Adopting a “risk-based approach” or RBA is crucial for financial institutions to meet compliance with anti-money laundering (AML) regulations. The Financial Action Task Force (FATF) maintains specific guidance for a risk-based approach in the banking sector, which states that “The risk-based approach (RBA) is central to the effective implementation of the revised FATF International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.” This latest guidance updates the earlier endorsements for RBA per the latest FATF recommendations amended in Mar 2022.
FATF RBA directs countries, authorities, and financial institutions to identify, evaluate, and understand their money laundering and terrorist financing risks. Subsequently, it guides them to take the necessary measures for mitigating the risks for meeting financial crime compliance. At the onset, finding “how the identified ML/TF risks affect the entities concerned” is key to determining the optimal AML/CFT measures for a “risk-sensitive” application.
This blog outlines the FATF risk-based approach and guidance to help banks manage their financial crime compliance process in line with the latest recommendations.
FATF Risk-Based Approach – Key Guidelines for Banking Institutions
1. Resource Allocation
To begin with, banks need to assign resources and organize their internal controls, policies, procedures, etc., to dissuade and detect money laundering and terrorist financing. Advance allocation is essential to a forward-thinking approach to managing the financial crime compliance process.
2. Risk Assessment
a) Risk assessment should help the bank to assess its vulnerability in terms of the “how” and “scope”, allowing it to determine the resources needed for mitigating the risks. The assessments should be documented and communicated to relevant people in the bank.
b) Banks should consider diverse factors for identifying and assessing the ML/TF risks, including –
- Business complexity, nature of business, etc.
- Target markets
- Customers at risk
- Jurisdictions in scope
- Distribution channels including third-party
- Internal audit findings
- Volume and size of transactions
- Inputs from BU heads, relationship managers, national risk assessments, etc.
c) The bank’s senior management should periodically review and update the risk mitigation policies, procedures, and controls in line with the risk-based approach. Also, the risk evaluation should be approved by the management to support internal measures and policymaking.
3. Risk Mitigation
a) Banks should devise and implement risk mitigation policies based on “individual risk assessment.”
b) They should design Customer Due Diligence (CDD) processes to determine the customer risk profile and the extent of CDD needed for individual cases to deter unwanted business relationships and criminal activities.
c) The scope of CDD should include –
- Customer identification based on reliable and independent data as per the applicable regulatory standard
- Beneficiary details for the customer
- Purpose and nature of the business relationship
- Screening of customer and beneficiary names against relevant sanction lists
d) Banks should periodically review and update the customer risk profiles to support/guide the necessary CDD requirements. This is crucial to managing financial crime compliance processes.
e) In the absence of the requisite CDD, they should not enter into business relationships or terminate them altogether
f) Banking institutions should conduct CDD and transaction monitoring on an ongoing basis to detect anomalies vis-à-vis the customer’s documented risk profile and peer group. Monitoring should also be triggered for specific transactions. For automated transaction monitoring systems, the banks should understand their functionality and capability for addressing the ML/TF risks.
g) Funds with an allegedly suspected source should be flagged and promptly reported to Financial Intelligence Units (FIUs) for scrutiny.
4. Internal Controls, Governance, and Monitoring
a) Banks should install adequate internal controls to facilitate policy and process implementation. Key internal controls include –
- Appropriate governance arrangements with clear allocation of responsibilities
- Controls to monitor the integrity of staff as per local laws, national risks, and cross-border requirements
- Controls to test the overall effectiveness of policies and processes
b) Strong senior leadership and oversight are key governance requirements to support the FATF risk-based approach and manage the financial crime compliance process. The critical aspects of governance include:
- Sending a clear message in regards to not entering or maintaining business relations that carry ML/TF risks
- Implementing sufficient internal mechanisms to support communication between the bank and senior management, including the board and CRO
- Deciding the measures to avert or manage the risks the bank is ready to accept and provide the resources to the AML/CFT unit.
c) Sufficient measures should be taken by the bank to ensure training and raise awareness of its staff concerning the risk mitigation processes and requirements. As per the FATF risk-based approach, the training should be highly relevant, up-to-date, obligatory, ongoing, and tailored to meet the bank’s ML/TF risks and business activities.
d) “Monitoring of AML/CFT policies and controls” is another critical factor for effective management of financial crime compliance processes. As per FATF RBA guidelines, the bank’s compliance officer should provide measures for ongoing monitoring of the policies and controls, including an independent audit function.
Meeting Financial Crime Compliance with Digital Knowledge Operations™
Adhering to AML/CFT regulations can pose several challenges ranging from complex guidelines and fast-paced developments (such as a rapidly evolving sanction list) to technological roadblocks and human limitations. The FATF risk-based approach provides comprehensive guidance to preempt the ML/FT risks, however, understanding it is crucial to reap the benefits.
Anaptyss can help banks adopt the FATF RBA through a domain-led consultative approach based on the Digital Knowledge Operations (DKO™) framework. Anaptyss had leveraged the DKO framework to devise a consultative BSA/AML-focused risk mitigation program for a US-based community bank. Read this case study more details.
Anaptyss is a digital solutions specialist on a mission to simplify and democratize digital transformation for regional/super-regional banks, mortgages and commercial lenders, wealth and asset management firms, and other institutions. Its Digital Knowledge Operations™ framework integrates domain expertise, digital solutions, and operational excellence to drive the change.