Risk matrix development

Understanding what is legally required of your institution, employees and customers is essential to a successful program.

The theory is that no financial institution can reasonably be expected to detect all wrongdoing by customers, including money laundering. But if an institution develops systems and procedures to detect, monitor and report the riskier customers and transactions, it will increase its chances of staying out of harm’s way from criminals and from government sanctions and penalties.

A risk-based approach requires institutions to have systems and controls that are commensurate with the specific risks of money laundering and terrorist financing facing them. Assessing this risk is, therefore, one of the most important steps in creating a good anti-money laundering compliance program. As money laundering risks increase, stronger controls are necessary. However, all categories of risk — whether low, medium or high — must be identified and mitigated by the application of controls, such as verification of customer identity, CDD policies, suspicious activity monitoring and economic sanctions screening.

A risk-based approach is preferable to a prescriptive approach in the area of AML and CTF, as it is more:
Flexible — as money laundering and terrorist financing risks vary across jurisdictions, customers, products and delivery channels, and over time.
Effective — as companies are better equipped than legislators to effectively assess and mitigate the particular money laundering and terrorist financing risks they face.
Proportionate — because a risk-based approach promotes a common sense and intelligent approach to fighting money laundering and terrorist financing as opposed to a “check the box” approach.

From Rule-based to Risk-based

Identification procedures

Know Your Customer

From Identification procedures to Customer due diligence

Which source?

Which methodology?

From risk assessment to risk scoring

The securities and financial institutions industry rules and regulations have many specific guidelines pertaining to BSA/AML Risk Profile and Risk Assessment. However, the industry rules and regulations are not very clear when it comes to specific guidelines and requirements defining how or when securities and financial institutions are required to assign a risk score to a customer or entity. Many securities and financial institutions are learning the benefits of risk scoring to identify the level of risk associated with a new customer or account by efficiently capturing CDD information during onboarding and ongoing monitoring. Due diligence information can generate an initial score for each new customer or account, and ongoing transaction data from existing monitoring systems (particularly high-risk transaction activity) can then be used to build and continuously update the customer’s risk score within a “Risk Profile” for each customer or entity.


However costly and time-consuming AML compliance may be, financial institutions that understand the importance of implementing a strong AML program will quickly realize its worth. In today’s world, any financial institution that does not appreciate the importance of a strong BSA/AML program targeting customer risk scoring and CDD needs to understand the costs and risks of having an inadequate AML program. When you have a strong AML program, the risk of financial loss due to penalties can be mitigated along with various other regulatory, legal and reputational risks.

From RE-active to PRO-active

What is Proactive Risk Management?

Proactive risk management improves an organization’s ability to avoid or manage both existing and emerging risks and helps it adapt quickly to unwanted events or crises. It helps build the understanding required to measure and manage emerging risks, which gives organizations a better view of tomorrow’s risk and how it impacts their business.

What differentiates a proactive risk management approach from a reactive one is the way risks are assessed, reported and mitigated. It involves carefully analyzing a situation or assessing processes to determine the potential risks, identifying drivers of risks to understand the root cause, assessing probability and impact to prioritize risks, and preparing a contingency plan accordingly. To do so, risk managers need to learn to assess the strength of the innovation component of the organization and use that information effectively to combat known and emerging risks. They should also focus on using the expertise of experienced risk managers to engage in strategic risk utilization.

Implementing Proactive Risk Management

Proactive Risk Management is not a process or an initiative but a discipline that an organization has to practice and make an integral part of the overall business strategy. It cannot be defined in a day and cannot be performed in isolation. It is a continuous process until it becomes an integral part of the organization’s risk culture.

Developing and implementing a preventive risk identification and management program helps businesses limit exposure, save costs, and enhance value for stakeholders. However, there are challenges that need to be managed before seeing the results of such an approach, for example, lack of clear understanding about the spectrum of risks and consequences, lack of relevant tools and techniques, availability of data in silos, limited resources, and absence of tone-at-the-top.

Delivering effective and proactive Risk Management requires an organization to have more clarity about the breadth of risks facing the business and to understand the potential threats and opportunities in alignment with the overall business strategy in order to plan appropriate mitigation action. Ensuring proper communication between all stakeholders across functions and harnessing the benefits of technology are also crucial elements in creating greater business value.

Capture and Store Data Elements pertaining to risks (AML/fraud/reputation)
Anticipated utilization of account and anticipated activity in account
Non-individuals (industry segment, number of employees, gross annual revenue, sales volumes, complexity, geographies, etc.)
Individuals (citizens, foreign nationals, politically exposed persons, employed/self-employed/unemployed/student/retired)
Customer’s characteristics
Capture and store documentary evidence
Use data elements to auto generate customer’s initial risk score
Capture and record key transaction data that bears risks
Types and amounts of returned credits (i.e., RDIs, WICs, Disputed ACH transactions, etc.)
Volumes and dollar amounts of foreign wires (particularly those sent to High Risk Countries)
Volumes of Global Trade Product Transactions
Number of currency transaction reports filed on the customer
Number of triggered alerts on the customer through the AML automated alerting platform
Continuously refresh the customer’s automated risk profile
By (i) comparing ongoing to stated anticipated activity, (ii) developing triggering thresholds for dollar amounts and volumes of activities deemed higher risk (e.g., cash, wires, transactions in high risk jurisdictions, etc.) and (iii) other automated analysis of the onboarding data and ongoing data, automatically categorize customers within different risk categories, so that at any point in time a customer’s “risk score” is known.
For customers falling into the Higher Risk Categories, include a level of human involvement in the refinement of the calculated risk “score” and escalate certain customers for closure
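
The capture, score and refresh steps listed above, as an added example (not from the original page or any institution's system). Every weight, threshold, field name and country code in it is an assumption chosen for illustration; the page prescribes none of them.

```python
from dataclasses import dataclass

# Weights, thresholds, field names and country codes are illustrative assumptions.
HIGH_RISK_COUNTRIES = {"XX", "XY"}  # constructed placeholder codes

@dataclass
class Customer:                     # CDD data elements captured at onboarding
    is_individual: bool
    pep: bool                       # politically exposed person
    foreign_national: bool
    cash_intensive: bool            # industry-segment flag for non-individuals
    expected_monthly_usd: float     # stated anticipated activity
    expected_foreign_wires: int

@dataclass
class Activity:                     # one month of monitored transaction data
    total_usd: float
    foreign_wires: list             # destination country code per wire
    returned_credits: int
    ctrs_filed: int                 # currency transaction reports
    alerts: int                     # alerts from the automated AML platform

def initial_score(c):
    """Initial risk score generated from onboarding data elements only."""
    score = 10
    score += 30 if c.pep else 0
    score += 10 if c.foreign_national else 0
    score += 15 if (not c.is_individual and c.cash_intensive) else 0
    return score

def refreshed_score(c, a):
    """Initial score plus (i) deviation from anticipated activity and (ii) thresholds."""
    score = initial_score(c)
    if a.total_usd > 2 * c.expected_monthly_usd:         # (i) far above stated volume
        score += 20
    if len(a.foreign_wires) > c.expected_foreign_wires:  # (i) more wires than stated
        score += 10
    hr_wires = sum(1 for cc in a.foreign_wires if cc in HIGH_RISK_COUNTRIES)
    score += min(hr_wires * 10, 30)                      # (ii) each factor is capped
    score += min(a.returned_credits * 2, 10)
    score += min(a.ctrs_filed * 5, 15)
    score += min(a.alerts * 5, 20)
    return min(score, 100)

def categorize(score):
    """Return (category, needs_human_review); high risk goes to an analyst."""
    category = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return category, category == "high"
```

Capping each factor keeps a single noisy signal, such as a burst of alerts, from pushing a customer into the high category on its own.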