A Risk-Based Approach to Financial Crime Mitigation
(Part 2) Managing Risk Categories – Building Out Financial Crime Mitigation for the Enterprise
In the first blog in this series, highlighting the Temenos Financial Crime Mitigation (FCM) Cookbook, we looked at the various risk assessments banks and FIs have to take seriously if their Risk-Based Approaches (RBA) to FCM are to succeed.
The last two FATF revisions in 2010 and 2012 provided guidelines that are more “workable” for FIs and form the basis for national legislation. The RBA now consists of two distinct pillars:
- FATF 2012 names a long list of predicate offences, which impose greater obligations on banks to implement monitoring systems that detect proceeds possibly linked to these offences. Therefore, the questions to answer are: “Are we vulnerable to any of these offences? If yes, what is the magnitude of the vulnerability?”
- 2) Clearly understand regulatory expectations; the fear of regulatory failures can lead to a disproportionate interpretation of the requirements and, in the end, increase the regulatory risk. Accurate understanding is therefore key.
- Categorise ML/TF risks, sub-divided into customer, country, products & services, industries and channel risks.
- Control and culture; a firm’s inadvertent ML risk can create an environment that allows or promotes money laundering. This includes the potential lack of a sound culture of compliance within an FI. The questions to answer are: “Are there any gaps in our controls that can be exploited by criminals? Do our controls promote an environment where money laundering can slip through?”
Being risk averse and cautious is a viable strategy. However, the fear of regulatory failures can lead to a disproportionate interpretation of the requirements and, in the end, increase the regulatory risk. The sum of the risks within the four clusters equals the inherent risk of an FI before risk mitigation measures and control effectiveness are applied. The remaining residual risk, which FIs manage with a set of strategic and tactical measures, mirrors the FI’s risk appetite.
Generally, there is no “one-size-fits-all” RBA for all FIs, as business models and associated ML/TF risks vary greatly. However, of the many ways to assess risks, the conventional or standard ML risk assessment is the most commonly used approach. This model highlights the variety of recommended controls to mitigate risks in order to reduce the residual risk until it matches the FI’s risk appetite. Defining an FI’s RBA can be difficult. Hence, thinking in risk scenarios can help to identify the ML and TF risks of business lines, customers, products, services, industries and occupations or distribution channels.
The inherent risk represents the exposure of an FI to ML sanctions before risk mitigating controls and measures are applied. Each of the inherent risk categories includes sub-categories with inherent risk factors derived from regulatory guidance, expectations and leading industry best practices. These inherent risk factors can be a combination of qualitative and quantitative criteria (e.g., customer is a PEP, or the number of SARs filed). With the use of parameters and thresholds as well as statistical data, an FI can define and calibrate the risk factors and assign a weighting to each risk factor.
The rest of the FCM Cookbook goes into more detail about Conventional, Standard and other Risk Assessment methodologies as well as the inherent risk caused by the exposure of a Financial Institution before risk-mitigation measures are applied.
The Cookbook also examines in detail the various sub-categories of risk and the circumstances or factors which can add to the inherent risk, such as the purpose of the account (e.g. savings, foreign deposits, payable through account), actual or anticipated activity in the account, the nature of the customer’s business or occupation and other factors. To understand FCM in detail, this full Cookbook is essential reading.