Upload: lamthuan

Post on 26-Mar-2018

Page 1: Risk Based Approach Understanding & Implementationfiles.acams.org/pdfs/2016/Risk-Based_Approach... ·  · 2016-04-20Enhanced Due Diligence in the Risk-Based Approach ... process

Risk-Based Approach: Understanding and Implementation

Challenges between risk appetite and compliance

Prepared by: Karima Touil

Table of Contents

Executive summary

1. Background

1.2. Purpose and Scope

1.3. Understanding of RBA

2. Definition

2.1. Components of the Risk-Based Approach and Risk Profiling

2.2. Residual Risk Scoring

2.3. Risk-Based Approach vs. Risk Appetite

3. Implementation Process

3.1. Implementation Stages

3.2. Customer Onboarding Lifecycle in the Risk-Based Approach

3.3. Enhanced Due Diligence in the Risk-Based Approach

3.4. Internal Controls

3.5. Challenges Faced by the Financial Institution

4. Risk-Based Approach Compliance Review

4.1. Reviewer Expectations

4.2. Risk Assessment and Ongoing Update

Conclusion

References

Abbreviations and Acronyms

Appendix 1 – High-Risk Business Activities - RBA

Appendix 2 - Customer Onboarding Lifecycle in the Risk-Based Approach

Appendix 3 - Customer Risk Assessment Sample

Executive Summary

Amid today’s emerging risks and challenges, financial institutions, especially in the Middle East, are exposed to money laundering, terrorist financing and sanctions risks, which makes it necessary to adopt preventive measures within the financial institution to mitigate those risks. Regulators are more aware of the impact of money laundering and of the advancement and evolution of money laundering methods, and the nature and level of scrutiny they adopt has increased in parallel, to ensure that stringent regulations are complied with and to impose fines on any financial institution found to be in breach of anti-money laundering (AML) rules.

In a study conducted by Deloitte on the evolution of anti-money laundering/counter-terrorist financing (AML/CTF) risk management, the trend of fines (Figure 1) has increased, reaching record-breaking levels with the fines imposed on banks such as BNP Paribas, which was fined $8.9 billion for noncompliance with AML rules and sanctions breach.

Figure 1: Trend of fine and penalties 2003-2004 (Deloitte study on AML/CTF risk management evolutions)

These fines were an eye-opener for financial institutions, which are required to enhance their control measures to mitigate AML/CTF risks as set out by the relevant rules and regulations.

New technologies in the field may provide more advanced ways and features to implement a risk-based approach within financial institutions. This will help financial institutions to better monitor client and transactional behavior; in order to do so, the financial institution must have a good understanding of the requirements for implementing such tools.

1. Background

The aim of this paper is to share with AML professionals the experience of one of the leading banks in the United Arab Emirates (UAE) in implementing customer risk assessment.

This paper will take readers through the steps that were followed in implementing the risk-based approach during the initial onboarding phase in all banking groups, the various challenges faced during and after implementation, and the point of view of audit in terms of the requirements and the approach.

1.2. Purpose and Scope

The purpose of this paper is to highlight the steps of developing and implementing a risk-based approach in a financial institution, including sharing the expectations of regulators and auditors.

The target audience is mainly AML professionals who would like to implement the RBA in financial institutions or who have already integrated a similar approach.

1.3. Understanding of RBA

The term “risk” can be defined as a “combination of the likelihood of an adverse event (hazard, harm) occurring, and of the potential magnitude of the damage caused” (the incident itself, the number of people affected and the severity of the damage for each).1 Considering the aforementioned factors, financial institutions should understand that the risk-based approach is a quantitative methodology that will not eliminate the risk; however, it will enable the understanding of risks with the aim of mitigating the impact, which requires identification of risk factors, classification and scoring.

2. Definition: What is a risk-based approach?

In 2007, the Financial Action Task Force (FATF) introduced guidance called “Risk-Based Approach to Combating Money Laundering and Terrorist Financing” outlining the importance of implementing the risk-based approach as part of the AML program in banking and other industries.

The aim of the FATF guidance was to emphasize identifying the risk-based approach framework and the applicable principles that can be considered by a country in parallel with the local authorities and financial intelligence units (FIUs).

In addition to the series of RBA guidance targeting different sectors such as dealers in precious metals and stones, trust and company service providers (TCSPs), accountants, real estate agents and other banking products such as prepaid cards, mobile payments and Internet-based payment services as well as virtual currencies, the revised FATF 40 Recommendations in 2012 stressed the following on assessing and identifying risks: “countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and combating the financing of terrorism (AML/CFT) regime and the implementation of risk based measures throughout the FATF Recommendations.”2

FATF is one of the advisory bodies that highlight best practices and international standards with the aim of guiding financial institutions in combating money laundering and terrorist financing. The risk-based approach has also been recommended and guided by regulatory bodies such as European Union (EU) directives, the Financial Conduct Authority (FCA), the Dubai Financial Services Authority (DFSA) and others.

According to FATF guidance published in October 2014, “RBA to AML/CFT means that countries, competent authorities and financial institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.”3

The FATF revised recommendations also recommend implementing the RBA, stating that “By adopting a risk-based approach, competent authorities and financial institutions are able to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate to the risks identified.”4

The risk-based approach was also reflected earlier by the Wolfsberg Group in its 2006 guidance, specifically in terms of clients’ risk assessment and the types of risk a financial institution should consider when implementing such an approach, stressing the basis of a reasonably designed risk-based approach.5 However, it has been clearly highlighted that there was no universally agreed and accepted methodology that prescribes the nature and extent of a risk-based approach, leaving the financial institution to decide on the methodology it wants to use based on the analysis of the risk and the risk management framework.

All advisory bodies have agreed on the context of the risk-based approach as a methodology to assess and measure risks and provide quantitative results that assist the decision-making process regarding the level of risk or threat. By using this method, the risk mitigation plan can be set by implementing controls to mitigate these risks and establish the risk levels for the ongoing due diligence on customers.

1 “Introducing a Risk-Based Approach to Regulate Businesses,” World Bank Group, 2014, http://www-wds.worldbank.org/external/default/WDSContentServer/WDSP/IB/2014/09/18/000333037_20140918121617/Rendered/PDF/907540BRI0Box30d0approach0Sept02013.pdf

2 FATF revised 40 recommendations 2012, Recommendation No. 1 Assessing risks & applying a risk-based approach

2.1. Components of the risk-based approach and risk profiling:

The revised FATF Recommendation 1 advises on how to identify and assess ML/TF risks and ensure that the measures determined to prevent or mitigate them are adequate to the defined risks and the regulatory environment. It states that “Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively.”

3 FATF Guidance, Risk-Based Approach Guidance for the Banking Sector

4 FATF, June 2007, Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing

5 The Wolfsberg Group, 2006, Wolfsberg risk based approach guidance.

It is essential to understand that there is no blueprint that lays out the implementation of the risk-based approach in the financial institution; however, FATF Recommendation 1 can be considered the groundwork for implementing the risk-based approach:

Figure 2 – Risk-based approach implementation groundwork6

• Identify: identify the risk factors
• Assess: assess the level of risk
• Understand: understand the impact of the risk
• Take action: mitigation plan

The main question that comes across during the process is:

What are the main components which drive a risk assessment by the financial institution?

During the initial onboarding process, or at the know your customer (KYC) level, the main indicators that constitute any money laundering or terrorist financing risk are the nature of the customer (potential client), customer background, industry or business activities and the products and services provided by the financial institution. These components will assist in determining the level of risk, which can range from high to low depending on the gravity or the threat attributed to any of these components.

The Wolfsberg risk-based approach guidance has provided insight on the approach by identifying the components that can assist in measuring the risk. Industry risk relates to the business activities in which the customer is involved. “Money laundering risks may be measured using various categories, which may be modified by risk variables. The most commonly used risk criteria are: country risk, customer risk and services risk.”7

Based on Wolfsberg’s guidance on a risk-based approach, the risk factors or indicators that allow the level of risk to be assessed and measured can be summarized in the following diagram:

6 FATF recommendations, Recommendation No. 1, 2012

7 Wolfsberg Statement, Guidance on a Risk Based Approach for Managing Money Laundering Risks, 2006

Figure 3 – Risk-Based Approach: Risk Factors

Categories: Customer, Country, Industry, Products & Services

• Nature of business activities
• Related activities
• Type of account and/or facility
• Account currency
• Previous banking relationship
• Country of residence
• Country of incorporation
• Customer background
• AML system check
• Political affiliations if (PEPs)…

Identifying these risk factors will assist in defining the weightage (weighted risk level) by listing each component and attributing a rating that will allow the risk rating.

In order to define the customer risk, the financial institution should understand the nature of the customer, which should be defined based on its vulnerability to money laundering and terrorist financing (e.g., the AML/CTF risk would be higher for nonresident customers than for residents).

Identifying the risk level of the financial institution’s customers can be challenging in countries where there is no clear definition of high-risk customers or activities. However, there are international organizations that have advised on the types of customers susceptible to being used by money launderers and terrorist financiers, such as the FATF recommendations, the Wolfsberg principles, the EU Third Directive,8 and the BSA/AML risk assessment guidance,9 which can be adopted as best practices.

These customers can be classified by their link to money laundering, by whether the structure or nature of the entity or relationship makes it difficult to identify the underlying beneficial owners, and by their vulnerability to the risk of money laundering and terrorist financing; examples are money services businesses, PEPs, cash-intensive businesses, trusts, gatekeepers (lawyers, accountants), offshore companies, charities/NGOs, and others. It is challenging to identify high-risk customers based on all the facts and circumstances, including the question of whether the industry they are in is susceptible to money laundering and terrorist financing. Therefore a thorough understanding of all the risks associated with the customers should be obtained prior to assigning a risk rating.

8 https://eiopa.europa.eu/Publications/Reports/JC_2011_096__AMLTF_2011_05_-_UBO_Report_.pdf

9 http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_005.htm

On the other hand, the country risk can be identified based on several aspects, such as:

• Countries not having adequate AML/CTF systems
• Countries subject to sanctions or embargoes issued by the U.N., EU and OFAC
• Countries having significant levels of corruption or other criminal activities such as narcotics, arms dealing, human trafficking, illicit diamond trading, etc.
• Countries identified to support terrorist activities, or that have designated terrorist organizations operating within their country

High-risk countries have been identified similarly by many regulatory and advisory bodies based on certain characteristics as stated above, which can assist in understanding the level of risk, such as the level of stability and corruption, and terrorist and criminal activity.

Similarly, some organizations have developed country risk rating indexes or tools which can be used during the implementation of the risk-based approach, such as AML & Sanction Atlas™ - Country Risk Ratings10 and the Basel AML Index.11

On the other hand, the industry risk, as part of the risk-based approach and CIP, will allow the bank to measure the level of risk posed by the customers’ business activities and enable the bank staff to understand the regulatory and sanctions risk involved in dealing with a high-risk industry.

The customer business activities risk, which has been identified by the Central Bank of the UAE in Circular No 2922/2008 and by international advisory bodies such as FATF, the Wolfsberg principles, etc., can be utilized to set the risk grading, which has been identified based on the following criteria:

• Vulnerability to money laundering and terrorist financing
• Activities prohibited or restricted by sanctions and embargo regimes imposed by the U.N., EU and OFAC
• Legitimate businesses that can be exposed to financial crimes such as tax evasion, corruption, human and drug trafficking, arms dealing, etc.

10 promontorycs.com/images/products/ingrid/amlpop.pdf

11 http://index.baselgovernance.org/index/home

FATF’s 40 Recommendations and other advisory bodies have defined the businesses that are vulnerable to money laundering and terrorist financing; these can be legitimate businesses that money launderers and terrorist financiers use as a means to conceal illegal activities.

I have gathered a list of these businesses in Appendix 1, in order to provide more insight on which businesses are considered high risk.

As far as products and services are concerned, the risk attributes can be identified based on their vulnerability to money laundering and terrorist financing.

Products/services that allow unlimited third-party transactions (such as demand deposit accounts), those that operate with limited transparency, Internet banking, call accounts, and those that may involve significant international transactions, such as correspondent banking, private banking, e-banking and politically exposed persons (PEPs), can be determined as high risk and require further scrutiny compared to other banking products where the risk can be mitigated easily.

Once the categories are defined, the next step is to develop a risk assessment by calculating each risk factor based on the level of impact and threat attributed, giving the weightage and risk scoring that will enable the classification of risk.

2.2. Residual Risk Scoring:

The risk rating should be attributed in a numerical format. The financial institution can choose a range from 1 to 5, with 1 being the lowest and 5 being the highest, or it can choose percentages and use the weighted average to determine the level of risk, as depicted in the example below:

| Percentage | 100% | 80% | 60% | 40% | 20% |
|---|---|---|---|---|---|
| Risk scoring | 5 | 4 | 3 | 2 | 1 |
| Risk level | Very High | High | Medium | Medium Low | Low |

The weight assigned to each of the input categories (individually or in combination) to ascertain the overall risk rating of each client is judgmental and based on the risk factors stated earlier.

This rating will also determine the level of due diligence and the mitigation process that the financial institution can adopt to mitigate the compliance risk.

2.3. Risk-Based Approach vs. Risk Appetite:

Developing a risk-conscious environment can be challenging; however, the financial institution’s ability to balance its strategic objectives against the amount of risk it is willing to take on in pursuit of value and profit is also challenging, and dynamic.

A financial institution that tends to take adverse risk should demonstrate a high level of scrutiny and enhanced due diligence (EDD) tools that will allow compliance with AML/CTF obligations. However, this can increase the cost of compliance and regulator concerns about the level of compliance.

3. Implementation process:

During the implementation process, it is important for the financial institution to plan the process so as to eliminate gaps that can lead to negative observations from the regulators.

3.1. Implementation stages:

The first step is the base of implementing RBA and should cover all aspects by identifying the risk factors and setting up risk scoring. While this stage can become more critical during the implementation phase, utilizing an automated tool can ease the task, assist in the creation of workflows and allow the integration of RBA with the financial institution’s customer onboarding process. However, the implementation and rollout timelines may vary depending on the processes, core systems and size of the financial institution.

Stage 1: Identify risks and risk rating

Stage 2: Integrating with KYC process

Stage 3: Training and awareness

Stage 4: Ongoing due diligence

Stage 5: Continuous update

3.2. Customer onboarding lifecycle in the risk-based approach:

This process may vary by institution; however, the basics are similar. In addition to ticking the boxes and following the usual process from the KYC, CIP and CAP, another attribute will be added to risk score the customer. Based on the score, the mitigation plan will be set, and EDD will depend on the nature of the risks and may range from additional questionnaires, undertakings and declarations to UBO verification. The same has been described in Appendix 2.

3.3. Enhanced Due Diligence in the Risk Based Approach:

EDD can be accomplished in several forms, such as questionnaires, additional search tools, and other required documentation, depending on the processes and controls as well as the scoring.

The financial institution’s awareness of the risk should justify the approval provided in the initial onboarding. In the example provided below, the approval matrix maps each level of risk to an authority level that will provide approval based upon justification and the EDD controls in the financial institution:

Risk scoring: 5, 4, 3, 2, 1

Risk level: Very High, High, Medium, Medium Low, Low

Due diligence level: EDD, Simplified due diligence, CDD

Approval: AML committee, MLRO, Unit head, Relationship manager/officer

EDD based on risk rating score:

| Due diligence level | Description of the financial institution EDD process |
|---|---|
| CDD | In the instance of low-risk scoring, the financial institution will adopt the regular KYC procedures. |
| Simplified due diligence | Simplified due diligence will assist the financial institution to justify and satisfy the risk component by requesting further information. |
| EDD | EDD in a high-risk instance should be conducted through a thorough search on the potential customer, whether in Google or other search engines, and questionnaires designed for individuals and entities and even PEPs. |

3.4. Internal controls:

Financial institutions should set up processes and controls that will better guide business units, to ensure adherence to and a better understanding of the financial institution’s AML program.

These controls can be in the form of policies or standard operating procedures, can be systematic in the AML system, or can take other forms if none of the previous can be implemented.

3.5. Challenges faced by the financial institution:

There are several challenges that the financial institution may face during the implementation process that may delay or prevent an assessor from attributing the correct risk scoring and from successfully mitigating the risk:

• The risk indicators assessment should be based on appropriate risk considerations, and the methodology should be properly documented.
• Attributing insufficient weight without considering other factors.
• Using waivers on certain types of customers or products can put the financial institution at risk.
• Not considering the UBO in the risk scoring.
• Inability to properly risk score products and services.

4. Risk-based approach compliance review:

Reviewing the risk-based approach can be as important as the implementation itself. The review will study all components and the actions taken by the financial institution, from senior management to IT.

4.1. Reviewer expectations:

From an audit point of view, the level of awareness and the ability to manage the risks are essential.

• The reviewer should be able to identify the logic of classifying the risk and the risk scoring.
• The ideal situation is for the financial institution to have narrative guidance on each risk factor describing the process and highlighting the decision-making process, all of which should be set and approved by senior management.
• Related policy should be drafted, including roles and responsibilities, and the training should be documented and kept.
• Adopting an automated risk-based approach process that has the capability of creating automated risk scoring and re-profiling, in addition to an account opening approval workflow. Currently almost all automated AML system providers, such as SAS, Oracle, Fenergo, NICE Actimize, EastNets…, have a built-in customer risk profiling provision with a similar approach.
• Ability to manage the risk model.

4.2. Risk Assessment and ongoing update

The risk scoring and level of risk is a manual process and should be updated regularly to avoid underrating the customer risk factors, which would negatively affect the KYC and due diligence process in the initial onboarding stage.

Financial institutions should take into consideration EDD and automation of the risk-based approach in order to have an MIS tool that will assist in understanding the rate of high-risk instances and in determining the required enhancements to current controls or training needs in certain areas.

5. Sample of Customer Risk Assessment Matrix:

The sample case in Appendix 3 illustrates all the points stressed in this white paper and will give readers an understanding of the process of the risk-based approach.

Conclusion

The risk-based approach (RBA) is considered by regulatory and advisory bodies an important element in the initial customer onboarding process, where any financial institution can establish a risk assessment strategy to assess and mitigate the risks involved in dealing with high-risk customers and the ongoing due diligence required.

Nevertheless, implementing such an approach involves a comprehensive analysis and profound knowledge of AML standards and KYC international norms and standards.

Although benchmarking the risk-based approach in the onboarding process in any financial service institution can be challenging, the implementation process, the requirement to measure the level of risk against the risk appetite that the financial institution is adopting, and the regulatory environment in the country all need to be considered in order to properly assess the risk associated with each and every customer.

References:

Financial Action Task Force - www.fatf-gafi.org

FATF 40 Recommendations

The World Bank - www.worldbank.org

International Monetary Fund - www.imf.org

The Wolfsberg Group - www.wolfsberg-principles.com

Transparency International - www.transparency.org

Financial Crimes Enforcement Network (FinCEN) - www.fincen.gov

AML-CFT risk management framework evolutions, Deloitte & Touche Financial Advisory Services Pte Ltd, 2015.

Other website resources:

www.baselgovernance.org

www.knowyourcountry.com

index.baselgovernance.org

Abbreviations and Acronyms:

AML Anti-Money Laundering

CTF Counter Terrorist Financing

CDD Customer Due Diligence

EU European Union

EDD Enhanced Due Diligence

FATF Financial Action Task Force.

FCA Financial Conduct Authority: statutory regulator of most financial services providers under the Financial Services and Markets Act 2000.

MSB Money Service Business

PEP Politically Exposed Person

RBA Risk based approach

Appendix 1 High Risk business Activities – Risk Based Approach

List of high-risk business activities that are considered to be potential sources of money laundering and criminal activities:

Appendix 2

Customer onboarding lifecycle in the risk based approach

Appendix 3 Customer Risk Assessment

Date: DD-MM-YY

Business Unit: Corporate Banking

Customer Introduced by: Head of Wealth Management

Relationship Manager: XBZ

Customer Name: XYZ General Trading Free Zone Company

| Risk Factors | Risk Description | Rating range | Description | Risk Rating |
|---|---|---|---|---|
| Customer type | Nature of the customer | 1 to 5 | General trading company dealing in export and import of Oil and Gas | 4 |
| AML screening result | AML screening result that in case of a match against SDN name or in relation to a financial crime | 1 to 5 | Customer being involved in Iran trading | 5 |
| Nationality / Country of incorporation | Country where the company is registered or incorporated | 1 to 5 | British Virgin Island | 4 |
| Country of residence | Country where the company is residing | 1 to 5 | United Arab Emirates | 1 |
| Business Activity | Type of business activities involved | 1 to 5 | Export and Import | 4 |
| UBO | Ultimate beneficial owner nationality | 1 to 5 | Iran | 4 |
| Partners (select the one from higher risk country) | Partner nationality | 1 to 5 | Iran | 4 |
| Financial Products & Services | Type of banking product (to be) used by the customer | 1 to 5 | LC facility | 3 |

Remarks:

Risk Scoring: 4

Approval Authority: MLRO

Due diligence level: EDD
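
The Appendix 3 sample recomputed as a weighted average on the section 2.2 scale, as an added example that is not part of the original paper. The factor keys, the equal default weights, the half-up rounding and the skewed weight set are assumptions made for illustration; the paper leaves the weighting to the institution's judgment.

```python
from dataclasses import dataclass

# Section 2.2 scale: rating -> (percentage, risk level).
SCALE = {
    5: (100, "Very High"),
    4: (80, "High"),
    3: (60, "Medium"),
    2: (40, "Medium Low"),
    1: (20, "Low"),
}

# Hypothetical keys for the eight Appendix 3 rows. All are mandatory: section
# 3.5 lists "not considering the UBO in the risk scoring" as a failure mode,
# so an unrated factor is rejected instead of being silently skipped.
REQUIRED_FACTORS = (
    "customer_type",
    "aml_screening",
    "country_of_incorporation",
    "country_of_residence",
    "business_activity",
    "ubo",
    "partners",
    "products_services",
)


@dataclass(frozen=True)
class Assessment:
    weighted_average: float
    rating: int        # 1..5 after rounding
    percentage: int    # the same rating on the percentage scale
    level: str
    drivers: tuple     # factors rated 4 or 5, highest first


def score_customer(ratings, weights=None):
    """Weighted-average risk score over the 1-to-5 factor ratings."""
    missing = [f for f in REQUIRED_FACTORS if f not in ratings]
    if missing:
        raise ValueError("unrated risk factors: " + ", ".join(missing))
    unknown = sorted(set(ratings) - set(REQUIRED_FACTORS))
    if unknown:
        raise ValueError("unknown risk factors: " + ", ".join(unknown))
    for factor, value in ratings.items():
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if not is_int or not 1 <= value <= 5:
            raise ValueError(f"{factor}: rating must be an integer from 1 to 5")

    # Assumption: equal weights unless the institution documents its own.
    if weights is None:
        weights = dict.fromkeys(REQUIRED_FACTORS, 1.0)
    if set(weights) != set(REQUIRED_FACTORS):
        raise ValueError("weights must cover exactly the rated factors")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every factor needs a positive weight")

    total = sum(weights.values())
    average = sum(ratings[f] * weights[f] for f in REQUIRED_FACTORS) / total
    # Assumption: round half up, so a borderline score lands on the higher level.
    rating = min(5, max(1, int(average + 0.5)))
    percentage, level = SCALE[rating]
    drivers = tuple(sorted((f for f in REQUIRED_FACTORS if ratings[f] >= 4),
                           key=lambda f: (-ratings[f], f)))
    return Assessment(average, rating, percentage, level, drivers)


# Ratings copied from the Appendix 3 sample table.
APPENDIX_3 = {
    "customer_type": 4,
    "aml_screening": 5,
    "country_of_incorporation": 4,
    "country_of_residence": 1,
    "business_activity": 4,
    "ubo": 4,
    "partners": 4,
    "products_services": 3,
}

# Constructed weight set: over-weighting the single low-rated factor pulls the
# same customer down one level, which is why a reviewer asks to see the
# weighting methodology documented.
SKEWED_WEIGHTS = dict.fromkeys(REQUIRED_FACTORS, 1.0)
SKEWED_WEIGHTS["country_of_residence"] = 5.0

if __name__ == "__main__":
    for label, weights in (("equal", None), ("skewed", SKEWED_WEIGHTS)):
        result = score_customer(APPENDIX_3, weights)
        print(label, round(result.weighted_average, 3), result.rating,
              f"{result.percentage}%", result.level, result.drivers[:1])
```

With equal weights the eight ratings average 3.625, which rounds to the risk scoring of 4 shown in the appendix.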