By FAROKH KEKI ADARIAN – CAMS-Audit, MBA (Banking); CFCS, ICA Prof.Pg Dip (FCC);
Int.Dip (GRC); FICA Certified Professional
CAMS-AUDIT
Exploring an Industry-Wide Standard to Customer Risk Assessment -
Proposing a Best Practice Model for Banks
Contents
I. Executive Summary
II. Background
  A. Introduction to the Risk-Based Approach and Risk Assessments
  B. Presenting the Problem and Research Questions
III. The Solution – Theoretical Foundation
  A. Definitions
  B. Mandatory Contextual Factors Limiting CRA Standardization
  C. Exploring an Industry-Wide CRA Model
IV. Harmonized CRA Benefits – Creating Stakeholder Value
  A. An Industry-Wide Global CRA Standard
  B. Value to Banks and their MLROs and Compliance Officials
  C. Value to AML Auditors
V. Model Limitations and Conclusion
VI. Acknowledgements
Appendices
VII. References
Annexures
I. Executive Summary
The risk-based approach (RBA) is the cornerstone of a firm’s anti-money laundering (AML)
program. Fundamental to this approach is the money laundering/terrorist financing
(ML/TF) risk assessment, which, as a starting point, enables a firm to identify, understand
and assess the ML/TF risks to which it is exposed. These identified risks are then prioritized
and mitigated or managed by the firm, directing resources and controls first to the highest
risks identified, in line with the RBA.
Conceptually, the RBA is logical and provides flexibility to individual firms to design and
implement their own AML programs, which in turn, are supervised by their regulators.
However, by its very essence, the RBA demands active and dynamic participation by firms,
in terms of using their expertise, knowledge and judgement to conduct effective risk
assessments and develop robust AML programs appropriate to effectively manage the risks
facing their particular organizations.
There is no dearth of literature on the RBA. Similarly, industry, national or supranational
guidance on conducting risk assessments is abundant. Notwithstanding the above and the
maturity of AML systems in many countries, deficiencies in risk assessments continue to
feature regularly in enforcement actions and regulatory findings globally. Clearly, firms are
not getting their risk assessments right.
In an industry-wide AML survey by LexisNexis and ACAMS, one of the main challenges
identified in the area of risk assessments was the “lack of standardization.” Simply put,
despite the inundating amount of AML literature and guidance, there is no universally
agreed and accepted methodology that prescribes the nature and extent of risk
assessments, leaving individual firms to decide on the methodology they wish to deploy,
based on their own understanding and analysis of risks. Pragmatically speaking, firms seek
a standard risk assessment methodology, aligned with regulatory and industry
expectations.
This white paper is a conceptual attempt in this direction. The challenge faced in proposing
an industry-wide risk assessment model comes from the fact that the words “standard” and
“risk” are not generally mentioned in the same sentence in AML literature. While
consistent with the basic tenets of the RBA, this paper explores the concept of
“harmonization,” in order to present a conceptual and harmonized customer risk
assessment model for banks. As opposed to process “standardization,” which in its strict
sense seeks to achieve uniformity of process activities (i.e., aims at only one uniform, global
standard), process “harmonization” seeks to align similar process activities based on a
single, focused business objective, while recognizing that some mandatory differences
(process variants) may be essential and will remain. The harmonization of laws in the EU
member states is one such empirical example.
The proposed harmonized model is based on a contingency theory and it explores the
limits to which customer risk assessments can be standardized. The model recognizes and
permits certain contextual factors (termed “mandatory contextual factors”), which result
in local level process variability. This makes the model practical and easy to adopt by banks,
as regional or firm specific idiosyncrasies can be factored into the model. Furthermore, as the
model is fundamentally based on publicly available and credible national, supranational
and industry AML guidance, it is also proposed as a best practice model, enabling banks to
consume the best practice AML standards in their risk assessments.
Having proposed the model, this paper evaluates and presents its perceived benefits in
terms of value creation for banks, their money laundering reporting officers, compliance
officers and AML auditors. This paper concludes by highlighting model limitations and
suggesting areas for further research in this largely unexplored arena.
II. Background
The RBA and ML/TF risk assessments are interdependent and rather common terminology
used within the AML industry. It follows that the starting point of the RBA is a risk
assessment.
While the implementation of an RBA makes the AML regulation more flexible, it also
increases the responsibilities on individual firms to administer and implement their AML
programs effectively. In other words, under the RBA, the legislator/regulator effectively
delegates the design and implementation of the AML program to an individual firm, which
in turn is monitored and assessed by its regulator.
A brief introduction to the concepts is provided below.
A. Introduction to the Risk-Based Approach and Risk Assessments
1. The Risk-Based Approach
RBA was introduced by the Financial Action Task Force (FATF) in its Recommendations
and it forms the foundation of an anti-money laundering/counter-terrorist financing
(AML/CTF) compliance program. In essence, the RBA implies that as a starting point,
countries, competent authorities and firms (entities) need to identify, understand and
assess the ML/TF risks to which they are exposed. Based on these identified risks,
entities then need to prioritize these risks and allocate resources, conduct varying levels
of due diligence (simplified, standard or enhanced) and build controls and monitoring
mechanisms to effectively manage these risks. As a rule, the higher the risks assessed,
the greater should be the resource allocation, client
and transaction due diligence, transaction
monitoring and controls to enable effective risk
management.
2. ML/TF Risk Assessments
Having perused the essence of an RBA, it is easy to
appreciate that the RBA (and consequentially, a
firm’s AML program) cannot be effective without an
effective risk assessment. Simply put, one cannot
manage risks effectively where the risks themselves are
not recognized, understood and assessed!
There are basically two broad levels at which firms
conduct their risk assessments:
a. An Enterprise-Wide Risk Assessment (EWRA)
An EWRA is conducted across the firm or its
group (group-wide risk assessment) to
understand and assess the total ML/TF risks
faced. It considers, inter alia, the organization’s
markets and business lines, its geographical
footprint, customers it deals with, products and
services it offers, delivery channels used to
onboard its customers and used to conduct their
transactions, and other qualitative risk factors
facing the firm such as reliance on third parties,
recent/planned acquisitions, recent enforcement
actions, etc.
“The key purpose of a money laundering risk assessment [EWRA] is to drive improvements in financial crime risk management through identifying the general and specific money laundering risks a financial institution is facing, determining how these risks are mitigated by a firm’s AML program controls and establishing the residual risk that remains for the financial institution” [21, p.3]
b. Customer Risk Assessment (CRA)
In addition to an EWRA, firms also undertake ML/TF risk assessments of their customers. The
objective here is to determine the ML/TF risks associated with a particular customer relationship
or an occasional transaction (for a non-customer undertaking a one-off financial transaction with
the bank). Based on the CRA model deployed, each customer is assigned an overall ML/TF risk
score, which is then used to risk categorize customers (say, into high, medium or low risk).
“A financial institution should ensure that its internal controls are proportionately aligned to the risks posed by the range of its clients [CRA], where the highest risk clients will be the object of the most rigorous AML controls, whether through onboarding standards, enhanced due diligence, enhanced monitoring and/or more frequent periodic reviews” [21, p.13]
“While the RBA confers flexibility, it also demands an active and dynamic participation by firms, in terms of requiring them to use their expertise, knowledge and judgement to conduct effective ML/TF risk assessments and develop robust AML programs appropriate to effectively manage the ML/TF risks facing their particular organizations.”
The scope of this white paper is restricted to customer risk assessment (CRA) methodology
across the banking industry.
B. Presenting the Problem and Research Questions
1. “The Problem” – No Industry-Wide Standard Form or Template Exists for ML/TF Risk Assessments
At this moment, it is apt to consider the following questions with respect to ML/TF risk
assessments:
- How do firms practically identify and assess their ML/TF risks?
- Is there any defined or standard methodology for firms to follow while undertaking such risk assessments?
- What are the regulators’ expectations in this regard? Is the firm’s risk assessment approach sufficiently ring-fenced?
Finding the appropriate answers to the above questions presents practical global
challenges and it has been the subject matter of many surveys, articles and research in
the AML industry.
According to a joint research study, “Current
Industry Perspectives into Anti-Money
Laundering Risk Management and Due Diligence”,
conducted by LexisNexis and ACAMS in 2015, to
examine how the AML community is managing its
customer enhanced due diligence and ML risk
assessment processes, one of the main challenges
identified in the area of risk assessments was the
lack of standardization.
In their June 2013 AML survey, the following
question was posed to the 461 survey participants:
“Do you see a need for an industry-wide standard
risk assessment?” 70.1 percent of the survey
participants answered in the affirmative,
evidencing a long-standing industry need for a
standard approach, framework or model for firms
to undertake their risk assessments.
“[The ML risk assessment was a] lengthy and exhaustive process—no standardization from the industry itself”.
“There should be a standardized template [for risk assessment to] which organizations may customize to suit its own business”.
LexisNexis & ACAMS Survey [35], 2015
2. Problem Validation
The RBA emphasizes that there is no “one-size-fits-all” approach to the risk assessments.
Logically, this makes sense. Consider some of the following empirically observed facts:
- Many multinational firms operate globally in different markets and have to account for their different legal and regulatory systems;
- There exists a wide and differing range of products and services firms offer;
- Firms today deal with different types of customers, who in turn are domiciled/incorporated/operate in different locations across the globe;
- With the advent of technology and globalization, channels used to onboard customers and conduct their transactions (e.g., internet, mobile, etc.) differ and are ever evolving (e.g., payment systems, etc.);
- Firm specific idiosyncrasies do exist, e.g., an audit observation or an enforcement action, third-party reliance, etc.
Each of these factors, in turn, introduces vulnerability and varying degrees of ML/TF risks
to which an individual firm is exposed. The RBA accordingly requires the firm to assess its
own unique risk exposure, adopting its own risk assessment methodology, appropriate to
suit its profile, structure, products, geographies, channels, etc., with such methodology
being well-documented with a proper rationale and approved by its senior management.
To enable firms to conduct effective risk assessments, guidance has been issued from time
to time by many industry setting global bodies like the FATF, the Wolfsberg Group,
supranational authorities like the E.U., national regulators and industry bodies (collectively
termed “Global AML Guidance” - refer to Annexure 2 on page 33). However, notwithstanding
this global AML guidance and the level of maturity of AML/CTF systems in many countries,
deficiencies in risk assessments are regularly featured in regulatory/enforcement actions
across countries.
Clearly, firms are not “getting their risk assessments right,” and as evident from the AML
survey, “seek a standard risk assessment methodology,” aligned with regulatory and
industry expectations.
This white paper attempts to explore an industry-wide (harmonized) CRA model, using a
conceptual model based on contingency theory. In addition, this paper seeks to
determine the extent to which CRA processes can be standardized, while recognizing
certain mandatory contextual factors which necessitate local level variability in risk
assessments. Finally, as the model is based on the fundamentals of global AML guidance,
it is also proposed as a best practice model for banks.
3. Framing the Research Questions
Based on the above motivation, the main research questions are as follows:
a) Which contextual factors necessitate mandatory or unavoidable variances in CRA
processes across the banking industry? What are the consequential limits to CRA
process standardization?
b) What are the benefits of CRA standardization to banks, their money laundering reporting
officers (MLROs), compliance officials and auditors (stakeholders)?
III. The Solution—Theoretical Foundation
As a means to approach the objective of this white paper, the author refers to and builds
upon the conceptual model proposed by H.L. Romero and Paul W.P.J. Grefen et al. [5] (2015),
which is based on contingency theory as the guiding theory.
Contingency theory suggests that there is no single ‘best way’ to manage an organization;
instead, successful organizations adopt processes and structures that provide the “best fit”
to their internal and external business environments. Using the contingency theory and
undertaking a literature review, Romero et al. identify 11 contextual factors that affect
different aspects of process standardization in organizations.
The Romero et al. conceptual model proposes that the extent to which business processes
can be standardized (i.e., the level of process harmonization), is dependent on these 11
contextual factors in the organization and its environment. The model further examines
the impact of such standardization (level of harmonization) on business performance. The
Romero et al. model is presented in Annexure 1.
The author adopts and builds on the Romero et al. model, analyzing each of these 11
contextual factors, which influence the level of business process harmonization from an
ML/TF risk assessment process perspective. In particular, the author acknowledges the
following:
1. their relevance to the CRA process harmonization, and
2. the available global AML guidance, in particular, the customer risk factors identified
therein.
The objective of the analysis is to narrow down to those relevant contextual factors, which
necessitate mandatory or unavoidable variations in the CRA processes across banks
(termed the Mandatory Contextual Factors [MCFs]). By definition, MCFs cannot be
standardized. Therefore, MCFs set limits to the extent of CRA process standardization (i.e.,
the extent to which CRA processes across banks may be made uniform).
To identify the extent of CRA process standardization, the author undertakes a
comparative analysis of customer risk factors across the customer risk categories, as
detailed in the available global AML guidance, to identify the quoted customer risk factors
(QCRFs).
Therefore, the proposed harmonized model
incorporates the best AML practice QCRFs
identified in the global AML guidance, while
providing for local level variability (to the extent
of the MCFs identified), thereby enabling banks
to adopt and adapt to the model while
undertaking their CRAs.
Having presented the best practice harmonized
CRA model, the benefits of this model in
creating value for banks, their MLROs,
compliance officials and internal and external
auditors (termed stakeholders) are evaluated.
The (modified) conceptual model proposed by the author is shown in Figure 1 below:
[Figure 1 diagram: Mandatory Contextual Factors → Extent of CRA Standardization → Stakeholder Value]
Figure 1: Relation between mandatory contextual factors, extent of CRA standardization and stakeholder value.
The model comprises three interdependent parts viz., first, the mandatory contextual
factors (MCFs), which explain the need for firm specific CRA process variations (i.e.,
process variants that cannot be standardized); second, how these MCFs affect the CRA
process standardization (determining the extent of CRA process standardization or the
level of harmonization), and finally, the expected value created for stakeholders, resulting
from the CRA process harmonization.
As we embark on the model, the following definitions are relevant to our analysis.
“The proposed harmonized
CRA model incorporates the
best AML practice customer
risk factors identified in the
global AML guidance, while
providing for local level
variability, thereby enabling
banks to adopt and adapt to
the model.”
A. Definitions
To understand the model, a brief introduction and definitions of the concepts
‘standardization,’ ‘harmonization’ and ‘contextual factors’ are provided in this section.
1. Standardization
Standardization is about conformity. Davenport defines process standardization as “the
unification of business processes and the underlying actions within a company…” [36]. As
Tregear (2010) highlights, the main goal of process standardization is the development of
one standard or a best practice process used as a template for all instances of the process
throughout organizations [28].
2. Harmonization
Harmonization is defined by the Business Dictionary as
“the adjustment of differences and inconsistencies
among different measurements, methods, procedures,
schedules, specifications, or systems to make them
uniform or mutually compatible.”
While process harmonization does not impose a strict one-standard process upon all, it
does entail decision-making on the extent to which different processes are standardized
(i.e., determining the ‘level of harmonization’ [number of process variants post
harmonization]). By its strict definition, standardization has only one process variant.
3. The “Trade-off”—Level of Harmonization
In practice, global uniformity of processes (i.e., standardization) is not always achieved.
Indeed, it has been empirically shown that some variability cannot be avoided (Frei et al.
[29], 1999). Tregear (2010) emphasizes that complete or global uniformity should not be
strived for; rather, a trade-off should be struck between global uniformity and local
variability (the harmonization level) [28]. This is depicted in Figure 2 below.
[Figure 2 labels: Global Uniformity | “The Trade-off” - Harmonization Level | Total Diversity]
Figure 2: The “Trade-off”—Determining the Level of Process Harmonization
“Process standardization differs from process harmonization mainly in its goal or degree of process strictness – while [harmonization] involves a reduction in process variations and allows for local-level variations, standardization entails moving towards the eradication of any variation, towards one global standard.”
4. Contextual Factors
In contingency theory, contextual factors are described as environmental, organizational
and individual characteristics of a firm’s external and internal environments. The
contingency theory proposes a “fit” between the firm and these contextual factors to enable
effective organization management.
B. Mandatory Contextual Factors Limiting CRA Standardization
As explained in Section III above, for the purpose of proposing a harmonized CRA model,
the author reviews each of the 11 contextual factors proposed by Romero et.al. for their
relevance to the CRA process. A detailed analysis is presented in the following Table 1:
Table 1: Determination of Mandatory Contextual Factors (MCFs) from an ML/TF risk assessment context for proposed harmonized CRA Model

| Category Type | Contextual Factors (Romero et al.) | Relevance to CRA process | Quoted in Global AML Guidance | MCF | Remarks |
|---|---|---|---|---|---|
| External to the Firm | Cultural differences | Yes | Yes | Yes | In an AML context, considered as the firm’s general operating environment, which may influence firms in particular regions to assess their CRAs differently. |
| External to the Firm | Different regulations | Yes | Yes | Yes | Different legislations or regulations may necessitate different CRA variants. |
| External to the Firm | Power distance | No | No | No | Concerns inter-firm collaborations. Not relevant for purpose of CRA process, given that the broad categories of customer risk factors are available in global AML guidance. |
| Internal to the Firm | Number of different locations | Yes | Yes | Yes (sub-point) | Relevant for multinational firms operating globally. Considered in our model as a sub-component of the contextual factor ‘organization structure’ below. |
| Internal to the Firm | IT governance centralization | Yes | Yes | Yes | Considered as the sophistication level of a firm’s IT system. Technology impacts the extent of CRAs across firms, in terms of technical capability to undertake customer transaction volume analysis, ability to use central data warehousing for data analytics etc. |
| Internal to the Firm | Product type | Yes | Yes | Yes | The range of products/services/channels offered by banks influence their CRAs. |
| Internal to the Firm | Maturity level | No | No | No | Concerns the maturity level of a firm’s processes; Romero proposes a positive correlation between the maturity level and potential for standardizing process. Not considered significant for CRA process harmonization, given the available global AML guidance. |
| Internal to the Firm | Organization structure | Yes | Yes | Yes | In AML context, considered as differences in terms of scope (business lines) and scale of operations (local/national/multinational), which may influence CRAs across firms. |
| Internal to the Firm | Number of mergers & acquisitions | No | No | No | While this may impact general process harmonization as they increase the number of process variants within the merged entity, for the purpose of the CRA model, this is treated as an abnormal event and not considered. |
| Immediate (i.e., process related) | Level of process structured-ness | No | No | No | Concerns processes proposed to be harmonized; non-routine processes are less applicable to standardization than routine ones. Not considered as research focuses on the extent of CRA harmonization. |
| Immediate (i.e., process related) | Personal differences | No | No | No | Concerns people involved (and their personal differences) in the processes proposed to be harmonized. Not considered as the research focuses on the extent of CRA harmonization. |
As gleaned from Table 1, the author identifies the following five mandatory contextual
factors (MCFs), which limit the extent of CRA process standardization:
Table 2: MCFs for harmonized CRA model and possible CRA variants

| SN | Category Type | Mandatory Contextual Factors | Possible CRA variants – permissible local variability |
|---|---|---|---|
| 1 | External | Firm’s operating environment (internal/external) | Enforcement/Regulatory action (firm specific) |
|   |          |                                                  | Audit action (firm specific) |
|   |          |                                                  | Specific environmental risk factor |
|   |          |                                                  | Emerging ML/TF typology |
| 2 | External | Different legislations or regulations | Legislative requirement |
|   |          |                                       | Regulatory requirement |
|   |          |                                       | Specific location Industry guidance |
| 3 | Internal | Products/services/channels (beyond the identified QCRFs) | New product development |
|   |          |                                                          | New channel development |
| 4 | Internal | Scope and scale of operations | Unique international branch customer risk factors |
|   |          |                               | New business line |
| 5 | Internal | IT sophistication* | IT capabilities for internal data processing/analytics e.g. account transaction volume analysis; linked accounts transaction (network) analysis etc. |
|   |          |                    | IT centralization versus disparate systems which may limit CRA |
*Note: The last MCF (i.e., IT sophistication), while appreciating its influence on process
standardization and the justified need for local variability, is not considered an MCF in our
proposed model.
This is because the CRA model, proposed as a best practice model, considers inter alia,
customer transaction volume/value analysis as an important component of the overall CRA
process and consequently, relies on the ability of individual firms to harness their
technological systems and capabilities to extract this data for undertaking such analysis for
Exploring an Industry-wide Standard to Customer Risk Assessment – Proposing a Best Practice Model for Banks
PAGE 12 OF 34
the CRA process. Therefore, for operationalizing the best practice CRA model, this
particular MCF indirectly operates as an essential pre-condition to undertake the CRA.
The remaining four MCFs highlight the need for local-level variability (flexibility) proposed
in the model. For illustrative purposes, some possible (non-exhaustive) CRA model variants
are listed against each MCF in Table 2 above. Banks may adapt to these MCFs as per their
unique firm idiosyncrasies and local requirements.
C. Exploring an Industry-Wide CRA Model
1. A Harmonized Model
It is apparent that a standard (uniform) CRA model, as a “one-size-fits-all” solution, will
not work. As highlighted in the MCFs, this is because firms vary in terms of scope, scale
and complexity when it comes to their operations, they operate in different markets, may
be subject to different legislations/regulations, have differing range of products, services,
channels or are subject to unique firm specific idiosyncrasies like audit/enforcement action
requirements, etc. These MCFs set limits to a standardized (uniform) CRA model.
Having identified the MCFs in Table 2, the next step in exploring an industry-wide CRA
model is to identify a best practice harmonized model, built on fundamental global AML
guidance, while permitting local level variability (in terms of the MCFs).
2. Model Framework
As the next step, the author undertakes a
comparative analysis across the various customer
risk factors referred to in available global AML
guidance (listed in Annexure 2).
While conducting this analysis, the author considers
the conventional/standard ML risk assessment
methodology, provided in the Wolfsberg (2015)
FAQs [21], as the overarching framework for the
harmonized model. This methodology considers the
following five risk categories:
1. Clients
2. Products and services
3. Channels
4. Geographies
5. Other qualitative risk factors—termed in our
model as the MCFs, reflecting local level firm
variability.
“The best practice
harmonized CRA model,
is based on conventional
ML risk assessment
methodology and
considers the best
practice customer risk
factors (from global AML
guidance) and the
mandatory contextual
factors (incorporating
local level firm specific
variability).”
Using this framework, the global AML guidance analysis identifies the quoted customer
risk factors (QCRFs), featured in the risk categories mentioned above. The best practice
harmonized CRA model, accordingly considers both the QCRFs (incorporating the best
international AML practice) and the MCFs (incorporating local level firm specific
variability).
As customer risk assessment is undertaken both at the time of customer onboarding and
subsequently during the life of the banker-customer relationship, two variants of the CRA
model are proposed below. Both the model variants assess the inherent money laundering
risk in a customer relationship. The key difference between the two model variants is the
analysis of customer account transactions in terms of transaction type and volume analysis
(i.e., the money that flows through the customer’s account is analyzed from a money
laundering risk perspective). The proposed CRA models are shown in Tables 3A and 3B
below:
Table 3A – Harmonized CRA Framework (Customer Onboarding Stage)

| Category | Risk Category Type | Inherent ML Risk Weights | Risk Factors Description (“QCRFs”) |
|---|---|---|---|
| A | Client type | 30 | Appendix A |
| B | Products/services | 20 | Appendix B |
| C | Geographies | 25 | Appendix C |
| D | Channels | 10 | Appendix D |
| E | MCFs | 15 | Table 2 on Page 11 |
|   | Total | 100 | |

Table 3B – Harmonized CRA Framework (Ongoing Relationship Monitoring)

| Category | Risk Category Type | Inherent ML Risk Weights | Risk Factors Description (“QCRFs”) |
|---|---|---|---|
| A | Client type | 20 | Appendix A |
| B | Products/services | 10 | Appendix B |
| C | Geographies | 15 | Appendix C |
| D | Channels | 10 | Appendix D |
| E | Account transaction analysis | 30 | Appendix E |
| F | MCFs | 15 | Table 2 on Page 11 |
|   | Total | 100 | |
The models specify the risk categories and their inherent ML risk ratings. These risk ratings
are generally in line with the suggested inherent risk weighting ranges proposed in the
Wolfsberg (2015) FAQs [21], albeit modified by the author particularly for the second model
variant (Table 3B above), to consider the account transaction analysis as a separate risk
factor in itself. For the purpose of effectively assessing the ML risks associated with a client
relationship, in addition to other factors, due weightage is required to be accorded to the
type of transactions and quantum of money flows through the customer’s accounts. For
illustrative purposes, a non-resident alien domiciled in a high-risk country, opening a bank
account using the internet (non-face-to-face) channel, may pose an inherent high ML risk
to the bank; however, this risk does not effectively materialize unless money flows through
the customer’s account. Therefore, the ML risk assessment needs to adequately factor the
nature of transactions (i.e., cash, forex, etc.) and the quantum of money flows in the
customer’s accounts.
The relevant QCRFs within each risk category are identified in the stated appendices. While
conducting its CRA, within each risk category, the firm will consider the relevant QCRF
and accord a risk rating of High, Medium or Low, based on the risk factor description and
its alignment with the customer’s observed/known characteristics. As the next step, the
firm scores the inherent risk factors (e.g., a high risk may be scored 3, medium risk 2
and low risk 1) to arrive at an individual risk category score and an overall HML (customer
risk) score attributed to a particular customer relationship.
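The following is an added example, not part of the paper, showing one way to combine the weights of Tables 3A and 3B with the 3/2/1 scoring described above. The aggregation rule (weighted sum), the worst-rating-wins rule inside a category, the band cut-offs and the sample customer are assumptions, since the paper does not specify a scoring methodology.

```python
SCORE = {"Low": 1, "Medium": 2, "High": 3}  # numeric scores suggested in the text

# Category weights copied from Table 3A (onboarding) and Table 3B (ongoing monitoring).
ONBOARDING_WEIGHTS = {
    "client_type": 30, "products_services": 20, "geographies": 25,
    "channels": 10, "mcfs": 15,
}
ONGOING_WEIGHTS = {
    "client_type": 20, "products_services": 10, "geographies": 15,
    "channels": 10, "account_transaction_analysis": 30, "mcfs": 15,
}

# ASSUMPTION (not in the paper): cut-offs on weighted points, which range 100..300.
BANDS = ((250, "High"), (175, "Medium"), (100, "Low"))


def category_rating(qcrf_ratings):
    """ASSUMPTION: a category takes the worst rating among its QCRFs."""
    if not qcrf_ratings:
        raise ValueError("a category needs at least one QCRF rating")
    unknown = [r for r in qcrf_ratings if r not in SCORE]
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    return max(qcrf_ratings, key=SCORE.get)


def assess(weights, ratings_by_category):
    """Return weighted points, the 1-3 score, the overall band and per-category detail."""
    if sum(weights.values()) != 100:
        raise ValueError("category weights must sum to 100")
    if set(weights) != set(ratings_by_category):
        raise ValueError("ratings must cover exactly the weighted categories")
    detail, points = {}, 0
    for category, weight in weights.items():
        rating = category_rating(ratings_by_category[category])
        detail[category] = (rating, weight * SCORE[rating])
        points += weight * SCORE[rating]
    band = next(label for floor, label in BANDS if points >= floor)
    return {"points": points, "score": points / 100, "band": band, "detail": detail}


# Constructed customer following the paper's illustration: a non-resident alien
# in a high-risk country who opens the account over the internet.
ONBOARDING = {
    "client_type": ["High", "Low"],   # Non Resident Alien (Table A1); salaried (Table A2)
    "products_services": ["Low"],     # non-checkable savings deposit (Appendix B)
    "geographies": ["High"],          # high-risk country (Appendix C)
    "channels": ["High"],             # non-face-to-face account opening (Appendix D)
    "mcfs": ["Medium"],               # constructed value
}
# Same customer under Table 3B, with little money flow and with heavy money flow.
QUIET_ACCOUNT = dict(ONBOARDING, account_transaction_analysis=["Low"])
BUSY_ACCOUNT = dict(ONBOARDING, account_transaction_analysis=["High"])

if __name__ == "__main__":
    cases = (
        ("onboarding", ONBOARDING_WEIGHTS, ONBOARDING),
        ("ongoing, low flows", ONGOING_WEIGHTS, QUIET_ACCOUNT),
        ("ongoing, high flows", ONGOING_WEIGHTS, BUSY_ACCOUNT),
    )
    for label, weights, ratings in cases:
        result = assess(weights, ratings)
        print(f"{label:20s} points={result['points']} band={result['band']}")
```

With these constructed inputs the customer stays in the Medium band until the account transaction analysis turns High, which is the effect the paragraph above describes: the inherent risk materializes only once money flows through the account.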
IV. Harmonized CRA Benefits—Creating Stakeholder Value
The previous section proposed a best practice harmonized CRA model for banks. This
section explores the benefits of such a harmonized model in terms of creating value for
banks, their MLROs, compliance officials and auditors (stakeholders).
The effect of business process harmonization is well acknowledged in the literature.
Romero et al. summarize the effect of process standardization (harmonization) as follows:
“[Process harmonization is] a driver of improvements in terms of cost, time, efficiency,
effectiveness, quality and responsiveness” – Heidi Romero et al.2 (2012), p.16.
A An Industry-Wide Global CRA Standard
By design, the best practice harmonized CRA model considers and harmonizes the
customer risk factors (QCRFs) in the available global AML guidance, while allowing for
local level variability in terms of the MCFs.
This results in the model adopting the highest (harmonized) standard as a benchmark
global standard, depicted by the vertical line in the following figure 3.
Figure 3 – The Harmonized Global Standard
[Figure: bar chart for Regions 1–5; legend: regional standard, gap to meet global standard, additional local standard.]
When the CRA model is harmonized in this manner, it has the benefit of raising the bar in
terms of standards across geographies, enabling banks operating in a particular geography
to exceed their regulator’s expectation.
The benefits of the harmonized model are aplenty and create value for its stakeholders:
B Value to Banks and their MLROs and Compliance Officials
The benefits accruing to banks using the harmonized model are summarized hereunder:
a The harmonized model provides the much needed framework to banks and their
compliance officials, fulfilling a long-standing industry need for standardizing ML risk
assessments, while permitting flexibility in terms of local level variability. This enables
banks to quickly adopt and adapt to the model to suit their local requirements or firm
specific idiosyncrasies.
b When the CRA model is harmonized to adopt the highest standard from global AML
guidance, it has the benefit of raising the bar in terms of standards, enabling banks
operating in a jurisdiction to exceed a regulator’s expectation in some areas. This may
enable banks to demonstrate their commitment to the highest standards of corporate
governance, embrace the spirit of compliance and build strong working relationships
with their regulator.
c In the case of multinational banks operating globally, the model enables them to
harmonize (minimize) the multiple versions of their internal policies, procedures and
processes, which may otherwise be required by their regional offices, enabling a
consistent enterprise-wide approach to CRA. Regulatory arbitrage, in the sense of the
same customer being assessed differently in different jurisdictions, is therefore
minimized.
d Management information systems in terms of uniform senior management or board
reports, charts, tables, etc., within a global organization improve. Similarly,
benchmarking with peers and comparative reporting is enabled across the industry.
e Consistency prevails across the global organization in terms of staff operating in various
geographies, and the awareness of standard parameters and methodology. The model
aids comprehensive training design and implementation across the organization.
Similarly, at an industry level, AML measures and communication on standard
customer risk factors become more effective.
f Pursuing a higher standard acts as a positive knowledge enabler for the MLRO and the
compliance staff in general. Discussions on common issues at an industry-wide forum
(e.g., bank associations, etc.) develop professionalism, build the industry arsenal for
AML counter-measures and may indirectly address the otherwise perennial issue of
shortage of trained and skilled AML professionals in the industry.
C Value to AML Auditors
Being the third line of defense, the internal audit function (IAF) plays a crucial role in
performing an independent testing of the firm’s AML program. The AML audit assessment
provides the firm with an independent view of how well its AML program and risk
assessment is designed and functioning.
Arena and Azzone (2009) define effectiveness “as the capacity to obtain results that are
consistent with the target objective.” 24
The Institute of Internal Auditors (2010) defines internal audit effectiveness “as the degree
(including quality) to which established objectives are achieved.” 25 While the objectives of
the IAF are dependent on the goals set by the management of its organization (Pungas26
2003), it is commonly acknowledged that the IAF lies at the center of a firm’s corporate
governance system, performing a crucial role by strengthening its system of controls and
conducting assurance reviews at various levels within the firm. This review process aims to
provide “assurance that key controls are designed properly, operate effectively and
efficiently to the different layers of management” (Lundin 2009). 27
Several studies have been undertaken on internal audit effectiveness. The author identified
the following studies (Table 4) as relevant for the purpose of analyzing the impact of the
harmonized CRA model on auditors, in terms of improving their audit effectiveness:
Table 4: Studies on Internal Audit Effectiveness

| SN | Author and Title | Design/Methodology/Approach | Nature | Findings |
|---|---|---|---|---|
| 1 | Dieter De Smet and Anne-Laure Mention,9 (2011). “Improving auditor effectiveness in assessing KYC/AML practices: Case study in a Luxembourgish context.” | The paper used a qualitative approach with various focus groups and case studies, to elaborate and validate the developed model through methodological triangulation. | The paper reports on the suitability of an ISO standard to create an internal control assessment model, which effectively acts as a control system template and mental model to evaluate compliance with the KYC/AML requirements in the Luxembourg retail and private banking sector. | The proposed assessment model has a matrix structure that facilitates the incorporation of checklists and narratives to ensure effective testing of controls and its structure allows targeting the specific areas of risk in the identified KYC/AML processes. The model can be used to combine various reporting formats on internal control, hence audit effectiveness can be increased and information asymmetries can be reduced. |
| 2 | Badara, M.S. & Saidin, S.Z.17 (2012). “The relationship between risk management and internal audit effectiveness at local government level.” | Literature review | The paper aims to examine the relationship between risk management and internal audit effectiveness at the local government level. | The study reveals that risk management can influence the effectiveness of internal auditors at the local government level. |
As gleaned from the table above, improvements in risk management and the use of a
standard internal control assessment model (control system template/mental model) have
been found to impact internal audit effectiveness favorably.
A parallel can also be drawn in the field of financial reporting standards, where it has been
increasingly important for multinational companies using different reporting standards, to
overcome the problem of inefficient comparisons of their financial statements.
Harmonization via the International Financial Reporting Standards (IFRS) aimed at
reducing differences in financial reporting processes across the globe, helping to achieve
some level of comparability in the way financial statements are prepared and presented.
Among other benefits, this has benefited investors in terms of enabling a better
understanding of the financial statements and also resulted in increased auditing efficiency
and money savings, as companies have had to use only one set of reporting standards.
Coming back to AML, while evaluating the benefits of the harmonized CRA model for AML
auditors, it is important to appreciate the challenges confronting an auditor who embarks
on an AML audit. These challenges are further complicated in the case of a multinational
firm operating globally, in view of the many regional policies, procedures, regulations,
cultures, etc. There is no dearth of literature on the challenges in conducting an effective
AML audit or on the effective audit of an AML risk assessment. Some prerequisites
highlighted in the literature for enabling an effective AML audit are briefly summarized
hereunder:
1. An appropriate level of understanding of the auditee firm’s business model, its business
activities, business lines, products/services offered, delivery channels used, geographies
in which it operates, third-party arrangements, customer types, etc.
2. Whether the AML risk assessment adequately factors all the relevant elements posing
ML/TF risk to the firm;
3. The auditee firm’s AML policies, procedures, processes and system controls across its
operating regions and whether these are appropriate to its AML risk assessment. These
are generally different across the firm’s operating geographies and complicate the task
of the auditor who has to account for these differences, while assessing the effectiveness
of the AML program, closely tracking compliance with the varying documented
procedures.
4. A good understanding of the ML risks associated with new emerging products,
especially sophisticated products or new emerging payment systems, new ML
typologies and trends observed in the global landscape, etc.
5. Level of conformity to the relevant national/supra national AML/CTF guidance
6. Industry level comparisons for best practices in ML risk assessments
7. Consideration of any enforcement actions relevant to the geography or specific to the
firm; regulator or industry level local guidance, etc.
8. Level of employee AML training and its appropriateness across geographies
With the above backdrop, it is easy to see the benefits conferred by the harmonized CRA
model to AML auditors:
1 The model facilitates a simplified application of the risk-based AML audit program in
the following ways:
a It presents a ready-to-use best practice framework, fundamentally built on sound
AML principles (global AML guidance). This framework incorporates the QCRFs
on which AML guidance is readily available, making the task of the AML auditor
relatively simple in terms of checking its applicability to the firm in question. The
result is less audit orientation time and more assurance of not missing out on the
inclusion of an important customer risk factor in the auditee firm’s customer risk
assessment;
b The harmonization also manifests into a reduced volume of policies and procedures
across the multinational firm, resulting in time saving and more focused audit time
on other aspects of the audit program;
c The model may also eliminate some unnecessary differences and irrelevant
complexities across firms’ risk assessment policies and procedures (except the
mandatory contextual factors explaining local differences, which will be assessed
by auditors for relevance to the firm). This should make the task of auditors simpler,
enabling them to achieve a higher degree of audit assurance within the given audit
period time.
2 The harmonized model facilitates the application of a standardized audit approach
across the industry, eventually improving the quality of AML risk management. A
parallel is drawn here to the study undertaken by Ines Simac and Marleen Willekens,19
which provides evidence that the harmonization of auditing via implementation of the
EU Statutory Audit Directive across different member states of the EU, as well as the
imposition of stricter regulations, significantly contributed to the financial reporting
quality of European financial institutions.
3 Harmonization may also facilitate audit firms, especially large international audit
firms, to develop and deploy more sophisticated audit tools/methodologies, built on
the best practice QCRFs.
4 The harmonized approach should facilitate peer-to-peer comparisons in terms of AML
risk management, enabling the implementation of best practice AML controls across
the industry for inherent risk represented by the QCRFs. This should make an auditor’s
recommendations highly relevant and practical for the auditee firm.
5 The need to keep the CRA model updated (ideally to be reviewed at least once a year),
will necessitate comparison with updated global AML guidance, which should factor
in any emerging ML/TF risk or typology across the industry. This approach indirectly
enables the incorporation of an AML ‘safety shield’ by banks operating in a geography,
who may otherwise be unaware of the emerging ML risks outside their jurisdiction,
thereby making the ML risk assessments more effective and relevant for the firms and
their auditors.
V. Model Limitations and Conclusion
In its recommendations, the FATF suggests that an AML program should not be
prescriptive, but rather risk-based. While maintaining the broad tenets of the RBA, this
white paper is an attempt to present a standard approach to customer risk assessments by
exploring the concept of “harmonization.” Harmonization recognizes that in addition to
some mandatory differences, there are also many commonalities to the AML customer risk
assessments, which may be harnessed to design a best practice harmonized CRA model,
built upon fundamental global AML guidance.
Recognizing that there cannot be one common global standard, the limits to the
standardization of the CRA model (level of harmonization) have been explored, based on
the Romero et.al. conceptual model, and the benefits of such harmonized model to banks,
its compliance officials and AML auditors presented.
While compelling, the proposed model has its own shortcomings. Foremost, it is a
conceptual model, based on literature review and remains to be proven empirically. The
development of a conceptual model is the first logical step toward more profound research
into the dynamic relationship between the identified mandatory contextual factors, the
level of harmonization and its impact on stakeholder value. The next step would be to
define the hypotheses on the relationship between these factors and to test the model
empirically. Clearly, more research is warranted. Secondly, the assignment of weights to
the customer risk categories, while based on industry guidance (Wolfsberg) is nevertheless
arbitrary. Third, it may be debated that the identification of QCRFs may not provide a
comprehensive ML risk profile for a particular firm or jurisdiction, especially as ML risk is
highly dynamic, may have regional influences and is overall, wide-ranging. It is expected
that the MCFs identified in the model should account for and cover this ‘gap.’ However, this
will be dependent on the firms to identify these ‘gaps’ correctly with respect to their firms
and factor them in the model effectively—a sort of mini déjà vu! Finally, the model does
not consider ML risk mitigating factors or the firm’s control systems, choosing to focus
only on the inherent customer risk factors. Likewise, the risk scoring methodology is not
explored in this paper and some of the good statistical techniques like the analytic
hierarchy process, Kappa Pearson statistical risk decision, etc., may be useful to firms in
this regard.
Nevertheless, the model is a useful starting point for firms to consider, given its many
benefits to the industry. It attempts to fulfill a long-standing industry need and offers a
much needed framework built on sound AML principles. Future research in this area may
reap great benefits.
VI. Acknowledgements
While not a thesis in itself, formulating and concluding this paper was by no means an easy
task; demanding long hours of hard work, effort, dedication and perseverance. While the
motivation to get started and research this interesting subject comes from within, it would
be incorrect to disregard the support of a few people who encouraged and enabled me to
complete the task successfully.
I am privileged to have Kenneth Simmons as my ACAMS Review Board member, and I
thank him for his valuable advice on the broad approach and structure of my white paper.
I thank him for his support and feedback.
I also express gratitude to my love and life partner, Daisy, for her understanding, patience,
encouragement and care during this period of research. Indeed, few of the graphical inputs
may be referenced to her skill and creativity! I thank my parents for making me believe in
myself. I also acknowledge the big sacrifices made by my little kids, Shahnaya and Farzin,
giving up their favorite cartoon television programs, allowing ‘Daddy’ to work through and
complete his ‘homework!’
Last but not the least, I am thankful to God Almighty for his kind blessings, for making me
who I am, and providing me with an opportunity to share knowledge with many more.
APPENDIX A- Quoted Customer Risk Factors – Customer
| SN | Category Sub-parameters | Customer Risk Factors & Risk Scoring |
|---|---|---|
| 1 | Customer constitution/type | Refer Table A1 (below) |
| 2 | Industry, Profession, Business type | Refer Table A2 (Refer page 24) |
| 3 | Unexplained geographical distance between the bank branch and the customer | High Risk |

Table A1 – Customer Constitution/Type

| SN | Customer Type | Customer Risk Factors | Inherent Risk |
|---|---|---|---|
| 1 | Individual | Retail (domestic) | Low |
| | | Domestic PEPs & International Organization PEPs | Medium/High |
| | | Foreign PEPs | High |
| | | Non Resident Alien | High |
| | | High Net Worth | High |
| | | Foreign Deposit Broker | High |
| | | Significant Investment Visa (SIV) Person | High |
| 2 | Entities | Sole Proprietor/ one man company | Medium |
| | | Partnership | Medium (Registered); High (Unregistered) |
| | | Trusts | Medium (Public Charitable Trusts); High (Private Trusts) |
| | | Associations/Societies/Clubs | Medium (Registered); High (Unregistered) |
| | | FI's/Banks/Regulated Entities | Low (Domestic & Listed); Medium (Domestic & not Listed); Medium (International & Listed); High (International & not listed) |
| | | Publicly Held Companies | Low (listed); Medium (not listed) |
| | | Privately Held Companies | Medium (non-bearer shares); High (bearer shares) |
| | | Government Entities | Low (domestic Govt.); High (foreign Govt.) |
| | | PIC/IBC | High |
| 3 | Other Risk Factors | Ownership/Control Structure | High (Complex/multi-layered, with no rationale) |
| | | Shell Company | High |
APPENDIX A
Table A2 – Quoted Customer Risk Factors – Industry, Profession, Business

| SN | Customer Type | Customer Risk Factors | Inherent Risk |
|---|---|---|---|
| 1 | Individual | Salaried/Employed | Low |
| | | Retired/home maker | Medium |
| | | Self-employed professional | High |
| | | Other | Medium |
| 2 | Individual/ Entity | Casas de Cambio, Currency Exchanges, Money Services Business | High |
| | | Charities & Non-Profit Organizations (NPOs) | High |
| | | Intermediaries/Commission agents | High |
| | | Real Estate Agents | High |
| | | High Value Goods Dealers | High |
| | | Precious Metals & Stone Dealers | High |
| | | Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers). | High |
| | | Casino's, including Internet Gambling | High |
| | | Arms Dealers/ Private Military Firms | High |
| | | Digital Currency Providers | High |
| | | Construction | High |
| | | Pharmaceuticals & Healthcare | High |
| | | Extractive Industries | High |
| | | Public procurement | High |
| | | Cash Intensive Businesses e.g., gas stations, convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, parking garages | High |
| | | Customers depositing/exchanging large amounts of small denomination notes | High |
| | | Legal persons/arrangements as personal asset holding vehicles | High |
| 3 | Other Qualitative Risk Factors | Vintage (non-individual entities) | Low/Medium/High |
| | | Client Reputation (Past SAR/STR/SMR reporting, subject of past investigation or enforcement/Asset Freeze/ Adverse media news/ Internal firm negative intelligence etc.) | High |
APPENDIX B - Quoted Customer Risk Factors – Products & Services

| SN | Product/Service Risk Factors | Inherent Risk |
|---|---|---|
| 1 | Savings Deposits (non-checkable accounts, no third party credits permitted) | Low |
| 2 | Savings Deposits (checkable accounts, third party credits permitted) | Medium |
| 3 | Current/Cash credit/Overdraft Accounts (checkable, third party credits permitted) | Medium |
| 4 | Private Equity | Low/Medium |
| 5 | Fixed/Recurring/Monthly deposit schemes with no third party receipts/payments | Low |
| 6 | Cash/Marketable security backed loans | High |
| 7 | Certain Mortgage/Pension/Life Insurance products- where payments from third parties/overpayments are allowed | High |
| 8 | Other traditional loan products with fixed term repayments | Low |
| 9 | Alternative Investment/Structured Products | High |
| 10 | Trade Finance | High |
| 11 | Private Banking/Wealth Management | High |
| 12 | International Correspondent Banking | High |
| 13 | Domestic Correspondent Banking | (Licensed/Regulated & Listed) Medium; High (for others) |
| 14 | Special Use or Concentration Accounts | High |
| 15 | International Brokered Deposits | High |
| 16 | Safe Deposit Services | High |
| 17 | Precious Metals (Delivery) Services | High |
| 18 | Benchmark & other setting of Indices | High |
| 19 | International Wire Transfers | High |
| 20 | Pooled accounts | High |
| 21 | Fiduciary deposits | High |
| 22 | Trust and asset management services | High |
| 23 | New technology/payment methods | High |
| 24 | Prepaid/Stored value cards | High |
| 25 | PUPID – Pay Upon Proper Identification transactions | High |
| 26 | Third party payment processors | High |
| 27 | Electronic funds transfer & Automated Clearing House (ACH) transactions | High |
| 28 | Non deposit account services (e.g., non-deposit investment/insurance) | High |
| 29 | Monetary instruments | High |
APPENDIX C
Quoted Customer Risk Factors – Geographies/Country Risk
| SN | Geography/Country Risk Factors | Inherent Risk |
|---|---|---|
| 1 | Individual Customer – nationality/residence/domicile/work country (Note 1) | High/Medium/Low (Note 3) |
| 2 | Corporate Customer – country of incorporation/corporate office; major operating markets; location of its major clients, suppliers, dealers (Notes 1 & 2) | High/Medium/Low (Note 3) |
| 3 | Counterparty location – linked to customer’s transactions (Note 2) | High/Medium/Low (Note 3) |
Notes:
1. In addition to countries with economic/trade sanctions, certain national authorities determine
domestic high risk jurisdictions which need to be taken into account in CRAs e.g., the U.S.
government designated higher-risk areas:
a. High Intensity Drug Trafficking Areas (HIDTA);
b. High Intensity Financial Crime Areas (HIFCA)
2. Ascertaining the location of customer’s clients is not easy and has its practical difficulties,
including establishing the veracity of such information obtained from the customer. Banks may
accordingly seek to ascertain and establish the location of a multinational customer’s major
clients/suppliers/dealers. Alternatively, banks with sophisticated technology systems can
periodically data mine their customers’ transactions to establish transaction linkages with high
risk countries, in terms of counterparty locations. This can then be factored into their risk
assessments.
3. The inherent risk rating is dependent on the risk rating of the country/geography in question.
Determining the risk rating of a country is an area where practice differs, with many banks
developing their own in-house country risk matrices or procuring the same from an outside
vendor. While this approach is permitted under the RBA, provided banks have a clearly
documented rationale accounting for the relevant risk factors appropriate to their organization
and customers, the author recommends the use of a globally recognized index like the Basel
AML Index.
The Basel AML Index measures the ML/TF risks of countries based on publicly available
sources, using 14 indicators (refer table on the following page) dealing with AML/CFT
regulations, corruption, financial standards, political disclosure and rule of law, aggregated into
a single country risk score, seeking to provide an overall picture of a country’s ML/TF risk level.
Basel offers a subscription-based Expert Edition with an overview of 203 countries, along with
periodic updates and email notifications/alerts. Subscribing banks have an option to adopt the
Basel Index country risk score thresholds or document their own risk-score threshold approach
to determine low, medium or high country risk ratings.
Source: Basel AML Index Report 2016, Basel Institute of Governance, 27 July 2016 report, pp.23-24
APPENDIX D
Quoted Customer Risk Factors – Channels Risk
| SN | Customer Stage | Channel Parameters | Inherent Risk |
|---|---|---|---|
| 1 | Account Opening | Non face-to-face account opening channel used (Note 1) | High |
| | | Via third parties/Intermediaries (unsolicited) (Notes 1, 2 & 3) | High |
| | | Walk-in customers (Note 4) | High |
| 2 | Account Servicing | Face-to-face | Low |
| | | Majority of transactions conducted non-face-to-face (Note 5) (Internet, Mobile, Phone, Mail, via intermediaries etc.) | High |
Notes:
1. Where the customer is not physically present for identification/customer due diligence
(CDD) purposes, the inherent ML risk is increased as the bank may not truly know or
understand the identity and activities of the client.
However, a bank using a reliable form of non-face-to-face CDD, such as account opening
using bio-metric identification via government national ID, in line with regulatory guidance
with appropriate customer profiling, may not face heightened risks.
2. Regular account opening arrangements with reputed, regulated intermediaries, not based
in high-risk jurisdictions, may be treated as ‘medium’ risk, provided the bank relying on the
intermediary obtains the necessary CDD information/documents and is otherwise satisfied
with the AML governance of the intermediary.
3. Where an intermediary has been sanctioned for breaches to AML/CFT obligations, the same
may be treated as ‘high’ risk. Dealing with such intermediaries is a matter of the firm’s risk
appetite (policy) and subject to applicable regulation.
4. It is a good practice to treat all unsolicited customers for account opening, including branch
walk-ins, as ‘high’ risk for an initial time period, say, six months; a distinction may, however,
be made for certain customer classes like Government offices or its departments etc.
5. Where a client is known to the bank, though it conducts the majority of its business
activity in a non-face-to-face manner, the same may be treated as ‘medium’ risk.
APPENDIX E
Customer Account & Transaction Analysis
| SN | Category Sub-parameters | Risk factor description | Inherent Risk |
|---|---|---|---|
| 1 | Transaction Type/ Volume Analysis | Refer Table E1 (Below) | As per the Statistical Model |
| 2 | Account Status Analysis | Suddenly Active (from inactive/dormant) (Note 1) | High |
| 3 | Account Usage Analysis | High proportion of pass-through transactions (Note 1) | High |
| | | Structuring below reporting threshold limits (Note 2) | High |
| | | Customer or customer group making significant transactions to the same individual or group | High |
Note:
1. This can be triggered upon reaching the bank specified account turnover threshold.
2. This can be triggered for transactions below the reporting value thresholds, where such
number of transactions exceed the bank specified frequency during a time period.
Table E1 - Customer Transaction Type/Volume Analysis via a Statistical Model (Analytic Hierarchy Process etc.)

| SN | Variable classes | Risk factor description |
|---|---|---|
| 1 | Total Cash turnover | Considers total cash (debit/credit) turnover in the account during the preceding ‘X’ months on a rolling basis |
| 2 | Total Forex turnover | Considers total foreign exchange (debit/credit) turnover in account during preceding ‘X’ months on a rolling basis |
| 3 | Total Turnover | Considers total turnover (debit/credit) in the account during the preceding ‘X’ months on a rolling basis |
| 4 | Total Cash/Total Turnover | Considers proportion of cash turnover to total turnover in the account |
| 5 | Total Forex/Total Turnover | Considers proportion of forex turnover to total turnover in the account |
Notes:
1. There is no specified AML methodology on analyzing customer account transactions. The above
construct is but one statistical model, which considers the two fundamental types of customer
transactions, known to present ML risks – cash and foreign currency transactions – and having
regard to the total money flow through the customer’s account (total account turnover).
2. Customer transaction type and volume analyses represent the dynamic variables in the CRA
process, as these variables change over a period of time. For the best-practice model, a monthly
CRA review, with the dynamic parameters being updated over the preceding ‘X’ months on a
rolling basis, is recommended. This will enable capturing the change in money flows in the
customers’ accounts and effectively assess the ML risk exposure to the bank.
3. For risk weighting these dynamic variables and calculating their risk scores, advanced statistical
techniques like the Analytic Hierarchy Process (AHP), which allow human judgement (i.e. the
Bank’s AML Subject Matter Expert Panel views) to be combined with the statistical model can
be used. Using the AHP, percentile threshold limits for enabling a risk classification of the
dynamic variables can be derived, and risk scores calculated.
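The following is an added example, not part of the paper, that derives the five Table E1 variables over a rolling window and evaluates two of the Appendix E triggers (suddenly active account, structuring below the reporting threshold). Every threshold, the `floor` parameter, the window lengths and the sample transactions are constructed assumptions standing in for the bank-specified values; the AHP risk weighting mentioned in Note 3 is not implemented here.

```python
import calendar
from datetime import date, timedelta
from typing import NamedTuple


class Txn(NamedTuple):
    day: date
    amount: int          # absolute value; debits and credits both count as turnover
    cash: bool = False
    forex: bool = False


def months_back(d, n):
    """Same day-of-month n months earlier, clamped to that month's length."""
    year, month0 = divmod(d.year * 12 + d.month - 1 - n, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def turnover_variables(txns, as_of, months):
    """The five Table E1 variables over the preceding `months` months (the paper's 'X')."""
    start = months_back(as_of, months)
    window = [t for t in txns if start < t.day <= as_of]
    total = sum(t.amount for t in window)
    cash = sum(t.amount for t in window if t.cash)
    forex = sum(t.amount for t in window if t.forex)
    return {
        "total_cash": cash,
        "total_forex": forex,
        "total_turnover": total,
        "cash_ratio": cash / total if total else 0.0,
        "forex_ratio": forex / total if total else 0.0,
    }


def structuring_flag(txns, as_of, reporting_threshold, floor, max_count, days):
    """Appendix E Note 2: too many cash transactions just below the reporting threshold.

    ASSUMPTION: only amounts in [floor, reporting_threshold) are counted, so that
    ordinary small payments do not trip the frequency limit.
    """
    start = as_of - timedelta(days=days)
    hits = [t for t in txns
            if t.cash and start < t.day <= as_of
            and floor <= t.amount < reporting_threshold]
    return len(hits) > max_count


def suddenly_active(txns, as_of, recent_days, dormant_days, turnover_threshold):
    """Appendix E Note 1: a dormant account whose recent turnover reaches the threshold."""
    recent_start = as_of - timedelta(days=recent_days)
    dormant_start = recent_start - timedelta(days=dormant_days)
    existed = any(t.day <= dormant_start for t in txns)        # account has older history
    quiet = not any(dormant_start < t.day <= recent_start for t in txns)
    recent = sum(t.amount for t in txns if recent_start < t.day <= as_of)
    return existed and quiet and recent >= turnover_threshold


# Constructed sample: one old transaction, a long quiet period, then a burst.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Txn(date(2023, 1, 10), 500),
    Txn(date(2024, 6, 3), 9500, cash=True),
    Txn(date(2024, 6, 5), 9800, cash=True),
    Txn(date(2024, 6, 10), 9700, cash=True),
    Txn(date(2024, 6, 12), 9900, cash=True),
    Txn(date(2024, 6, 20), 20000, forex=True),
    Txn(date(2024, 6, 25), 1100),
]

if __name__ == "__main__":
    print(turnover_variables(SAMPLE, AS_OF, months=3))
    print("structuring:", structuring_flag(SAMPLE, AS_OF, 10000, 9000, 3, 30))
    print("suddenly active:", suddenly_active(SAMPLE, AS_OF, 30, 365, 50000))
```

The flags returned here map to the High ratings in the Appendix E table, while the five turnover variables are the inputs a bank's own statistical model would classify.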
Annexure-1
Romero et al. Conceptual Model
Source – “Factors that Determine the Extent of Business Process Standardization and the Subsequent Effect on Business Performance”, pp.12 – H.L. Romero, Paul W.P.J. Grefen, Technische Universiteit Eindhoven, Article August 2015, available on ResearchGate.
Annexure-2
Global AML Guidance – Reference Sources
SN | Issuer | Country | Guidance
1 | The Wolfsberg Group | International Guidance | The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption.
2 | The European Supervisory Authorities (ESA) | European Union (E.U.) | Joint Consultation Paper – Joint Guidelines under Article 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions – The Risk Factors Guidelines.
3 | Federal Financial Institutions Examination Council (FFIEC) | U.S. | FFIEC BSA/AML Examination Manual, BSA/AML Risk Assessment – Overview
4 | Monetary Authority of Singapore (MAS) | Singapore | Monetary Authority of Singapore (MAS), Guidelines to MAS Notice SFA03AA-N0.1 on Prevention of Money Laundering and Countering the Financing of Terrorism.
5 | Hong Kong Monetary Authority (HKMA) | Hong Kong | Hong Kong Monetary Authority (HKMA) Guideline on Anti-Money Laundering and Counter-Terrorist Financing (For Authorized Institutions).
6 | Dubai Financial Services Authority (DFSA) | Dubai International Financial Center (DIFC) | The DFSA Rulebook, Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module.
7 | Australian Transaction Reports and Analysis Centre (AUSTRAC) | Australian Government – AUSTRAC | 1. Risk Management – A tool for small-to-medium sized businesses – December 2014. 2. Consideration of possible enhancements to the requirements for customer due diligence – Discussion paper – May 2013.