, record keeping, and reporting. A risk-based approach is a method for identifying potential high risks of money laundering and terrorist financing and developing mitigation strategies.
