Exploring an Industry-Wide Standard to Customer Risk Assessment - Proposing a Best Practice Model for Banks

By FAROKH KEKI ADARIAN – CAMS-Audit, MBA (Banking); CFCS, ICA Prof.Pg Dip (FCC); Int.Dip (GRC); FICA Certified Professional

CAMS-AUDIT


Contents

I. Executive Summary

II. Background

A Introduction to the Risk-Based Approach and Risk Assessments

B Presenting the Problem and Research Questions

III. The Solution – Theoretical Foundation

A Definitions

B Mandatory Contextual Factors Limiting CRA Standardization

C Exploring an Industry-Wide CRA Model

IV. Harmonized CRA Benefits – Creating Stakeholder Value

A An Industry-Wide Global CRA Standard

B Value to Banks and their MLROs and Compliance Officials

C Value to AML Auditors

V. Model Limitations and Conclusion

VI. Acknowledgements

Appendices

VII. References

Annexures


I. Executive Summary

The risk-based approach (RBA) is the cornerstone of a firm’s anti-money laundering (AML)

program. Fundamental to this approach is the money laundering/terrorist financing

(ML/TF) risk assessment, which, as a starting point, enables a firm to identify, understand

and assess the ML/TF risks to which it is exposed. These identified risks are then prioritized

and mitigated or managed by the firm, directing resources and controls first to the highest

risks identified, in line with the RBA.

Conceptually, the RBA is logical and provides flexibility to individual firms to design and

implement their own AML programs, which in turn, are supervised by their regulators.

However, by its very essence, the RBA demands active and dynamic participation by firms,

in terms of using their expertise, knowledge and judgement to conduct effective risk

assessments and develop robust AML programs appropriate to effectively manage the risks

facing their particular organizations.

There is no dearth of literature on the RBA. Similarly, industry, national or supranational

guidance on conducting risk assessments is abundant. Notwithstanding the above and the

maturity of AML systems in many countries, deficiencies in risk assessments continue to

feature regularly in enforcement actions and regulatory findings globally. Clearly, firms are

not getting their risk assessments right.

In an industry-wide AML survey by LexisNexis and ACAMS, one of the main challenges

identified in the area of risk assessments was the “lack of standardization.” Simply put,

despite the inundating amount of AML literature and guidance, there is no universally

agreed and accepted methodology that prescribes the nature and extent of risk

assessments, leaving individual firms to decide on the methodology they wish to deploy,

based on their own understanding and analysis of risks. Pragmatically speaking, firms seek

a standard risk assessment methodology, aligned with regulatory and industry

expectations.

This white paper is a conceptual attempt in this direction. The challenge faced in proposing

an industry-wide risk assessment model comes from the fact that the words “standard” and

“risk,” are not generally mentioned in the same sentence in AML literature. While

consistent with the basic tenets of the RBA, this paper explores the concept of

“harmonization,” in order to present a conceptual and harmonized customer risk

assessment model for banks. As opposed to process “standardization,” which in its strict

sense seeks to achieve uniformity of process activities (i.e., aims at only one uniform, global

standard), process “harmonization” seeks to align similar process activities based on a

single, focused business objective, while recognizing that some mandatory differences

(process variants) may be essential and will remain. The harmonization of laws in the EU

member states is one such empirical example.


The proposed harmonized model is based on a contingency theory and it explores the

limits to which customer risk assessments can be standardized. The model recognizes and

permits certain contextual factors (termed “mandatory contextual factors”), which result

in local level process variability. This makes the model practical and easy to adopt by banks,

as regional or firm specific idiosyncrasies can be factored into the model. Furthermore, as the

model is fundamentally based on publicly available and credible national, supranational

and industry AML guidance, it is also proposed as a best practice model, enabling banks to

consume the best practice AML standards in their risk assessments.

Having proposed the model, this paper evaluates and presents its perceived benefits in

terms of value creation for banks, their money laundering reporting officers, compliance

officers and AML auditors. This paper concludes by highlighting model limitations and

suggesting areas for further research in this largely unexplored arena.

II. Background

The RBA and ML/TF risk assessments are interdependent and rather common terminology

used within the AML industry. It follows that the starting point of the RBA is a risk

assessment.

While the implementation of an RBA makes the AML regulation more flexible, it also

increases the responsibilities on individual firms to administer and implement their AML

programs effectively. In other words, under the RBA, the legislator/regulator effectively

delegates the design and implementation of the AML program to an individual firm, which

in turn is monitored and assessed by its regulator.

A brief introduction to the concepts is provided below.

A. Introduction to the Risk-Based Approach and Risk Assessments

1. The Risk-Based Approach

RBA was introduced by the Financial Action Task Force (FATF) in its Recommendations

and it forms the foundation of an anti-money laundering/counter-terrorist financing

(AML/CTF) compliance program. In essence, the RBA implies that as a starting point,

countries, competent authorities and firms (entities) need to identify, understand and

assess the ML/TF risks to which they are exposed. Based on these identified risks,

entities then need to prioritize these risks and allocate resources, conduct varying levels

of due diligence (simplified, standard or enhanced) and build controls and monitoring

mechanisms to effectively manage these risks. As a rule, the higher the risks assessed, the greater should be the resource allocation, client and transaction due diligence, transaction monitoring and controls to enable effective risk management.

2. ML/TF Risk Assessments

Having perused the essence of an RBA, it is easy to appreciate that the RBA (and consequently, a firm’s AML program) cannot be effective without an effective risk assessment. Simply put, one cannot manage risks effectively where the risks themselves are not recognized, understood and assessed!

There are basically two broad levels at which firms

conduct their risk assessments:

a. An Enterprise-Wide Risk Assessment (EWRA)

An EWRA is conducted across the firm or its group (group-wide risk assessment) to understand and assess the total ML/TF risks faced. It considers, inter alia, the organization’s markets and business lines, its geographical footprint, customers it deals with, products and services it offers, delivery channels used to onboard its customers and used to conduct their transactions, and other qualitative risk factors facing the firm such as reliance on third parties, recent/planned acquisitions, recent enforcement actions, etc.

“The key purpose of a money laundering risk assessment [EWRA] is to drive improvements in financial crime risk management through identifying the general and specific money laundering risks a financial institution is facing, determining how these risks are mitigated by a firm’s AML program controls and establishing the residual risk that remains for the financial institution” [21, p.3]

b. Customer Risk Assessment (CRA)

In addition to an EWRA, firms also undertake ML/TF risk assessments of their customers. The objective here is to determine the ML/TF risks associated with a particular customer relationship or an occasional transaction (for a non-customer undertaking a one-off financial transaction with the bank). Based on the CRA model deployed, each customer is assigned an overall ML/TF risk score, which is then used to risk categorize customers (say, into high, medium or low risk).

“A financial institution should ensure that its internal controls are proportionately aligned to the risks posed by the range of its clients [CRA], where the highest risk clients will be the object of the most rigorous AML controls, whether through onboarding standards, enhanced due diligence, enhanced monitoring and/or more frequent periodic reviews” [21, p.13]

“While the RBA confers flexibility, it also demands an active and dynamic participation by firms, in terms of requiring them to use their expertise, knowledge and judgement to conduct effective ML/TF risk assessments and develop robust AML programs appropriate to effectively manage the ML/TF risks facing their particular organizations.”

The scope of this white paper is restricted to customer risk assessment (CRA) methodology

across the banking industry.

B Presenting the Problem and Research Questions

1 “The Problem” – No Industry-Wide Standard Form or Template Exists for ML/TF Risk Assessments

At this moment, it is apt to consider the following questions with respect to ML/TF risk

assessments:

- How do firms practically identify and assess their ML/TF risks?

- Is there any defined or standard methodology for firms to follow while undertaking such risk assessments?

- What are the regulators’ expectations in this regard? Is the firm’s risk assessment approach sufficiently ring-fenced?

Finding the appropriate answers to the above questions presents practical global

challenges and it has been the subject matter of many surveys, articles and research in

the AML industry.

According to a joint research study, “Current

Industry Perspectives into Anti-Money

Laundering Risk Management and Due Diligence”,

conducted by LexisNexis and ACAMS in 2015, to

examine how the AML community is managing its

customer enhanced due diligence and ML risk

assessment processes, one of the main challenges

identified in the area of risk assessments was the

lack of standardization.

In their June 2013 AML survey, the following

question was posed to the 461 survey participants:

“Do you see a need for an industry-wide standard

risk assessment?” 70.1 percent of the survey

participants answered in the affirmative,

evidencing a long-standing industry need for a

standard approach, framework or model for firms

to undertake their risk assessments.

“[The ML risk assessment was a] lengthy and exhaustive process—no standardization from the industry itself”.

“There should be a standardized template [for risk assessment to] which organizations may customize to suit its own business”.

LexisNexis & ACAMS Survey [35], 2015

2 Problem Validation

The RBA emphasizes that there is no “one-size-fits-all” approach to the risk assessments.

Logically, this makes sense. Consider some of the following empirically observed facts:

- Many multinational firms operate globally in different markets and have to account for their different legal and regulatory systems;

- There exists a wide and differing range of products and services firms offer;

- Firms today deal with different types of customers, who in turn are domiciled/incorporated/operate in different locations across the globe;

- With the advent of technology and globalization, channels used to onboard customers and conduct their transactions (e.g., internet, mobile, etc.) differ and are ever evolving (e.g., payment systems, etc.);

- Firm specific idiosyncrasies do exist, e.g., an audit observation or an enforcement action, third-party reliance, etc.

Each of these factors, in turn, introduces vulnerability and varying degrees of ML/TF risks

to which an individual firm is exposed. The RBA accordingly requires the firm to assess its

own unique risk exposure, adopting its own risk assessment methodology, appropriate to

suit its profile, structure, products, geographies, channels, etc., with such methodology

being well-documented with a proper rationale and approved by its senior management.

To enable firms to conduct effective risk assessments, guidance has been issued from time to time by many industry-setting global bodies like the FATF, the Wolfsberg Group, supranational authorities like the E.U., national regulators and industry bodies (collectively termed “Global AML Guidance”; refer to Annexure 2 on page 33). However, notwithstanding

this global AML guidance and the level of maturity of AML/CTF systems in many countries,

deficiencies in risk assessments are regularly featured in regulatory/enforcement actions

across countries.

Clearly, firms are not “getting their risk assessments right,” and as evident from the AML

survey, “seek a standard risk assessment methodology,” aligned with regulatory and

industry expectations.

This white paper attempts to explore an industry-wide (harmonized) CRA model, using a

conceptual model based on a contingency theory. In addition, this paper seeks to

determine the extent to which CRA processes can be standardized, while recognizing

certain mandatory contextual factors which necessitate local level variability in risk

assessments. Finally, as the model is based on the fundamentals of global AML guidance,

it is also proposed as a best practice model for banks.


3 Framing the Research Questions

Based on the above motivation, the main research questions are as follows:

a) Which contextual factors necessitate mandatory or unavoidable variances in CRA

processes across the banking industry? What are the consequential limits to CRA

process standardization?

b) What are the benefits of CRA standardization to banks, their MLROs, compliance

officials and auditors (stakeholders)?

III. The Solution—Theoretical Foundation

As a means to approach the objective of this white paper, the author refers to and builds upon the conceptual model proposed by H.L. Romero and Paul W.P.J. Grefen et al. [5] (2015), which is based on contingency theory as the guiding theory.

Contingency theory suggests that there is no single ‘best way’ to manage an organization; instead, successful organizations adopt processes and structures that provide the “best fit” to their internal and external business environments. Using the contingency theory and undertaking a literature review, Romero et al. identify 11 contextual factors that affect different aspects of process standardization in organizations.

The Romero et al. conceptual model proposes that the extent to which business processes can be standardized (i.e., the level of process harmonization), is dependent on these 11 contextual factors in the organization and its environment. The model further examines the impact of such standardization (level of harmonization) on business performance. The Romero et al. model is presented in Annexure 1.

The author adopts and builds on the Romero et al. model, analyzing each of these 11 contextual factors, which influence the level of business process harmonization from an ML/TF risk assessment process perspective. In particular, the author acknowledges the following:

1. their relevance to the CRA process harmonization, and

2. the available global AML guidance, in particular, the customer risk factors identified therein.

The objective of the analysis is to narrow down to those relevant contextual factors, which necessitate mandatory or unavoidable variations in the CRA processes across banks (termed the Mandatory Contextual Factors [MCFs]). By definition, MCFs cannot be standardized. Therefore, MCFs set limits to the extent of CRA process standardization (i.e., the extent to which CRA processes across banks may be made uniform).

To identify the extent of CRA process standardization, the author undertakes a

comparative analysis of customer risk factors across the customer risk categories, as

detailed in the available global AML guidance, to identify the quoted customer risk factors

(QCRFs).

Therefore, the proposed harmonized model,

incorporates the best AML practice QCRFs

identified in the global AML guidance, while

providing for local level variability (to the extent

of the MCFs identified), thereby enabling banks

to adopt and adapt to the model while

undertaking their CRAs.

Having presented the best practice harmonized

CRA model, the benefits of this model in

creating value for banks, their MLROs,

compliance officials and internal and external

auditors (termed stakeholders) are evaluated.

The (modified) conceptual model proposed by the author is shown in Figure 1 below:

[Diagram: Mandatory Contextual Factors → Extent of CRA Standardization → Stakeholder Value]

Figure 1: Relation between mandatory contextual factors, extent of CRA standardization and stakeholder value.

The model comprises three interdependent parts viz., first, the mandatory contextual

factors (MCFs), which explain the need for firm specific CRA process variations (i.e.,

process variants that cannot be standardized); second, how these MCFs affect the CRA

process standardization (determining the extent of CRA process standardization or the

level of harmonization), and finally, the expected value created for stakeholders, resulting

from the CRA process harmonization.

As we embark on the model, the following definitions are relevant to our analysis.

“The proposed harmonized CRA model incorporates the best AML practice customer risk factors identified in the global AML guidance, while providing for local level variability, thereby enabling banks to adopt and adapt to the model.”

A Definitions

To understand the model, a brief introduction and definitions of the concepts

‘standardization,’ ‘harmonization’ and ‘contextual factors’ are provided in this section.

1 Standardization

Standardization is about conformity. Davenport defines process standardization as “the unification of business processes and the underlying actions within a company…” [36] As Tregear (2010) highlights, the main goal of process standardization is the development of one standard or a best practice process used as a template for all instances of the process throughout organizations. [28]

2 Harmonization

Harmonization is defined by the Business Dictionary as

“the adjustment of differences and inconsistencies

among different measurements, methods, procedures,

schedules, specifications, or systems to make them

uniform or mutually compatible.”

While process harmonization does not impose a strict one-standard process upon all, it

does entail decision-making on the extent to which different processes are standardized

(i.e., determining the ‘level of harmonization’ [number of process variants post

harmonization]). By its strict definition, standardization has only one process variant.

3 The “Trade-off”—Level of Harmonization

In practice, global uniformity of processes (i.e., standardization) is not always achieved. Indeed, it has been empirically shown that some variability cannot be avoided (Frei et al. [29], 1999). Tregear (2010) emphasizes that complete or global uniformity should not be strived for; rather, a trade-off should be struck between global uniformity and local variability (the harmonization level). [28] This is depicted in Figure 2 below.

[Diagram: a spectrum running from Global Uniformity to Total Diversity, with “The Trade-off” (Harmonization Level) between the two]

Figure 2: The “Trade-off”—Determining the Level of Process Harmonization

“Process standardization differs from process harmonization mainly in its goal or degree of process strictness – while harmonization involves a reduction in process variations and allows for local-level variations, standardization entails moving towards the eradication of any variation, towards one global standard.”

4 Contextual Factors

In contingency theory, contextual factors are described as environmental, organizational

and individual characteristics of a firm’s external and internal environments. The

contingency theory proposes a “fit” between the firm and these contextual factors to enable

effective organization management.

B Mandatory Contextual Factors limiting CRA standardization

As explained in Section III above, for the purpose of proposing a harmonized CRA model,

the author reviews each of the 11 contextual factors proposed by Romero et al. for their

relevance to the CRA process. A detailed analysis is presented in the following Table 1:

Table 1: Determination of Mandatory Contextual Factors (MCFs) from an ML/TF risk assessment context for proposed harmonized CRA Model

| Category Type | Contextual Factors (Romero et al.) | Relevance to CRA process | Quoted in Global AML Guidance | MCF | Remarks |
|---|---|---|---|---|---|
| External to the Firm | Cultural differences | Yes | Yes | Yes | In an AML context, considered as the firm’s general operating environment, which may influence firms in particular regions to assess their CRAs differently. |
| External to the Firm | Different regulations | Yes | Yes | Yes | Different legislations or regulations may necessitate different CRA variants. |
| External to the Firm | Power distance | No | No | No | Concerns inter-firm collaborations. Not relevant for the purpose of the CRA process, given that the broad categories of customer risk factors are available in global AML guidance. |
| Internal to the Firm | Number of different locations | Yes | Yes | Yes (sub-point) | Relevant for multinational firms operating globally. Considered in our model as a sub-component of the contextual factor ‘organization structure’ below. |
| Internal to the Firm | IT governance centralization | Yes | Yes | Yes | Considered as the sophistication level of a firm’s IT system. Technology impacts the extent of CRAs across firms, in terms of technical capability to undertake customer transaction volume analysis, ability to use central data warehousing for data analytics etc. |
| Internal to the Firm | Product type | Yes | Yes | Yes | The range of products/services/channels offered by banks influences their CRAs. |
| Internal to the Firm | Maturity level | No | No | No | Concerns the maturity level of a firm’s processes; Romero proposes a positive correlation between the maturity level and potential for standardizing process. Not considered significant for CRA process harmonization, given the available global AML guidance. |
| Internal to the Firm | Organization structure | Yes | Yes | Yes | In an AML context, considered as differences in terms of scope (business lines) and scale of operations (local/national/multinational), which may influence CRAs across firms. |
| Internal to the Firm | Number of mergers & acquisitions | No | No | No | While this may impact general process harmonization as they increase the number of process variants within the merged entity, for the purpose of the CRA model, this is treated as an abnormal event and not considered. |
| Immediate (i.e., process related) | Level of process structured-ness | No | No | No | Concerns processes proposed to be harmonized; non-routine processes are less applicable to standardization than routine ones. Not considered as research focuses on the extent of CRA harmonization. |
| Immediate (i.e., process related) | Personal differences | No | No | No | Concerns people involved (and their personal differences) in the processes proposed to be harmonized. Not considered as the research focuses on the extent of CRA harmonization. |

As gleaned from Table 1, the author identifies the following five mandatory contextual

factors (MCFs), which limit the extent of CRA process standardization:

Table 2: MCFs for harmonized CRA model and possible CRA variants

| SN | Category Type | Mandatory Contextual Factors | Possible CRA variants – permissible local variability |
|---|---|---|---|
| 1 | External | Firm’s operating environment (internal/external) | Enforcement/Regulatory action (firm specific); Audit action (firm specific); Specific environmental risk factor; Emerging ML/TF typology |
| 2 | External | Different legislations or regulations | Legislative requirement; Regulatory requirement; Specific location Industry guidance |
| 3 | Internal | Products/services/channels (beyond the identified QCRFs) | New product development; New channel development |
| 4 | Internal | Scope and scale of operations | Unique international branch customer risk factors; New business line |
| 5 | Internal | IT sophistication* | IT capabilities for internal data processing/analytics e.g. account transaction volume analysis; linked accounts transaction (network) analysis etc.; IT centralization versus disparate systems which may limit CRA |

*Note: The last MCF (i.e., IT sophistication), while appreciating its influence on process

standardization and the justified need for local variability, is not considered an MCF in our

proposed model.

This is because the CRA model, proposed as a best practice model, considers inter alia, customer transaction volume/value analysis as an important component of the overall CRA process and consequently, relies on the ability of individual firms to harness their technological systems and capabilities to extract this data for undertaking such analysis for the CRA process. Therefore, for operationalizing the best practice CRA model, this particular MCF indirectly operates as an essential pre-condition to undertake the CRA.

The remaining four MCFs highlight the need for local-level variability (flexibility) proposed

in the model. For illustrative purposes, some possible (non-exhaustive) CRA model variants

are listed against each MCF in Table 2 above. Banks may adapt to these MCFs as per their

unique firm idiosyncrasies and local requirements.

C Exploring an Industry-Wide CRA Model

1 A Harmonized Model

It is apparent that a standard (uniform) CRA model, as a “one-size-fits-all” solution, will

not work. As highlighted in the MCFs, this is because firms vary in terms of scope, scale

and complexity when it comes to their operations, they operate in different markets, may

be subject to different legislations/regulations, have differing range of products, services,

channels or are subject to unique firm specific idiosyncrasies like audit/enforcement action

requirements, etc. These MCFs set limits to a standardized (uniform) CRA model.

Having identified the MCFs in Table 2, the next step in exploring an industry-wide CRA

model is to identify a best practice harmonized model, built on fundamental global AML

guidance, while permitting local level variability (in terms of the MCFs).

2 Model Framework

As the next step, the author undertakes a

comparative analysis across the various customer

risk factors referred to in available global AML

guidance (listed in Annexure 2).

While conducting this analysis, the author considers the conventional/standard ML risk assessment methodology, provided in the Wolfsberg (2015) FAQs [21], as the overarching framework for the harmonized model. This methodology considers the following five risk categories:

1. Clients

2. Products and services

3. Channels

4. Geographies

5. Other qualitative risk factors—termed in our model as the MCFs, reflecting local level firm variability.

“The best practice harmonized CRA model is based on conventional ML risk assessment methodology and considers the best practice customer risk factors (from global AML guidance) and the mandatory contextual factors (incorporating local level firm specific variability).”

Using this framework, the global AML guidance analysis identifies the quoted customer

risk factors (QCRFs), featured in the risk categories mentioned above. The best practice

harmonized CRA model, accordingly considers both the QCRFs (incorporating the best

international AML practice) and the MCFs (incorporating local level firm specific

variability).

As customer risk assessment is undertaken both at the time of customer onboarding and

subsequently during the life of the banker-customer relationship, two variants of the CRA

model are proposed below. Both the model variants assess the inherent money laundering

risk in a customer relationship. The key difference between the two model variants is the

analysis of customer account transactions in terms of transaction type and volume analysis

(i.e., the money that flows through the customer’s account is analyzed from a money

laundering risk perspective). The proposed CRA models are shown in Tables 3A and 3B

below:

Table 3A – Harmonized CRA Framework (Customer Onboarding Stage)

| Category | Risk Category Type | Inherent ML Risk Weights | Risk Factors Description (“QCRFs”) |
|---|---|---|---|
| A | Client type | 30 | Appendix A |
| B | Products/services | 20 | Appendix B |
| C | Geographies | 25 | Appendix C |
| D | Channels | 10 | Appendix D |
| E | MCFs | 15 | Table 2 on Page 11 |
| | Total | 100 | |

Table 3B – Harmonized CRA Framework (Ongoing Relationship Monitoring)

| Category | Risk Category Type | Inherent ML Risk Weights | Risk Factors Description (“QCRFs”) |
|---|---|---|---|
| A | Client type | 20 | Appendix A |
| B | Products/services | 10 | Appendix B |
| C | Geographies | 15 | Appendix C |
| D | Channels | 10 | Appendix D |
| E | Account transaction analysis | 30 | Appendix E |
| F | MCFs | 15 | Table 2 on Page 11 |
| | Total | 100 | |

The models specify the risk categories and their inherent ML risk ratings. These risk ratings

are generally in line with the suggested inherent risk weighting ranges proposed in the

Wolfsberg (2015) FAQs,21 albeit modified by the author particularly for the second model

variant (Table 3B above), to consider the account transaction analysis as a separate risk

factor in itself. For the purpose of effectively assessing the ML risks associated with a client

relationship, in addition to other factors, due weightage is required to be accorded to the

type of transactions and quantum of money flows through the customer’s accounts. For

illustrative purposes, a non-resident alien domiciled in a high-risk country, opening a bank

account using the internet (non-face-to-face) channel, may pose an inherent high ML risk

to the bank; however, this risk does not effectively materialize unless money flows through

the customer’s account. Therefore, the ML risk assessment needs to adequately factor the

nature of transactions (i.e., cash, forex, etc.) and the quantum of money flows in the

customer’s accounts.

The relevant QCRFs within each risk category are identified in the stated appendices. While

conducting its CRA, within each risk category, the firm will consider the relevant QCRF

and accord a risk rating of High, Medium or Low, based on the risk factor description and

its alignment with the customer’s observed/known characteristics. As the next step, the

firm scores the inherent risk factors (e.g., a high risk may be scored 3, medium risk 2

and low risk 1) to arrive at an individual risk category score and an overall HML (customer

risk) score attributed to a particular customer relationship.
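The scoring step described above, worked through with the Table 3A and 3B weights and the paper's own illustrative customer. This is an added example, not part of the white paper: the paper fixes the weights and the 3/2/1 scores, while the aggregation rules (highest QCRF sets the category score, overall score as a weighted average), the High/Medium/Low cut-offs and the product and MCF ratings of the sample customer are assumptions.

```python
from dataclasses import dataclass

# Scores suggested in the text: High = 3, Medium = 2, Low = 1.
SCORES = {"High": 3, "Medium": 2, "Low": 1}

# Inherent ML risk weights copied from Table 3A (onboarding) and Table 3B (ongoing).
ONBOARDING_WEIGHTS = {
    "client_type": 30, "products_services": 20, "geographies": 25,
    "channels": 10, "mcfs": 15,
}
ONGOING_WEIGHTS = {
    "client_type": 20, "products_services": 10, "geographies": 15,
    "channels": 10, "account_transaction_analysis": 30, "mcfs": 15,
}


@dataclass(frozen=True)
class Assessment:
    category_scores: dict  # category name -> score 1..3
    overall: float         # weighted average on the 1..3 scale
    rating: str            # "High", "Medium" or "Low"


def category_score(ratings):
    """ASSUMPTION: the highest-rated QCRF in a category sets the category score."""
    if not ratings:
        raise ValueError("every category needs at least one rated QCRF")
    unknown = [r for r in ratings if r not in SCORES]
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    return max(SCORES[r] for r in ratings)


def assess(weights, qcrf_ratings, high_cutoff=2.5, medium_cutoff=1.75):
    """Score one customer relationship against a Table 3A or 3B weight set.

    ASSUMPTIONS: the overall score is the weighted average of the category
    scores, and the cut-offs are hypothetical values a firm would set itself.
    """
    if sum(weights.values()) != 100:
        raise ValueError("category weights must total 100")
    if set(qcrf_ratings) != set(weights):
        missing = sorted(set(weights) - set(qcrf_ratings))
        extra = sorted(set(qcrf_ratings) - set(weights))
        raise ValueError(f"category mismatch: missing={missing} extra={extra}")
    scores = {c: category_score(qcrf_ratings[c]) for c in weights}
    overall = sum(weights[c] * scores[c] for c in weights) / 100
    if overall >= high_cutoff:
        rating = "High"
    elif overall >= medium_cutoff:
        rating = "Medium"
    else:
        rating = "Low"
    return Assessment(scores, overall, rating)


# Constructed customer modelled on the paper's illustration.
ILLUSTRATION = {
    "client_type": ["High"],          # non-resident alien (Table A1)
    "products_services": ["Medium"],  # checkable savings account (constructed)
    "geographies": ["High"],          # domiciled in a high-risk country
    "channels": ["High"],             # non-face-to-face account opening
    "mcfs": ["Low"],                  # constructed
}


def compare_variants():
    """Same customer at onboarding, then ongoing with and without money flows."""
    idle = {**ILLUSTRATION, "account_transaction_analysis": ["Low"]}
    active = {**ILLUSTRATION, "account_transaction_analysis": ["High", "Low"]}
    return {
        "onboarding": assess(ONBOARDING_WEIGHTS, ILLUSTRATION),
        "ongoing_no_flows": assess(ONGOING_WEIGHTS, idle),
        "ongoing_with_flows": assess(ONGOING_WEIGHTS, active),
    }


if __name__ == "__main__":
    for stage, result in compare_variants().items():
        print(stage, result.overall, result.rating)
```

Under these assumptions the same customer moves between ratings only through the account transaction analysis category, which is the effect the Table 3B weighting is meant to capture.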

IV. Harmonized CRA Benefits—Creating Stakeholder Value

The previous section proposed a best practice harmonized CRA model for banks. This

section explores the benefits of such a harmonized model in terms of creating value for

banks, their MLROs, compliance officials and auditors (stakeholders).

The effect of business process harmonization is well acknowledged in the literature.

Romero et al. summarize the effect of process standardization (harmonization) as follows:

“[Process harmonization is] a driver of improvements in terms of cost, time, efficiency,

effectiveness, quality and responsiveness” – Heidi Romero et al.2 (2012), p. 16.

A An Industry-Wide Global CRA Standard

By design, the best practice harmonized CRA model considers and harmonizes the

customer risk factors (QCRFs) in the available global AML guidance, while allowing for

local level variability in terms of the MCFs.

This results in the model adopting the highest (harmonized) standard as a benchmark

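global standard, depicted by the vertical line in the following Figure 3.

Figure 3 – The Harmonized Global Standard

[Figure: chart of the standard requirement (scale 0–10) for Regions 1–5, showing for each region the regional standard, the gap to meet the global standard and any additional local standard; a vertical line marks the harmonized global standard.]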

When the CRA model is harmonized in this manner, it has the benefit of raising the bar in

terms of standards across geographies, enabling banks operating in a particular geography

to exceed their regulator’s expectation.

The benefits of the harmonized model are aplenty and create value for their stakeholders:

B Value to Banks and their MLROs and Compliance Officials

The benefits accruing to banks using the harmonized model are summarized hereunder:

a. The harmonized model provides the much-needed framework to banks and their

compliance officials, fulfilling a long-standing industry need for standardizing ML risk

assessments, while permitting flexibility in terms of local level variability. This enables

banks to quickly adopt and adapt to the model to suit their local requirements or firm

specific idiosyncrasies.

b. When the CRA model is harmonized to adopt the highest standard from global AML

guidance, it has the benefit of raising the bar in terms of standards, enabling banks

operating in a jurisdiction to exceed a regulator’s expectation in some areas. This may

enable banks to demonstrate their commitment to the highest standards of corporate

governance, embrace the spirit of compliance and build strong working relationships

with their regulator.

c. In the case of multinational banks operating globally, the model enables them to

harmonize (minimize) the multiple versions of their internal policies, procedures and

processes, which may otherwise be required by their regional offices, enabling a

consistent enterprise-wide approach to CRA. Regulatory arbitrage, in the sense of the

same customer being assessed differently in different jurisdictions, is therefore,

minimized.

d. Management information systems in terms of uniform senior management or board

reports, charts, tables, etc., within a global organization improve. Similarly,

benchmarking with peers and comparative reporting is enabled across the industry.

e. Consistency prevails across the global organization in terms of staff operating in various

geographies, and the awareness of standard parameters and methodology. The model

aids comprehensive training design and implementation across the organization.

Similarly, at an industry level, AML measures and communication on standard

customer risk factors become more effective.

f. Pursuing a higher standard acts as a positive knowledge enabler for the MLRO and the

compliance staff in general. Discussions on common issues at an industry-wide forum

(e.g., bank associations, etc.) develop professionalism, build the industry arsenal for

AML counter-measures and may indirectly address the otherwise perennial issue of

shortage of trained and skilled AML professionals in the industry.

C Value to AML Auditors

Being the third line of defense, the internal audit function (IAF) plays a crucial role in

performing an independent testing of the firm’s AML program. The AML audit assessment

provides the firm with an independent view of how well its AML program and risk

assessment is designed and functioning.

Arena and Azzone (2009) define effectiveness “as the capacity to obtain results that are

consistent with the target objective.” 24

The Institute of Internal Auditors (2010) define internal audit effectiveness “as the degree

(including quality) to which established objectives are achieved.” 25 While the objectives of

the IAF are dependent on the goals set by the management of its organization (Pungas26

2003), it is commonly acknowledged that the IAF lies at the center of a firm’s corporate

governance system, performing a crucial role by strengthening its system of controls and

conducting assurance reviews at various levels within the firm. This review process aims to

provide “assurance that key controls are designed properly, operate effectively and

efficiently to the different layers of management” (Lundin 2009). 27

Several studies have been undertaken on internal audit effectiveness. The author identified

the following studies (Table 4) as relevant for the purpose of analyzing the impact of the

harmonized CRA model on auditors, in terms of improving their audit effectiveness:

Table 4: Studies on Internal Audit Effectiveness

| SN | Author and Title | Design/Methodology/Approach | Nature | Findings |
|---|---|---|---|---|
| 1 | Dieter De Smet and Anne-Laure Mention,9 (2011). “Improving auditor effectiveness in assessing KYC/AML practices: Case study in a Luxembourgish context.” | The paper used a qualitative approach with various focus groups and case studies, to elaborate and validate the developed model through methodological triangulation. | The paper reports on the suitability of an ISO standard to create an internal control assessment model, which effectively acts as a control system template and mental model to evaluate compliance with the KYC/AML requirements in the Luxembourg retail and private banking sector. | The proposed assessment model has a matrix structure that facilitates the incorporation of checklists and narratives to ensure effective testing of controls and its structure allows targeting the specific areas of risk in the identified KYC/AML processes. The model can be used to combine various reporting formats on internal control, hence audit effectiveness can be increased and information asymmetries can be reduced. |
| 2 | Badara, M.S. & Saidin, S.Z.17 (2012). “The relationship between risk management and internal audit effectiveness at local government level.” | Literature review | The paper aims to examine the relationship between risk management and internal audit effectiveness at the local government level. | The study reveals that risk management can influence the effectiveness of internal auditors at the local government level. |

As gleaned from the table above, improvements in risk management and the use of a

standard internal control assessment model (control system template/mental model) have

been found to impact internal audit effectiveness favorably.

A parallel can also be drawn in the field of financial reporting standards, where it has been

increasingly important for multinational companies using different reporting standards, to

overcome the problem of inefficient comparisons of their financial statements.

Harmonization via the International Financial Reporting Standards (IFRS) aimed at

reducing differences in financial reporting processes across the globe, helping to achieve

some level of comparability in the way financial statements are prepared and presented.

Among other benefits, this has benefited investors in terms of enabling a better

understanding of the financial statements and also resulted in increased auditing efficiency

and money savings, as companies have had to use only one set of reporting standards.

Coming back to AML, while evaluating the benefits of the harmonized CRA model for AML

auditors, it is important to appreciate the challenges confronting an auditor who embarks

on an AML audit. These challenges are further complicated in the case of a multinational

firm operating globally, in view of the many regional policies, procedures, regulations,

cultures, etc. There is no dearth of literature on the challenges in conducting an effective

AML audit or on the effective audit of an AML risk assessment. Some prerequisites

highlighted in the literature for enabling an effective AML audit are briefly summarized

hereunder:

1. An appropriate level of understanding of the auditee firm’s business model, its business

activities, business lines, products/services offered, delivery channels used, geographies

in which it operates, third-party arrangements, customer types, etc.

2. Whether the AML risk assessment adequately factors all the relevant elements posing

ML/TF risk to the firm;

3. The auditee firm’s AML policies, procedures, processes and system controls across its

operating regions and whether these are appropriate to its AML risk assessment. These

are generally different across the firm’s operating geographies and complicate the task

of the auditor who has to account for these differences, while assessing the effectiveness

of the AML program, closely tracking compliance with the varying documented

procedures.

4. A good understanding of the ML risks associated with new emerging products,

especially sophisticated products or new emerging payment systems, new ML

typologies and trends observed in the global landscape, etc.

5. Level of conformity to the relevant national/supra national AML/CTF guidance

6. Industry level comparisons for best practices in ML risk assessments

7. Consideration of any enforcement actions relevant to the geography or specific to the

firm; regulator or industry level local guidance, etc.

8. Level of employee AML training and its appropriateness across geographies

With the above backdrop, it is easy to see the benefits conferred by the harmonized CRA

model to AML auditors:

1 The model facilitates a simplified application of the risk-based AML audit program in

the following ways:

a It presents a ready-to-use best practice framework, fundamentally built on sound

AML principles (global AML guidance). This framework incorporates the QCRFs

on which AML guidance is readily available, making the task of the AML auditor

relatively simple in terms of checking its applicability to the firm in question. The

result is less audit orientation time and more assurance of not missing out on the

inclusion of an important customer risk factor in the auditee firm’s customer risk

assessment;

b The harmonization also manifests into a reduced volume of policies and procedures

across the multinational firm, resulting in time saving and more focused audit time

on other aspects of the audit program;

c The model may also eliminate some unnecessary differences and irrelevant

complexities across firms’ risk assessment policies and procedures (except the

mandatory contextual factors explaining local differences, which will be assessed

by auditors for relevance to the firm). This should make the task of auditors simpler,

enabling them to achieve a higher degree of audit assurance within the given audit

period.

2 The harmonized model facilitates the application of a standardized audit approach

across the industry, eventually improving the quality of AML risk management. A

parallel is drawn here to the study undertaken by Ines Simac and Marleen Willekens,19

which provides evidence that the harmonization of auditing via implementation of the

EU Statutory Audit Directive across different member states of the EU, as well as the

imposition of stricter regulations, significantly contributed to the financial reporting

quality of European financial institutions.

3 Harmonization may also facilitate audit firms, especially large international audit

firms, to develop and deploy more sophisticated audit tools/methodologies, built on

the best practice QCRFs.

4 The harmonized approach should facilitate peer-to-peer comparisons in terms of AML

risk management, enabling the implementation of best practice AML controls across

the industry for inherent risk represented by the QCRFs. This should make an auditor’s

recommendations highly relevant and practical for the auditee firm.

5 The need to keep the CRA model updated (ideally to be reviewed at least once a year),

will necessitate comparison with updated global AML guidance, which should factor

in any emerging ML/TF risk or typology across the industry. This approach indirectly

enables the incorporation of an AML ‘safety shield’ by banks operating in a geography,

who may otherwise be unaware of the emerging ML risks outside their jurisdiction,

thereby making the ML risk assessments more effective and relevant for the firms and

their auditors.

V. Model Limitations and Conclusion

In its recommendations, the FATF suggests that an AML program should not be

prescriptive, but rather risk-based. While maintaining the broad tenets of the RBA, this

white paper is an attempt to present a standard approach to customer risk assessments by

exploring the concept of “harmonization.” Harmonization recognizes that in addition to

some mandatory differences, there are also many commonalities to the AML customer risk

assessments, which may be harnessed to design a best practice harmonized CRA model,

built upon fundamental global AML guidance.

Recognizing that there cannot be one common global standard, the limits to the

standardization of the CRA model (level of harmonization) have been explored, based on

the Romero et al. conceptual model, and the benefits of such a harmonized model to banks,

their compliance officials and AML auditors presented.

While compelling, the proposed model has its own shortcomings. Foremost, it is a

conceptual model, based on literature review and remains to be proven empirically. The

development of a conceptual model is the first logical step toward more profound research

into the dynamic relationship between the identified mandatory contextual factors, the

level of harmonization and its impact on stakeholder value. The next step would be to

define the hypotheses on the relationship between these factors and to test the model

empirically. Clearly, more research is warranted. Secondly, the assignment of weights to

the customer risk categories, while based on industry guidance (Wolfsberg) is nevertheless

arbitrary. Third, it may be debated that the identification of QCRFs may not provide a

comprehensive ML risk profile for a particular firm or jurisdiction, especially as ML risk is

highly dynamic, may have regional influences and is overall, wide-ranging. It is expected

that the MCFs identified in the model should account for and cover this ‘gap.’ However, this

will be dependent on the firms to identify these ‘gaps’ correctly with respect to their firms

and factor them in the model effectively—a sort of mini déjà vu! Finally, the model does

not consider ML risk mitigating factors or the firm’s control systems, choosing to focus

only on the inherent customer risk factors. Likewise, the risk scoring methodology is not

explored in this paper and some of the good statistical techniques like the analytic

hierarchy process, Kappa Pearson statistical risk decision, etc., may be useful to firms in

this regard.

Nevertheless, the model is a useful starting point for firms to consider, given its many

benefits to the industry. It attempts to fulfill a long-standing industry need and offers a

much needed framework built on sound AML principles. Future research in this area may

reap great benefits.

VI. Acknowledgements

While not a thesis in itself, formulating and concluding this paper was by no means an easy

task; demanding long hours of hard work, effort, dedication and perseverance. While the

motivation to get started and research this interesting subject comes from within, it would

be incorrect to disregard the support of a few people who encouraged and enabled me to

complete the task successfully.

I am privileged to have Kenneth Simmons as my ACAMS Review Board member, and I

thank him for his valuable advice on the broad approach and structure of my white paper.

I thank him for his support and feedback.

I also express gratitude to my love and life partner, Daisy, for her understanding, patience,

encouragement and care during this period of research. Indeed, few of the graphical inputs

may be referenced to her skill and creativity! I thank my parents for making me believe in

myself. I also acknowledge the big sacrifices made by my little kids, Shahnaya and Farzin,

giving up their favorite cartoon television programs, allowing ‘Daddy’ to work through and

complete his ‘homework!’

Last but not the least, I am thankful to God Almighty for his kind blessings, for making me

who I am, and providing me with an opportunity to share knowledge with many more.

APPENDIX A- Quoted Customer Risk Factors – Customer

| SN | Category Sub-parameters | Customer Risk Factors & Risk Scoring |
|---|---|---|
| 1 | Customer constitution/type | Refer Table A1 (below) |
| 2 | Industry, Profession, Business type | Refer Table A2 (Refer page 24) |
| 3 | Unexplained geographical distance between the bank branch and the customer | High Risk |

Table A1 –Customer Constitution/Type

| SN | Customer Type | Customer Risk Factors | Inherent Risk |
|---|---|---|---|
| 1 | Individual | Retail (domestic) | Low |
| | | Domestic PEPs & International Organization PEPs | Medium/High |
| | | Foreign PEPs | High |
| | | Non Resident Alien | High |
| | | High Net Worth | High |
| | | Foreign Deposit Broker | High |
| | | Significant Investment Visa (SIV) Person | High |
| 2 | Entities | Sole Proprietor/one man company | Medium |
| | | Partnership | Medium (Registered); High (Unregistered) |
| | | Trusts | Medium (Public Charitable Trusts); High (Private Trusts) |
| | | Associations/Societies/Clubs | Medium (Registered); High (Unregistered) |
| | | FI's/Banks/Regulated Entities | Low (Domestic & Listed); Medium (Domestic & not Listed); Medium (International & Listed); High (International & not listed) |
| | | Publicly Held Companies | Low (listed); Medium (not listed) |
| | | Privately Held Companies | Medium (non-bearer shares); High (bearer shares) |
| | | Government Entities | Low (domestic Govt.); High (foreign Govt.) |
| | | PIC/IBC | High |
| 3 | Other Risk Factors | Ownership/Control Structure | High (Complex/multi-layered, with no rationale) |
| | | Shell Company | High |

APPENDIX A

Table A2 – Quoted Customer Risk Factors – Industry, Profession, Business

| SN | Customer Type | Customer Risk Factors | Inherent Risk |
|---|---|---|---|
| 1 | Individual | Salaried/Employed | Low |
| | | Retired/home maker | Medium |
| | | Self-employed professional | High |
| | | Other | Medium |
| 2 | Individual/Entity | Casas de Cambio, Currency Exchanges, Money Services Business | High |
| | | Charities & Non-Profit Organizations (NPOs) | High |
| | | Intermediaries/Commission agents | High |
| | | Real Estate Agents | High |
| | | High Value Goods Dealers | High |
| | | Precious Metals & Stone Dealers | High |
| | | Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers) | High |
| | | Casinos, including Internet Gambling | High |
| | | Arms Dealers/Private Military Firms | High |
| | | Digital Currency Providers | High |
| | | Construction | High |
| | | Pharmaceuticals & Healthcare | High |
| | | Extractive Industries | High |
| | | Public procurement | High |
| | | Cash Intensive Businesses e.g., gas stations, convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, parking garages | High |
| | | Customers depositing/exchanging large amounts of small denomination notes | High |
| | | Legal persons/arrangements as personal asset holding vehicles | High |
| 3 | Other Qualitative Risk Factors | Vintage (non-individual entities) | Low/Medium/High |
| | | Client Reputation (Past SAR/STR/SMR reporting, subject of past investigation or enforcement/Asset Freeze/Adverse media news/Internal firm negative intelligence etc.) | High |

APPENDIX B - Quoted Customer Risk Factors – Products & Services

| SN | Product/Service Risk Factors | Inherent Risk |
|---|---|---|
| 1 | Savings Deposits (non-checkable accounts, no third party credits permitted) | Low |
| 2 | Savings Deposits (checkable accounts, third party credits permitted) | Medium |
| 3 | Current/Cash credit/Overdraft Accounts (checkable, third party credits permitted) | Medium |
| 4 | Private Equity | Low/Medium |
| 5 | Fixed/Recurring/Monthly deposit schemes with no third party receipts/payments | Low |
| 6 | Cash/Marketable security backed loans | High |
| 7 | Certain Mortgage/Pension/Life Insurance products, where payments from third parties/overpayments are allowed | High |
| 8 | Other traditional loan products with fixed term repayments | Low |
| 9 | Alternative Investment/Structured Products | High |
| 10 | Trade Finance | High |
| 11 | Private Banking/Wealth Management | High |
| 12 | International Correspondent Banking | High |
| 13 | Domestic Correspondent Banking | (Licensed/Regulated & Listed) Medium; High (for others) |
| 14 | Special Use or Concentration Accounts | High |
| 15 | International Brokered Deposits | High |
| 16 | Safe Deposit Services | High |
| 17 | Precious Metals (Delivery) Services | High |
| 18 | Benchmark & other setting of Indices | High |
| 19 | International Wire Transfers | High |
| 20 | Pooled accounts | High |
| 21 | Fiduciary deposits | High |
| 22 | Trust and asset management services | High |
| 23 | New technology/payment methods | High |
| 24 | Prepaid/Stored value cards | High |
| 25 | PUPID – Pay Upon Proper Identification transactions | High |
| 26 | Third party payment processors | High |
| 27 | Electronic funds transfer & Automated Clearing House (ACH) transactions | High |
| 28 | Non deposit account services (e.g., non-deposit investment/insurance) | High |
| 29 | Monetary instruments | High |

APPENDIX C

Quoted Customer Risk Factors – Geographies/Country Risk

| SN | Geography/Country Risk Factors | Inherent Risk |
|---|---|---|
| 1 | Individual Customer – nationality/residence/domicile/work country (Note 1) | High/Medium/Low (Note 3) |
| 2 | Corporate Customer – country of incorporation/corporate office; major operating markets; location of its major clients, suppliers, dealers (Notes 1 & 2) | High/Medium/Low (Note 3) |
| 3 | Counterparty location – linked to customer’s transactions (Note 2) | High/Medium/Low (Note 3) |

Notes:

1. In addition to countries with economic/trade sanctions, certain national authorities determine

domestic high risk jurisdictions which need to be taken into account in CRAs e.g., the U.S.

government designated higher-risk areas:

a. High Intensity Drug Trafficking Areas (HIDTA);

b. High Intensity Financial Crime Areas (HIFCA)

2. Ascertaining the location of customer’s clients is not easy and has its practical difficulties,

including establishing the veracity of such information obtained from the customer. Banks may

accordingly seek to ascertain and establish the location of a multinational customer’s major

clients/suppliers/dealers. Alternatively, banks with sophisticated technology systems can

periodically data mine their customers’ transactions to establish transaction linkages with high

risk countries, in terms of counterparty locations. This can then be factored into their risk

assessments.

3. The inherent risk rating is dependent on the risk rating of the country/geography in question.

Determining the risk rating of a country is an area where practice differs, with many banks

developing their own in-house country risk matrices or procuring the same from an outside

vendor. While this approach is permitted under the RBA, provided banks have a clearly

documented rationale accounting for the relevant risk factors appropriate to their organization

and customers, the author recommends the use of a globally recognized index like the Basel

AML Index.

The Basel AML Index measures the ML/TF risks of countries based on publicly available

sources, using 14 indicators (refer table on the following page) dealing with AML/CFT

regulations, corruption, financial standards, political disclosure and rule of law, aggregated into

a single country risk score, seeking to provide an overall picture of a country’s ML/TF risk level.

Basel offers a subscription-based Expert Edition with an overview of 203 countries, along with

periodic updates and email notifications/alerts. Subscribing banks have an option to adopt the

Basel Index country risk score thresholds or document their own risk-score threshold approach

to determine low, medium or high country risk ratings.

Source: Basel AML Index Report 2016, Basel Institute of Governance, 27 July 2016 report, pp.23-24

APPENDIX D

Quoted Customer Risk Factors – Channels Risk

| SN | Customer Stage | Channel Parameters | Inherent Risk |
|---|---|---|---|
| 1 | Account Opening | Non face-to-face account opening channel used (Note 1) | High |
| | | Via third parties/Intermediaries (unsolicited) (Notes 1, 2 & 3) | High |
| | | Walk-in customers (Note 4) | High |
| 2 | Account Servicing | Face-to-face | Low |
| | | Majority of transactions conducted non-face-to-face (Note 5) (Internet, Mobile, Phone, Mail, via intermediaries etc.) | High |

Notes:

1. Where the customer is not physically present for identification/customer due diligence

(CDD) purposes, the inherent ML risk is increased as the bank may not truly know or

understand the identity and activities of the client.

However, a bank using a reliable form of non-face-to-face CDD, such as account opening

using bio-metric identification via government national ID, in line with regulatory guidance

with appropriate customer profiling, may not face heightened risks.

2. Regular account opening arrangements with reputed, regulated intermediaries, not based

in high-risk jurisdictions, may be treated as ‘medium’ risk, provided the bank relying on the

intermediary obtains the necessary CDD information/documents and is otherwise satisfied

with the AML governance of the intermediary.

3. Where an intermediary has been sanctioned for breaches of AML/CFT obligations, the same

may be treated as ‘high’ risk. Dealing with such intermediaries is a matter of the firm’s risk

appetite (policy) and subject to applicable regulation.

4. It is a good practice to treat all unsolicited customers for account opening, including branch

walk-ins, as ‘high’ risk for an initial time period, say, six months; a distinction may, however,

be made for certain customer classes like Government offices or its departments etc.

5. Where a client is known to the bank, but conducts the majority of its business activity in a

non-face-to-face manner, the same may be treated as ‘medium’ risk.

APPENDIX E

Customer Account & Transaction Analysis

| SN | Category Sub-parameters | Risk factor description | Inherent Risk |
|---|---|---|---|
| 1 | Transaction Type/Volume Analysis | Refer Table E1 (below) | As per the Statistical Model |
| 2 | Account Status Analysis | Suddenly Active (from inactive/dormant) (Note 1) | High |
| 3 | Account Usage Analysis | High proportion of pass-through transactions (Note 1) | High |
| | | Structuring below reporting threshold limits (Note 2) | High |
| | | Customer or customer group making significant transactions to the same individual or group | High |

Note:

1. This can be triggered upon reaching the bank specified account turnover threshold.

2. This can be triggered for transactions below the reporting value thresholds, where the

number of such transactions exceeds the bank specified frequency during a time period.

Table E1 - Customer Transaction Type/Volume Analysis via a Statistical

Model (Analytic Hierarchy Process etc.)

| SN | Variable classes | Risk factor description |
|---|---|---|
| 1 | Total Cash turnover | Considers total cash (debit/credit) turnover in the account during the preceding ‘X’ months on a rolling basis |
| 2 | Total Forex turnover | Considers total foreign exchange (debit/credit) turnover in account during preceding ‘X’ months on a rolling basis |
| 3 | Total Turnover | Considers total turnover (debit/credit) in the account during the preceding ‘X’ months on a rolling basis |
| 4 | Total Cash/Total Turnover | Considers proportion of cash turnover to total turnover in the account |
| 5 | Total Forex/Total Turnover | Considers proportion of forex turnover to total turnover in the account |

Notes:

1. There is no specified AML methodology on analyzing customer account transactions. The above

construct is but one statistical model, which considers the two fundamental types of customer

transactions, known to present ML risks – cash and foreign currency transactions – and having

regard to the total money flow through the customer’s account (total account turnover).

2. Customer transaction type and volume analyses represent the dynamic variables in the CRA

process, as these variables change over a period of time. For the best-practice model, a monthly

CRA review, with the dynamic parameters being updated over the preceding ‘X’ months on a

rolling basis, is recommended. This will enable capturing the change in money flows in the

customers’ accounts and effectively assess the ML risk exposure to the bank.

3. For risk weighting these dynamic variables and calculating their risk scores, advanced statistical

techniques like the Analytic Hierarchy Process (AHP), which allow human judgement (i.e. the

Bank’s AML Subject Matter Expert Panel views) to be combined with the statistical model can

be used. Using the AHP, percentile threshold limits for enabling a risk classification of the

dynamic variables can be derived, and risk scores calculated.
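One way the Table E1 variables could be weighted with the AHP and turned into a score, as an added example that is not part of the paper's model. The pairwise judgements, the transaction tuple layout, the peer-percentile scoring and the 0.75/0.90 cut-offs are all assumptions made for illustration.

```python
VARS = ["cash", "forex", "total", "cash_ratio", "forex_ratio"]  # Table E1 rows 1-5
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}  # Saaty's random consistency index

# Constructed expert-panel judgements on Saaty's 1-9 scale (assumption):
# PAIRWISE[i][j] = importance of VARS[i] relative to VARS[j].
PAIRWISE = [
    [1,   2,   3, 1/2, 1],
    [1/2, 1,   2, 1/3, 1/2],
    [1/3, 1/2, 1, 1/4, 1/3],
    [2,   3,   4, 1,   2],
    [1,   2,   3, 1/2, 1],
]

def ahp_weights(m, iters=100):
    """Return (weights, consistency_ratio) for a pairwise matrix via power iteration."""
    n = len(m)
    w = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(a * b for a, b in zip(row, w)) for row in m]
        total = sum(v)
        w = [x / total for x in v]
    aw = [sum(a * b for a, b in zip(row, w)) for row in m]
    lam = sum(x / y for x, y in zip(aw, w)) / n  # estimate of the principal eigenvalue
    return w, ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def e1_variables(txns, as_of, window):
    """txns: (month, amount, kind) tuples; kind is 'cash', 'forex' or 'other'."""
    recent = [t for t in txns if as_of - window < t[0] <= as_of]  # rolling 'X' months
    total = sum(abs(a) for _, a, _ in recent)  # debits and credits both count
    cash = sum(abs(a) for _, a, k in recent if k == "cash")
    forex = sum(abs(a) for _, a, k in recent if k == "forex")
    return [cash, forex, total,
            cash / total if total else 0.0, forex / total if total else 0.0]

def percentile_rank(value, population):
    """Share of the peer population at or below value (0.0 to 1.0)."""
    return sum(1 for p in population if p <= value) / len(population)

def risk_score(customer, peers, weights):
    """AHP-weighted sum of the customer's percentile rank on each variable."""
    return sum(w * percentile_rank(customer[i], [p[i] for p in peers])
               for i, w in enumerate(weights))

def classify(score, medium=0.75, high=0.90):  # cut-offs are assumptions
    return "High" if score >= high else "Medium" if score >= medium else "Low"

if __name__ == "__main__":
    weights, cr = ahp_weights(PAIRWISE)
    print(dict(zip(VARS, (round(w, 3) for w in weights))), "CR =", round(cr, 4))
```

A consistency ratio above 0.1 is the conventional signal that the panel's pairwise judgements contradict each other and should be revisited before the weights are used.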


VII. References

1. Romero, H.L. (2014), The role of contextual factors in process harmonization, Technische Universiteit Eindhoven, University of Technology.

2. Heidi Romero, Remco Dijkman, Paul Grefen, Arjan van Weele (2012), A literature review in process harmonization: a conceptual framework, Beta Working Paper series 379, Beta Research School for Operations Management and Logistics.

3. H.L. Romero, Ad de Jong (2015), Measures of process harmonization, Article in Information and Software Technology, July 2015.

4. Wiers, V.C.S., van Weele, A.J. (Ed.), & van Houtum, G.J.J.A.N. (Ed.) (2015), Process harmonization for business performance: determining the right balance between variety and standardization based on contextual factors, ESCF operations practices: insights from science, Eindhoven, Technische Universiteit Eindhoven.

5. H.L. Romero, Paul W.P.J. Grefen (2015), Factors that determine the extent of business process standardization and the subsequent effect on business performance, Technische Universiteit Eindhoven, Article August 2015.

6. Albrecht Richen and Ansgar Steinhorst (2005), Standardization or harmonization? You need both, www.bptrends.com, November 2005.

7. Aub Chapman, The ML/TF Risk Assessment- Is it fit for purpose?, ACAMS white paper.

8. Basel Institute of Governance (2016), Basel AML Index Report 2016, International Centre For Asset Recovery.

9. Dieter De Smet, Anne-Laure Mention (2011), Improving auditor effectiveness in assessing KYC/AML practices: case study in a Luxembourgish context, Managerial Auditing Journal, Vol. 26 Iss. 2, pp. 182-203.

10. Kem Warner, The Challenges in conducting an AML/CFT audit in offshore jurisdictions, ACAMS white paper.

11. Karima Touil, Risk-Based Approach: understanding and implementation; challenges between risk appetite and compliance, ACAMS white paper.

12. Sid Valluri, Challenges in implementing effective AML compliance and internal audit programs in a global enterprise, ACAMS white paper.

13. Thomas Alessandro, How audit departments can develop an effective AML program, ACAMS white paper.

14. John Dudovskiy (2013), Need for harmonization as a reason for international differences in financial reporting, posted on internet on January 24, 2013.

15. LexisNexis & ACAMS (2013), Anti-Money Laundering Risk Assessment and Customer Due Diligence-a Global Perspective, Risk Solutions Financial Services, June 2013.

16. Mu'azu Saidu Badara, Siti Zabedah Saidin (2013), The Journey so far on internal audit effectiveness: a calling for expansion, International Journal of Academic Research in Accounting, Finance and Management Sciences, vol. 3, No. 3, July 2013, pp. 340-351.

17. Mu'azu Saidu Badara, Siti Zabedah Saidin (2012), The relationship between risk management and internal audit effectiveness at local government level, Journal of Social and Development Sciences, vol. 3, No. 12, Dec. 2012.

18. Lucia Dalla Pellegrina, Donato Masciandaro, The Risk Based Approach in the new European Anti-Money Laundering Legislation: a law and economics review, Universita Commerciale Luigi Bocconi, Paolo Baffi Centre Research Paper series No.2008-22, http://ssm.com/abstract=1182245.


19. Ines Simac and Marleen Willekens, How did the European Union’s effort in harmonizing the statutory audit function affect financial reporting quality in European financial institutions?, Eufin 2016 Program, available on events.unifr.ch>Papers>Paper-10.

20. Anti-money laundering compliance- the case for a global enterprise wide standard, Accenture 2016, available on https://www.slideshare.net.

21. The Wolfsberg Group (2015), The Wolfsberg Group frequently asked questions on risk assessments for money laundering, sanctions and bribery & corruption (2015).

22. FATF (October 2014), Guidance for a Risk Based Approach: the banking sector.

23. The European Supervisory Authorities (the ESAs), Joint Consultation Paper, 21 October 2015, JC 2015 061, Joint guidelines under Article 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions, The Risk Factors Guidelines.

24. Arena, M., & Azzone, G. (2009), Identifying organizational drivers of internal audit effectiveness. International Journal of Auditing, 13, 43-60.

25. IIA. (2010), Measuring internal audit effectiveness and efficiency. IPPF- Practice guide. The Institute of Internal Auditors.

26. Pungas, K. (2003), Risk assessment as part of internal auditing in the government institutions of the Estonian Republic. EBS review summer, 42-46.

27. Lundin, E. (2009), Delivering audit value. Internal Auditor, Vol. 66 No. 4.

28. Tregear, R. (2010), Business Process Standardization. In Handbook on Business Process Management 2 (pp.307-327). Springer Berlin Heidelberg.

29. Frei, F.X., Kalakota, R., Leone, A.J., and Marx, L.M. (1999), Process Variation as a Determinant of Bank Performance: Evidence from the Retail Banking Study. Management Science (45:9), pp.1210-1220.

30. Monetary Authority of Singapore (MAS), Guidelines to MAS Notice SFA03AA-N01 on Prevention of Money Laundering and Countering the Financing of Terrorism, 3 January 2016.

31. FATF Report - Money Laundering & Terrorist Financing Risk Assessment Strategies - June 2008.

32. The DFSA Rulebook, Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module.

33. Hong Kong Monetary Authority (HKMA) Guideline on Anti-Money Laundering and Counter-Terrorist Financing (For Authorized Institutions).

34. FFIEC Infobase, BSA/AML Examination Manual, BSA/AML Risk Assessment- Overview.

35. LexisNexis & ACAMS, December 2015, Current Industry Perspectives into Anti-Money Laundering Risk Management and Due Diligence.

36. Davenport, T.H. (2005). The coming commoditization of processes. Harvard Business Review, 83(6), 100-108.

37. AUSTRAC (2014), Risk Management - A tool for small-to-medium sized businesses.

38. AUSTRAC (2013), Consideration of possible enhancements to the requirements for customer due diligence- Discussion paper.


Annexure-1

Romero et al. Conceptual Model

Source – “Factors that Determine the Extent of Business Process Standardization and the Subsequent Effect on Business Performance”, pp.12 – H.L. Romero, Paul W.P.J. Grefen, Technische Universiteit Eindhoven, Article August 2015, available on Research Gate.


Annexure-2

Global AML Guidance – Reference Sources

| SN | Issuer | Country | Guidance |
|---|---|---|---|
| 1 | The Wolfsberg Group | International Guidance | The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption. |
| 2 | The European Supervisory Authorities (ESA) | European Union (E.U.) | Joint Consultation Paper- Joint Guidelines under Article 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions- The Risk Factors Guidelines. |
| 3 | Federal Financial Institutions Examination Council (FFIEC) | U.S. | FFIEC BSA/AML Examination Manual, BSA/AML Risk Assessment- Overview |
| 4 | Monetary Authority of Singapore (MAS) | Singapore | Monetary Authority of Singapore (MAS), Guidelines to MAS Notice SFA03AA-N0.1 on Prevention of Money Laundering and Countering the Financing of Terrorism. |
| 5 | Hong Kong Monetary Authority (HKMA) | Hong Kong | Hong Kong Monetary Authority (HKMA) Guideline on Anti-Money Laundering and Counter-Terrorist Financing (For Authorized Institutions). |
| 6 | Dubai Financial Services Authority (DFSA) | Dubai International Financial Center (DIFC) | The DFSA Rulebook, Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module. |
| 7 | Australian Transaction Reports and Analysis Centre (AUSTRAC) | Australian Government- AUSTRAC | 1. Risk Management – A tool for small-to-medium sized businesses- December 2014. 2. Consideration of possible enhancements to the requirements for customer due diligence- Discussion paper- May 2013. |