Risk-Based Approach to Managing Risk
What is a risk-based approach?
The risk-based approach recognizes that a customer’s profile can be determined at the start of the relationship. However, the profile of a customer’s financial behavior, which allows the FI to identify transactions or activity that may be unusual or suspicious, will build up only over time. The FI should adopt a categorization for risk assessment (low, medium, high, or prohibited). The criteria for each category should be set in advance, and should determine the differing levels and treatments of client identification, verification, additional CDD (enhanced due diligence), information, and monitoring. For nonresident clients or transactions originating from other jurisdictions, the criteria should be based on factors and/or information relating to that jurisdiction.
What are the steps in risk-based approach?
A risk-based approach involves a number of discrete steps in ascertaining the most cost-effective and appropriate ways to manage and mitigate the risks of money laundering and terrorist financing faced by an FI. The aim of these steps is to identify the money laundering and terrorist financing risks that are pertinent to the FI in relation to its customers, products, delivery channels, and geographic areas of operation. The steps are:
- Identify the risks.
- Assess the risks.
- Design and put in place controls to manage and reduce risks.
- Monitor and improve the effective operation of the risk-based controls.
Sources of Risks
I. Higher risk
- New accounts (in particular those opened on a non–face-to-face basis)
- Accounts operated under power of attorney
- Accounts of PEPs
- Accounts where a suspicious activity report has been made to the compliance officer
- Accounts where fraud has previously been attempted
- Accounts operated under trade finance activities
- Accounts operated through correspondent banking relationships
- Foreign exchange and money transfer services
- Occasional transactions for noncustomer(s)
- Wire transfers
- Correspondent banking relationships
II. Medium risk
- Current accounts over 6 months old depending on the assigned risk category
- Accounts offering an overdraft facility
III. Low Risk
- Low-value foreign exchange activity and money transfer services
- Pension schemes
- Salary VFS Payments
Assigning a Risk Score
A risk-based approach serves to balance the cost burden placed on the FI and its customers with a realistic assessment of the threat of the FI being used in money laundering or terrorist financing. A risk-based approach focuses the management of risk on those areas where it is needed and where it will have the greatest effect. To support the overall objective of preventing money laundering and terrorist financing, a risk assessment form should be completed by the compliance officer (usually this is done by the TMS at the time of customer onboarding), providing clear reasoning to justify the assigned risk category and the level of due diligence. This is completed for all new and high-risk customers and recognizes that the money laundering and terrorist financing threat to the FI varies across customers, products, geographic regions, and delivery channels.
Customer Risk
The customer risk factors relate to types or categories of customers. Certain customer or business relationship categories pose a risk that should be taken into account when assessing the overall level of inherent customer risk. When identifying certain categories of customers as inherently high risk, FIs should also consider the results of the NRA or any Topical Risk Assessment, as well as information from official sources, including the Supervisory Authorities, the FIU, the FATF, MENAFATF and other FSRBs, the Egmont Group, etc.
When assessing the customer risk factors with respect to the business-wide ML/FT risk assessment, an FI can take into account:
- Type of customers: The risks related to retail customers in combination with their product/service needs may be different from those related to high net worth or corporate customers and their respective product/service needs. Likewise, the risks associated with resident customers may be different from those associated with non-resident customers.
- Customer base: FIs with small, homogenous customer bases may face different risks from those with larger, more diverse customer bases. Similarly, FIs targeting growing or emerging markets may face different customer risks than those with more established customer bases.
- Maturity of relationship: FIs that rely on more transactional, occasional, or one-off interactions with their customers may be exposed to different risks from institutions with more repetitive or long-term business relationships.
The specific customer risk factors that FIs should consider, include:
- Categories of business relationships with complex legal, ownership, or direct or indirect group or network structures, or with less transparency with regard to Beneficial Ownership, effective control, or tax residency, may pose different ML/FT risks than those with simpler legal/ownership structures or with greater transparency.
- Categories of customers involved in highly regulated and supervised activities, as opposed to those involved in activities that are unregulated.
- Customers associated with higher-risk persons or professions (for example, foreign PEPs and/or their companies), or those linked to sectors associated with higher ML/FT risks.
- Non-resident entities particularly those with connections to offshore and high-risk jurisdictions.
- Professionals (e.g., lawyers, accountants and TCSPs) acting as introducer or intermediary on behalf of customers or groups of customers (whereby there is no direct contact with the customer).
- High net worth individuals.
- Respondent banks from high-risk countries.
Some of these customer risk factors are also relevant when determining the customer risk classification of an individual customer and the type and extent of customer due diligence to be performed.
Geographic Risk
FIs should consider geographic ML/FT risk factors both from domestically and cross-border sources. These risks arise from: (i) the locations where the FI has offices, branches and subsidiaries and (ii) locations in which the customers reside or conduct their activities. Examples of some of these factors include:
- Regulatory/supervisory framework: Countries with stronger AML/CFT controls present a different level of risk than countries with weaker regulatory and supervisory frameworks, for instance countries identified by the FATF as jurisdictions with weak AML/CFT measures.
- International Sanctions: FIs should consider whether the countries or jurisdictions they deal with are the subject of international sanctions, such as targeted financial sanctions (TFS) and UAE, OFAC, UN, and EU restrictive measures, that could affect their ML/FT risk exposure and mitigation requirements.
- Reputation: FIs should consider whether the countries or jurisdictions they deal with are associated with higher or lower levels of ML/FT, corruption, and (lack of) transparency (particularly financial and fiscal reporting, criminal and legal matters, and Beneficial Ownership, but also including such factors as freedom of information and the press).
- Combination with customers’ inherent risk factors: FIs should consider the country’s risk in combination with customer risks, including the principal residential or operating locations of customers.
Product-, Service-, Transaction-Related Risk
When assessing the inherent ML/FT risks associated with product, service, and transaction types, an FI should take stock of its lines of business, products and services that are more vulnerable to ML/FT abuse. FIs should assess the inherent ML/FT risks of abuse of the products and services by their customers taking into account a number of factors such as their ease for holding and transferring value or their complexity and transparency. Some of the risk factors that FIs should consider, among others, are:
- Typology: FIs should consider whether the product, service, or transaction type is associated with any established ML/FT trends.
- Complexity: Products, services, or transaction types that favour complexity, especially when that complexity is excessive or unnecessary, can often be exploited for the purpose of money laundering and/or the financing of terrorism or illegal organisations. FIs should consider the conceptual, operational, legal, technological and other complexities of the product, service, or transaction type. Those with higher complexity or greater dependencies on the interactions between multiple systems and/or market participants may expose FIs to different types and levels of ML/FT risk than those with lower complexity or with fewer dependencies on multiple systems and/or market participants.
- Transparency and transferability: Situations that favour anonymity can often be exploited for the purpose of ML/FT. FIs should consider the level of transparency and transferability of ownership or control of products, services, or transaction types, particularly in respect of the ability to monitor the identities and the roles/responsibilities of all parties involved at each stage. Special attention should be given to products, services, or transaction types in which funds can be pooled or co-mingled, or in which multiple or anonymous parties can have authority over the disposition of funds, or for which the transferability of Beneficial Ownership or control can be accomplished with relative ease and/or with limited disclosure of information.
- Size/value: Products, services, or transaction types with different size or value parameters or limits may pose different levels of ML/FT risk.
Information on nonresident jurisdictions is based on the Corruption Perceptions Index by Transparency International (2022 report), together with the requisite guidance from the Financial Action Task Force and other agencies, such as the United Nations, the supervisory authority, and/or the financial intelligence unit. Such information is subject to regular review, at least annually, by the compliance officer or staff of the compliance department or unit. The results are recorded for each customer and updated on the basis of risk. The customer file and its related documented risk assessment should reflect the justification and reasoning for the assigned risk category, with clear recommendation(s) for the ongoing level of monitoring and the timeline for updating the risk assessment and due diligence details. The FI’s identification program, which reflects risk, includes:
- standard or enhanced information held with respect to all customers
- standard or enhanced identification and verification requirements for all customers
- enhanced due diligence (obtaining additional information on the customer, obtaining information on the source of funds or wealth of the customer, conducting enhanced monitoring of the business relationship) for higher-risk customers, as determined by the risk assessment
- where appropriate, reduced CDD requirements where the risk of money laundering or terrorist financing has been assessed as being low
- risk-based ongoing monitoring of customer activities and transactions that will enable the FI to ensure that transactions being conducted are consistent with the FI’s knowledge of the customer. Customers assessed to be a higher risk will be subject to enhanced monitoring compared with customers assessed to be a low risk.
In addition, background information will be collected on high-risk customers; politically exposed persons (PEPs); individuals deemed high risk, geographically or otherwise; and companies and/or institutions that trade in or do business related to high-risk commodities. This will also involve obtaining information to substantiate the source of wealth and funds of a high-risk customer.
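The following is an added illustration, not the page's own procedure or any FI's production scoring model, of how the categorization described above (low, medium, high, prohibited), the sources of risk, and the customer, geographic, and product factors can be combined into a recorded risk score with its justification, CDD level, monitoring level, and review timeline. The weights, thresholds, review intervals, product scores, and the jurisdiction table are assumptions chosen for the example; the jurisdiction codes are ISO 3166 user-assigned codes (XA to XD), so no statement is made about any real country.

```python
"""Illustrative customer risk-scoring model (added example, not the page's own
procedure). Weights, thresholds, review intervals, product scores and the
jurisdiction table are assumptions made for this example only."""
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    PROHIBITED = 4


# Constructed jurisdiction table keyed by ISO 3166 user-assigned codes (XA-XD).
# cpi: a Corruption Perceptions Index style score 0-100 (higher = cleaner);
# fatf: None, "grey" (increased monitoring) or "black" (high-risk jurisdiction).
JURISDICTIONS = {
    "XA": {"cpi": 80, "fatf": None,    "sanctioned": False},
    "XB": {"cpi": 45, "fatf": "grey",  "sanctioned": False},
    "XC": {"cpi": 20, "fatf": "black", "sanctioned": False},
    "XD": {"cpi": 15, "fatf": "black", "sanctioned": True},
}

# Assumed inherent product scores following the page's higher/medium/low lists.
PRODUCT_SCORE = {
    "correspondent_banking": 3, "trade_finance": 3, "wire_transfer": 3,
    "fx_money_transfer": 3, "overdraft": 2, "current_account": 1,
    "pension": 0, "salary_payment": 0, "low_value_fx": 0,
}


@dataclass
class Customer:
    customer_id: str
    home_country: str                 # the FI's own jurisdiction (resident check)
    residence_country: str
    operating_countries: list = field(default_factory=list)
    products: list = field(default_factory=list)
    is_pep: bool = False
    complex_ownership: bool = False
    via_intermediary: bool = False    # introduced by a lawyer, accountant or TCSP
    high_net_worth: bool = False
    power_of_attorney: bool = False
    prior_sar: bool = False
    prior_fraud_attempt: bool = False
    relationship_months: int = 0


@dataclass
class Assessment:
    category: Risk
    score: int
    reasons: list        # the justification the customer file must record
    cdd: str             # "simplified" | "standard" | "enhanced"
    monitoring: str      # "standard" | "enhanced"
    review_months: int   # assumed timeline for re-assessing the customer


def assess(c: Customer) -> Assessment:
    reasons, score = [], 0

    def add(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    countries = {c.residence_country, *c.operating_countries}
    # Hard override: exposure to a sanctioned jurisdiction is prohibited outright.
    if any(JURISDICTIONS[k]["sanctioned"] for k in countries):
        reasons.append("sanctioned jurisdiction exposure")
        return Assessment(Risk.PROHIBITED, 99, reasons, "enhanced", "enhanced", 0)
    # Geographic factors, counted once per distinct country.
    for k in sorted(countries):
        j = JURISDICTIONS[k]
        if j["fatf"] == "black":
            add(3, f"{k}: FATF high-risk jurisdiction")
        elif j["fatf"] == "grey":
            add(2, f"{k}: FATF increased-monitoring list")
        if j["cpi"] < 40:
            add(1, f"{k}: CPI {j['cpi']} below assumed threshold of 40")
    if c.residence_country != c.home_country:
        add(1, "non-resident customer")
    # Customer factors (weights assumed).
    for attr, w, why in [
        ("is_pep", 3, "politically exposed person"),
        ("prior_sar", 3, "prior suspicious activity report"),
        ("prior_fraud_attempt", 2, "prior attempted fraud"),
        ("complex_ownership", 2, "complex ownership / opaque beneficial ownership"),
        ("via_intermediary", 1, "introduced via intermediary, no direct contact"),
        ("high_net_worth", 1, "high net worth individual"),
        ("power_of_attorney", 1, "account operated under power of attorney"),
    ]:
        if getattr(c, attr):
            add(w, why)
    if c.relationship_months < 6:
        add(1, "relationship under 6 months, behaviour profile not yet built up")
    # Product factors: the riskiest product held drives the product component.
    add(max((PRODUCT_SCORE[p] for p in c.products), default=0), "product risk")
    # Banding (thresholds assumed), with a floor of HIGH for PEPs and prior SARs.
    category = Risk.LOW if score <= 2 else Risk.MEDIUM if score <= 5 else Risk.HIGH
    if c.is_pep or c.prior_sar:
        category = max(category, Risk.HIGH)
    cdd, monitoring, review = {
        Risk.LOW: ("simplified", "standard", 36),
        Risk.MEDIUM: ("standard", "standard", 24),
        Risk.HIGH: ("enhanced", "enhanced", 12),
    }[category]
    return Assessment(category, score, reasons, cdd, monitoring, review)
```

The `reasons` list is the part a reviewer or supervisor will ask for: it is what the customer file records as the justification for the category, and it is what gets re-examined when the jurisdiction data is refreshed at the annual review. Note that the sanctions check runs before any scoring, since a prohibited relationship is not a matter of degree.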