This article was reviewed by Emily Sachs, CAMS
Financial institutions are required by law to implement anti-money laundering (AML) processes to prevent criminals from using their products, services, and platforms to launder money.
While regulators have provided frameworks and guidance around the different components that an AML process should include — for example, Know Your Customer (KYC), Customer Due Diligence (CDD), and transaction monitoring — they have typically refrained from dictating specific measures that all institutions must follow. This provides financial institutions with a lot of flexibility in determining what AML should look like for their situation.
It also creates industry-wide variability, which has a knock-on effect of making the financial industry as a whole more resilient to money laundering threats. Because a bad actor can’t predict what AML procedures and systems a financial institution may have in place, someone who successfully launders money through one financial institution won’t necessarily be successful using those same strategies at another.
Instead of implementing a standard checklist of required processes, regulations advise financial institutions to take a risk-based approach to AML. But what exactly is a risk-based approach, and how do financial institutions go about putting one in place?
What is a risk-based approach to AML compliance?
A risk-based approach (RBA) is an AML process that is informed by a thorough and ongoing risk analysis typically consisting of two prongs: An internal AML risk assessment and a customer risk assessment.
Through an internal AML risk assessment, a financial institution is able to determine the extent to which the business is exposed to various types of money laundering risk. The institution is then able to craft an AML strategy that best aligns with those risks. Businesses typically conduct risk assessments any time their risk profile changes — for example, if they launch a new product or service, merge with another institution, or expand into a new geography.
A customer risk assessment, on the other hand, is designed to evaluate the AML risk posed by each individual customer. The institution can then determine what type of due diligence (standard, simplified, or enhanced) is required to onboard or retain that customer. By taking a risk-based approach, the institution is able to customize the account creation process based on the risk signals they identify during onboarding.
Why is it important to have a risk-based approach to AML?
The bespoke nature of the risk-based approach allows financial institutions to allocate their AML resources in a way that is commensurate with the findings of their risk assessment.
By embracing a risk-based approach to AML, financial institutions are forced to think critically about the different types and levels of money laundering risk that their business is exposed to vs. what types and levels they are willing to tolerate. This increases the internal awareness of those risks and ultimately allows for the implementation of a more nuanced AML strategy that is tailored to the unique strengths, weaknesses, and business opportunities of each institution.
Finally, it should be noted that the concept of risk-based AML originated with the Financial Action Task Force (FATF), which in 2012 called it an “essential foundation” of all anti-money laundering frameworks. The FATF also stated that the risk-based approach is a prerequisite to complying with the organization’s 40 Recommendations.
How to implement a risk-based approach to AML
1. Conduct an AML risk assessment
The first step in implementing a risk-based approach is to conduct an internal AML risk assessment. The purpose of this assessment is to identify the types of money laundering risk your business is subject to, as well as the extent of this exposure. Product risk, service risk, customer risk, and geographic risk should all be thoroughly evaluated.
In conducting your risk assessment, it’s important to consider the money laundering risk posed by a variety of factors, including:
- Your target customer
- The services and products you offer
- The industry you operate within
- The jurisdictions you operate within
- The jurisdictions where your customers are located
- Your average transaction volume
- Your average transaction size
- How you acquire customers
- How you distribute your products and services
- The number of customers you’ve already identified as high-risk
- The findings of internal and third-party or regulatory audits
Armed with the insights gleaned from your risk assessment, it is now possible to compile a list of all of the known money laundering risks your organization is currently exposed to — and prioritize these risks based on the severity of your exposure to each.
2. Determine customer risk
In addition to measuring your organization’s institutional money laundering risk, you must also measure the amount of risk posed by each individual customer that attempts to open an account. This can be achieved by crafting KYC, CDD, identity verification, and transaction monitoring processes that are specifically designed to quantify money laundering risk.
Some questions to consider when assessing customer risk include:
- What is the customer’s stated reason for opening an account?
- What industry does the customer work in?
- What is the customer’s nationality?
- In what jurisdiction is the customer located?
- Is the customer subject to sanctions?
- Is the customer a politically-exposed person (PEP)?
- Does the customer have a record of financial crime?
- What is the customer’s monthly or annual income, and how does this compare to their transaction volume?
3. Determine the best way to control for risk
Just as you wouldn’t try to fight all diseases with a single medication, you shouldn’t try to combat all money laundering risks with the same mitigation strategy. To be effective, risk mitigation must be tailored to the unique types of institutional and customer risk your organization is exposed to.
Therefore, once you have gone through the steps above, the next step is to determine the best means of controlling for each type of risk. Likewise, you must determine where these controls belong — for example, during customer onboarding vs. transaction monitoring vs. record-keeping and reporting, etc.
What does a risk-based approach look like in action?
Once you have conducted your risk assessments and prioritized each risk your business is subject to, the findings of your assessment should trickle down into all of your AML and anti-fraud measures, including:
Know Your Customer
What identity verification methods should you implement during customer onboarding so you will be able to accurately quantify and mitigate customer risk? The exact mix will vary from business to business but may include:
- Government ID verification
- Database verification
- Document verification
- Selfie verification
- Video verification
- Address verification
- Phone verification
Customer due diligence
Not every customer poses the same level of money laundering risk to your organization. So why should they all go through the same due diligence process? Consider the different data and signals that you can collect during customer onboarding to evaluate customer risk and tailor your due diligence to each customer in real time.
What does standard due diligence look like to your business? What about simplified due diligence and enhanced due diligence? Who qualifies for each of these flows?
AML screening checks
What supplemental reports or checks do you need to run during customer onboarding and in follow-up reviews to get a more comprehensive picture of customer risk and to ensure that you want to retain a customer? These may include:
Transaction monitoring
What solutions do you need to have in place to monitor customer transactions and other activity once they have been onboarded? What record-keeping and reporting policies are required to comply with the laws of the jurisdictions in which you operate and in which payments originate/are transmitted? What is the ideal ratio of automation vs. manual review for your business when suspicious activity is detected?
How Persona can help you embrace the risk-based approach
Here at Persona, we understand that no two businesses — and no two customers — have the same risk profile. With our fully-customizable suite of fintech identity solutions, you can tailor your onboarding flows to the realities of your business in order to follow the true spirit of the risk-based approach.
Implement the verification methods that best counter the specific risks your business is exposed to. Decide whether or not you need supplemental reports to enrich your AML and AML processes. Leverage progressive risk segmentation to serve different flows to different customers based on how much risk you detect in real time.
Interested in learning more? Start for free or get a demo today.