AMLD IV has placed emphasis on a risk-based approach to counter financial crime and terrorist financing. Few would argue against this approach. It is not only logical, but also the most practical way forward. The approach appears to be fairly straightforward, consisting of identification, assessment and management risk. However, recent news, analysis and conversation with industry experts suggests it may be more complex than it first seems.
Identification, ranking, risk appetite, prevention and detection are some of the suggested stages and below we look at some of the related issues when putting in place a risk-based approach for AMLD IV.
The first stage of the risk-based approach is the identification of risk. This, in itself, sounds relatively uncomplicated. But … how do you know you that your organisation has identified all relevant risks? If you have a department, or group of people, who identify risk, do you all have the appropriate understanding of what a risk actually is, and are all the identifications relevant?
Once risks have been identified, you will need to rank accounts according to their individual propensity to commit money laundering. In certain instances, there may not be a matrix by which you can measure or quantify a risk. For example, how do you quantify the likelihood of a politically exposed person committing a financial crime or using an organisation in connection with financial crime. Answers may well depend on several criteria, such as ‘do you have a large number of high net worth individuals’ or ‘do you have a high population of accounts from a jurisdiction that is politically sensitive to corruption and bribery’.
This is a simple example of identifying risk and mentions just some of the factors that may provide a metric for assessing likeliness of the risk occurring. In reality, it is more probable that, once you have identified all the risks, there will 10, 20, maybe 30, different causes of that risk to take into account. What was fairly simple at the outset, now seems like a small mountain to climb.
Once they have established the risks and their likely causes, firms will have to develop the appropriate metrics for rating them. Ideally, these need to be modelled to avoid ‘lazy’ answers or people being able to simply answer in a default fashion. For example, with a rating of 1 to 10, respondents may just tick 5 as default. The danger here is that, once the analysis has been carried out to identify the risks and causes, overall best efforts will fall if the ranking is not completed fully and accurately.
An additional line a firm should take is to make a holistic analysis and ask fundamental questions, such as ‘what is the firms appetite for risk’ and ‘what does the level of appetite mean going forward’. AML should be part and parcel of a firm’s overall risk strategy and management process. This will dictate the steps firms can take to increase risk or de-risk according to tolerance.
In terms of prevention, actions to avoid risks will be dictated by the size of the risk, which, in turn, will be determined by several factors, such as firm geography, overall client makeup and transactions. Other factors will include more granular details, such as whether you have met the client face-to-face, the jurisdiction of residence and whether they are a PEP. The individual makeup of the client will influence the prevention to be taken, and this case-by-case basis will result in a much greater initial workload.
Detection requires red flags and issues to be escalated appropriately in a timely manner. This means appropriate training of staff, putting the proper procedures and policies in place and having a dynamic risk assessment framework that adjusts to multiple variables, such as business and client makeup, global events, issues and assessments.
Appropriate, but hard work is required
All of the above should also be assessed, examined and adjusted whenever necessary. This will mean greater external and internal scrutiny, training of staff and an understanding of business strategy – both current and future and the potential impacts – and the implementation of a flexible and adaptable system. As a result, whilst the risk-based approach is logical and understandable, it requires a lot of internal effort. Such an approach also demands a level of foresight when assessing global risk and any changes that may take place to risk levels, and depends on a flexible and adaptable system to keep this information up to date. This will mean a big effort internally and externally but the good news is, once you have that tried and tested system in place, and it’s adaptable and flexible, it will be worth all the hard work.