Automated ODD as the only solution in a risk-based AML approach

As noted in our earlier NextGen Anti-Money Laundering publications, we see that regulators, supervisors, financial institutions and law enforcement are all striving for a more effective and balanced AML approach. The term ‘risk based’ is often used in this context, to describe that AML efforts by financial institutions (FIs) should be more sharply and proportionally targeted at possible forms of money laundering and terrorist financing. And not disturb or disadvantage bona fide clients.

The recent risk-based roundtables and NVB Industry Baselines are an attempt to provide guidance in operationalising the risk based approach. ODD can be seen as the comprehensive set of processes, procedures, actions and measures taken by banks to screen and monitor clients, their transactions and behaviour continuously¹. One area of opportunity that could substantially increase efficiency gains, is in the automated trigger-based Ongoing Due Diligence (ODD) of clients. In practice, most FIs are conducting manual client reviews on a periodic basis. These manual reviews are time-consuming, provide (relatively) limited added value to the mitigation of money laundering risks, and have a negative impact on client satisfaction and data privacy.

In applying a risk based approach, FI’s should decommission ineffective or inefficient controls and allocate resources proportionately towards higher risks. With regards to ODD, this translates to more reliance on automated risk detection mechanisms and risk-differentiated reviews. But what does it take to operationalise such a framework?

We see six key enablers for the successful implementation of a good risk-based ODD framework:

1. Data quality
   FIs strive for their relevant client data to be complete and correct by, among others, having a risk based data actualisation process in place (see NVB Industry Baseline ‘Client data actualisation’). The quality of data is obviously key to assess client risks of money laundering adequately. This becomes even more apparent when the reliance on automated mechanisms or models is increasing. However, also in updating client data, FI’s could follow a risk-based approach. Where possible, relevant client data is retrieved and updated automatically through access to public registers. Further, certain client data can be derived from internal analyses. Only when needed, clients are asked to update their client data or provide confirmation of critical data elements.
   
   
2. Fit-for-purpose tooling
   In a risk-based ODD framework, FIs rely on automation. This increases their dependency on a reliable IT environment. Risk triggers and risk detection mechanisms must be implemented in a stable IT environment generating valid and reliable alerts. Further, tooling must allow for more sophisticated alert generating models and connections to public registers (where possible).
   
   
3. Integrated design
   The design of the FIs risk based approach is sufficiently integrated in and among their enterprise-wide risk assessment and risk appetite, CDD policies and procedures and other client centric processes. The aforementioned policies, procedures and processes must be clearly documented (and periodically validated, see also bullet 4). This does not necessarily require new instruments, but rather the adaptation of existing instruments (such as policies and risk assessments) to allow for more automation.
   
   
4. Continuous tracking risks
   A fundamental condition of having a trigger-based ODD framework in place, is that the enterprise-wide risk assessments and the operational effectiveness of the controls behind the ODD design are periodically tested and validated. Further, to continuously enhance the framework, feedback loops, process monitoring, internal control testing and audits should be in place. Besides IT controls, also model validation approaches will be needed to monitor the accurate functioning of such automated mechanisms. It is should be accepted that, just as when conducting periodic reviews, the trigger-based ODD framework is not flawless and risks will be missed.
   
   
5. Risk-differentiated reviews
   The (automated) trigger-based ODD framework, in which risks are detected automatically and continuously, allows financial institutions to first focus on the triggered risks and, hence, conduct risk-differentiated reviews. In simple words: first only review the event (such as a transaction or change in client profile) that is automatically triggered. In case the analyst detects new risks or considers the risks to be too complex, a full review is triggered and the client risk profile is being comprehensively reassessed.
   
   
6. Reporting and oversight
   FIs are transparent on their ODD approach, its outcomes, and how the framework fulfills regulatory and risk requirements. These substantiations are documented and demonstratable upon request of the regulator. Also, this reporting enables FI’s to keep oversight, and adjust the ODD framework when required.
   

We encourage FI’s to re-evaluate the effectiveness of their current ODD framework and to not be too risk averse in applying the risk based approach. Working in a risk based manner requires well-weighted and thought-through decisions. Working risk-based also implies taking a risk: it will occur that important signals for potential money laundering will be missed. As long as this risk is explicitly accepted and within risk appetite, and the substantiation of risk based decisions and conclusions are documented in a proportionate manner, FI’s will still be able to demonstrate their level of compliance. When all stakeholders keep that in mind when operationalizing the risk-based approach, Anti-Money Laundering can be made more effective, and the burden on banking clients can be reduced.

¹ Definition retrieved from NVB Standaard Glossary. ODD is also referred to in de industry as ‘Continuous KYC’, ‘Perpetual KYC’ or ‘Smart KYC’.