What is a Risk-Based Approach to AML?

Money laundering, the depositing or transferring of funds that come from illicit activity, is a global and growing problem. The United Nations Office on Drugs and Crime (UNODC) estimates that the amount of money laundered annually from criminal activities worldwide is more than 2% of global GDP ($1.7 trillion, in today’s figures). In the Eurojust Report on Money Laundering 2022, the European Union Agency for Criminal Justice Cooperation reports that cases registered with the agency have doubled in the last six years.

Anti-Money Laundering (AML) refers to a wide set of laws and regulations mandating steps that financial institutions and other regulated industries must take to prevent criminals from laundering money. These regulations are designed to ‘counter the financing of terrorism’ (CFT) and other illicit activities. Regulated businesses must not knowingly or unknowingly aid these activities.

Risk-Based AML and Global Regulation

There are Anti-Money Laundering regulatory bodies with national and international jurisdictions applicable in different geographies around the world: where a company operates determines the local and international regulations it needs to comply with to do business. The Financial Action Task Force (FATF) is the global money laundering and terrorist financing watchdog. This inter-governmental body sets international standards that aim to prevent these illegal activities and the harm they cause to society. As a policy-making body, the FATF works with governments and national regulatory bodies to achieve regulatory reforms and covers more than 200 countries and jurisdictions.

A ‘risk-based approach’ to AML was first proposed in 2000 by the then UK Financial Services Authority (FSA), now the Financial Conduct Authority (FCA), and further defined by the FATF in 2012. Its principle is proactive management of risk: deploying the right level of security and scrutiny to control these risks.

A risk-based approach to AML:

A payment services company plans to launch a new payment card. The risk assessment should consider:

  • Who is the target customer demographic (individual risk)?
  • What are the target markets and their regulations/regulatory bodies (geographic & regulatory risks)?
  • How will the card be delivered to the customer (channel risk)?
  • What will the card limits be (transaction risk)?
  • Are there any marketing offers (product/service risk) that carry the risk of abuse?

Common AML Risk Factors

A proactive risk-based approach to AML relies on accurate risk assessment. There are distinct areas of risk that regulated industries need to focus on in that assessment:

Individual Risks

Governments are responsible for collecting and maintaining lists of high-risk individuals. These sanctions lists typically include known fraudsters, money launderers, terrorists and red-flagged ‘Politically Exposed Persons’ (PEPs) and their associates—individuals assessed as high-risk because of their influence and access to large funds. Checking for high-risk individuals is a Know Your Customer (KYC) regulatory requirement.

Geographic Risks

Governing bodies (such as HM Treasury in the UK or FinCEN in the US) also compile assessments of the risk posed by geographic jurisdictions, flagging unsatisfactory money laundering and terrorist financing controls. Geography determines the laws, regulations, technology, security, data privacy and data accuracy of a business environment, so a proactive risk-based approach to AML needs to take into account the market-specific risk present for a product or service.

Channel Risks

The way a product or service is taken to market can affect the risk. In an increasingly digital economy, internet-mediated sales of products and services carry an inherent risk of identity fraud without a suitably robust digital identity verification and authentication process in place. Meanwhile, third-party services or payments associated with product or service delivery can increase the assessment of risk associated with a transaction.

Transaction Risks

There are a variety of indicators that might red-flag an individual transaction as higher risk. An unusually large transaction or unusual activity that seems to sit outside normal commercial activities might represent a risk factor. Transactions may also be assessed as higher risk because they are complex in nature, or because of the payment type (cash or cryptocurrency) or the routing of payments.

How to Implement a Risk-Based Approach to AML

Managing a risk-based approach to AML is like managing any other risks in your business. For example, a health and safety risk management cycle in a factory would typically include identifying and assessing hazards, establishing procedures for safely controlling those dangers and reviewing and reporting on the controls in place. A piece of machinery or manufacturing process may present higher risk of injury; this doesn’t mean that the manufacturer cannot use it, it means that the factory must maintain tight controls over its use to operate safely.

A risk-based approach to AML follows a similar process and the same logic:

1. Identify Business Risks

To identify AML risk, a business must first conduct a review of its product or service portfolio, reflecting common AML risk factors and its own size and complexity, for example:

  • Customers: what do you know about the type of customers for your service?
  • Geography: what is the exposure of the target markets to financial crime?
  • Delivery Channel: how will the product or service be delivered to the customer?
  • Industry: how advanced are the regulations governing your industry?
  • Monetary Value: does your product or service have a high monetary value?
  • Regulatory Controls: how advanced are the regulations in the industry?
  • Product / Service: how much monetary value can be gained?
  • Market: what is the exposure of the market to financial crime?
  • Process Controls: how well do you document and follow your processes as a business?

2. Assessment of the Risks

Central to a risk-based approach to AML is an assessment of a product or service’s exposure to risks occurring and the potential impact. Using a table of risk factors for each product, a business can begin by assigning an ‘unknown’ level of risk until review allows the assignment of ‘low’, ‘medium’ or ‘high’, or the deployment of effective mitigation policies or procedures helps adjust the risk level.

The FATF guide to National Money Laundering and Terrorist Financing Risk Assessment shows how to rank risks using a simple matrix.

A risk-based approach to AML:

A business plans to launch a new crypto exchange. The risk assessment should consider:

  • Who is applying to trade (individual risk)?
  • Where are the customers using the exchange residing (geographic & regulatory risks)?
  • How will the platform be made available and secure (channel risk)?
  • What limits will be placed on any transactions (transaction risk)?
  • Are there any marketing offers (product/service risk) that carry the risk of abuse?

3. Implement Policies Mitigating Risks

Once assessment is complete, a risk-based approach shifts to policies and implementation of solutions to mitigate risks. These should ensure that the right level of scrutiny is applied—a balance that pivots towards security for high risks and towards minimizing customer friction for low risks.

Anti-Money Laundering Technology

Managing and mitigating risk is likely to include an orchestrated combination of solutions and processes to cover different business activities and activity risk profiles. There are a lot of AML tools out there, the best of which will automate risk-assessment for new customers and new transactions in real time.

The key Anti-Money Laundering technologies break down into two categories:

Know Your Customer

Know Your Customer (KYC) refers to the customer due diligence (CDD) and enhanced due diligence (EDD) that regulated companies carry out to ensure their customers are genuine and do not pose an individual risk to the business at the point of onboarding and as part of continuous monitoring during the business relationship.

In an increasingly digital economy, solutions for digital identity verification and identity proofing are always advancing. These technologies can assess whether an identity is genuine and whether the person presenting it is the legitimate owner. They can also assess the risk or reputation of that identity based on past activities and continue to review risk with ongoing monitoring, helping a business to know its customers.

Transaction Monitoring

The process of monitoring a customer’s transactions such as transfers, deposits and withdrawals is known as transaction monitoring. Transaction monitoring solutions are designed to mitigate the risk of money laundering and prevent it before it occurs by monitoring digital transactions across all business channels for suspicious behavior that could indicate money laundering.

The cost of these solutions to the business is a consideration, but one which needs to be weighed against the potential cost of fraudulent activity, fines and reputational damage.

Businesses also need to balance risk mitigation with customer experience when deploying Anti-Money Laundering technologies, flexibly adapting controls for the level of risk an individual customer or transaction is assessed to represent to the business. Speed and convenience matter as much as security for services that inspire trust. Not every customer journey needs to take the most secure route, and unnecessary friction that causes prospective customers or transactions to drop should be dialed down.

*This blog was originally published by GBG.
