Assessing customer risk is key to preventing crime within the finance sector. Many financial services organizations use a risk-based approach with Customer Due Diligence (CDD) to mitigate fraud-related risk specifically. A risk-based approach is beneficial for most businesses, especially as watchdog organizations, such as the Financial Action Task Force (FATF) and the Financial Conduct Authority (FCA), openly support it.
Financial institutions must consider how to meet regulatory compliance requirements to improve the accuracy and safety of financial transactions. The Know Your Customer (KYC) and Anti-Money Laundering (AML) frameworks clearly assign businesses, organizations, and financial service providers the responsibility of verifying the authenticity and accuracy of customer identities. In doing so, they must also assess each customer’s risk profile and carry out necessary measures. This guide will dive into the history and evolution of the risk-based approach within AML processes, as well as how you can safeguard your organization.
The Evolution of AML Frameworks and the Risk Based Approach
The earliest AML frameworks were developed in the 1970s, before our modern digital age. These implemented a “one size fits all” approach, requiring organizations to adhere to rules to mitigate money laundering activities. However, creating a single set of compliance requirements to be upheld across all organizations proved insufficient and ineffective.
Not all businesses are equally susceptible to money laundering or terrorism financing. Some are more likely to be a risk than others, requiring a higher level of due diligence. Furthermore, not all customers or sectors possess the same risk. Politically Exposed Persons (PEPs), for example, required far more attention and focus than others. Some transactions were also higher risk than others, and pinpointing those was critical.

The UK’s Financial Services Authority (now the FCA) established the proportionality concept, which encouraged institutions to focus their attention (and money) on mitigating the most expensive risks. In 2007, the FATF created a set of standards to follow, including 40 recommendations in its Risk Based Approach (RBA). Specifically, it required financial institutions to adopt specific but more flexible measures so that they could direct their resources more effectively at the true risks to their operations. Instead of blanket statements, these standards enabled organizations to focus on the areas of risk most likely to impact their course of business.
In 2012, the FATF updated this approach again, incorporating it as the foundation of AML compliance mandates. Jurisdictions around the world adopted the risk-based approach, leading to many organizations across financial services integrating this approach into their KYC processes. At this time, the FATF
“The risk-based approach is central to the effective implementation of the FATF Recommendations. A risk-based approach means that countries, competent authorities, and banks identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk,” states FATF.
What Does a Risk-Based Approach Look Like?
Customer risk management is complex but essential. A robust and effective KYC approach is key to reducing costs while meeting regulatory requirements. However, such methods can be time-consuming and can degrade the customer experience.
Risk Profiling
Risk profiling is one form of verification of a customer’s identity. It considers customer risk scoring based on customer behavior. Risk profiling focuses on a full assessment of each customer, transaction, and business relationship based on factors identified as potential risks. It sorts customers into categories according to their assigned level of risk, which reflects their behavior, the nature of their activity, and other risk profile factors.

Some of the most common components of a risk-based analysis include:
- Geographical factors: High-risk countries or jurisdictions with well-recognized AML/CFT concerns, such as terrorism-heavy locations or areas where previous crime has occurred.
- Customer type: PEPs, non-resident customers, complex business structures, or cash-intensive operations can also factor into risk assessment.
- Transaction patterns: Unusual, complex, or high-frequency transactions could signal risks, such as a sudden shift in account usage or high transaction values not commonly associated with the account.
- Source of funds: Known high-risk sources or unexplained income streams, often those that are on the perceived watchlist.
- Industry or occupation: Certain sectors (e.g., cryptocurrency, gaming, or import/export) may carry higher risks and must be considered.
- Lighting and Depth Perception: AI models can also use light reflection and shadows to detect liveness. Human faces reflect light differently than a flat photo or video would.
Robust risk-based KYC approaches will incorporate strategies that specifically address key areas based on your customers. Ultimately, a holistic view of the customer across all of these areas can offer insight. In the implementation statement of its Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism, the Council of Europe states that a risk-based approach means that nations, governments, and the private sector should be well aware of money laundering and terrorist financing threats, and of the extent of these threats across different sectors, nations, and scopes of activity.
The Council states that the FATF Recommendations promote a risk-based approach at three levels:
- National Level: Countries should assess and share ML/TF risks with authorities and the private sector.
- State Authorities: Supervisors should focus on specific risks and allocate resources efficiently.
- Private Sector: Businesses should tailor AML/CFT measures to their own risks and client profiles.
Customer Due Diligence
Customer Due Diligence (CDD) focuses specifically on applying a higher level or enhanced security based on the risk level of the customer, utilizing, for example, the data within their risk profile. There are two noted types of CDD that could be applicable based on the organization’s specific activities:
- Standard CDD: The most common standard for customer due diligence is basic customer due diligence, which involves limited identification and verification. This standard applies to nearly all accounts and customers within the financial industry and is the baseline measurement. It is applied for low-risk customers.
- Enhanced Due Diligence (EDD): Applied for high-risk customers or situations, enhanced due diligence goes further. It involves more in-depth background checks, interviews, or third-party verification to mitigate risks because there is some level of concern present.
CDD can be flexible in terms of application and function. The scope of CDD typically includes the following:
- Verification of an identity through government-issued ID checks.
- Understanding the occupation or the business purpose of the relationship being established.
- Assessing the ownership structures or financial interests of the customer or company.
- Determining the intended use of services or accounts if approved.
Each of these factors helps build a risk profile and informs customer risk management strategies. CDD is a common and flexible method for scrutinizing risky customers more thoroughly. Understanding a customer’s risk profile allows a financial institution to better understand the risks to its business. For more on Customer Due Diligence, read “What is Customer Due Diligence (CDD)?”
Ongoing Monitoring
It is a mistake to believe that risk assessment ends once an account is opened and transactions begin. Continuously monitoring customer activity is essential to identifying what is “normal” for that customer and what is not. This enables improved reaction to suspicious activity or non-compliant transactions. This enhanced due diligence and customer risk assessment protects financial institutions and other businesses in the long term.
Monitoring is a process that requires organizations to adapt to changes in customer behavior. For example, if a customer has numerous large transactions coming in and going out that are new to them, it may be wise to investigate those transactions. A sudden change in the customer’s financial situation can also be notable.

One of the best resources for ongoing monitoring is the inclusion of automated transaction monitoring tools. While many organizations continue to use manual processes, these methods are largely prone to errors. Automated transaction monitoring tools also speed up the process, enabling more real-time responses.
“One area of opportunity that could substantially increase efficiency gains is in the automated trigger-based Ongoing Due Diligence (ODD) of clients. In practice, most FIs are conducting manual client reviews on a periodic basis. These manual reviews are time-consuming, provide (relatively) limited added value to mitigating money laundering risks, and negatively impact client satisfaction and data privacy,” shares Deloitte. Learn more about the benefits of ongoing monitoring in our blog, “What is an Ongoing Monitoring Process?”
The Benefits of a Risk-Based Approach
A risk-based approach is sensible and effective for most financial institutions, especially when it relates to AML processes. Some of its key benefits include:
- Improved customer experience, removing frustrating steps for low-risk clients.
- Efficient allocation of resources, allowing financial and human resources to be applied to truly high-risk concerns.
- Enhanced financial crime detection because there are better resources and more accurate and timely actionable steps taken.
- Alignment with regulatory requirements, reducing the risk of costly fines.
- Scalability and flexibility allow institutions to adjust their focus as new risks emerge or circumstances change, enabling them to “stay ahead” of threats.
- Improved reputation with fewer compliance-related or highly visible fraudulent attempts.
“The Know Your Customer risk-based approach enables a better customer onboarding compliance program by adjusting verification levels based on risk factors. Low-risk customers are accepted more quickly, whereas higher-risk customers may require additional verification procedures,” shares Financial Crime Academy.
Implementing ComplyCube’s Solutions
ComplyCube’s platform can power organizations with a strong risk-based AML process. If your organization is not assigning resources based on risk-based strategies, now is the time to learn how to do so efficiently. ComplyCube is ideally positioned to provide companies with the tools to facilitate robust, accurate, time-efficient, and cost-effective risk-based solutions for mitigating customer risk. For more information on ComplyCube’s services, reach out to their expert compliance team.