BIJI DEALS

Revolutionising AML/CFT Compliance: Implementing a Risk-Based Approach (RBA)

In an ever-evolving financial landscape, combating money laundering and terrorist financing demands a dynamic and proactive strategy. This article delves into the Risk-Based Approach, commonly known as 'RBA' to AML/CFT, a vital paradigm shift that enables institutions to target their efforts effectively and stay one step ahead in the fight against financial crime.


First things first, what is a risk-based approach ("RBA")?

RBA to AML/CFT is a strategic and dynamic framework used by reporting institutions (RIs) and regulators to assess, manage, and mitigate the risks associated with money laundering and terrorist financing ("ML/TF").

Instead of applying a one-size-fits-all approach to compliance, the RBA tailors measures based on the specific risk profile of customers, transactions, and products. It involves identifying and prioritising higher-risk areas, allocating resources accordingly, and implementing appropriate controls and due diligence measures. This approach allows RIs to focus their efforts more effectively on areas where the risk of ML/TF is the greatest, making it a more efficient and targeted strategy.


Imagine combating financial crime as a game of chess, but instead of making blind moves, you adopt an RBA.

It's like playing with a strategy that evolves with your opponent's every move. In this financial game, you assess each piece of the puzzle with precision, identifying high-risk pawns from low-risk knights. By understanding the unique traits of each piece (customer's transactions), you can safeguard your kingdom (your organisation) more effectively, making the game of AML/CFT both creative and fun, while ensuring a checkmate against illicit funds.

 

Why is RBA to AML/CFT important?

The significance of the RBA to AML/CFT lies in its capacity to empower reporting institutions to adopt a proactive stance in preventing illicit activities. Instead of reacting after illegal transactions occur, the RBA enables these institutions to proactively introduce preventive measures, ensuring either the prevention of problematic occurrences or the minimisation of their impact.


Think of the RBA like having a superpower. Instead of waiting for bad stuff to happen, it's like having a crystal ball to see trouble coming. With RBA, institutions can set up defenses and stop potential wrongdoing before it even starts or reduce the damage if it's already in motion. It's like being the superhero of financial security!

 

RBA at a National Level

At the national level, the RBA to AML/CFT serves as a pivotal strategy in a country's efforts to safeguard its financial system and overall economic integrity. By assessing the unique risk profiles within its jurisdiction, a nation can tailor its regulatory and enforcement measures to effectively combat ML/TF while optimising resource allocation.


To identify, assess and understand their level of exposure to ML/TF risks, countries typically perform a globally acknowledged process called a National Risk Assessment ("NRA"), which examines the ML/TF-related threats that affect the country and identifies ML/TF vulnerabilities across various financial and non-financial sectors.

The NRA serves as a foundation for crafting AML/CFT action plans and policies, aiding policymakers in aligning existing risks with the required strategies and resources to reduce them, and plays a crucial role in promoting accountability and collaborative initiatives to prevent and counter ML/TF.


Malaysia's NRA 2020 marks the fourth (4th) iteration of the country's risk assessment, as Malaysia has pledged to the FATF to perform this assessment every three (3) years. In the NRA 2020, the top five (5) crimes with substantial money laundering threats in the country have been pinpointed, which include:

  • Fraud, including cheating and illegal investment schemes;

  • Illicit drug trafficking;

  • Bribery and corruption;

  • Smuggling offenses, including evasion of customs and excise duties; and

  • Organised crimes.

 

Before we touch on RBA from different aspects, here's a quick summary of the areas we will be discussing later in the article:

[Figure: Summary of Risk Based Approach (RBA) to AML/CFT]

 

RBA at an Institutional Level

Regulators including BNM and the Securities Commission advise institutions to use RBA in their AML/CFT compliance programmes. What this means is that institutions need to take steps to figure out and document the ML/TF risks they face now or might face in the future upon onboarding of new customers, introduction of new products/services, upcoming geographical presence, change in delivery/distribution channels, etc.


An Institutional ML/TF Risk Assessment ("IRA"), commonly also known as an Enterprise Wide ML/TF Risk Assessment ("EWRA"), is the starting point for using this approach. It helps institutions demonstrate how likely they are to face ML/TF risks and what they are doing to reduce and/or mitigate those risks. Once institutions have the necessary information, they can take appropriate steps to handle the remaining risks in line with their own risk tolerance.


Typically, most institutions conduct an IRA exercise at least once every two (2) years or upon any events that have taken or will be taking place affecting the institution, for example, key amendments to AML/CFT laws and regulations, introduction of a significant new AML/CFT control, and introduction of new products/services/channels.

Finally, when concluding the IRA, the impact of the latest available NRA results is taken into consideration to align an institution's action plans accordingly.

 

RBA at Customer Level

Similar to RBA at national and institutional level, the RBA taken at a customer level is on a smaller scale, whereby mitigating controls and measures are applied upon the point of customer onboarding and ongoing customer monitoring. How appropriate controls and measures are applied to a customer will be based on their ML/TF risk rating, a process more commonly known as 'Customer Risk Profiling' or 'Customer Risk Assessment'.

The reason for customer risk profiling/assessment is so that an institution has a clear picture of the business relationship that will be formed with the customer. This in turn helps the institution determine the level of customer due diligence ("CDD") and the amount of continuous monitoring required for that customer alone.


For a better understanding of RBA at customer level, we will be looking at it from two (2) aspects - 1. customer onboarding and 2. ongoing monitoring. So let's pretend that your institution is a bank in Malaysia and there are two (2) customers who want to open an account at your bank on the same day.


Customer Onboarding

These two (2) potential customers walk into your bank, and we will call them Customer 1 and 2, respectively. In the image below, we can see the key information on both these customers after they have filled up the CDD form provided by the bank staff.

[Figure: Key Information on the Potential Customers]

The RBA will come into play now that we have the basic key information of these potential customers. Based on the information provided by Customers 1 and 2 respectively, these customers are assigned different ML/TF risk ratings. Why so?

As we can see, Customer 2 poses a higher ML/TF risk compared to Customer 1, considering that Customer 2 is:

  • Non-Malaysian;

  • Involved in a business industry that is considered high risk;

  • A Politically Exposed Person ("PEP");

  • Requesting for products and/or services that are considered higher risk; and

  • Intending to transact only via non face-to-face channels, i.e., online banking.

Now, after the bank conducts its appropriate levels of CDD (e.g., requesting additional information from Customer 2, performing name screening on both customers, etc.), we find that both customers have been approved for onboarding, with Customer 1 assigned a 'Low' risk rating and Customer 2 assigned a 'High' risk rating.


Ongoing Monitoring

When it comes to ongoing monitoring of the customers, your bank may have different ways of monitoring them due to the difference in risk ratings. As Customer 2 is a 'High' risk customer, more stringent monitoring is placed on them.


Monitoring of customers can come in the form of ongoing customer due diligence ("OCDD"), customer name screening, transaction screening and transaction monitoring. Due to the difference in risk ratings, the monitoring thresholds and parameter settings applied will be unique to the customer segment, in accordance with customers' respective risk tiers and the bank's risk appetite.

For example,

- Customer 2 will have to update their customer information more frequently than Customer 1.

- Monitoring of transactions performed by Customer 2 will have a higher prioritisation compared to Customer 1's transactions.

 

In conclusion, the Risk Based Approach (RBA) is a powerful tool in the fight against financial crime. As we continue to explore this dynamic strategy, we invite you to stay tuned for more valuable AML/CFT related insights. Your questions and feedback are important to us, so please feel free to reach out to us with any queries or thoughts you may have.


Together, we can work towards a safer and more secure financial landscape. Thank you for reading and being a part of our mission.

Also, if you would like to know more about RBA to AML/CFT, BNM has generously created an infographic explaining the RBA covering two (2) tiers - one at the institutional level and the other at a customer level. You can find a copy of the infographic here.

