
From compliance to competitive edge: looking at risk differently

Welcome to the second article in our Future of Financial Crime series. In this edition, we explore how intelligence-led risk management is crucial for an advanced financial crime framework.

A Money Laundering and Terrorism Financing (ML/TF) risk assessment is the foundation that guides the design and execution of a risk-based Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Program. Often, these assessments are perceived as mere regulatory obligations, leading to broad evaluations that fail to offer actionable intelligence and focus on the highest areas of risk within an organisation. As financial crime threats evolve and become more intricate, such an approach is no longer sufficient.

AUSTRAC, in its Regulatory Priorities for 2024 [1], highlights this area as one of its enduring priorities. It notes that reporting entities must understand the nature of the ML/TF risk they face, and the linkages between their ML/TF risk profile and their AML/CTF program [2], to develop an appropriately risk-based approach.

A driver of this regulatory focus has been the repeated findings by AUSTRAC that reporting entities are not regularly and consistently updating their ML/TF risk assessments based on organisational change or in response to the release of new guidance or external intelligence. For example, reporting entities should treat the recently released National Risk Assessment by AUSTRAC as a trigger to be considered as part of their ML/TF risk assessment.

Further to this, there is a recognition by the Australian Government that the current AML/CTF regime does not sufficiently emphasise the importance of an ML/TF risk assessment. Proposed revisions to the AML/CTF Act aim to clearly state that reporting entities must consider the nature, size and complexity of their business in determining their ML/TF risk level, incorporate relevant risks identified by AUSTRAC, and document their risk assessment methodology as part of their AML/CTF program.

Moving beyond the regulatory mandated requirements, organisations are realising wider benefits from performing more comprehensive and regular ML/TF risk assessments. These include the ability to better target AML/CTF programs and resources towards higher-risk areas through an intelligence-led approach. Examples emerging in Australia include the evolution of dynamic Customer Risk Assessment (CRA) models and the more rapid ingestion and actioning of external financial and open-source intelligence feeds in risk and control systems, moving beyond the historical approach of assessing ML/TF risk at arbitrary, static points in time.

At its essence, there is a need for organisations to look at financial crime risk differently, moving beyond treating it merely as a compliance ‘tick box’ obligation and embracing it as an enabler of intelligence, focus, efficiency, and competitive advantage.

In this article authored by our UK colleagues, we delve into building dynamic risk assessments and the benefits they offer beyond regulatory compliance.

 

Delivering a risk-based approach

This is the second article in our Future of Financial Crime series, with a focus on the importance of intelligence-led risk management as a foundation for a future financial crime framework.

The risk assessment is a critical tool which should sit at the heart of a financial services (FS) institution’s financial crime control framework. However, it is often viewed as a regulatory driven exercise, which results in generic evaluations of the financial crime (FC) vulnerabilities that an institution is exposed to. Such outcomes provide limited actionable intelligence to enable appropriate adjustments to be made to financial crime controls. With financial crime threats ever-changing and becoming increasingly complex, this approach must evolve.

Typically, risk assessments are limited by the following:

  • outdated intelligence about threats that is insufficient in the detail, accuracy and relevance needed to provide appropriate support for those responsible for risk management. This results in a lack of specificity in the identification, assessment, and prioritisation of the precise FC risks that the organisation faces. This can also mean an inability to articulate the threats in terms of their relevancy to an institution’s customers, geographies, and products;
  • a lack of clear and timely linkage from the risks and threats identified to the preventative and detective controls for mitigating those risks;
  • static documentation that is updated on an annual or bi-annual basis, with a significant time lag between changes in the risk assessment and associated adjustments to the control framework in response. For example, it can take a number of months for transaction monitoring (TM) rules, or several years for changes in due diligence (DD) requirements and processes to react to a changing threat landscape; and 
  • manual processes which do not provide a continuous view, meaning that risks are not quantified on a consistent basis or measured dynamically against relative likelihood and impact.

Unsurprisingly, expectations about the role of the risk assessment are changing, driven by a number of factors. In recent years, regulatory visits and reviews have increased the focus on assessing how well the risk assessment recognises the specific threats the FS institution faces, and how effectively it evaluates the underlying mitigating controls. Both are instrumental to delivering a risk-based approach. Regulatory enforcement can result where this is unsatisfactory. In the UK, the government’s Economic Crime Plan 2 (2023 – 2026) has set out clear actions to drive a more dynamic response by FS institutions to the FC risks faced by the UK. This will require the development of a control framework that provides a mechanism for adjusting areas of focus, and the ability to ‘dial-up’ and ‘dial-down’ activities as risks evolve.

Adopting a more dynamic and integrated approach to risk assessment and control modulation is key to addressing the limitations of risk assessments and meeting the changing regulatory expectations. Change can be incremental, and specific solutions will vary across FS institutions (based on sector, maturity, products, and customer base), but it is our belief that the following changes are needed:

  • a move to a proactive risk assessment approach which combines intelligence from internal sources (such as previous cases, trend analysis, changes to the business, etc.) with the enhanced use of open-source intelligence, and increased and active engagement in public-private information sharing platforms. In addition, the development and use of private-to-private intelligence sharing functions will be key to continuously update the understanding of the risks and to articulate the specific threats faced by the organisation. The role of the financial intelligence unit (FIU) is critical here, and we will share our views on the future of the FIU in a later article in this series;
  • the implementation of an enhanced methodology to address the changing landscape of threats, by assessing and quantifying the inherent risk, and by assessing the current controls and their effectiveness in order to calculate and document the residual risk - using quantitative measures (where available/applicable). Through this methodology, the level of risk mitigation and risk acceptance of residual risk should be aligned to the commercial ambitions and risk appetite of the FS institution and governed accordingly;
  • greater integration of the risk assessment, where possible, through dynamic values directly linked to the control framework. For example, a dynamic link to the client DD scoring or scoring used in integrated monitoring and segmentation, to accelerate re-assessment when risks change. This would help to reduce the often significant costs associated with managing and responding to changes in risk;
  • for larger FS institutions, the risk assessment and control library should be implemented in a suitable platform that can directly integrate with the control environment and provide demonstrable visibility of risks and controls.

In adopting these changes, we believe that it is possible to achieve three key benefits:

Through the up-to-date identification and assessment of FC risks faced and the mitigating controls implemented by the FS institution, it will be possible to better demonstrate to a regulator (or other stakeholders) that a risk-based approach has been implemented effectively.

A rigorous approach that is specific and has used appropriate sources and considered likely risks will provide a more defensible position in the event of regulatory scrutiny of a particular relationship or incident, and so reduce the likelihood of regulatory supervision or enforcement.

By explicitly linking controls to the risks and providing a greater level of specificity in the risks and threats faced, the mitigating controls can be specifically designed to focus on preventing and detecting risk crystallisation. This documented linkage also reduces the possibility that key controls might be removed or updated inadvertently, without appropriate governance. Additionally, by providing clear identification of the underlying risks that are being mitigated, reviews, escalations and responses by an investigator can be more tailored, so that they are more efficient and effective.

Organisations stand to gain a competitive advantage if they can rapidly focus their FC investments to mitigate the most serious risks. By focusing controls on the prioritised areas, there is an opportunity to be more efficient, by dialling down other controls as appropriate and achieving cost savings.

This more measured risk assessment and control approach enables an FS institution to deal with emergent risks as ‘business as usual’ and avoids the need for ‘fire drills’ that disrupt normal operations.

Additionally, greater confidence in the effectiveness of the institution's controls will help an FS institution to grow through the safe offering of new products and services, and more effective pricing of this risk. This could also allow the entry into new jurisdictions, which could otherwise be outside of the organisation's risk appetite. We will explore this further in the upcoming article on dynamic customer lifecycle management.

In summary, the changes suggested here will deliver a sophisticated and proactive intelligence-led approach to managing risk that identifies the changing nature of FC threats and dynamically adjusts the mitigating controls on the highest priority risks, allowing the dialling down of effort in other areas.

We believe the evolution of the risk assessment and control framework as set out in this article is fundamental to enabling further changes that are needed in a future financial crime capability. Specifically, this means changing the approach to due diligence to create a more dynamic customer lifecycle management, and converging monitoring to allow the simplification and streamlining of FC operations. Overall, this will drive a move to a more efficient and effective approach to fighting financial crime.

Please get in touch if you would like to discuss this topic further. Also look out for future articles in our Future of Financial Crime series – up next, Revolutionising Due Diligence in Customer Lifecycle Management.

___________________________________________________

References
