When firms identify the level of risk associated with their clients, they must thoroughly assess those risks and mitigate them. According to the Financial Action Task Force (FATF), the assessment of risk goes beyond the collection of quantitative and qualitative information; it forms the basis for effective risk mitigation and should be updated regularly.
Clients can therefore only be categorised into high, medium, and low levels of risk once a comprehensive risk assessment has been completed. Part of this mitigation process involves adopting an appropriate framework that specifies the controls needed to mitigate the risks effectively. Many firms struggle to identify deficiencies within their client Anti-Money Laundering (AML) risk rating methodologies, which can lead to inefficiencies and increased risk.
Rule-based vs. risk-based approach
One reason why many firms struggle to identify deficiencies within their AML risk rating methodologies may be that several accountable institutions founded their risk management and compliance programmes (RMCP) on a rule-based rather than a risk-based approach. This implies that their focus is on compliance rather than on understanding and identifying the risks linked to their business and placing their clients within the overall context of those business risks.
A rule-based approach applies exactly the same set of standards to all clients, which is almost a tick-box exercise. When a risk-based approach is followed, the business can focus on its high-risk clients instead of applying the same standard of customer due diligence across the entire client base. Hence, under a risk-based approach, the time-consuming effort spent performing due diligence on low-risk clients can be reduced and redirected to high-risk clients. This can support business development substantially, because the on-boarding process for low-risk clients becomes much more efficient. The basis of an effective RMCP is therefore a sound financial crime risk assessment supported by a robust risk-based approach to compliance.
Changing regulatory landscape
One of the major challenges faced by regulated firms is keeping abreast of the ever-changing regulatory regime. With an increasing number of regulatory bodies and a shifting regulatory landscape, compliance managers find themselves in the firing line more often. Risk and compliance functions are under pressure to be fully versed in all regulatory requirements relevant to their operations in order to remain compliant with all applicable regulations and laws.
A firm’s customer risk rating (CRR) methodology must also be flexible enough to incorporate new regulatory requirements such as the Environmental, Social and Governance (ESG) agenda, which is becoming more prominent. There is an increased expectation that ESG risks be considered as an integral part of the CRR, in addition to financial crime compliance risks. This calls for a redesign of the CRR to include ESG risks and to influence the entire approach to customer on-boarding and ongoing management throughout the Client Lifecycle Management (CLM) process.
In our experience, some deficiencies could include:
· Firms not fully understanding the significant impact of new regulations on their CRR methodologies.
· The risk of not identifying clients who fall outside of the firm’s risk appetite or who should be categorised as high risk.
· Attributing an incorrect AML risk rating to a client due to inaccurate risk scoring calculations.
· Insufficient application of all the risk factors in the CRR model, including risks associated with reliance on third-party Know Your Customer (KYC) vetting.
· Deficient or untested risk weightings for the identified risk factors.
· Application of deficient CRR methodologies.
Lysis Group can assist firms in designing, testing, calibrating and implementing effective CRR methodologies that consider all applicable risk factors, including ESG risks, proportionate to the firm’s profile, coverage and business model. Lysis can therefore support firms with:
· Review and redesign of the CRR methodology.
· Operational enforcement of ESG requirements, such as those that will be required as part of the KYC process.
· Review of Customer Risk Rating methodologies to encompass any new regulatory requirements.
· Automation of processes proportionate to the firm’s profile, coverage, and business model, driving efficiencies.
· Conducting an impact assessment: testing the new model to confirm it has the intended effect on the risk profile of the firm’s client base.
· Documentation of processes.
· Implementation and testing of the CRR model in the firm’s business-as-usual environment.