Back in April 2004, Philip Robinson, Sector leader of the Financial Crime team at the UK’s Financial Services Authority (FSA), spoke at an industry conference and introduced the concept of the risk-based approach (RBA) to anti-money laundering. Much of the basis behind this was due to the FSA’s declared perception that a number of firms within the financial services sector “do anti-money laundering not because they understand and support its rationale, but simply because they are required to follow it, initially by law and now also by regulator. And many find it easiest to follow the JMLSG (Joint Money Laundering Steering Group) Guidance Notes, note by note, treating them as prescriptive obligations”.
The important factor one has to bear in mind when developing a RBA is to have a strong and consistent methodology. Often the best way to initiate a programme is to hold a workshop, with attendees from the various business units, compliance and AML unit – it is essential that these parties attend to ensure buy-in throughout the institution.
Once the RBA framework has been developed, then it is important to identify and assess the risks across the organisation, which would chiefly fall under the headings: clients or customer care, products, and jurisdictions From these headings we have to assess the risk impacts.
Taking for example jurisdictions, one would have to look at the country of residence of customers, the country of prime business of customers, the source of funds or destination of funds, and branch locations. One would also have to consider factors such as whether the jurisdiction is a member of FATF (Financial Action Task Force on Money Laundering) or the Egmont Group of Financial Intelligence Units, its Transparency International score, its IMF review status and AML regulations.
This will the enable the firm to come to a jurisdiction risk scoring for each country identified, and essentially score each jurisdiction leading to identification of high, medium and low risk jurisdictions that can be easily understood by the front line of business.
The second part of this process is identifying and assessing the firm’s mitigating controls. For example, one of the areas one would have to assess is transaction monitoring, the sophistication of the systems in place, their functionality and the data generated from the systems.
One could then map the risks to the controls to come to an overall risk-based assessment. For example, a firm may find that (using the example above) its jurisdiction risks are very high, and when assessing mitigating controls that there is no staff training on the subject, the transaction monitoring systems cannot identify jurisdictions and the risk is not covered within the firm’s policies and procedures. The result from a risk-based approach would be that the risks greatly outweigh the mitigating controls. The firm would therefore have to make adjustments to their mitigating controls to balance out the risk.
Of course the opposite could equally apply in that the firm may have little or no exposure to high risk jurisdictions; however, sophisticated transaction monitoring systems are employed, staff training covers dealing with high risk jurisdictions, and the procedure manual covers dealing with high risk jurisdiction.
In this simplified case, clearly the mitigating controls greatly outweigh the risks, so the firm could perhaps relax some of its controls, or make a planned decision to increase its risk appetite.
The risk-based approach is being adopted by many firms within the financial services industry, and clearly the regulator believes that with the restricted resources of many compliance and AML functions within financial services institutions, their resources can be better deployed, rather than trying to cover every potential issue.
In conclusion, a well considered risk-based approach can actually enhance the competitive advantage of a firm, for example in the area of “know your client” when attracting new clients. Firms which continue to pursue a blanket approach to AML will undoubtedly start to suffer as new clients find that starting a relationship elsewhere is much slicker, easier and customer friendly. We predict that customer identification will be the first such battleground, but as RBAs become more complex, further differentials will arise.
Ali Al-Shabibi is a partner, business risk services, Ernst & Young Dubai. He can be contacted at
[email protected]
. Ernst & Young has a presence in 140 countries around the world, including the GCC and Levant, and offers services relating to audit, risk, tax and transactions.
Follow us on
