The World of AML Risk Assessment

AML Risk Assessment: A key component to combat money laundering

AML risk assessments are a first step toward protecting a financial institution (FI) from breaching financial crime regulations and stopping criminals from accessing financial services in addition to combatting pervasive money laundering. Recent figures suggest global money laundering transactions are valued at nearly $6 trillion (FCN-GTA.11.2019.Pub-Final. 2 (thefinancialcrimenews.com) ) annually, which is nearly 7 percent of global GDP, according to a 2020 study by Financial Crime News. This is nearly three times the size of previous estimates by the United Nations Office of Drugs and Crime (UNODC) report published in 2011, which estimated that financial crime was worth up to USD 2 trillion, representing 3.4% of global GDP. With an eye-popping increase in financial crime, combined with today’s highly scrupulous regulatory landscape, financial institutions (FIs) need scalable, agile and automated Anti-Money Laundering (AML) compliance programs that can react to new threats quickly and cost-effectively.

In fact, many requirements mandated by FI regulators contain provisions requiring enhancements to AML risk management programs and sanctions compliance. Any effective financial crime compliance program starts with a thorough and detailed AML and sanctions risk assessment.

Not only is a risk assessment an integral aspect of any AML program, it’s also a regulatory requirement in many jurisdictions, representing the first step toward the protection of the financial system and the mitigation of financial crime risk.

To be successful, FIs should regularly assess the AML risks across their entire enterprise, including those risks inherent to their specific business units. There is an expectation that a risk assessment is completed, and then updated, on an annual basis. In many jurisdictions, AML programs are required to adopt a risk-based approach to ensure that controls are proportional to the risk and are able to mitigate the specific risks faced by an organization. In addition, a risk assessment should be conducted when triggered by a noteworthy event.

Risk assessments begin with developing an FI risk profile, including analyzing the efficacy of current controls for risk mitigation and identifying areas susceptible to being targeted by criminals or facilitating money laundering, along with any gaps and limitations. Risk assessments are not “one-size-fits-all.” Instead, they need to put a spotlight on specific factors and categories unique to the FI’s products, services, customers, entities and geographic locations.

FIs should use a sustainable, effective and cost-efficient AML risk assessment process, one that integrates a data-driven approach to understanding risk, especially residual risk where action needs to be taken to mitigate the risk exposure. Such a process should also evolve with the organization ensuring adequate controls, processes and training are in place to mitigate changing risks as the business grows and diversifies.  

Key Risk Indicators in Anti-Money Laundering Efforts

Key Risk Indicators (KRIs) in AML risk assessments are metrics or data points used to measure and monitor potential areas of exposure. These specific risk categories provide institutions with a clear understanding of their risk exposure. They can be used to tailor anti-money laundering programs to address specific money laundering risks effectively. Periodically reviewing and updating KRIs is crucial to prevent money laundering.

Client Risk Indicators

• Number of customers with potential risk scores for money laundering scheme, e.g., Politically Exposed Persons (PEPs), non-resident customers, cash-intensive businesses
• Number of customer relationships established without face-to-face interaction
• Number of accounts with incomplete, missing or outdated Know Your Customer (KYC) information
• Ratio of high-risk customers to total customers

Geographical Risk Indicators

• Volume/value of transactions originating from or destined to high-risk jurisdictions or countries with weak AML or terrorist financing frameworks
• Number of correspondent banking relationships in high-risk jurisdictions

Product/Service Risk Indicators

• Volume/value of wire transfers.
• Volume/value of private banking activities
• Volume of prepaid card transactions or digital wallet activities
• Transactions involving anonymous products/services where usual money laundering occurs

Transaction Behavior Indicators

• Number or volume of rapid funds transfers between multiple accounts
• Number of large cash transactions
• Volume of transactions that are just below reporting thresholds
• Frequency of foreign exchange transactions

Operational Indicators

• Number of system-generated AML alerts
• Number of alerts that result in a Suspicious Activity Report (SAR) or its local equivalent
• Time taken to close AML alerts and report to the financial action task force
• Ratio of false positives in AML alerts
• Frequency of model tuning and below the line testing

Training and Culture Indicators

• Percentage of staff that have completed AML risk assessment training.
• Frequency of AML risk assessment sessions
• Feedback from staff on the effectiveness of AML training

Historical Data and Audit Indicators

• Number of past launder money incidents or breaches
• Results from internal and external AML audits and risk assessments
• Feedback and recommendations from regulators post-inspection

Channels and Delivery Risk Indicators

• Volume/value of online or mobile banking transactions
• Number of new products/services introduced in the market without a prior AML risk assessment
• Frequency of changes in risk of existing products/ services

Effective AML risk assessment approaches should include the following four key components:

1. AML Vision and Strategy Development:

This includes gathering the FI’s existing documentation and understanding its existing AML regulatory coverage and risk management strategy. It is key to define the FI’s expectations and objectives of engaging in a risk assessment and determining its global risk appetite and tolerance. The process includes:

• Discussing short-term and long-term goals of AML transformation
• Understanding the change roadmap related to the financial crime operating model
• Prioritizing areas for assessment and determining weightings for risk factors
• Risk mapping across the entire enterprise and agreeing on which risk factors to assess

2. Regulatory Obligations Analysis:

This involves reviewing, understanding and evaluating existing and future regulatory frameworks specific to the country (or countries) where the FI is doing business. There are several key areas that must be explored, including:

• The FI’s existing commitments to the regulator and any identified risks
• Identifying any existing practices that might breach existing AML regulations
• Ascertaining current and future regulatory change projects, prioritization, and requirements
• Identifying any upcoming regulatory or audit inspections and findings from the inspections
• Understanding the FI’s financial crime regulatory coverage and risk management strategy

3. Financial Crime Policies and Procedures Assessment:

FIs must evaluate and understand existing financial crime governance, policies & procedures and systems & controls. This is a comprehensive effort that includes several key activities, including:

• Reviewing global policies and procedures, both practical and formal
• Evaluating risk coverage assessment and controls documentation and whether existing controls are adequate to address inherent risk of the organization at that point in time
• Reviewing both internal and external audit scope and recommendations
• Identifying backlog of policies and procedures to be implemented

4. Financial Crime Operations Review:

This involves determining and evaluating the current financial crime operational framework, which includes a number of key operational and technical imperatives, among them:

• Understanding the current operational procedures and processes, including customer and transaction monitoring
• Reviewing existing alert management and investigation processes
• Reviewing specific FI products, services, service levels, customers, business units and geographic locations
• Understanding existing and required financial crime management information
• Reviewing the current operating model and identifying risk factors, and taking steps to mitigate risks by communicating and reporting findings on identified issues
• Assessing training requirements across operations and technology

Bottom line, a structured, disciplined and frequent process can help FIs assess their AML risks and current effectiveness to mitigate such risks. For all components outlined above, any gaps must be identified, and, most importantly, action plans must be developed to address these gaps and high-risk areas to implement controls that minimize the residual risk identified in the FI.

Anti-Money Laundering Risk Assessment at NICE Actimize

At NICE Actimize, we can augment and automate your “risk assessment journey.” We’ve made substantial investments in technology to provide FIs with a streamlined and dynamic Know Your Customer (KYC) onboarding process with straight through processing (STP), which provides real-time risk assessments of new customers as data is collected. We have embedded AI at the core to deliver accurate risk scores for each monitored entity, with dynamic alerting capabilities for customers that require further investigation or where additional information is required.

By implementing innovative technology, such as data intelligence, robotic process automation, machine learning, and advanced analytics, to their AML compliance programs, FIs can realize necessary efficiency and productivity gains and effectively reduce the cost of compliance. Our machine learning solutions lower the cost of compliance by automating repetitive elements, reducing false positives by over 40 percent, and in the process, increasing productivity and reducing human error.

Today’s regulatory landscape continues to pressure financial institutions to do even more at the same time as FI compliance functions face cost restraints and an increase in competition requires a reduction in customer touch points to minimize customer friction.

As a result, FIs must continually seek to understand regulator expectations and promote a culture of compliance to mitigate risk and prevent financial crimes through their organization. They need to have consistent internal controls and proactive risk management and mitigation to avoid fines, prosecution, loss of license, and reputational damage. This starts with a rigorous and periodic risk assessment process.