What is a risk-based approach to AML?
Daniel Lane
Money laundering, the depositing or transferring funds that come from illicit activity, is a global and growing problem. The United Nations Office on Drugs and Crime (UNODC) estimates that the amount of money laundered from criminal activities worldwide annually is in excess of 2% of global GDP ($1.7 trillion, in today’s figures). In the Eurojust Report on Money Laundering 2022, the European Union Agency for Criminal Justice Cooperation reports that cases registered with the agency have doubled in the last six years.
Anti-Money Laundering (AML) refers to a wide set of laws and regulations mandating steps that financial institutions and other regulated industries must take to prevent criminals from laundering money. These regulations are designed to ‘counter the financing of terrorism’ (CFT) and other illicit activities. Regulated business must not knowingly or unknowingly aid these activities.
“Anti-Money Laundering (AML) refers to a wide set of laws and regulations mandating steps that financial institutions and other regulated industries must take to prevent criminals from laundering money.”
Risk-based AML and global regulation
There are Anti-Money Laundering regulatory bodies with national and international jurisdictions applicable in different geographies around the world: where a company operates determines the local and international regulations it needs to comply with to do business. The Financial Action Task Force (FATF) is the global money laundering and terrorist financing watchdog. This inter-governmental body sets international standards that aim to prevent these illegal activities and the harm they cause to society. As a policy-making body, the FATF works with governments and national regulatory bodies to achieve regulatory reforms. It covers more than 200 countries and jurisdictions.
A 'risk-based approach' to AML was first proposed by the then UK Financial Services Authority (FSA), now the Financial Conduct Authority (FCA) in 2000 and further defined by the FATF in 2012. The principle of proactive management of risk, deploying the right level of security and scrutiny to control these risks was established.
A risk-based approach to AML
A payment services company plans to launch a new payment card. The risk assessment should consider, who is the target customer demographic (individual risk), what are the target markets and their regulations/regulatory bodies (geographic & regulatory risks), how the card will be delivered to the customer (channel risk), what the card limits will be (transaction risk) and if there are any marketing offers (product/service risk) that carry the risk of abuse.
Common AML risk factors
A proactive risk-based approach to AML relies on accurate risk assessment and there are distinct areas of risk that regulated industries need to focus on in that assessment.
Individual risks
Governments are responsible for collecting and maintaining lists of high-risk individuals. These sanction lists typically include known fraudsters, money launders, terrorists, and also red-flagged ‘Politically Exposed Persons’ (PEPs) and their associates; individuals assessed as high-risk because of their influence and access to large funds.
Checking for high-risk individuals is a Know Your Customer (KYC) regulatory requirement.
Geographic risks
Governing bodies (such as HM Treasury in the United Kingdom) also compile assessments of the risk posed by geographic jurisdictions, flagging unsatisfactory money laundering and terrorist financing controls. Geography determines the laws, regulations, technology, security, data privacy and data accuracy of a business environment, so a proactive risk-based approach to AML needs to take account of the market-specific risk present for a product or service.
Channel risks
The way a product or service is taken to market can affect the risk. In an increasingly digital economy, internet-mediated sales of a product and services carry an inherent risk of identity fraud without a suitably robust digital identity verification and authentication process in place. Meanwhile, third-party services or payments associated with product or service delivery can increase the assessment of risk associated with a transaction.
“A proactive risk-based approach to AML relies on accurate risk assessment and there are distinct areas of risk that regulated industries need to focus on in that assessment.”
Transaction risks
There are a variety of indicators that might red-flag an individual transaction as higher risk.
An unusually large transaction or unusual activity that seems to sit outside normal commercial activities might represent a risk factor. Transactions that are complex in nature or involve payment type (cash or cryptocurrency) or routing of payments may also be assessed as higher risk.
Real-time AML risk mitigation for digital transactions across all channels
How to implement a risk-based approach to AML
Managing a risk-based approach to AML is like managing any other risks in your business. For example, a health and safety risk management cycle in a factory would typically include identifying and assessing hazards, establishing procedures for safely controlling those dangers, reviewing and reporting on the controls in place. A piece of machinery or manufacturing process may present higher risk of injury; this doesn’t mean that the manufacturer cannot use it, it means that the factory must maintain tight controls over its use to operate safely.
A risk-based approach to AML follows a similar process and the same logic.
-
Identifying business risks
To identify AML risk, a business must first conduct a review of its product or service portfolio, reflecting common AML risk factors and its own size and complexity, for example,
- Customers: what do you know about the type of customers for your service?
- Geography: what is the exposure of the target markets to financial crime?
- Delivery channel: how will the product or service be delivered to the customer?
- Industry: how advanced are the regulations governing your industry?
- Monetary value: does your product or service have a high monetary value?
- Regulatory controls: how advanced are the regulations in the industry?
- Product / service: how much monetary value can be gained?
- Market: what is the exposure of the market to financial crime?
- Process controls: how well do you document and follow your processes as a business?
-
Assessment of the risks
Central to a risk-based approach to AML is an assessment of a product or service’s exposure to risks occurring and the potential impact. Using a table of risk factors for each product, a business can begin by assigning an ‘unknown’ level of risk until review allows the assignment of ‘low’, ‘medium’ or ‘high’, or the deployment of effective mitigation policies or procedures helps adjust the risk level.
The FATF guide to National money laundering and terrorist financing risk assessment shows how to rank risks using a simple matrix.
A risk-based approach to AML
A business plans to launch a new crypto exchange. The risk assessment should consider, who is applying to trade (individual risk), where the customers using the exchange are residing (geographic & regulatory risks), how the platform will be made available and secure (channel risk), what limits will be placed on any transactions (transaction risk) and if there are any marketing offers (product/service risk) that carry the risk of abuse.
-
Implement policies mitigating risks
Once assessment is complete, a risk-based approach shifts to policies and implementation of solutions to mitigate risks. These should ensure that the right level of scrutiny is applied; a balance that pivots towards security for high risks and towards minimising customer friction for low risks.
Detect and take action to prevent money laundering
Anti-Money Laundering technology
Managing and mitigating risk is likely to include an orchestrated combination of solutions and processes to cover different business activities and activity risk profiles. There are a lot of AML tools out there, the best of which will automate risk-assessment for new customers and new transactions in real time.
The key Anti-Money Laundering technologies breakdown into two key categories.
Know your customer
Know your customer (KYC) refers to the customer due diligence (CDD) and enhanced due diligence (EDD) that regulated companies carry out to ensure their customers are genuine and do not pose an individual risk to the business at the point of onboarding and as part of continuous monitoring during the business relationship.
In an increasingly digital economy, solutions for digital identity verification and identity proofing are always advancing. These technologies can assess whether an identity is genuine and whether the person presenting it is the legitimate owner. They can also assess the risk or reputation of that identity based on past activities and continue to review risk with ongoing monitoring, helping a business to know its customers.
Know your customer and protect your business
Transaction monitoring
The process of monitoring a customer's transactions such as transfers, deposits and withdrawals is known as transaction monitoring. Transaction monitoring solutions are designed to mitigate the risk of money laundering, monitoring digital transactions across all business channels for suspicious behaviour which could indicate money laundering occurring and preventing it before it occurs.
The cost of these solutions to the business is a consideration but one which needs to be weighed against the potential cost of fraudulent activity, fines and reputational damage.
Businesses also need to balance risk mitigation with customer experience when deploying Anti-Money Laundering technologies, flexibly adapting controls for the level of risk an individual customer or transaction is assessed to represent to the business. Speed and convenience matter as much as security for services that inspire trust. Not every customer journey needs to take the most secure route and unnecessary friction that causes prospective customers or transactions to drop should be dialled down.
“Central to a risk-based approach to AML is an assessment of a product or service’s exposure to risks occurring and the potential impact.”
Frequently asked questions
What is Anti-Money Laundering?
Anti-Money Laundering (AML) refers to a wide set of laws and regulations mandating steps that financial institutions and other regulated industries must take to prevent criminals from laundering money. These regulations are designed to ‘counter the financing of terrorism’ (CFT) and other illicit activities. Regulated business must not knowingly or unknowingly aid these activities.
What is a risk-based AML assessment?
Central to a risk-based approach to AML is an assessment of a product or service’s exposure to individual customer, geographic, channel, transaction or other risk factors occurring. The level (low, medium or high) of that risk and the potential impact on the business is assessed so that mitigating policies and procedures can be devised and implemented.
Where can I find industry-specific guidance to risk-based AML?
Many of the national and international AML regulatory bodies, produce industry-specific guidance for a risk-based approach to AML around the world. FATF publishes recommendations and risk-based guidance for several industries; including accountancy services, banking, cryptocurrencies, legal and real estate services. Professional bodies representing highly regulated industries also produce industry-specific guidance.
What is Know Your Customer?
Know your customer (KYC) refers to the customer due diligence (CDD) and enhanced due diligence (EDD) that regulated companies carry out to ensure their customers are genuine and do not pose an individual risk to the business at the point of onboarding and as part of continuous monitoring during the business relationship.
Sign up for more expert insight
Hear from us when we launch new research, guides and reports.
