A True ‘Risk-based Approach’—The Key to High-stakes AML


By Frank Cummings, CEO of AML Partners, LLC

What is a Risk-based Approach and What Does It Mean?

That simple question elicits a thousand different answers—most of which are wrong. A lot of AML people throw around terms like “risk-based approach,” “tone from the top,” “our BSA/AML matrix,” “OFAC assessment” (specific to the US), “enterprise risk assessment” and “customer risk assessment.” Then they toss in “customer onboarding,” “ongoing due diligence,” “transaction monitoring,” “sanction screening,” and “314a requests” (again US only), and they tell you that’s all there is to a risk-based approach. Oh, and by the way, the examiners will love you—and your program.

But that couldn’t be further from the truth.

In fact, in and of itself that popular AML vocabulary list is nothing more than a disconnected string of isolated processes—and that is where major AML problems arise. Most financial institutions conduct these processes as independent tasks, and then they check the box and call it good. After the examiners come and go, you find yourself in the GM’s office trying to explain the Memo of Understanding you just received because, according to examiners, you have not implemented a “Risk-based Approach.” Sound familiar?

A true “Risk-based Approach” (RBA) is actually a process in and of itself. The RBA is a process that consists of all of the above procedures, where one or more of the procedures feeds as input into the next. This interconnectedness—this fully intentional linking of the results of one procedure into the construction of the next procedure—is the imperative piece that is missing in many BSA/AML “Internal Controls” programs.

Let me give you an example. As a consultant conducting an independent review of your transaction monitoring system, the first thing I would ask for is your enterprise risk assessment and a list of the behaviors you have chosen to monitor. In my experience, I can expect one of two responses: A) A blank stare accompanied by the “What do you need that for?” question, or B) “Sure, let me show you in my risk assessment where the risk is discovered that I am mitigating with the behaviors for which I am monitoring.”

If you immediately recognize Choice B as central to a true risk-based approach, the remainder of this article will be a validation of what you are already doing. If you are among the many who might recognize themselves in Choice A, this article will provide some professional advice on a process that you might find helpful.

An Overview of the Components of a True Risk-based Approach

The following describes the components/procedures in the process that is a risk-based approach. Note that each component in the process feeds into other elements in this integrally connected process.

1. Tone from the Top

“Tone from the Top” is a catchphrase that describes in simplest terms the culture—including the risk culture—that has been established by your leadership team. It is the cornerstone on which your institution’s day-to-day operations are built. The tone from the top carries both explicit and implicit messages regarding culture and regarding what is expected from you in your personal performance. In an effective risk-based approach to risk mitigation, this message must be clear, it must be concise, and it must be demanding. It also must be stated—and lived—in such a way that there is no wiggle room for an employee to think, for example, that it is okay to remove information from a wire that would otherwise be caught in a sanctions filter. Simply put, in a risk-based approach the tone from the top should be clear: “Follow the laws, follow the rules, and understand the expectations of your examiners in the development and implementation of your operating processes and procedures, not just the documentation of the BSA/AML program.”

2. BSA/AML Risk Matrix and OFAC Risk Assessment

This tone from the top then feeds into the BSA/AML Risk Matrix and the OFAC Risk Assessment, which are branch-level assessments. Take note: these are not your Enterprise Risk Assessment. They must be filled out and analyzed at the branch level even if you only have one branch. These forms are just two of the inputs you will need to conduct a proper enterprise risk assessment.

3. Enterprise Risk Assessment

With these branch-level assessments in hand, the Enterprise Risk Assessment may be undertaken. In my view, an Enterprise Risk Assessment should contain at least four clearly defined sections: a) an executive summary and leadership statement, b) the main body of the assessment, c) a detailed explanation of the mitigating controls, and d) a detailed analysis and evidentiary proof related to the mitigating controls. Each is described in brief below:

  a) The executive summary and leadership statement of the assessment may be in general terms. Also include an explanation of the quantitative and qualitative methods used.
  b) The main body of the assessment should include what was assessed, the result of the assessment, and the mitigating controls to be implemented. This is your understanding of the risk you see in conducting business with the types of customers you have, the products and services and how they are used, and where your customers are conducting business. Label and explain each risk discovered.
  c) This section provides a detailed explanation of the mitigating controls you are putting in place to mitigate the risks discovered in (b) above and where those controls will be put in place. These controls must be addressed in both general and job-specific training plans, with periodic review of their implementation. Tell your staff what they are required to learn, teach them, tell them what you taught them, and then verify they are doing it in their daily jobs. Writing a desk-side process and calling it good will not work. Rather, trust and verify: trust your staff to do their jobs, and then verify that they have.
  d) The last section is your detailed analysis and evidentiary backup for section (c). Here is where you show the quantitative and qualitative methods used and the results. This section provides the testing and proof of your prior sections.

4. On-boarding Customer Risk Assessment

Now you take your complete Enterprise Risk Assessment and create your on-boarding customer risk assessment. Your on-boarding customer risk assessment is the risk model applied to every customer. Yes, you can have more than one, especially if you conduct business both locally and internationally. I prefer the “Weighted Average Method” of modeling, with overriding controls for exceptions. The on-boarding customer risk model is where you implement some of the mitigating controls from your enterprise risk assessment. Yes, the two assessments must match. Here is yet one more opportunity to shine by showing that you understand your risk and are actively looking for that risk in your on-boarding process. The second model, the Ongoing Due Diligence (ODD) Customer Risk Model(s), is the one you use to monitor the ongoing risks that your customer may present—again, identified in your enterprise risk assessment. It is in the ODD model where you will also be looking at transaction analysis. And again, trust but verify that your customers are doing what they said they would.
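To make the “Weighted Average Method” with overriding controls concrete, here is an added illustration (not AML Partners code or SURETY Suite logic). The risk factors, weights, per-value scores, tier thresholds and override rules are all assumptions chosen for the example; a real model must be derived from the institution’s own enterprise risk assessment so that, as the section says, the two assessments match. The customers at the bottom are constructed sample records.

```python
"""Weighted-average customer risk model with overriding controls (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Risk factors and their relative weights (assumed values; they sum to 1.0 here,
# but the average divides by the weight total so any positive weights work).
WEIGHTS: Dict[str, float] = {
    "customer_type": 0.25,
    "products_services": 0.25,
    "geography": 0.30,
    "delivery_channel": 0.20,
}

# Inherent-risk score per factor value, 1 = low ... 5 = high (assumed values).
FACTOR_SCORES: Dict[str, Dict[str, int]] = {
    "customer_type": {"individual": 1, "small_business": 2, "msb": 4, "trust": 4},
    "products_services": {"deposit": 1, "domestic_wire": 2, "intl_wire": 4, "private_banking": 5},
    "geography": {"domestic": 1, "low_risk_foreign": 2, "high_risk_foreign": 5},
    "delivery_channel": {"branch": 1, "online": 3, "third_party": 4},
}

# Upper bound of the weighted average for each tier (assumed thresholds).
TIERS: List[Tuple[float, str]] = [(2.5, "low"), (4.0, "medium"), (5.0, "high")]
TIER_RANK = {"low": 0, "medium": 1, "high": 2, "prohibited": 3}


@dataclass
class Customer:
    name: str
    customer_type: str
    products_services: str
    geography: str
    delivery_channel: str
    pep: bool = False             # politically exposed person flag from screening
    sanctions_match: bool = False  # confirmed hit from sanctions screening


def weighted_average(c: Customer) -> float:
    """Weighted average of the per-factor inherent-risk scores, rounded to 2 places."""
    total = sum(WEIGHTS[f] * FACTOR_SCORES[f][getattr(c, f)] for f in WEIGHTS)
    return round(total / sum(WEIGHTS.values()), 2)


def tier_for(score: float) -> str:
    """Map the weighted average onto a tier using the (assumed) thresholds."""
    for upper, tier in TIERS:
        if score <= upper:
            return tier
    return "high"


def apply_overrides(c: Customer, tier: str) -> Tuple[str, List[str]]:
    """Overriding controls: exception rules that floor or replace the averaged tier.
    Each rule that fires is recorded so the file shows why the score was overridden."""
    reasons: List[str] = []
    if c.sanctions_match:
        # A sanctions hit is not averaged away; it blocks onboarding pending review.
        return "prohibited", ["sanctions screening match: onboarding blocked pending review"]
    if c.pep and TIER_RANK[tier] < TIER_RANK["high"]:
        tier = "high"
        reasons.append("PEP flag floors tier at high (EDD required)")
    if c.geography == "high_risk_foreign" and TIER_RANK[tier] < TIER_RANK["medium"]:
        tier = "medium"
        reasons.append("high-risk jurisdiction floors tier at medium")
    return tier, reasons


def assess(c: Customer) -> dict:
    """Full on-boarding assessment: weighted average, base tier, overrides, EDD flag."""
    score = weighted_average(c)
    base = tier_for(score)
    final, reasons = apply_overrides(c, base)
    return {
        "name": c.name,
        "score": score,
        "base_tier": base,
        "tier": final,
        "edd_required": final in ("high", "prohibited"),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample customers (not real records).
    sample = [
        Customer("retail depositor", "individual", "deposit", "domestic", "branch"),
        Customer("retail depositor, PEP", "individual", "deposit", "domestic", "branch", pep=True),
        Customer("expat depositor", "individual", "deposit", "high_risk_foreign", "branch"),
        Customer("MSB via agent", "msb", "intl_wire", "high_risk_foreign", "third_party"),
        Customer("sanctioned entity", "trust", "intl_wire", "domestic", "online", sanctions_match=True),
    ]
    for cust in sample:
        print(assess(cust))
```

The point the example makes is that the average alone would score the PEP and the sanctioned entity no differently from an ordinary depositor; the overriding controls are what carry the enterprise-level risk decisions into the individual customer file, and recording the reason for each override is what lets an examiner trace a customer’s tier back to the risk the enterprise assessment identified.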

5. Implementation of CDD, EDD, and ODD

The next step is implementation of your Customer Due Diligence (CDD), your Enhanced Due Diligence (EDD) and your Ongoing Due Diligence (ODD) programs, only part of which was discussed in Number 4 above. In these programs you will be implementing the discovery phase of your customer information collection. I have published in previous articles a framework called the Legitimacy Lifecycle, and as part of the Legitimacy Lifecycle I explain a concept called “P.O.R.M.,” the Principles of Risk Mitigation. Use these principles here: Discover your Risk, Analyze your Risk, and then Mitigate your Risk. These programs must be dynamic and based on every characteristic of every customer. This may seem like a tall order, but it is easily implemented in the right automated system, which should be customized to your Enterprise Risk Assessment.

6. Implementation of Automated Systems

The next step is implementation of your automated systems. Here is where two worlds collide. Here is your last best hope for implementing the majority of your remaining mitigating controls, and here is where most institutions that fail will fail badly.

As with all the other procedures, the procedures above feed the procedures below. If your chosen vendor does not understand the nuts and bolts of a genuine “Risk-based Approach,” everything that you have done up until this point will be a complete waste of time. I am not talking about the buzzword boys and girls and their test-taking abilities. I am talking about a partner that both understands a genuine risk-based approach and delivers tools built specifically for that complex approach.

Far too often an institution chooses vendors based on how many times their leadership team has heard the name. Institutions have the misconception that all they need to do to be compliant is to purchase that system. A few million dollars and a year later (if they’re lucky), they have a wonderful system with pretty colors and blinking screens that captivate and appease, but little to none of this flash reveals an institution’s true risk. This high-investment, low-return transaction was especially common after the horrible events of 9/11 here in the U.S., as many institutions quickly put in automated transaction systems. Institutions had no idea what to do with the output from these systems, or with the havoc caused by mountains of false-positive cases that lacked the due-diligence information required to properly analyze them—if by chance these cases had anything to do with your business to begin with. In two words: Choose wisely.

7. Trained, Competent, Caring Associates

The final essential element of a genuine risk-based approach is trained, competent, and caring associates. I have one rule that I tell every new employee in my company: “Know what you don’t know,” and if you don’t understand something, then ask. A simple concept, but some employees would rather hide the fact that they don’t know how to do something and do it wrong, especially when using very complex automated systems they don’t completely understand.

The High Stakes of Getting Risk Right

Obviously, this is just a short overview and much more goes into the establishment of a true risk-based approach and an institution’s culture, especially as it pertains to risk mitigation. Today more than ever, pressures are mounting on financial institutions to achieve effective and efficient risk mitigation. From customers dealing in global terror and criminal enterprises to the rising stakes of massive fines and individual prosecutions for non-compliance, not getting serious about a true risk-based approach is becoming a very big risk.


Are the news stories about failed AML efforts making you nervous? If you’re ready for a true risk-based approach, call us today to learn about SURETY Suite, our end-to-end AML software solution built to implement true risk-based approaches to AML.