Risks change over time – there are changes to your customer base, your products and services, your business practices, and the law. In the digital age, it is vital businesses adapt to the changing landscape by integrating a risk-based approach (RBA). RBA means organisations, institutions, or authoritative bodies understanding the various money laundering and terrorist financing risks to which they are exposed and apply anti-money laundering (AML) and counter financing of terrorism (CFT) measures. This allows businesses to apply measures proportionate to the level of risk, ensuring the use of resources effectively to the extent that would ensure mitigation of these risks.
In response to the mounting concern over money laundering, global regulatory bodies like the Financial Action Task Force (FATF) and Asia/Pacific Group on Money Laundering (APG) have been established. The Task Force is responsible for examining the global ML procedures and trends for creating and evaluating the regulatory measures. The FATF currently comprises 37 member jurisdictions and two regional organisations, representing most major financial centres in all parts of the globe. APG consists of 41 member jurisdictions, focused on ensuring that its members effectively implement the international standards against ML/TF.
In Australia, the Australian Transaction Reports and Analysis Centre (AUSTRAC) is responsible for regulating financial institutions and their involvement with for money laundering and terrorism financing. In 2018, the Australian Government undertook a Royal Commission that investigated the misconduct within the banking, superannuation and financial services industry. Over the years since the findings of the Royal Commission, the Australian Government and regulators have been implementing the recommendations and taking a more active approach to enforcement. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 206 (AML/CTF Act) and AML/CTF Rules, many requirements for reporting entities are risk based and still not prioritised – resulting in non-compliance.
What is risk?
Risk is the chance of something happening and the degree of damage or loss that may result if it transpires.
What is risk management?
Risk management is the process of recognising risks and developing methods to both reduce and manage those risks. It is the identification, evaluation, and prioritisation of risks followed by applying resources to minimise, monitor, and control the probability or impact of unfortunate events.
In a risk management process, risks are assessed against the chance of them occurring (likelihood) and the amount of loss or damage (impact) that may result if they do happen.
Which risks do businesses need to manage?
Businesses face the risk of exploitation for money laundering, terrorism financing, and other serious crimes. These risks can be categorised as ML/TF risks.
Managing risk does not mean operating in a completely risk-free environment – this is not realistic. However, businesses must identify the opportunities of threats and then find the best ways to reduce and manage them. This should be in proportion to the company’s size, the possible risks, and the available resources. You can’t be 100% safe, but you can do everything possible to protect yourself and your customers.
Steps for Risk Management
Identifying and assessing the level of ML/TF risk is the first thing you must do because it determines what measures you need to include in your program. The ML/TF risk assessment enables you to develop an AML/CTF program with appropriate steps to protect your business or organisation from being exploited by criminals. Once a program is in place, you need to set controls to mitigate and manage these risks.
Understanding the four steps to help manage ML/TF and regulatory risks:
1. Identify risks
Identifying ML/TF risks is not the same for every business, customer, or transaction. You must consider the risks posed by each customer type, especially if some are politically exposed persons (PEPs), the products or services offered, the jurisdiction in which the business operates, and the delivery channel/methods (face-to-face or online).
2. Assess and Measure Risks
Once risks are identified, they need to be assessed and measured in terms of the chance (likelihood) it will occur and the severity or amount of loss or damage (impact) which may result if it does happen. The risk level associated with each event is a combination of the likelihood that the event will occur and its impact.
A risk matrix can be used to combine the likelihood and impact to obtain a risk score. The risk score may be used to aid decision-making and help decide what action to take given the overall risk.
3. Apply controls for risk management
Once the risks have been identified and assessed, the systems and controls in place need to be flexible and conditional – proportionate to the level of risk presented. To manage these risks, continual and periodic customer identification procedures should occur throughout every stage of the customer relationship. A multi-layered program is a proactive approach for Customer Due Diligence that involves controls like identity verification, document authentication, global screening and remediation.
Examples of risk reduction or controls could be:
- Denying onboarding customers who wish to transact with high-risk countries
- Setting up transaction amounts and frequency limits for high-risk products
- Set up different customer risk categories for enhanced customer due diligence
- Update and re-verify customer information on a regular and periodic basis
- Implement event-triggers to flag suspicious activity or a change in risk category
4. Monitor and review effectiveness
Risk assessment is a proactive process of regularly evaluating whether the set AML/CTF program is working correctly. If not, required improvements need to be figured out and put changes in place. This will help keep the program effective and meet the regulatory requirements. Monitoring is not limited to identifying, mitigating, or managing the risks posed by individual customers. Ongoing monitoring should also identify risk patterns across customers for mitigating and managing risks at a business level.
There is no ‘one-size-fits-all’ AML/CTF program. Each reporting entity is different and has its own unique set of ML/TF risks. You must develop a program that is tailored to meet your specific needs, risks and characteristics. This approach provides efficient and effective use of resources minimising compliance costs and burden on customers. With greater resilience to respond to new and emerging risks as ML/TF methods change, giving you the flexibility to decide how to meet your obligations and to develop stronger and/or additional controls when necessary.
Author Sara Singh Tak, Data Zoo Marketing Specialist
About Data Zoo
Our industry-leading KYC remediation solution is built with features to make proactive compliance easy. Experience unparalleled match rates through our unique data cleansing tool. Configure your matching logic and data processing workflow to meet different obligations. Verify over 100 records per second, with your file returned in 72 hours.