By Meredith Beeston (FINTRAIL Solutions) and Allison Spagnolo (FINTRAIL Solutions).
Adopting a risk-based approach is the foundation of best-in-class anti-financial crime practice. Your anti-financial crime (“AFC”) risk assessment should be one of the cornerstones of that practice.
While financial crime risk professionals are familiar with the AFC risk assessment, also known as the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) risk assessment in the U.S., it can be easy to underestimate its true value in the risk management framework. Risk assessments often feel like a chore or little more than a check-the-box exercise to please your regulator. The AFC risk assessment, however, is one of the most powerful tools you have to reduce your exposure to financial criminals and should be designed to grow and evolve to match any new vulnerabilities. A properly-executed AFC risk assessment will close gaps in your compliance program and identify the appropriate policies, procedures and controls that should be implemented to protect your firm and your customers. To help you design a risk assessment of your own, we’ve gone “back to basics” and drawn on our experience with FinTechs to unpack the fundamentals of a modern and effective risk assessment . This post will explore features common to all AFC risk assessments and offer practical advice about how to design one for your company.
What is an AFC Risk Assessment?
In most jurisdictions, AFC risk assessments are indeed a regulatory requirement. The U.S. Bank Secrecy Act (“BSA”), the EU’s 4th Anti-Money Laundering Directive (“4MLD”), and the Financial Action Task Force (“FATF”) all require periodic internal risk assessments. Consider, though, that this particular regulatory requirement can also be an opportunity to meaningfully guide your entire AFC framework and not just a task to complete to avoid regulatory displeasure.
AFC risk assessments also serve as:
A map of vulnerabilities: It is important to understand the ways in which a criminal might seek to misuse your product. It is much better to proactively identify and address potential vulnerabilities instead of discovering them as part of a “post-mortem.”
A resource plan. Once you know where your vulnerabilities lie, you can consider the controls you need to tackle them, giving you the opportunity to better strategize how to divide up your company’s finite resources. For instance, which RegTech products are most worth the investment? What skills do you need in your next AML analyst? The answers to these questions will be resolved in the risk assessment.
A development strategy. In the FinTech sector, growth and innovation are a daily feature of the business. Your AFC risk assessment can and should guide these efforts - helping you select which jurisdictions are best for expansion, which product features offer the most potential with the least risk, and which customer segments to market to next.
A dialogue. Much like your company itself, your AFC risk assessment has to evolve. It should change to reflect insights and feedback from your senior management, auditors, consultants, banking partners and regulators. Each risk assessment - and its results - offers an opportunity to dialogue with relevant stakeholders about the future of the AFC risk assessment, resourcing and compliance program.
How do I Create an AFC Risk Assessment?
At their core, AFC risk assessments can be summarized in one essential formula:
INHERENT RISK - CONTROL EFFECTIVENESS = RESIDUAL RISK
Let’s break down each of these factors in a bit more detail.
Inherent risks are the financial crime risks you face before you apply any of your existing (or if you’re just starting off, planned) AML controls. At a high level, your inherent risks generally fall into three categories:
Who your customers are
What geographies you serve
Your unique product and delivery features
Then, you will need to develop criteria or questions about the specific financial crime risks your company and customers are exposed to in each area. While it is important to initially consider the broad categories of financial crime risk (e.g., money laundering, terrorist financing, and fraud), you will likely want to generate more granular questions. For instance, if you offer a prepaid card targeting students, you will want to specifically address the risk of money mule activity occurring on your platform. In another example, if you offer a direct debit service, you will want to consider how vulnerable your product is to transaction laundering.
You should be able to analyze the data you gather across your company. While many FinTechs we deal with have a single office or product, over time, your approach to gathering data to establish inherent risk will need to evolve. For instance, for a FinTech with branches in Europe, the United States and Asia, instead of asking, “Are you aware of any high risk or medium-high risk-rated customers in a branch’s customer population?,” the risk assessment should ask, “Provide the number of high-risk customers in each branch.”
Where appropriate and where the information is available, the risk assessment should also seek volumes (i.e. with respect to transaction data and SAR data). This will help to accurately reflect financial crime exposure.
Based on the responses in the inherent risk portion of the risk assessment, an inherent risk score is generated. It is typically along the “Low,” “Medium,” and “High” spectrum. There is no one-size-fits-all calculation of the inherent risk score, and some institutions will develop simple scoring while others will create complex weighting systems. The key is that your methodology is clearly explained and can be replicated when you update your risk assessment.
Control effectiveness refers to the capacity of the specific processes and systems you have in place to mitigate each identified risk. As with inherent risk, granularity is important here. The control effectiveness portion of the risk assessment should be tailored, so that each relevant control is assessed against the corresponding risk, and impartial, so that controls are accurately represented in their effectiveness. For instance, if the control effectiveness topic is “Payment Alert Investigations” and the inherent risk is related to the processing of a sanctioned payment, you may want to consider: “Do the procedures covering alert handling address what documentation should be collected to support the investigation of sanctions screening payment alerts?”
As with inherent risk, you want to allow for as much impartiality as possible in assessing control effectiveness, and to rely on clear data when it is available (such as false positive rates, rates of false IDs that pass KYC, etc.).
It is important to have an understanding as to whether each control effectiveness topic has meaningfully addressed each inherent risk, both precisely and with a wider understanding of your overall control landscape. If you have multiple products or branches, you may want to be able to draw comparisons across your company. Like with inherent risk, there is no one way to measure control effectiveness; the key is that your methodology is clear, objective and justifiable.
Residual risk is the risk that remains once all your controls are in place. In other words, it is what you are left with after identifying inherent risk and applying your mitigating control effectiveness. It is unlikely that residual risk will be “Low” across the board, but that is normal and expected. Your residual risk score will help shape the broader financial crime risk appetite of your business. Knowing this risk level gives you the opportunity to consider issues such as whether your company is comfortable with a “Medium” residual sanctions risk when expanding into certain jurisdictions.
AFC risk assessments are designed to be complex and comprehensive, so it is not possible to provide an in-depth breakdown of an example here. However, even through the brief case study below, you can see why completing an AFC risk assessment provides a clear benefit to a FinTech:
A FinTech planning to offer individuals an app-based foreign exchange service, loaded through debit cards and bank transfers, decides to conduct an AFC risk assessment prior to going live with its pilot.
Risks and Vulnerabilities
The FinTech discovers a range of inherent risks to which it is exposed, with particularly alarming scores linked to potential sanctions evasion, attempted payments to sanctioned individuals or companies, financing acts of international terrorism through purported charitable donations, and money laundering connected to narcotics or human trafficking.
The FinTech uses the inherent risk analysis to shape its controls in order to obtain an acceptable level of residual risk. The controls are designed to go beyond comprehensive monitoring and screening and robust KYC and adverse media checks. The company also limits the geographic scope of its product to non-sanctioned countries with lower levels of money laundering/terrorist financing risk, and designs its expansion plan so that geographic risk is added only incrementally. This increases confidence in the product, which allows it to be signed off by all relevant stakeholders.
Things to Remember
Here are a few key lessons to take away:
AFC risk assessments are not “out of the box.” They should reflect the nature, size and scale of your business. If your business is just starting up, you can start with a simple risk assessment!
AFC risk assessments should make sense. There is no need for over-complicating the questions or the scoring. You want to be able to communicate it easily across your company.
AFC risk assessments evolve. While this is certainly true as it relates to your business growth, it is likewise true in relation to the evolving typologies that criminals try. If you learn about an emerging risk from a reliable source, consider adding it to your next risk assessment.
AFC risk assessments do not result in perfect scores. You will never have zero risks. Rather, it is more important to be aware of the risk levels you do have and develop a comfortable risk appetite in response.
AFC risk assessments are all about the details. Be sure the risk assessment is as useful to you as possible, keeping in mind all the ways it can add value beyond a simple regulatory requirement.
Help and Resources
If you have any other questions related to your AFC risk assessment or how to execute it, do not hesitate to reach out to FINTRAIL Solutions in the U.S. or FINTRAIL in the UK. If you are interested in further improving your risk assessment, here are a few key resources to consider:
Financial Action Task Force Money laundering and terrorist financing risks: The resource provides a series of useful links to countries’ national AML/CTF risk assessments, as well as to narrower typologies identified by FATF. National risk assessments will give you an idea of the particular risks considered to be of most importance in a particular country.
The Wolfsberg FAQs on Risk Assessments: These Frequently Asked Questions are in-depth responses to common risk assessment inquiries. Remember, though, the risk assessment format and methodology that will work best for you will depend on your company’s unique characteristics (e.g., size, scale, and overall offering).
ACAMS’ Auditing and Updating an AML Risk Assessment: This white paper describes about how a risk assessment should be reviewed and revised within a major banking institution, though there are still plenty of lessons for the FinTech sector.