A risk-based approach means that the actions a financial institution takes to prevent money laundering and terrorist financing (ML/TF) reflect the level of ML/TF risk the institution actually faces. It is needed to allocate compliance resources where they matter most and to ensure that the risk control measures applied are sufficient but not excessive.
To apply a risk-based approach, the financial institution first has to identify and assess the ML/TF risks arising from its customers, the services and products it provides, its delivery channels and the geographic areas in which it operates. Only once the risks are properly identified can they be mitigated effectively, by implementing policies and procedures that correspond to the nature and level of each risk. The institution also has to assess the risk of each individual client before establishing a business relationship: knowing a client's ML/TF risk level determines the level of due diligence required.
A risk-based approach may be implemented through the following actions:
1. Performing an Entity-Wide Risk Assessment ("EWRA") and adjusting risk control measures according to the risks identified
The EWRA has to be performed at least yearly. It should also be performed when internal changes (such as changes in customers, products, services or technologies) or external triggers (such as changes in the market, changes in applicable legislation, or global or regional events) take place. In this process the customer, product and service, geographic, delivery channel and other risk categories are assessed.
Based on the risk levels established, the Compliance Officer or other responsible employee evaluates whether the existing control measures are sufficient and, if not, introduces additional controls. For example, if the company's geographic risk is high, because many clients make payments to high-risk territories, the business relationships and the transactions of those clients should be monitored more frequently. In practice this means allocating more staff to transaction monitoring and analysis, adjusting the automated monitoring systems to check transactions more frequently, and setting the monitoring criteria accordingly.
The EWRA, together with the detailed risk control measures, has to be clearly documented in an EWRA report that is presented to the Chief Executive Officer and the Management Board.
The Compliance Officer or other responsible employee then amends the policies, procedures and internal control rules in line with the shortcomings identified and the risk control measures required.
Additionally, ad hoc risk assessments should be performed from time to time, focusing on higher-risk areas and on the specific control measures implemented to address a given risk.
2. Assessing individual client risk
KYC ("Know Your Customer") specialists have to perform an individual risk assessment and build a risk profile for each client before a business relationship is established. When assessing the risk level of a particular client, they have to answer the following questions:
- Nature of the customer: Is the client a legal or a natural person? A politically exposed person ("PEP")? If a legal person, is its ownership and control structure complicated?
- Geography: How exposed is the client to money laundering, based on where the client resides and where its business is conducted?
- Activities: What kind of activities is the client involved in? Is the business cash-intensive or otherwise high risk? Could the client be exposed to money laundering threats such as narcotics, arms or sex trafficking?
- Products: Which of the company's products does the client intend to use, and what is the purpose of the business relationship?
- Regulations: Does the client meet all applicable regulatory obligations? Does it hold the required licences, and has it provided all relevant documents and information?
The risk profile of every client has to be reassessed regularly, at a frequency determined by the client's risk level: for example, low risk every two years, medium risk annually and high risk every six months.
3. Conducting CDD according to the risk level
According to the risk level of a particular client, the KYC specialist decides what level of due diligence is required: how much information has to be obtained from the client, how often and how closely the business relationship has to be monitored, and how often the client's risk level should be reassessed. If the risk level is unacceptable, the company should not establish a business relationship with the client.
4. Monitoring the client’s business relationship and transactions according to the risk level assigned
Financial institutions may use automated transaction monitoring systems, supplemented by manual checks where needed. Specific monitoring rules and threshold settings are set for each client segment according to the client's risk level, client type and the products used. This allows the institution to take a more analytical approach, improve the quality of transaction monitoring and reduce false positives.
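The procedure in steps 2 to 4 can be expressed as a small scoring and monitoring pipeline. The following Python is an added example, not code from the original article or from any institution's system; the factor weights, score bands, segment thresholds, country codes, client records and transactions are all constructed assumptions for illustration. It scores each client against the questions above, maps the score to a risk level, looks up the CDD depth, reassessment interval and monitoring thresholds for that level, and runs segment-specific rules over the same set of transactions to show how the outcome differs between segments.

```python
"""Added example: a minimal risk-based AML pipeline (score -> level -> CDD
programme -> segment-specific monitoring). All weights, thresholds, country
codes and sample data are constructed assumptions, not values from the
article or any regulator."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Assumed weight per risk category; each category's raw score is weighted and summed.
WEIGHTS = {"customer": 3, "geography": 3, "activity": 2, "product": 1, "regulatory": 2}
HIGH_RISK_COUNTRIES = {"HR1", "HR2"}  # placeholder codes, constructed for the example


@dataclass
class Client:
    client_id: str
    legal_person: bool = False
    pep: bool = False                  # PEP, or legal person controlled by a PEP
    complex_structure: bool = False
    high_risk_jurisdiction: bool = False
    cash_intensive: bool = False
    licensed: bool = True              # required licences held, documents provided
    products: set = field(default_factory=set)


@dataclass
class Txn:
    client_id: str
    day: date
    amount: float
    dest_country: str


def score_client(c: Client) -> int:
    """Weighted sum of the factor scores; higher means higher ML/TF risk."""
    raw = {
        "customer": int(c.legal_person) + 3 * int(c.pep) + int(c.complex_structure),
        "geography": 2 * int(c.high_risk_jurisdiction),
        "activity": int(c.cash_intensive),
        "product": int("international_transfers" in c.products),
        "regulatory": int(not c.licensed),
    }
    return sum(WEIGHTS[k] * v for k, v in raw.items())


def risk_level(score: int) -> str:
    """Assumed score bands. A PEP alone scores 3 * 3 = 9 and lands in HIGH."""
    if score >= 14:
        return "UNACCEPTABLE"
    if score >= 9:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


# Per-segment programme: CDD depth, reassessment interval (the 24/12/6-month
# cadence from the text) and monitoring thresholds (assumed values).
PROGRAMME = {
    "LOW":    {"cdd": "simplified", "review_months": 24, "amount_threshold": 15000.0, "max_daily_count": 10},
    "MEDIUM": {"cdd": "standard",   "review_months": 12, "amount_threshold": 10000.0, "max_daily_count": 5},
    "HIGH":   {"cdd": "enhanced",   "review_months": 6,  "amount_threshold": 3000.0,  "max_daily_count": 3},
}


def monitor(client: Client, txns: list) -> list:
    """Apply the client's segment rules; returns a list of (rule, detail) alerts."""
    level = risk_level(score_client(client))
    if level == "UNACCEPTABLE":
        return [("DECLINE_RELATIONSHIP", client.client_id)]
    rules = PROGRAMME[level]
    alerts, per_day = [], defaultdict(list)
    for t in txns:
        per_day[t.day].append(t)
        if t.amount >= rules["amount_threshold"]:
            alerts.append(("AMOUNT_ABOVE_THRESHOLD", f"{t.day} {t.amount:.2f}"))
        if t.dest_country in HIGH_RISK_COUNTRIES:
            alerts.append(("HIGH_RISK_DESTINATION", f"{t.day} {t.dest_country}"))
    for day, day_txns in sorted(per_day.items()):
        if len(day_txns) > rules["max_daily_count"]:
            alerts.append(("DAILY_COUNT_EXCEEDED", f"{day} {len(day_txns)}"))
        # Structuring: several payments kept just under the segment's own threshold on one day.
        near = [t for t in day_txns if 0.8 * rules["amount_threshold"] <= t.amount < rules["amount_threshold"]]
        if len(near) >= 3:
            alerts.append(("POSSIBLE_STRUCTURING", f"{day} {len(near)} near-threshold payments"))
    return alerts


# Constructed sample clients and transactions.
ALICE = Client("alice")                                                   # natural person, domestic
BOB = Client("bob", legal_person=True, cash_intensive=True)              # cash-intensive company
CAROL = Client("carol", pep=True, products={"international_transfers"})  # PEP making cross-border payments
DAVE = Client("dave", legal_person=True, pep=True, complex_structure=True,
              high_risk_jurisdiction=True, licensed=False)               # should be declined


def sample_txns(client_id: str) -> list:
    d1, d2 = date(2024, 3, 4), date(2024, 3, 5)
    return [Txn(client_id, d1, 2500.0, "DE"), Txn(client_id, d1, 2700.0, "DE"),
            Txn(client_id, d1, 2900.0, "DE"), Txn(client_id, d2, 5000.0, "HR1")]


if __name__ == "__main__":
    for c in (ALICE, BOB, CAROL, DAVE):
        lvl = risk_level(score_client(c))
        print(c.client_id, score_client(c), lvl, PROGRAMME.get(lvl, {}).get("cdd", "decline"))
        for rule, detail in monitor(c, sample_txns(c.client_id)):
            print("   ", rule, detail)
```

Running the block prints, for each sample client, the score, the risk level and the CDD tier, followed by the alerts raised. The same four payments produce only a high-risk-destination alert for the low-risk client, but an amount alert, a destination alert and a structuring alert for the PEP, while the unlicensed, complex-structure client is declined outright. The structuring rule deliberately keys off the segment's own threshold: a single institution-wide threshold would miss payments tuned to sit just beneath the limit that applies to a particular segment.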