Business-Wide ML/TF Risk Assessment

Consequently, to reduce their own risk profile, they have opted to close higher-risk correspondent accounts or cross-border remittances, especially when the cost of compliance was too high to justify maintaining the relationship. For those correspondent accounts that are maintained but considered high risk, the respondent bank may be subject to restrictions and increased costs for maintaining such facilities. The loss of correspondent banking relationships can have negative effects on the international business activities and the ease of doing business in a jurisdiction, and the loss of cross-border remittances can have a negative impact on migrant remittances.

Moreover, where a bank is considered complicit in ML or TF, supervisory authorities can take control of the bank and, in worst-case scenarios, go as far as to close the institution.2 However, such extreme cases are rare.

Reputational Risk

As Benjamin Franklin said, “It takes many good deeds to build a good reputation, and only one bad one to lose it.” This classic saying is still true today for banks and other financial institutions. Unethical business practices, involvement in ML/TF, or enforcement actions by supervisory authorities can affect the reputation of a financial institution. Reputational risk is also difficult to quantify and factor into, for instance, capital adequacy requirements, but it should nonetheless be part of the institution’s risk management framework. Reputational damage can attract enhanced supervisory attention, not only in the home jurisdiction but also in other jurisdictions where the financial institution might be active. For developing jurisdictions, the adverse impact of reputational risk on access to correspondent banking should also be factored into the risk management framework of banks and their supervisors.

Legal and Compliance Risk

Banks are exposed to higher legal and compliance costs associated with the risk of enforcement actions and penalties resulting from failure to comply with AML/CFT requirements. Indeed, financial institutions can incur high legal costs if they have to defend themselves from potential enforcement actions. In cases where the supervisory actions include long-term remedial measures, compliance costs can also rise significantly. Additionally, enhanced supervisory monitoring can have material costs on the operations of banks (for example, through more frequent and in-depth on-site inspections and audits). Depending on the financial standing and reputation of the bank, these costs can jeopardize the safety and soundness of the institution.

In some jurisdictions, shareholders (and depositors) can also take legal action against the board of directors and senior management for failure to discharge their fiduciary responsibilities associated with AML/CFT arising from poor governance practices and negligent compliance.

BUSINESS-WIDE ML/TF RISK ASSESSMENT

In order for financial institutions to apply the AML/CFT measures in a risk-based manner, to the extent allowed under domestic law, financial institutions need to understand and manage their ML/TF risks.3 They should therefore be required to conduct an overall, business-wide risk assessment.4 To accomplish this assessment, they must identify and assess their inherent risks—that is, the risks to which an institution would be exposed if there were no control measures in place to mitigate them, so that they can apply appropriate and proportionate risk-mitigating controls and systems. The ML/TF risk assessment should be part of, or in addition to, an institution’s broader enterprise risk management framework and should be documented and updated periodically. The business-wide ML/TF risk assessment should be available to the supervisor, which can use the additional information to develop the risk profile of the institution. The first step in conducting a business-wide ML/TF risk assessment is for financial institutions to identify, assess, and understand their inherent ML/TF risks across all business lines with respect to the following risk factors:

● Customers

● Products, services, and transactions

● Delivery channels

● Geographic locations

● Other quantitative and qualitative risk factors, as applicable.

Risks often occur as combinations of these risk factors—because of the interrelationship between a customer and the jurisdictions where the customer originates or is active or because of the connection between a product and the delivery channel. Based on the inherent risk factors, financial institutions can formulate risk scenarios and assess the likelihood that a scenario will occur and the impact should a scenario materialize. The likelihood can be assessed based on the number of times per year that a risk scenario can occur. The impact can be assessed based on the possible financial and reputational risk that can result if a scenario indeed occurs. In this way, the institution can determine the inherent risks.

When assessing its inherent risks, a financial institution should make an inventory of the customers it services and the products and services it offers and define the scope of business areas to assess, including business units, legal entities, divisions, jurisdictions, and regions. To do this, it should use up-to-date information on the type and number of customers (for example, politically exposed persons and casinos); the maturity or stability of its client base; the volume of operations for certain types of customers; the volume of business for products, services, and transactions (for example, trade finance, private banking, and outgoing and oncoming international transactions); and geographic reach (for example, number of customers in high-risk jurisdictions).

Based on the inherent risk assessment, the institution can then set out to determine the nature and intensity of risk controls to apply to the inherent risks. The assessment of inherent ML/TF risks and the level of risk controls will result in the institution’s residual risks—that is, the risks that remain when effective control measures have been taken to mitigate risks. It is important for all relevant business lines and staff of the institution to be involved in this process of assessing ML/TF risks. The business-wide risk assessment should not be narrow in scope. In addition to those of the compliance unit and staff, the inputs and views from other relevant units—including risk management, internal control, and human resources—should be taken into account. The results of the assessment need to be communicated to management and relevant staff, including the board of directors.

While financial institutions have discretion to implement their own AML/CFT frameworks, to have some consistency and allow for cross-institution comparisons, supervisors should provide guidance on risk factors and the model or methodology that financial institutions could use to assess their inherent and residual ML/TF risks. Notwithstanding the model used, the adequacy of risk assessment will be influenced largely by the availability, accuracy, and up-to-date nature of information required for the conduct of risk assessments.5 The supervisor will review the effectiveness of the AML/CFT risk assessment relative to, among others, the degree and nature of inherent risks. The degree of complexity of a financial institution’s risk assessment model should be commensurate with the nature, complexity, and size of its business. For less complex financial institutions, a simpler risk assessment will suffice, but a large, complex institution will require a more elaborate risk assessment. The customer base, international presence, business products, and other factors contribute to the degree of complexity required.

Risk mitigation is not a zero-sum game, and it cannot be guaranteed that, after applying control measures, there will not be any residual ML/TF risks in an institution’s operations. Therefore, when assessing the inherent and residual risks, an institution also needs to assess whether a given risk is within the institution’s risk appetite. It is important that this assessment be done in a proportionate manner, with due regard to the specifics of each case, to avoid treating all customers of the same category as presenting equal risk and thus leading to potential de-risking. The level of residual risk may be indicative of the risk-taking culture of the institution’s management. It is expected that residual risks will be subject to close monitoring and control by management and that control measures will be enhanced should a residual risk be too high or not within the institution’s risk appetite. The risk assessment should be conducted periodically for all business lines and processes or for one (or more) business line and activity. In particular, the business-wide risk assessment should be conducted when new developments occur, such as the introduction of new products and services. Also, the model and methodology should be subject to periodic review to ensure that their relevance takes into account changes in the assessment of inherent risk factors, including emerging risks and new technologies. In the end, the business-wide risk assessment will form the basis for risk-based AML/CFT policies and procedures.

Proliferation Financing

Financial institutions also need to identify and assess their proliferation financing risks in line with the nature and size of their business. They should have policies, controls, and procedures in place to manage and mitigate effectively the proliferation financing risks that have been identified. This process may be undertaken within the framework of their existing TF supervision or compliance programs.

Group ML/TF Risk Assessment

Financial institutions that are affiliated with other institutions or holding companies often use systemwide AML/CFT risk assessment and compliance systems. In such cases, the financial institution should assess the risks within business lines as well as the consolidated risks across all activities and group members. The lead institution or holding company should frequently reassess and update the ML/TF risks throughout the organization and should communicate any changes to the appropriate business units, functions, and group members. A risk or deficiency that exists in one part of the organization may also occur in other parts of the organization or may raise concerns in other parts of the organization, and management should quickly and diligently address these concerns throughout the organization.