It’s time for a risk-based approach to KYC

Neil Jeans | August 16, 2016

When know-your-customer (KYC) and anti-money-laundering (AML) legislation came onto the scene in the early 1990s, one might say it lacked finesse—it was highly prescriptive in nature, leaving little room for interpretation, and it forced banks and financial institutions (FIs) to tick the boxes of compliance controls. Within a decade, it started to become clear that one size actually didn’t fit all.

These regulations, originally based on the risks and controls related to retail banking, simply didn’t fit other business models, such as private, institutional, or investment banking and wealth management. But because compliance isn’t optional, all businesses had to comply as best they could, even if that meant shoehorning retail AML control concepts to fit their own business models while potentially missing the real risks to which they were exposed. The end result was that compliance efforts frequently failed to meet regulatory expectations. That is, until the risk-based approach (RBA) to managing risk came along.

Imagine a compliance environment where the controls match the actual risk. That was the goal of RBA—a more flexible and rational approach, shifting the focus to banks and financial institutions demonstrating that their AML controls addressed the actual risks to which they were exposed, rather than simply ticking (sometimes irrelevant) boxes in the hope of satisfying the regulator. Prior to RBA, controls were black and white regardless of circumstances. The RBA allowed flexibility to reduce or increase controls based on the customer and the risk they posed.

While the RBA made life easier in some ways, it made it harder in others. Firms were expected to understand and assess the specific risks they faced and have a deeper understanding of risk in general. The new approach also required a degree of interpretation and individualization by firms and their compliance departments.

In 2007, the Financial Action Task Force (FATF) stepped in with its first attempt at implementing an RBA, issuing a paper which stated:

“By adopting a risk-based approach, competent authorities and financial institutions are able to ensure that measures to prevent or mitigate money laundering and financing threats are commensurate to the risks identified. This will allow resources to be allocated in the most efficient ways. The principle is that resources should be directed in accordance with priorities so that the greatest risks receive the highest attention. The alternative approaches are that resources are either applied evenly, so that all financial institutions, customers, products, etc., receive equal attention, or that resources are targeted, but on the basis of factors other than the risk assessed. This can inadvertently lead to a ‘tick box’ approach with the focus on meeting regulatory needs rather than combating money laundering or financing threats.”

The intention of the RBA was clear: to create more pragmatic processes. The result was somewhat different, with highly complex processes emerging in many instances as a direct result of individual interpretation of the new guidelines. This led to widespread confusion throughout the industry.

The FATF then revised its guidelines in 2010. The Expert Working Group advising the FATF on the risk-based approach and FATF Recommendations in 2010 said:

“As a basic principle, financial institutions and DNFBPs (Designated Non-Financial Businesses and Professions) should be required to take steps to identify and assess their money laundering/financing threat risks for customers, countries or geographic areas, and products/services/transactions/delivery channels. Additionally, they should have policies, controls and procedures in place to effectively manage and mitigate their risks, which should be approved by senior management and be consistent with national requirements and guidance.”

This language was materially different from the 2007 FATF paper and signaled a seismic shift in clarity over what RBA means. 2010 was also the first time the FATF articulated the concept of “effective” risk-based controls, and this definition also makes national legislators responsible for defining what is deemed to be effective.

Despite being issued in 2010, this concept is still filtering through: Regulators around the world are increasingly using the language of “effectiveness” in their dialogue with industry. Effectiveness has further been pushed up the agenda of national regulators as the FATF’s fourth round of mutual evaluations specifically focuses on “effective in practice” assessments.

In 2012, as part of their revision of the 40 Recommendations, the FATF issued a further definition regarding the RBA requiring countries to assess and understand their money-laundering/financing-threat risks and to designate an authority to coordinate actions to assess and mitigate risks using a risk-based approach. It also noted that countries should require reporting entities to assess and take effective action to mitigate their money-laundering/financing-threat risks.

The 2010 and 2012 definitions delivered largely positive results: By focusing on understanding money-laundering/financing-threat risk and then deploying effective controls to manage and mitigate those risks, the current guidelines are far more “workable” and therefore much more useful to banks and FIs grappling with a constantly increasing regulatory burden.

Two pillars of risk assessment
This evolution in the RBA has resulted in two distinct pillars of risk assessment. First, on a country-by-country basis, each individual government needs to understand its vulnerability to money laundering through a national risk assessment. Social demographics are, of course, unique to each country, so this exercise in understanding your environment forms an important pillar in a successful AML strategy.

Second, against the context of national risk, each FI must complete its own internal risk assessment, tailoring its money-laundering/financing-threat risk management program around this. However, these internal assessments can be quite complex, particularly when individual interpretation of guidelines is thrown into the mix.

With that in mind, what risks need to be addressed? There are four main categories of risk to consider:

Vulnerability. The first category concerns the vulnerability of a specific business operation. FATF 2012 sets out a lengthy list of offenses, and firms must guard against each and every one of these. Compliance professionals should be asking questions such as, “Are we vulnerable to, for example, people smuggling or drug trafficking?”

Create an environment that promotes money laundering? The second category centers on the risk of a bank or FI inadvertently creating an environment that promotes or allows money laundering. Questions to ask include, “Do our controls create an environment where the money launderer can thrive? Are there any gaps in our controls that a money launderer could exploit?”

More specific risks. The risks above are general in nature, and the third category comprises a selection of more specific risks, including:

Customer risk. Banks and FIs must have adequate KYC processes in place to ensure they understand whom they’re doing business with. They must fully understand the risks posed by a particular person or entity, including politically exposed person (PEP) risk and sanction risk.

Product vulnerability. Certain products are naturally more attractive to money launderers than others. For example, a checking account offers more scope for laundering than a fixed-term deposit. Factors such as the availability and flexibility of a product could make it inherently risky from a money-laundering perspective.

Geographic risk. Not all countries carry the same risks, and banks and FIs need to be aware of the specific risk environments where they do business. Operating in high money-laundering and/or financing-threat risk countries means that a more stringent control environment could be necessary.

Regulatory risk. The fourth and final category is regulatory risk. There is always the risk that banks and FIs don’t adequately measure up to regulatory expectations. The stakes are high, and the financial and reputational fallout from compliance breaches is well-documented. Regulatory risk is sometimes poorly understood and inconsistently addressed. This risk often keeps compliance professionals awake at night and, just possibly, takes their collective eye off identifying the business-specific risks outlined above. The fear of regulatory failure could well be driving a disproportionate interpretation of what is required and, perversely, contributing to increased regulatory risk.

What’s hampering the risk-based approach?
Over the last decade, compliance professionals have joined the C-suite as the “new” importance of this “hot topic” has resulted in a drive to keep the institution safe. At the same time, there is often a tendency to overly complicate processes. The risk with that complexity is that the controls implemented are not commensurate with actual risk, which was the original aim of RBA.

It is clear from the FATF 2012 guidelines and the evolution of RBA that while this fresh approach has been widely implemented, it is not well understood. Processes have not been fully formed and, in some cases, are driving the wrong outcomes. Despite all the efforts of FATF, local regulators and entire compliance teams, there are still some cases where there are inadequate controls in place to manage and mitigate money-laundering/financing-threat risk.

The fact that current regulations were originally based on the risks and controls relating to retail banking has unintentionally created regulatory barriers to the effective deployment of an RBA in many sectors. The more progressive regulatory regimes recognize this and are striving to address the polarized nature of legislation and regulation to create regulatory environments where a truly risk-sensitive regime can be sustained.

Legislation around AML and RBA was also largely written in the pre-digital age when access to the data that helps firms understand and document risk was limited. There is now a plethora of data available, but many organizations struggle to take advantage of this. Solutions are becoming widely available to help firms harness the power of information to drill down and find the risks they need to be considering.

Back to simplicity
RBA as a concept remains sound—and it is far superior to the tick-box approach it has replaced. What’s needed is simplicity of assessment and application, because the very real risk faced by firms is that they may spend vast amounts of time and effort creating a control environment that complies with regulations but doesn’t actually manage the real risks they face—all while inadvertently contributing to increased regulatory risk.

Here’s an alternative approach: Focus on simplicity—on identifying and managing the actual money-laundering/financing-threat risks a firm faces—and deploy controls that are proportionate to those risks. The result will be that firms automatically comply with the aim and philosophy of the vast majority of AML regulations.