Welcome to the How to Comply with the AML/CTF Act Series!
If you haven’t been introduced to the series, check out this post:
Taking a Risk-Based Approach
In 2007, the Financial Action Task Force (FATF) had introduced guidance called “Risk-Based Approach to Combating Money laundering and Terrorist Financing”.
As a whole, this document outlines the purpose of taking a risk-based approach to AML/CTF compliance whilst providing insights and guidance on how a financial institution or services can effectively implement a risk-based approach with high-level principles and procedures. Since this document has been diffused among the financial sector, taking a risk-based approach has developed into a standard and crucial piece for building effective AML programs.
Over time this guidance has evolved and will continue to change and update
According to FATF guidance, published on October 2014, “RBA to AML/CFT means that countries, competent authorities and financial institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively.”
In the FATF recommendations, it has been clearly highlighted that there is no universally agreed and accepted methodology to prescribe the nature and extent of a risk-based approach, leaving the financial institution to decide on the methodology they want to use based on the analysis of the risk and the risk management framework. This provides a financial institution with a degree of autonomy to customise their approach to suit their offering, yet at the same time forces a certain level of understanding to be met before compliance can be achieved.
At bronID it is our goal to lift the overall level of AML/CTF compliance understanding across the entire financial sector. We will do this by setting high compliance standards for each unique designated service and provide an automated end to end solution for achieving your AML/CTF obligations.
It is important to understand the difference between taking a risk-based approach for conducting a risk-based assessment and when implementing the mitigation strategies such as assessing and updating the ML/TF risk posed by a customer. One assessment helps to inform the other yet should be treated as mutually exclusive processes.
Building your Customer Risk Matrix
Before we start building your Customer Risk Matrix, first we must understand the terms more broadly and the necessary steps required for a customer risk matrix to establish.
Put simply, a customer risk matrix is a tool for placing your customer into different risk buckets, these are generally listed as low, medium and high risk, with the scope for additional variations within these risk buckets.
The initial risk score given to a customer via your customer risk matrix can depend on many factors such as; the results of initial customer due diligence, PEPs and Sanctions screening and demographics. Additionally, you should assess the customer interaction risk: this is a function of the product, how you are delivering it and the customer risk.
So how do I establish my customer risk matrix?
A Customer Risk Assessment procedure follows these four steps:
- the customer’s risks based on their customer profile (such as country of residence, demographics, the source of funds, watchlist checks)
- Customer Interaction Risks = Customer Risk x Product Risk
Assess the likelihood and severity of these risks
Understand your businesse’s relationship with these risks
Mitigate the risks with policy and procedures outlined in your AML program.
In order to define the customer risk, the financial institution should first know their customer, with this information a designated service is then able to then categorise the customer’s risk based on the vulnerability to money laundering and terrorist financing and perform EDD if necessary. (e.g. the AML/CTF risk a PEP customer poses should be higher because these individuals have more exposure to predicate offences such as corruption)
Considering the factors outlined when you Conduct an AML/CTF risk assessment, financial institutions should understand that the risk-based approach is a quantitative methodology that will not eliminate the risk; however, it will enable the understanding of risks with the aim of mitigating the impact which requires identification of risk factors, classification and scoring.
KYC & KYB checks
As explained in the previous blog post on Know Your Customer. Performing these checks should be done initially and updated on regular intervals depending on the risk that customer represents. If there are any material changes to the customer it is best practice is to update your customer risk profile.
PEP and Sanction Watchlist Checks
Performing a PEP (politically exposed persons) and Sanctions check is often bundled up with the KYC procedures.
The results from querying these global databases inform whether the individual or company you are beginning a business relationship with requires additional risk mitigation strategies.
If an individual or company appears on one of these global watch lists the AML/CTF Rules proposes they are automatically a high-risk customer and should be treated as such in accordance with your AML operation manual.
Under Australia’s AML/CTF Rules, politically exposed persons (PEPs) are individuals who occupy a prominent public position or functions in a government body or international organisation, both within and outside Australia. This definition also extends to their immediate family members and close associates.
The AML/CTF Rules define three categories of PEPs:
- Domestic PEPs are individuals who hold a prominent public position or function in an Australian government body
- Foreign PEPs are individuals who hold a prominent public position or function in a government body of a foreign country.
- International organisation PEPs are individuals who hold a prominent public position or function in an international organisation.
So what do I do when I identify one of my customers as a PEP…?
Enhanced Due Diligence
Some suggestions on Enhanced Due Diligence procedures can be found in the previous post Know Your Customer.
The Customer Risk Matrix
Here is a visual example of what your risk matrix may look like
“Risk should be understood as the combination of the likelihood of an adverse event (hazard, harm) occurring, and of the potential magnitude of the damage caused (itself combining the number of people affected, and severity of the damage for each).” World Bank RBA
Perform Due Diligence based on the matrix above
Ready Reckoner + CDD (Customer Due Diligence):
In the instance of low-risk scoring, the financial institution will adopt the regular KYC procedures.
Simplified Due Diligence
Simplified due diligence will assist the financial institution to justify and satisfy the risk component by requesting further information.
Enhanced Due Diligence
Enhanced Due Diligence in a high-risk instance should be conducted through a thorough search on the potential customer in various search engines and outlets of information to determine and better understand the customer’s risk. Requesting information from the customer via questionnaires designed for individuals and entities and even PEPs is an additional method of EDD.
Each of these mitigation controls should be well documented when you Design your AML program
Update the Risk Profiles of your Customers
People change, products change, your risk matrix will change, this is the reality.
Updating your risk matrix when you make changes internally, such as adding an additional product or method of delivery is easier to monitor as these changes are within your control.
External changes are more complex and you should be prepared to update your customer risk profiles regularly. Monitoring and managing external risks to your business can be difficult to stay on top of. For example, one of your low/medium customers has recently become an Australian PEP, this material change to the customer will require you to do additional due diligence, and in this case, enhanced due diligence, yet how do you know when this happens without asking?
Establish procedures for updating risk profiles of your customers based on significant triggers, such as material changes to the customer details, new knowledge from PEPs and sanctions screening and/or behavioural changes to the way a customer interacts with your product.
How can bronID help?
Matching the policies and procedures outlined in your AML program with the customer due diligence actions taken can be automated by utilising the bronID AML portal tools such as KYC/KYB checks and Customer Risk Assessments. Having both of these compliance tools in the one platform will display a more complete picture of your compliance obligations to any regulator. Providing evidence of your risk mitigation is particularly relevant to the yearly compliance report issued by AUSTRAC.
The team at bronID sees an opportunity to solve the problem many financial institutions and services have in maintaining an updated risk profile of their customers.
By building an end to end solution for compliance bronID can establish methods for maintaining risk mitigation strategies based on a dynamic risk assessment of both a designated service and its customers. Whenever you make a change to your business, this will trigger a reassessment of how your customer fit into this risk matrix, similarly, if your customer makes a material change you can be notified that their risk score needs to be updated. Dynamically updating these scores builds a far more compliant approach to your AML/CTF Act obligations and will instil confidence when executing the required and prescribed mitigation strategies.
It’s important to have an adaptable ML/TF risk profile mechanism for your customer too. Monitoring these changes can be a real challenge let alone a frustrating experience for your customer every time you need to re-collect their information to re-verify them. The bronID app allows an individual and company to create persistent identity wallets for their verified identity attributes, once they have ownership of and can manage their identity attributes independently, sharing updates in real time can be automated.
Refer a user to bronID as a feature to improve your customer risk assessment’s accuracy.
bronID is interoperable with multiple financial services, therefore allowing for a customers risk score to be evaluated and carried between financial institutions. With this capability, it becomes possible to establish a more holistic risk assessment of a customer, one which pulls upon the assessments of multiple financial services and cooperatively contributes to the overall risk rating of a customer.