
Why Does the Risk Based Approach Outperform De-risking in Modern Banking?

With over 30 Swiss banks found to have significant shortcomings in their money-laundering controls during FINMA’s 2023 review, how are financial institutions re-evaluating their compliance strategies through a risk-based approach?

The review identified various banking institutions with improper definitions of money laundering risk tolerance, which failed to set necessary exclusions for certain countries and client segments, and also did not establish proper mechanisms for managing exceptions.

Banks must properly align their risk acceptance parameters to ensure they are in compliance with the risk-based approach.

Defining its risk appetite lets an institution distribute resources effectively: it can focus on high-risk activities while keeping processing streamlined for low-risk operations.

Financial Action Task Force (FATF) and other international regulatory entities support the implementation of a risk-based approach for AML compliance.

FATF Recommendation 1 states that parties must assess money laundering and terrorist financing risks that they face, along with establishing adequate protection according to established customer risk levels.

This shift does more than refine compliance: it also supports financial inclusion and streamlined operations.

Financial institutions using the RBA are better able to defend against potential threats by developing tailored AML approaches that both benefit low-risk account holders and minimize the negative effects of de-risking.

What is a Risk Based Approach AML as Per the Guidelines of FATF and FinCEN?

The risk based approach (RBA) to anti-money laundering compliance asks firms to shape their AML compliance plans according to risks linked with distinct customer profiles and ownership types, along with service products across different regions.

FATF states that implementing an RBA requires three groups, which include countries, their competent authorities, and financial institutions, to evaluate money laundering and terrorist financing risks so that the right resources are allocated and proper mitigation measures are deployed.

The Financial Crimes Enforcement Network (FinCEN) in the United States expects financial institutions to classify their users based on risk, assess customer activities, and follow up with continuous monitoring to detect suspicious behaviour.

Enhanced due diligence resources get directed to high-risk areas under this system, while basic procedures stay simple for low-risk cases.


Why is the Risk Based Approach Preferred over De-Risking?

Under FATF guidelines for financial institutions, the RBA takes precedence over de-risking because it enables organizations to manage their risks in an effective manner while sustaining inclusive financial services.

FATF defines de-risking as a practice that requires financial institutions to end or limit their business partnerships with clients as a method of avoiding risk instead of controlling it.

This approach tends to drive legitimate financial activity toward unregulated systems, which increases overall risk and weakens transparency.

The RBA, by contrast, enables financial institutions to determine individual customer or transaction risks and then apply suitable risk mitigation strategies.

The method allocates resources effectively by directing attention to problematic areas while letting low-risk clients keep their financial access.

FATF maintains that institutions must refrain from terminating entire categories of customers via de-risking practices since such practices violate its established standards.

Through the RBA framework, financial institutions improve their prevention of money laundering and terrorist financing while promoting financial inclusion worldwide.

Risk-based approach vs. de-risking

Step-by-Step Risk Based Approach Implementation: Complete Checklist

Imagine a financial institution working hard to stay ahead in the fight against financial crime. The process starts with understanding every customer who walks through the door.

Instead of scrutinizing all customers in the same way, the institution looks at who the customer is, the type of business they operate, where they operate it, and how they move money.

A customer who is considered a potential PEP (politically exposed person) or runs a heavy business in a high-risk country raises red flags, prompting the team to dig deeper.

Once risks are clear, a financial institution chooses the right path. For someone with little to no risk, a simple check is enough. Standard checks serve to validate the information of people who fall into the moderate risk category.

Enhanced due diligence takes over when suspicious circumstances arise, such as hidden ownership structures. High-risk status is revealed by AML technology, which offers adverse media screening, warnings, and regulatory enforcement screening, among other services.

The system uses AML compliance regtechs to authenticate identities and perform risk assessment of the clients by doing PEP screening, sanctions screening, watchlist screening, warnings, and regulatory enforcement screening.

Risk assessments require continuous monitoring, as entity risk is subject to ongoing updates due to evolving regulations or the entity being involved in any crime or criminal investigation. AML Regtechs provide real-time notifications to inform about the change in risk status.

The foundation of every initiative is a strong compliance culture that keeps staff members informed and trained for prompt action. The combination of human expertise with technology, along with flexible adaptation to change, protects institutions and their customers.

RBA Cycle

Risk Centric Approach in AML Regulatory Standards

Each of the following regulatory frameworks treats the RBA through its own lens:

Financial Action Task Force (FATF) Recommendations

The FATF’s 2012 recommendations elevated the risk based approach to a fundamental method for applying AML measures.

All members of the financial sphere, together with designated businesses, must assess risks and determine appropriate mitigation measures based on the nature of their risk.

EU Anti-Money Laundering Directives (AMLD)

The 4th AMLD (2015) and 5th AMLD (2018) bind both member states and obliged entities to perform customer due diligence through risk based analysis that distinguishes between high-risk and low-risk scenarios.

USA Patriot Act (2001) – Section 352

Financial institutions must develop risk-based AML programs that require internal policies and procedures to detect situations that warrant legitimate examination and subsequent reporting.

Bank Secrecy Act (BSA) – as Amended by the AML Act of 2020

Institutions' AML compliance programs must include policies that incorporate business risk evaluation and risk-based methodology, particularly for customer identification and monitoring systems.

Making the Shift to a Risk Based Approach Over De Risking

Excessive de-risking can lead to financial exclusion among marginalized segments, leading to the denial of opportunities.

For example, financial institutions practicing de-risking may consider immigrants from a war-torn country or one subject to terrorism or violence as high-risk, which results in service denial or offboarding. As a result, the marginalized population faces financial exclusion.

De-risking can also reduce earnings for financial institutions. For example, a bank in Eastern Europe may choose to de-risk a Russian client on suspicion that their name appears on a sanctions list, or because it considers them high risk since Russia is itself a high-risk country.


Notable Cases Revealing the Consequences of Weak Risk-Based AML Compliance

HSBC – $1.9 Billion AML Fine (2012)

The fine resulted from improper implementation of the risk-based approach:

  • Mexican drug cartels obtained money laundering capabilities through HSBC operations based in the United States, which led to a $1.9 billion fine for the bank.
  • Proper risk assessments on high-risk jurisdictions and customers received inadequate attention from the bank.
  • Systemwide failures occurred because HSBC did not properly label its customers according to risk rates.
  • These events caused significant improvements to both the AML framework and the implementation of risk-based AML systems.

Danske Bank – Estonian Branch Scandal (2007-2015)

Danske Bank paid over $7 million in fines in the Estonian branch scandal case for the following reasons:

  • Suspicious transactions worth more than €200 billion flowed through the Estonian operations of the bank.
  • The company failed to address warning signs as risk limits were enforced inadequately.
  • The scandal exposed why AML compliance officers should actively execute risk management controls.

How can Banks and other AML-obligated Sectors Implement a Risk Based Approach?

Financial institutions such as banks, payment service providers, FinTechs, money service businesses, and other AML obligated sectors can apply a structured risk based approach to money laundering to identify, examine, or alleviate all related monetary illegalities.

The complete process is carried out in 9 steps, which are given below in order:

1. Conduct Risk Assessment

Evaluate all possible risks related to:

  • Customers (e.g., politically exposed persons, high-net-worth individuals)
  • Geography (e.g., high-risk countries or regions)
  • Products or Services (e.g., anonymous transactions, virtual currencies)
  • Delivery Channels (e.g., online, face-to-face, third parties)

Each risk should be scored depending on its likelihood and potential impact.

2. Categorize Customers and Transactions

Group customers and transactions into the following categories:

  • Low Risk
  • Medium Risk
  • High Risk

The level of risk assists in deciding the type of due diligence to apply.

3. Apply Risk-Based Due Diligence Measures

Three major types of due diligence are usually implemented depending upon the situation, as given below:

  • Simplified Due Diligence (SDD): For low-risk customers.
  • Customer Due Diligence (CDD): For standard risk.
  • Enhanced Due Diligence (EDD): For high-risk cases, including deeper checks.

4. Implement Risk-Based Controls

Adjust AML controls depending on the risk level:

  • More regular transaction monitoring for high-risk customers.
  • Strict onboarding checks for risky geographies.
  • Continuous review of high-risk customer profiles.

5. Monitor and Review

Set up ongoing monitoring systems to:

  • Identify illegal patterns
  • Update risk assessments, as consumer behavior usually changes
  • Review controls regularly to make sure they remain effective

6. Train Staff Based on Risk Exposure

Provide training according to staff roles and the risk levels they deal with. For example:

  • Frontline staff should identify illegal activity.
  • The compliance department needs to interpret risk data and apply controls.

7. Maintain Documentation and Reporting

Financial institutions must keep records of the following:

  • Risk based assessment reports
  • Due diligence measures taken
  • Suspicious activity reports (SARs), to ensure transparency and regulatory compliance

8. Align with Regulatory Guidelines

Follow local and international regulatory measures such as FATF, EU AML directives, and FinCEN, and, most importantly, adjust your RBA as regulations change over time.

Advanced AML regtech offers accurate data screening so that the exact risk of a customer can be ascertained, which plays an important role in meeting regulatory measures.

9. Use of a Supporting RegTech tool

Use AML screening technology, which offers a 360-degree vetting approach to ensure accurate screening and has advanced PEP screening, sanctions screening, adverse media screening, warnings, and regulatory enforcement screening.


Why is there a Gap in Executing the RBA Approach?

The implementation of the risk based approach (RBA) faces important barriers that prevent its successful deployment.

  • Forrester reports that senior executive leadership exists for risk management in 36% of businesses. The absence of executive backing creates barriers when businesses try to dedicate resources to RBA implementation.
  • Financial institutions with large operations and a global customer base face difficulty in assessing the risk of customers due to a lack of access to risk assessment engines in the native language of customers. Hence, they face difficulty in ascertaining the accurate level of risk.
  • Several departments handle risks independently with no shared coordination, which produces fragmented risk based analysis solutions over an integrated RBA structure.
  • Obsolete technology systems are an obstacle to real-time risk management because they hamper current risk evaluation and monitoring capabilities.
  • This happens particularly with legacy risk assessment technology, in which data on PEPs, sanctioned individuals, adverse media, and watchlists is not updated in line with regulatory updates.
  • Addressing these problems demands that businesses value RBA implementation by investing resources into the proper execution of leadership programs and personnel development.

How does AML Watcher Help in Preventing De-Risking and implementing the Risk Based Approach?

Organizations struggle with two problems: unnecessarily blocking low-risk customers, and losing business connections because they lack a clear understanding of risk.

De-risking becomes a serious business problem because financial institutions choose to eliminate entire high-risk sectors instead of implementing sound risk management systems.

AML Watcher helps in the implementation of a risk based approach (RBA) through its proprietary data layer, which helps assess the risk of customers in line with global and jurisdiction-specific anti-money laundering laws.


What is Inside AML Watcher’s Data?

  • Access the Global PEP database, which contains 2.6 M+ profiles
  • Cover comprehensive data from 235+ countries
  • Use data from more than 3500 worldwide watchlists to perform complete screening operations
  • Explore detailed information on over 215 international sanctions regimes
  • Monitor regulatory enforcement actions and receive timely warnings
  • Utilize context-driven sanctions screening, which assists in understanding the scope of each sanction

Real-Time Risk Monitoring

  • Assists in ongoing monitoring by updating changes in customers’ risk
  • Supports customized risk assessment in line with jurisdiction-specific regulations
  • Provides data related to banking regulations and country-specific AML laws

360° Adaptive Risk Assessment

  • Helps in reducing unnecessary de-risking by ascertaining accurate risk
  • Evaluates entities across diverse regions, languages, and sectors
  • Enables customizable risk threshold based on the organization’s risk appetite and jurisdiction-specific regulations
  • Promotes informed decision-making instead of generalized restrictions

Advanced Name Matching

  • AML Watcher’s advanced name matching ensures accurate matching
  • Helps screen for aliases and nicknames
  • Ensures accurate screening, which takes into account different naming conventions and transliteration rules
  • Advanced fuzzy matching to reduce false positives
  • Use of unique identifiers such as identity card numbers, passport numbers, or biometric images as input

Customized Risk Profiles

  • Customized risk scores to reduce false positives
  • Custom risk profiles to ensure sanctions screening in line with risk appetite
  • Provide a sanctions list falling within your risk appetite and risk exposure, and ensure accurate screening.


Frequently Asked Questions

RBA means risk-based approach, a method used to identify, assess, and prioritize risks depending on their severity and likelihood. It helps allocate resources more effectively by focusing on high-risk areas to ensure better control of financial crimes.

Risk-based in an anti-money laundering (AML) program means adapting measures and controls depending on the level of money laundering risk that a customer, transaction, or any activity presents. Instead of applying the same rules to everyone, it allows stronger checks for high-risk cases and simpler checks for lower risks.

In the AML program of an insurance company, risk-based means assessing the potential risks of money laundering that are directly linked to products, customers, and distribution channels. High-risk policies (such as those with large premiums or early cash-out options) require increased monitoring.

The major reasoning behind implementing a risk-based anti-money laundering approach is to focus resources on areas with the highest potential for monetary illegalities. It allows for identifying and responding to risks more efficiently rather than applying uniform measures. This targeted strategy elevates compliance measures and ensures financial security.
