Challenges of Customer Risk Scoring
November 23rd, 2023
Money laundering enables criminal organizations and facilitates crime—it’s a continuing threat to society. Victims of these crimes suffer physical or psychological harm, but money laundering also has far-reaching consequences that affect thousands of people and industries, such as the severe environmental impact of illegal mining, deforestation and wildlife crime, or the economic impact of reduced tax revenues and bribery. Commonly cited statistics show that anywhere between $2B and $6B are laundered each year, and the success rate for detection is less than impressive. In many studies, the estimates are that less than 1% is detected and even less recovered.
Money Laundering: Everyone’s problem
Financial institutions (FIs) struggle not only with detecting the actual suspicious activity but also with identifying all related parties and their associated risks. If FIs can identify all related parties and accurately assess the respective risk, they can monitor their customers better, identify suspicious behavior, complete richer investigations and accurately report any suspicions to the appropriate authorities. Illicit actors don’t have rules when engaged in criminal activity or laundering proceeds of crime, and they don’t care about data privacy legislation or breaching data protection. FIs, on the other hand, must comply with rules and regulations when using customer information and monitoring their customers and counterparties, limiting their ability to identify criminals and fight financial crime. There are strict data privacy regulations that must be adhered to, such as the EU General Data Protection Regulation (GDPR) or Data Protection Act (DPA) in the U.K.
FIs take risk-based approaches when performing due diligence checks on new and existing customers to determine their risk and likelihood of involvement in illicit activities, including money laundering. Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements are laid out in regulations in many jurisdictions across the globe. It’s essential that FIs follow these requirements to effectively fight financial crime and avoid regulatory breaches, which could result in fines or prosecution.
It’s not an easy task. One of the difficulties is that many FIs have very dynamic customer bases. Each customer’s risks can vary significantly. Activity that is deemed to be risky for one customer could be completely acceptable for another. Anyone who has been through the development process of a risk assessment methodology would agree this task is loaded with obstacles. For this reason, we still see very rudimentary risk rating systems today, even in large, well-established organizations.
Three Main Categories of AML Risk
The U.S. Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering (FFIEC BSA/AML) manual only identifies three main categories of inherent AML risk:
- Geographic locations
However, the industry norm for risk rating methodologies often separates customer risk into four main categories:
- Customer Type
- Transactional Activity
Some organizations have expanded beyond those categories to include other metrics such as Network Risk and Channel Risk, although it could be argued that the additional categories could be included in one of the initial four categories defined by the industry. The point is there’s a lot of leeway given to organizations when developing their programs, as long as the program is sufficient to accurately identify the risk of the customer to the organization.
Develop Strong Risk Assessments
Strong risk assessments come with many challenges. Data acquisition is a key challenge in many areas within AML programs, risk assessment included. Identifying the right data and being able to source it can be a big challenge in developing a strong customer risk assessment model. Internal data, in many cases, is siloed and spread across several banking systems. Furthermore, vast amounts of internal data in many organizations are still paper based. External data can be difficult to ingest into CDD systems and relate to the correct entities. Not only is data gathering a challenge: having the right technology to digitize, clean, analyze and interpret the data can be taxing to many organizations. The wrong technology can result in data being:
- Incorrectly allocated to the wrong customer
- Not allocated to a customer at all
This can result in data not being appropriately risk assessed, which can impact the overall risk scoring of the customer. In the worst-case scenario, this could result in a high-risk customer not being identified and being treated as if they’re low risk.
Assigning Values to Risk Attributes
The next challenge is assigning values to risk attributes. Products such as deposit accounts are riskier than a certificate of deposit or a safe deposit box—but how much riskier? Twice as risky? Four times the risk? The same can be said of wires. International wires potentially pose additional risk and wires to and from high-risk jurisdictions add to the risk. The question is by how much, and is it even across the board for all customers? Is the risk even for larger international manufacturing companies as compared to a small business with little reason for international activities?
Assigning values can get complicated quickly. The more detailed information that you include, and have access to, the more robust your risk assessment methodology will be. However, there are some things to consider: How many data elements do you want to include in your assessment? The more information, the more accurate your assessments can be, but the more complex the methodology becomes. Some data elements may be useful in assessing risk; however, in many cases, the data is unavailable or not available in all instances. This leads to a few more decisions that need to be made. The first one is the decision to include the element in your model or eliminate it altogether because the data is not always available. Removing it could compromise your model’s effectiveness; whereas, including it when the data is not always available also compromises the model. When the data is unavailable, you may choose not to include additional points; however, the absence of a data element doesn’t mean the risk doesn’t exist. There are a lot of considerations when developing a risk model.
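The missing-data trade-off described above can be made visible by scoring each customer twice: once with no points for unavailable attributes, and once with the maximum points for them. The sketch below is an added example, not code from the original article; the attribute names, point values and tier thresholds are constructed assumptions chosen only to illustrate the idea.

```python
# Added illustration: every point value and threshold below is a constructed assumption.
POINTS = {
    "product": {"safe_deposit_box": 1, "certificate_of_deposit": 1, "deposit_account": 3},
    "wires": {"none": 0, "domestic": 1, "international": 3, "high_risk_jurisdiction": 6},
    "customer_type": {"individual": 1, "small_business": 2, "international_manufacturer": 2},
    "geography": {"domestic": 0, "foreign": 2, "high_risk_jurisdiction": 5},
}
TIERS = [(10, "high"), (5, "medium"), (0, "low")]  # inclusive floors, highest first


def tier(score: int) -> str:
    """Map a point total to a risk tier."""
    return next(name for floor, name in TIERS if score >= floor)


def assess(customer: dict) -> dict:
    """Score known attributes and bound the effect of the missing ones."""
    known, worst_case_extra, missing = 0, 0, []
    for attr, table in POINTS.items():
        value = customer.get(attr)
        if value is None:
            # Missing data: adds no points to the floor, the attribute's maximum to the ceiling.
            missing.append(attr)
            worst_case_extra += max(table.values())
        elif value not in table:
            # An unmapped value is a data-quality error, not a zero-risk attribute.
            raise ValueError(f"unmapped {attr} value: {value!r}")
        else:
            known += table[value]
    floor, ceiling = known, known + worst_case_extra
    return {
        "score_floor": floor,
        "score_ceiling": ceiling,
        "tier_floor": tier(floor),
        "tier_ceiling": tier(ceiling),
        "missing": missing,
        # True when the missing data alone could move the customer to another tier.
        "tier_uncertain": tier(floor) != tier(ceiling),
    }


# Constructed sample customers.
COMPLETE = {"product": "deposit_account", "wires": "domestic",
            "customer_type": "individual", "geography": "domestic"}
PARTIAL = {"product": "deposit_account", "wires": None,
           "customer_type": "small_business", "geography": None}

if __name__ == "__main__":
    for name, cust in (("complete", COMPLETE), ("partial", PARTIAL)):
        print(name, assess(cust))
```

A customer whose floor and ceiling tiers differ is one whose rating depends on data you do not have, which makes them a candidate for data remediation before the rating is relied on.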
Once you have identified your critical data elements, assigned risk to each, and completed your model, you can then test it against your customer base. The moment of truth comes when you can see the mix of your customer base and determine how your customers are categorized between low risk, medium risk, and high risk. There are going to be some adjustments to the model after this step. Regulators will not accept tuning your model to align with your desired mix; it must be reflective of risk. However, you may review the model to adjust for areas that can indicate high-risk customers who are not inherently high risk, as well as adjust low-risk customers who should be inherently high risk.
Risk Model Validation
The next step in risk model validation is defending it. Model governance and regulatory examiners need to understand the rationale. They will question why certain risk elements score in a particular way and how they compare to others. How can a deposit account score the same as a high-risk wire when they aren’t the same? The best way to approach this is to do an apples-to-apples comparison. Don’t try to defend attributes between risk categories. Compare within a category, such as evaluating a deposit account against a certificate of deposit. This validation needs to be fully documented so there is an audit trail of what decisions were made and why. This should account for any adjustments that are made, providing a historic log of model thresholds and rationale.
In the end, adjustments are an ongoing activity. Verify that your model is acting as intended. Over time, these are questions to ask:
- What does your customer mix look like?
- Do you need adjustments either to your model or to your customer base?
- Are you adding new products or services, and how do they compare against the others within the category?
Also, look at your Suspicious Activity Report (SAR) filings. Are you filing a larger percentage of SARs on low and medium risk customers and a lesser amount on your high-risk customer base? If so, that could be an indication that your model isn’t really reflecting your customers with the most risk. AML solutions that offer simulation capabilities can greatly reduce the effort in making these types of changes. In many cases, they don’t require a separate environment or sample data, and they don’t require you to do “before and after” snapshot comparisons. Once your changes are made and results are acceptable, you’ll still need to go through some type of model validation. However, the effort is significantly less than the initial model validation.
Risk Rating Customers: The Next Steps
Have we found the perfect solution for risk-rating customers? As time progresses, so do our technologies and approaches. Tremendous amounts of data are accessible. There are many third-party data providers who have access and can provide the risk signal elements FIs seek. There are vendors that aggregate data from multiple sources and provide the ability to link it to the correct customer.
Leveraging technologies such as AI and machine learning, FIs can combine data with knowledge from their existing model. Using the intelligence gained through AML systems, such as transaction monitoring, to determine which risk attributes matter when combined with other risk attributes tends to be the most effective way to determine customer risk.
Industry Example: FI Offering Lending Services
One financial institution that provided lending services to retail clients that I met with is a prime example. They were able to determine that customers from a certain age range, who are looking for an automobile loan with specific terms and come from a distinct group of zip codes, tended to be very high risk for loan defaults.
Loan defaults are a different kind of risk from money laundering, but the concept is the same. Certain risk attributes in combination with others can dramatically escalate a customer’s propensity to be engaged in potential money laundering activity.
Money laundering is a big business and schemes continue to evolve rapidly. Risk and compliance professionals need to keep pace and evolve with it. Leveraging many of the tools used today and combining them with newer technologies will help FIs become proactive versus reactive and get ahead of criminals. Ideally, FIs need to identify money laundering risk up front before it happens. That starts with accurately identifying potential criminals before they access the financial system through your organization.