AML/CFT Risk Management at RE level

 

According to the paper 'Customer Due Diligence' published by the Basel Committee on Banking Supervision in 2001, the inadequacy or absence of KYC standards can subject banks to serious customer and counterparty risks, especially reputational, operational, legal and concentration risks. It is worth noting that all these risks are interrelated; however, any one of them can result in significant financial cost to banks (e.g. through the withdrawal of funds by depositors, the termination of inter-bank facilities, claims against the bank, investigation costs, asset seizures and freezes, and loan losses), as well as the need to divert considerable management time and energy to resolving the problems that arise.


Reputational risk poses a major threat to banks, since the nature of their business requires maintaining the confidence of depositors, creditors and the general marketplace. Reputational risk is defined as the potential that adverse publicity regarding a bank’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution. Banks are especially vulnerable to reputational risk because they can so easily become a vehicle for or a victim of illegal activities perpetrated by their customers. They need to protect themselves by means of continuous vigilance through an effective KYC programme. Assets under management, or held on a fiduciary basis, can pose particular reputational dangers.


Operational risk can be defined as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. Most operational risk in the KYC context relates to weaknesses in the implementation of banks’ programmes, ineffective control procedures and failure to practise due diligence. A public perception that a bank is not able to manage its operational risk effectively can disrupt or adversely affect the business of the bank.


Legal risk is the possibility that lawsuits, adverse judgements or contracts that turn out to be unenforceable can disrupt or adversely affect the operations or condition of a bank. Banks may become subject to lawsuits resulting from the failure to observe mandatory KYC standards or from the failure to practise due diligence. Consequently, banks can, for example, suffer fines, criminal liabilities and special penalties imposed by supervisors. Indeed, a court case involving a bank may have far greater cost implications for its business than just the legal costs. Banks will be unable to protect themselves effectively from such legal risks if they do not engage in due diligence in identifying their customers and understanding their business.


Supervisory concern about concentration risk mostly applies on the assets side of the balance sheet. As a common practice, supervisors not only require banks to have information systems to identify credit concentrations but most also set prudential limits to restrict banks’ exposures to single borrowers or groups of related borrowers. Without knowing precisely who the customers are, and their relationship with other customers, it will not be possible for a bank to measure its concentration risk. This is particularly relevant in the context of related counterparties and connected lending.


On the liabilities side, concentration risk is closely associated with funding risk, particularly the risk of early and sudden withdrawal of funds by large depositors, with potentially damaging consequences for the bank’s liquidity. Funding risk is more likely to be higher in the case of small banks and those that are less active in the wholesale markets than large banks. Analysing deposit concentrations requires banks to understand the characteristics of their depositors, including not only their identities but also the extent to which their actions may be linked with those of other depositors. It is essential that liabilities managers in small banks not only know but maintain a close relationship with large depositors, or they will run the risk of losing their funds at critical times.


Customers frequently have multiple accounts with the same bank, but in offices located in different countries. To effectively manage the reputational, compliance and legal risk arising from such accounts, banks should be able to aggregate and monitor significant balances and activity in these accounts on a fully consolidated worldwide basis, regardless of whether the accounts are held on balance sheet, off balance sheet, as assets under management, or on a fiduciary basis.


Both the Basel Committee and the Offshore Group of Banking Supervisors are fully convinced that effective KYC practices should be part of the risk management and internal control systems in all banks worldwide. National supervisors are responsible for ensuring that banks have minimum standards and internal controls that allow them to adequately know their customers. Voluntary codes of conduct issued by industry organisations or associations can be of considerable value in underpinning regulatory guidance, by giving practical advice to banks on operational matters. However, such codes cannot be regarded as a substitute for formal regulatory guidance.


From a risk management perspective, before about 2005, AML/CFT compliance shortcomings generally did not trigger substantive civil and criminal enforcement actions against banks. Over the last 10 years there has been an increasing emphasis on AML/CFT compliance, civil enforcement actions, civil penalties, and criminal prosecutions (deferred and not deferred). This change in emphasis and approach to enforcement of the relevant regulations resulted from governments viewing AML/CFT compliance as part of the jurisdiction’s national security infrastructure, rather than the earlier view of AML/CFT compliance as more of an internal bank matter. This shift in prominence and in risk management expectations has had substantial effects within jurisdictions as well as across global financial activity: for example, increasing compliance costs, new risk/reward calculations for financial relationships, and the resultant phenomenon of de-risking. It has affected several global banks, which have been subject to varying types of civil and criminal sanctions (financial penalties and remedial regulatory actions) and required to substantially enhance their AML/CFT programs. In addition, FATF’s new mutual evaluation standards, implemented in 2014, which include an effectiveness assessment, have increased pressure on emerging market jurisdictions to reassess and enhance portions of their own AML/CFT infrastructure and internal requirements.

As a result, governments and financial sector supervisors worldwide have increasingly emphasized the importance of a strong culture of AML/CFT compliance within their financial sector and its leadership, including the Board of Directors, senior management, middle management, and owners of banks, regardless of size, complexity, or region. This increasing emphasis and attention on compliance and on financial and criminal penalties (including potential individual liability for AML officers and others) has affected the cost of AML/CFT compliance and banks’ risk appetites. It has also had a direct follow-on effect on the provision of correspondent banking services (for example, de-risking).


Source: IFC

Risk Management is one of the components of KYC Policy, along with a) Customer Acceptance Policy; b) Customer Identification Procedures; and c) Monitoring of Transactions, for the purpose of AML/CFT compliance.

 

Some terms to remember

 

Risk Factors – Means variables that, either on their own or in combination, may increase or decrease the ML/TF/PF risk posed by an individual business relationship or occasional transaction.

 

Risk Management – The process that includes the recognition of ML/TF/PF risks, the assessment of these risks, and the development of methods to manage and mitigate the risks that have been identified.

Inherent Risk – The intrinsic risk of an event or circumstance that exists before the application of controls or mitigation measures.

Residual Risk – The level of risk that remains after the implementation of mitigation measures and controls.

Likelihood – The chance of the risk being present.

 

Customer identification and profiling, and their periodic updating, dealt with in earlier posts, form part and parcel of Risk Management. The RE starts with the relevant NRA report and the analysis of threat, vulnerability (ability to combat) and risk impact as applicable to the business segment in which it operates.

Further, banks should have appropriate ongoing risk management systems for identifying and applying enhanced CDD to PEPs, customers who are close relatives of PEPs, and accounts of which a PEP is the ultimate beneficial owner.

 

The five essential steps of a Risk Management Process are

  1. Identify the Risk
  2. Analyse the Risk
  3. Evaluate or Rank the Risk
  4. Treat the Risk
  5. Monitor and Review the Risk

These aspects are discussed in the same order below:


1. AML/CFT Risk Identification

 

A KYC risk rating system is a vital tool used by financial institutions to evaluate the level of money laundering risk associated with a particular customer. By assessing the relevant risk factors, institutions can detect high-risk customers and take appropriate measures to prevent fraudulent activities.

An RBA to AML/CFT means that countries, competent authorities and financial institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively. When assessing ML/TF risk, countries, competent authorities, and financial institutions should analyse and seek to understand how the ML/TF risks they identify affect them; the risk assessment therefore provides the basis for the risk-sensitive application of AML/CFT measures.

 The RBA is not a “zero failure” approach; there may be occasions where an institution has taken all reasonable measures to identify and mitigate AML/CFT risks, but it is still used for ML or TF purposes. 

An RBA does not exempt countries, competent authorities and financial institutions from mitigating ML/TF risks where these risks are assessed as low.

DEVELOPING A COMMON UNDERSTANDING OF THE RBA

The effectiveness of an RBA depends on a common understanding by competent authorities and banks of what the RBA entails, how it should be applied and how ML/TF risks should be addressed. In addition to a legal and regulatory framework that spells out the degree of discretion banks have in dealing with the risks they identify, it is important that competent authorities, and supervisors in particular, issue guidance to banks on how they expect them to meet their legal and regulatory AML/CFT obligations in a risk-sensitive way. Supporting ongoing and effective communication between competent authorities and banks is an essential prerequisite for the successful implementation of an RBA.

FATF’s RBA for banking business revolves around risk factors arising from parameters linked to Customer, Transaction, Products & Services, Channels and Jurisdictions.


2. Analyse the Risk

  

The inadequacy or absence of KYC standards can subject the Bank to serious customer and counterparty risks, especially reputational, operational, legal and concentration risks.

 

Reputational Risk is defined as “the potential that adverse publicity regarding the Bank’s business practices and associations, whether accurate or not, will cause a loss of confidence in the integrity of the institution”.

 

Operational Risk can be defined as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”.

 

Legal Risk is “the possibility that lawsuits, adverse judgments or contracts that turn out to be unenforceable can disrupt or adversely affect the operations or condition of the Bank”.

 

Concentration Risk although mostly applicable on the assets side of the balance sheet, may affect the liabilities side as it is also closely associated with funding risk, particularly the risk of early and sudden withdrawal of funds by large depositors, with potentially damaging consequences for the Bank’s liquidity.

According to the FATF Methodology, risk is a function of threat, vulnerability and consequences, assessed through a risk-based approach. Banks and financial institutions therefore need to guard against being used by criminal elements in any manner, and regulators, starting from the licensing of new institutions, need to guard carefully against misuse of the financial system and the laws of the country. The context of risk management at the firm level is set by the National Risk Assessment and the risk score applicable from the national point of view.

Risk management at entity level has to be examined in the light of the National Risk Assessment of the country in which the entity is domiciled, so MNCs will have to consider the NRAs of all countries where they have a presence. RBI has insisted on group-wide policies and cooperation to foster a culture of AML/CFT compliance without tipping off.

 

Sector-Specific Risk Factors in KYC Risk Rating

In the financial industry, KYC Risk Rating requires sector-specific considerations. Customizing KYC Risk Rating to address these factors ensures effective risk assessment, compliance, and security within the financial sector, promoting a robust risk-based approach. Different sectors have unique risk factors that demand specialized attention in the customer identification process:


  • Customer Risk Rating in Banking:
    • High Transaction Volume
    • Correspondent Banking
    • Politically Exposed Persons (PEPs)
  • Customer Risk Rating in the Insurance Sector:
    • Complex Ownership Structures
    • Policy Lapse Risk
    • High-Value Claims
  • Customer Risk Rating in Investment Funds:
    • Lack of Control over Fund Activities
    • Offshore Funds
    • Complex Investment Strategies
  • Customer Risk Rating in the Cryptocurrency Sector:
    • Anonymity and Pseudonymity
    • Rapid International Transactions
    • Lack of Regulatory Clarity

Each sectoral regulator brings out the relevant guidelines for the REs under it.

Sector Assessment

Supervisors can adopt the following methodology when assessing the overall sectoral risk. First, the supervisor will have to assess the likelihood (threats and vulnerabilities) that ML or TF can occur in a (sub)sector. Per sector the supervisor can rate several (inherent) risk factors: cash intensity of the sector, unknown/unclear sources of funds, manner of client contact, entities with operations in high-risk countries, client base (e.g., non-resident or high net worth clients, or corporate clients with complex structures), and amount of international business. Additionally, more objective factors can also be used, such as the size of the sector, turnover and number of entities. This rating does not take into account the control measures that individual entities have in place. The supervisors can rate the factors in the following way:

Second, the supervisor will have to rate the impact if in a (sub)sector ML or TF indeed occurs. There are different ‘levels’ of impact that have to be considered: the financial-economic and reputational impact on an entity, on the sector, on the supervisor, and on the country. This rating will be subjective as it is difficult to quantify this impact.

A risk assessment of several (sub)sectors that are obliged under the AML/CFT Law could result in a matrix as below. The matrix below is an example for several sectors. Such a matrix can be developed by all AML/CFT supervisors in a country, but a supervisor should at least make such a matrix for those sectors under its remit. Once such a matrix is developed, a supervisor can determine at a tactical level which sectors need more intense or frequent attention, which supervisory methods can be used to mitigate the risks and which resources need to be allocated. 

Besides supervisory methods such as onsite and offsite supervision, supervisors can also use communication as a tool to influence the behaviour of entities. By using the matrix, the supervisor can tailor its communication efforts, for instance by holding seminars for lower-risk sectors but direct or roundtable discussions for higher-risk sectors. Supervisory efforts can also be tailored by means of newsletters, communiqués or cooperation with the sector associations.



Needless to say, the sectors in the upper right quadrant will need more intense and frequent supervisory efforts, such as onsite visits, awareness raising and cooperation with associations. The sectors in the lower right quadrant, where the likelihood is higher but the impact low, can for instance be supervised with less intensity or at a lower frequency. The sectors in the upper left quadrant, where the likelihood is low but the impact high should ML/TF occur, can be supervised through offsite methods, and awareness can be raised through seminars. The sectors in the lower left quadrant can be supervised in a very light-touch (offsite) manner. An assessment of the ML/TF risks per (sub)sector should be reviewed and where necessary revised periodically.

The Interpretive Note to FATF Recommendation 26 states that supervisors should have access to all relevant information on the specific domestic and international risks associated with customers, products and services of the supervised entities. The frequency and intensity of AML/CFT supervision of financial institutions should be based on the ML/TF risks, and the policies, internal controls and procedures associated with the institution, as identified by the supervisor’s assessment of the institution’s risk profile, and on the ML/TF risks present in the country. Interpretive Note to Recommendation 28 similarly requires supervisors to take into account the ML/TF risk profile of DNFBPs when assessing AML/CFT compliance of DNFBPs. Supervisors should understand the risk present in a supervised entity. Based on this, supervisors should establish a risk profile of the entities under their supervision based on a risk rating methodology. For larger entities, a supervisor should make an individual risk profile. For smaller entities that are similar, supervisors can make a risk profile that applies to a group of similar entities.

 



The NRA comes out with a risk spectrum of all major segments susceptible to ML/FT threats. This, along with the sectoral risk assessment, forms the base for the RE-level risk assessment.

An AML risk scoring model depends heavily on the industry in which the company operates, the customer base it serves and the company’s appetite for risk:

  • Industry

Banks need to tailor the AML risk scoring model to reflect the risks relevant to account-based relationships, because other industries, such as insurance, cannot use the identical model.

  • Customer portfolio

The AML risk scoring methodology used for scoring retail customers cannot be applied to corporate customers/legal entities.

  • Risk Appetite

Imagine that the bank has been present in the country for many decades. It is likely to have a large proportion of low-risk customers, so it makes sense for it to have a lower risk appetite. Smaller institutions, however, tend to have a higher risk appetite, so that they can expand and survive in such an environment.



Risk appetite is the amount of risk an organization is willing to take on to achieve its goals, while risk tolerance is the maximum risk an organization is willing to take on for each type of risk.

Here are some things to consider about risk appetite and risk tolerance: 

• Risk appetite

This is a broad statement about the level of risk an organization is willing to accept. It's influenced by factors such as company culture, industry, and the organization's financial strength. Risk appetite can change over time, and it's important to periodically assess risks against risk criteria.

• Risk tolerance

This is the maximum risk an organization is willing to take on for each type of risk. Risk tolerance levels can be classified as risk-averse, conservative, or aggressive.

• Alignment

Risk appetite and tolerance should be aligned with an organization's goals and objectives.

• Setting risk appetite

In some organizations, the board of directors sets the risk appetite. The appropriate level depends on the nature of the work and the objectives being pursued.

• Risk appetite statement

A risk appetite statement should consider the perspectives of all stakeholders and address the implications of current practices and strategies. It should also define the acceptable level of uncertainty or volatility.


Risk Spectrum development

Risk – The likelihood of an event and its consequences. In the context of money laundering/terrorist financing (ML/TF), risk means:

• At the national level: threats and vulnerabilities presented by ML/TF that put at risk the integrity of India’s financial system and the safety and security of the country.

• At the reporting entity level: threats and vulnerabilities that put the reporting entity at risk of being used to facilitate ML/TF.


Threat – Person or group of people, an object, or an activity with the potential to cause harm. In the ML/TF context, a threat could be criminals, facilitators, their funds or even terrorist groups.

Vulnerability – Elements of a business that may be exploited by the threat or that may support or facilitate its activities. In the ML/TF context, vulnerabilities could be weak controls within a reporting entity, offering high risk products or services, etc.

Consequence – The impact or harm that ML/TF/PF may cause, such as the impact on reputation and imposition of regulatory sanctions. Impact: this refers to the seriousness of the damage that would occur if the ML/TF risk materialises (i.e., threats and vulnerabilities).

Risk Based Approach – An approach whereby competent authorities and firms identify, assess, and understand the ML/TF/PF risks to which they are exposed and take AML/CFT/CFP measures commensurate to the identified risks to mitigate them effectively.

Categorise  and Prioritise Risks

The second stage is the apportionment of identified risks into risk factor categories, usually five: business nature/size (customer, transaction), product/service, geographical locations, distribution channels/business practice, and customer base profile, and then rating them using a well-calibrated risk matrix (likelihood vis-à-vis potential impact). Some of the factors may be apportioned with vulnerabilities only or threats only, or both where reasonable. For example, geographic location and customer profile may reasonably be about threats since they are external factors, whereas product/service and business practice/delivery channels may be suited to vulnerabilities only since they are internal factors. Assess each category individually, considering the specific vulnerabilities and threats associated with it.

Detailed Analysis of The Risks

(a) Once a reporting entity has identified the risk, the next step of the risk assessment process entails a more detailed analysis of the data obtained during the identification stage to accurately assess ML/TF risk.

(b) This step involves evaluating data pertaining to the reporting entity’s activities (e.g., number of domestic and international transactions, types of customers, geographic locations of the reporting entity’s business area and customer transactions).

(c) This detailed analysis is ultimately important because within any type of product/service or category of customer there will be clients who pose varying levels of risk. This gives management a better understanding of the reporting entity’s risk profile in order to develop the appropriate policies, procedures, and processes to mitigate the overall risk.

(d) Additionally, institutions should undertake an impact analysis and develop a likelihood versus impact matrix to help determine the level of effort or monitoring required for the identified inherent risks.

(e) Institutions can also use a risk matrix as a method of assessing risk in order to identify the risk categories that are in the low-risk zone, those that carry somewhat higher, but still acceptable risk, and those that carry a high or unacceptable risk of money laundering and terrorism financing. In classifying the risk, an entity, considering its specificities, may also define additional levels of ML and TF risk. A risk matrix is not static; it changes as the circumstances of the entity change.


Once the risk factors in all five categories have been identified, it is time to create the risk spectrum for the available scenarios and determine their risk level.


3. Evaluate the Risk

AML risk scoring is a model used by financial and other institutions to assess the level of money laundering risk associated with a particular customer. By assessing the different factors, companies can identify high-risk customers and take appropriate measures to prevent fraudulent activities.

There is no single anti-money laundering (AML) risk scoring model or methodology that fits all organizations, because the business context differs across organizations: no ‘one size fits all’ approach works.

Assessing Products and Services Risk

 

(a) Entities should consider the potential ML/TF/PF risks associated with each of their specific products or services. An organisation will seek to identify its portfolio of product types and assign an inherent score to each, based on its general inherent characteristics and the degree of ML/TF/PF risk present.

(b) In undertaking this assessment, all products and services should be included in identification of their inherent risks, rationale, mitigation controls, scores, weights, and the residual risk. It is, therefore, important that specified parties can demonstrate how they bring different indicators to bear on a given scenario to reach an appropriate risk classification. Below are some of the factors to consider when doing product risk analysis. 

• Does the product enable third parties who are not known to the institution to make use of it?

• Does the product allow for third party payments?

• To what extent does the product provide anonymity to customers?

• To what extent is the usage of the product subject to parameters set by the entity e.g., value limits, duration limits, transaction limits, etc. or to what extent is the usage of the product subject to penalties when certain conditions are not adhered to?

• Does the usage of the product entail structured transactions such as periodic payments at fixed intervals, or does it facilitate an unstructured flow of funds?

• Does the firm understand the risks associated with its new or innovative products or services, in particular where these involve the use of new technologies or payment methods?

• The reporting entity should determine to what extent its products or services are cash intensive, e.g., in the case of microlenders.

Product Risk Example


Assess Delivery (Distribution) Channels Risk

 

(a) Examine the distribution channels, such as online platforms, branches, and third-party agents.

(b) Identify vulnerabilities related to data security, fraud prevention and compliance within each distribution channel.

(c) Since REs have various modes of transaction and distribution of their products and services, it is equally important to assess whether and to what extent do methods of delivery, such as non-face to face or the involvement of third parties, including intermediaries/agents could increase the inherent risk of ML/TF & PF.

(d) In conducting an institutional risk assessment, REs are required to list all the delivery channels, identify inherent risks, rationale, mitigation/controls, scores, weights used and the residual risk. Some factors to consider include:

• Is the product offered to prospective clients directly or through intermediaries?

• Any agents and or intermediaries the specified party might use and the nature of their relationship with the entity.

• Are prospective clients onboarded through direct interaction or through intermediaries/agents?

• Do clients transact by engaging with the institution directly or through intermediaries/agents?

• Where clients interact through intermediaries/agents, are the intermediaries/agents subject to licensing and/or other regulatory requirements?

• Whether the customer was physically present for identification purposes. If not, whether the firm:

    • considered if there is a risk that the customer may have sought to avoid face-to-face contact deliberately for reasons other than convenience or incapacity;

    • used a reliable form of non-face-to-face CDD; and

    • took steps to prevent impersonation or identity fraud.

Channel Risk Example



Assess Geographical Location Risk

 

(a) Entities should identify domestic and international geographic locations that may pose financial crime risks in their operations. Geographic location risks may also be assessed with respect to the location of customers, business division, line or branch, and may also include its subsidiaries, affiliates, and offices, both domestically and internationally. It is important to consider United Nations Security Council (UNSC) sanctions lists, political conditions, and national and international crime statistics from reputable organisations.

 

(b) Each case should be evaluated individually when assessing the risks associated with doing business, such as:

• Is the client domiciled in Botswana or in another country or does the client operate/do business in another country?

• Countries that are subject to international sanctions, embargoes or similar measures issued by credible organisations such as the UNSC and the Financial Action Task Force (FATF).

• Countries identified by credible organisations as lacking appropriate AML/CFT laws, regulations, and other measures.

• Any country identified by the FATF as having strategic AML/CFT deficiencies.

• Countries identified by credible sources as providing funding or support for terrorist activities or that have designated terrorist organizations operating within them.

• Countries identified by credible sources as having significant levels of corruption, source of narcotics, human trafficking and other criminal activities.

(c) A rural area where customers are known to the community could present a lesser risk compared to a large urban area where there are different classes of customers with various risks. However, this is not to imply that rural areas are inherently low risk; remote areas close to international borders may be prone to other risks such as drug trafficking and an influx of foreign currencies, and criminal elements may also choose to stay under the radar in a smaller or less economically active area.

(d) When undertaking this assessment, the institution is required to identify risks and explain the risk scoring allocated to each geographical area highlighted. The assessment should also indicate: Mitigation/ Controls, Scores (Risk Level), Weights used and the Residual Risk.

Jurisdictional Risk Example

1. FATF: Call for Action (Black List) / Increased Monitoring (Grey List) / Compliant

2. Transparency International Corruption Index

Each dimension of risk is attributed weights and scores, with consideration of both quantitative and qualitative factors.

Other Qualitative Risk Factors

(a) Entities should also assess additional risk factors that can have an impact on operational risks and contribute to an increasing or decreasing likelihood of breakdowns in key AML/CFT controls.

(b) Qualitative risk factors that directly or indirectly affect inherent risk factors may include:

• Significant strategy and operational changes.

• Structure of ownership/ business, e.g., presence of subsidiaries.

• National Risk Assessments.

If a reporting entity identifies situations that represent a high risk for ML/TF/PF activities, it should control these risks by implementing mitigation measures.

 

Weights and Scoring

(a) Due to the nature of each institution’s unique business activities, products and services (including transactions), client base and geographic footprint, a risk-based approach is used to calculate inherent risks. Each risk factor is usually assigned a score which reflects the associated level of risk. Each risk area may then be assigned a weight which reflects the level of importance in the overall risk calculation relative to other risk areas.

(b) The weight assigned to each of these risk categories (individually or in combination) in assessing the overall risk of potential money laundering may vary from one institution to another, depending on their respective circumstances. Consequently, an institution will have to make its own determination as to the risk weights and scores to assign to the different risk

Please also refer to Risk-based Approach to Customer Due Diligence, where the five components are analysed for differing levels of risk.

4. Treat the Risk

It is worth noting that all these risks are interrelated. Any one of them can result in significant financial cost to the Bank as well as the need to divert considerable management time and energy to resolve problems that arise.

Customers frequently have multiple accounts with the Bank, but in offices located at different places. To effectively manage the reputational, operational and legal risk arising from such accounts, the Bank shall aggregate and monitor significant balances and activity in these accounts on a fully consolidated basis, whether the accounts are held on balance sheet, off balance sheet, as assets under management or on a fiduciary basis. Branches should exercise ongoing due diligence with respect to the business relationship with every customer and closely examine their transactions to ensure that these are consistent with the Bank's knowledge of the customer, the customer's business and risk profile, and the source of funds / wealth.

The Board of Directors of the Bank shall ensure that an effective KYC/AML/CFT programme is put in place by establishing appropriate procedures and ensuring their effective implementation. It shall cover proper management oversight, systems and controls, segregation of duties, training of staff and other related matters.


The BCBS paper 'Sound management of risks related to money laundering and financing of terrorism', published in 2017, is discussed along with FATF guidelines, in which the three lines of defence proposed are:

1. The front office, the customer-facing activity of the Business Unit, working under Policies and Procedures approved by the bank's Board;

2. The Principal Officer responsible for Compliance and Training; and

3. Independent audit.


 

Risk Mitigation

(a) The reporting entity must develop and implement policies and procedures to mitigate the ML/TF/PF risks it has identified through its institutional risk assessment. The mitigation measures should include:

• Internal policies, procedures and controls to fulfil obligations under the FI Act.

• Adequate screening procedures to ensure high standards when hiring employees.

• Ongoing training for officers and employees to make them aware of the laws relating to money laundering, the financing of terrorism or proliferation.

• Policies and procedures to prevent the misuse of technological developments, including those related to electronic means of storing and transferring funds or value.

• Mechanisms for preventing money laundering, financing of terrorism or proliferation, or any other serious offence.

• Independent audit arrangements to review and verify compliance with and effectiveness of the measures taken in accordance with the FI Act.

• Risk based approach to managing ML/TF/PF risks identified.

• Customer identification procedures.

• Record keeping and retention.

• Reporting procedures.

• Confidentiality requirements and procedures.

• Transaction monitoring systems.

• Adequate screening procedures for customers against relevant sanctions lists.

• Enhanced identification, verification and ongoing due diligence procedures with respect to customers who have been identified as high risk customers.

Residual Risk

(a) Once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk should be determined.

(b) Residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls. The residual risk rating is used to indicate whether the ML/TF risks within the institution are being adequately managed.

(c) It is possible to apply a 3-tier rating scale to evaluate the residual risk on a scale of High, Moderate and Low. Alternatively, another rating scale could be used, for example a 5-point scale of Low, Low to Moderate, Moderate, Moderate to High, and High.

Assessing and Measuring Risks

(a) Once the risks have been identified, each risk needs to be assessed and measured in terms of the chance (likelihood) that it will occur and the severity or amount of loss or damage (impact) which may result if it does occur.

(b) The risk level associated with each event is a combination of the likelihood that the event will occur and the impact it could have.

Likelihood x Impact = Risk Level

Likelihood

(i) Likelihood refers to the potential of a particular risk occurring in the business.

(ii) Three levels of likelihood are provided as examples, but there may be more than three for the business.

• Very likely: Almost certain – it will probably occur several times a year

• Likely: High probability it will happen once a year

• Unlikely: Unlikely but not impossible.

(iii) The likelihood levels above may not cover every scenario and are not prescriptive. They may be extended depending on risk management methodology adopted by an entity.


Probability | 1    | 2        | 3        | 4 | 5
Description | Rare | Unlikely | Probable | Almost Certain


Impact

(i) Impact refers to the seriousness of the damage which could occur if the risk happens.

(ii) The reporting entity knows its business and is in the best position to know how it would be affected by any impacts: what impacts may affect it and how those impacts would affect it. Some examples of impacts to think about could include:

• How the business would be affected by a financial loss from a crime.

• The risk that a particular transaction may result in a terrorist act and loss of life.

• The risk that a particular transaction may result in funds being used for any of the following: corruption, bribery, tax evasion, drug trafficking, human trafficking, illegal arms trading, terrorism, theft, or fraud.

Note that these do not cover every scenario and are not prescriptive. Three levels of impact are shown here, but the reporting entity can have as many as necessary for its business:

• Major: Severe damage

• Moderate: Moderate level of damage

• Minor: Minimal damage.

(iii) Once an entity assesses the likelihood and impact of each risk, it can then determine the inherent risk level based on these two factors. The following is an example of how a reporting entity can use a risk matrix to determine the inherent risk level posed by customers.

(iv) Similar to likelihood, impact levels may also vary depending on other considerations by an entity.

The 5-level Impact Assessment is as follows:

Impact        | Score
Catastrophic  | 5
Major         | 4
Moderate      | 3
Minor         | 2
Insignificant | 1



Risk Matrix

(a) The risk matrix can be used to combine the likelihood and impact to obtain a risk score (inherent risk level). The inherent risk level may be used to aid decision making and help in deciding what action to take.

(b) How the inherent risk score is derived can be seen from the risk matrix shown below. Three levels of risks are shown (Low, Medium and High), but there can be more than three, if necessary.
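As an added illustration (not the post's own tool, nor any regulator's), the scoring steps described in the Weights and Scoring, Residual Risk and Risk Matrix sections can be put into one short script: the weighted roll-up of dimension scores, the Likelihood x Impact rule on the 5-point scales, and a residual-risk rating after controls. The 3-tier band cut points, the control-effectiveness formula and the sample profile are assumptions; the impact scale is the post's 5-level table.

```python
# Added illustration of the post's scoring steps, not the post's own tool.
# Impact scale is the post's 5-level table; the banding thresholds, the
# residual-risk formula and the sample values below are assumptions.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


def risk_level(likelihood: int, impact: int) -> tuple[int, str]:
    """Likelihood x Impact = Risk Level on the 5x5 matrix, as (score, band).
    Assumed 3-tier cut of the matrix: 1-5 Low, 6-12 Medium, 15-25 High."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    band = "Low" if score <= 5 else "Medium" if score <= 12 else "High"
    return score, band


def inherent_risk(dimensions: dict[str, tuple[int, int]]) -> float:
    """Weighted average of per-dimension scores (2 decimals).
    dimensions maps a risk area (customer, geography, product, channel ...)
    to (score on 1-5, weight); the weight is that area's importance relative
    to the others, as the Weights and Scoring section describes."""
    total_weight = sum(w for _, w in dimensions.values())
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    return round(sum(s * w for s, w in dimensions.values()) / total_weight, 2)


def residual_risk(inherent: float, control_effectiveness: float) -> tuple[float, str]:
    """Residual risk after controls, as (score, 3-tier rating).
    Assumed model: inherent score reduced in proportion to control
    effectiveness (0.0 = no mitigation, 1.0 = fully mitigated); rating cut
    points are <2 Low, <3.5 Moderate, otherwise High."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    residual = round(inherent * (1 - control_effectiveness), 2)
    rating = "Low" if residual < 2 else "Moderate" if residual < 3.5 else "High"
    return residual, rating


if __name__ == "__main__":
    # Constructed sample: customer in a FATF grey-listed country using a
    # non-face-to-face channel, weights chosen by the compliance function.
    profile = {"customer": (3, 3), "geography": (4, 3), "product": (2, 2), "channel": (4, 2)}
    inherent = inherent_risk(profile)  # 3.3
    print("single event:", risk_level(4, IMPACT["Major"]))  # (16, 'High')
    print("inherent:", inherent, "residual:", residual_risk(inherent, 0.3))  # (2.31, 'Moderate')
```

Changing a single weight in the profile shows how much the roll-up depends on the institution's own weighting choices, which is why the post says each institution must decide and document them.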



Apply Controls to Manage Risks

 The response/control to the risk will depend on the level of risk as shown in the table below.



This step is about determining how to manage the risks identified and assessed. Managing ML/TF/PF risks involves applying systems and controls. Examples of risk reduction or controls could be;

(a) Setting transaction limits for high-risk products (for example limiting the amounts or frequency of transactions).

(b) Having a management approval process for higher-risk products or customers.

(c) A process to place customers in different risk categories and apply different identification and verification methods.

(d) Rejecting customers who wish to transact with a high-risk country. The following table provides an example of how the information recorded could be.


(i) It is important to keep in mind that if a customer, transaction or country is identified as high risk it does not necessarily mean that criminal activity is occurring or will occur.

(ii) The opposite is also true. Just because a customer or transaction is seen as low risk, this does not mean the customer or transaction is not involved in criminal activity. Knowledge of the business and common sense should be applied to the risk management process.

5. Monitor & Review the Risk

 

(a) Once documented, the reporting entity should develop a method to regularly evaluate whether its AML/CFT/P programme is working correctly and effectively. If not, it needs to work out what needs to be improved and put changes in place. This will help keep the programme effective and meet the requirements of the PML Act 2002.

(b) Keeping records and regularly doing an evaluation of a reporting entity’s risk and AML/CFT/P programme is essential. Risks change over time, for example, changes to the reporting entity’s customer base, its products and services, its business practices and the regulatory requirements.

 

Continual Improvement

 

Implement a process for continual improvement by regularly reviewing and updating the risk assessment to adapt to changing threats and vulnerabilities.

 

Training and Awareness

Train employees and stakeholders on the importance of risk management and ensure awareness of the institution's risk assessment findings and strategies.

External Feedback

 

Seek external feedback from regulators, auditors, and industry peers to gain insights and best practices to enhance your risk assessment process.

 

REPORTING OF MONEY LAUNDERING/ TERRORIST FINANCING/ PROLIFERATION FINANCING RISK ASSESSMENT RESULTS

 

(a) The results of the ML/TF/PF risk assessment should be presented to senior management and the board and communicated by the Compliance Officer to all business units and the control functions of the institution. The report should clearly indicate proposed action points to be adopted by the institution.

(b) The Institutional ML/TF/PF Risk Assessments that will be developed by the REs should be approved and signed off by the board of directors or senior management and be reviewed at such intervals as required by the board or by changes in the regulatory environment. REs shall provide to the supervisory authority a report on the latest results of their ML/TF/PF risk assessment as and when required.



Happy Reading,

