Intelligence-led risk management

This is the second article in our Future of Financial Crime series, with a focus on the importance of intelligence-led risk management as a foundation for a future financial crime framework.

What is a risk assessment?

The risk assessment is a critical tool which should sit at the heart of a financial services (FS) institution’s financial crime control framework. However, it is often viewed as a regulatory driven exercise, which results in generic evaluations of the financial crime (FC) vulnerabilities that an institution is exposed to. Such outcomes provide limited actionable intelligence to enable appropriate adjustments to be made to financial crime controls. With financial crime threats ever-changing and becoming increasingly complex, this approach must evolve.

Current limitations of risk assessments

Typically, risk assessments are often limited by the following:

• outdated intelligence about threats that is insufficient in the detail, accuracy and relevance needed to provide appropriate support for those responsible for risk management. This results in a lack of specificity in the identification, assessment, and prioritisation of the precise FC risks that the organisation faces. This can also mean an inability to articulate the threats in terms of their relevancy to an institution’s customers, geographies, and products;
• a lack of clear and timely linkage with the risks and threats identified and the preventative and detective controls for mitigating those risks;
• static documentation that is updated on an annual or bi-annual basis, with a significant time lag between changes in the risk assessment and associated adjustments to the control framework in response. For example, it can take several months for transaction monitoring (TM) rules, or several years for changes in due diligence (DD) requirements and processes to react to a changing threat landscape; and,
• manual processes which do not provide a continuous view, meaning that risks are not quantified on a consistent basis or measured dynamically against relative likelihood and impact.

Evolving regulatory expectations

Unsurprisingly, expectations about the role of the risk assessment are changing, driven by a number of factors. In recent years, regulatory visits and reviews have increased the focus on assessing

• how well the risk assessment recognises the specific threats the FS institution faces, and
• how effectively it evaluates the underlying mitigating controls.

Both are instrumental to delivering a risk-based approach. Regulatory enforcement can result where this is unsatisfactory. In the UK, the government’s Economic Crime Plan 2 (2023 – 2026) has set out clear actions to drive a more dynamic response by FS institutions to the FC risks faced by the UK.

On 20 July 2021, the European Commission presented an ambitious package of legislative proposals to strengthen the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) rules. The package includes a proposal to establish an EU anti-money laundering and counter-terrorism financing (AML/CFT) Authority, named AMLA, which will transform AML/CFT supervision in the EU and enhance cooperation between Financial Intelligence Units (FIUs). AMLA will be the central authority coordinating national authorities to ensure the correct and consistent application of EU rules. The Authority will facilitate cooperation between FIUs, including by establishing standards for reporting and information exchange, supporting joint operational analyses, and by hosting the central online system, FIU.net. This will ensure the prominent flow of information between the European Union, and a centralised knowledge base for all the member states.

Recomended changes

The regulatory expectations above will require the development of a control framework that provides a mechanism for adjusting areas of focus, and the ability to ‘dial-up’ and ‘dial-down’ activities as risks evolve.

Adopting a more dynamic and integrated approach to risk assessment and control modulation is key to addressing the limitations of risk assessments and meeting the changing regulatory expectations. Change can be incremental, and specific solutions will vary across FS institutions (based on sector, maturity, products, and customer base), but it is our belief that the following changes are needed:

1. implement a proactive risk assessment approach that involves gathering information from internal sources (such as past cases, trend analysis, and changes within the organization) as well as utilizing open-source intelligence and participating in public-private information sharing platforms. Additionally, it is important to establish private-to-private intelligence sharing functions to constantly update our understanding of risks and identify specific threats to the organization. The FIU plays a crucial role in this process, and we will discuss its future in a later article in this series;
2. carry out an improved methodology to address the changing landscape of threats.  This involves assessing and quantifying the inherent risk, evaluating the effectiveness of current controls, and documenting the residual risk. Where possible and applicable, quantitative measures should be used in this process. Through this methodology, the level of risk mitigation and risk acceptance of residual risk should be aligned to the commercial ambitions and risk appetite of the FS institution and governed accordingly;
3. enhance the integration of risk assessment by establishing dynamic values that are directly connected to the control framework. For example, a dynamic link to the client due diligence scoring or scoring used in integrated monitoring and segmentation which can expedite the reassessment process when risks evolve. This approach can help minimize the substantial costs typically associated with managing and responding to changes in risk;
4. the risk assessment and control library should be implemented in a suitable platform that can directly integrate with the control environment and provide demonstrable visibility of risks and controls for larger FS institutions.

Achievable benefits

In adopting these changes, we believe that it is possible to achieve three key benefits:

1. A demonstrable risk-based approach

Through the up-to-date identification and assessment of FC risks faced and the mitigating controls implemented by the FS institution, it will be possible to better demonstrate to a regulator (or other stakeholders) that a risk-based approach has been implemented effectively. 

A rigorous approach that is specific, has used appropriate sources and considered likely risks will provide a more defensible position in the event of regulatory scrutiny of a particular relationship or incident. This approach reduces the likelihood of regulatory supervision or enforcement actions as it demonstrates a proactive and well-informed approach to risk management.

2. Better control design and management

By establishing a direct connection between controls and risks, and by being more specific about the risks and threats involved, the mitigating controls can be custom designed to effectively prevent and detect the crystallization of risks. This documented linkage also reduces the possibility that key controls might be removed or updated inadvertently without appropriate governance. Additionally, by providing clear identification of the underlying risks that are being mitigated, reviews, escalations and responses by an investigator can be more tailored, so that they are more efficient and effective.

3. Competitive advantage

Organizations can gain a competitive advantage by swiftly directing their financial crime investments towards mitigating the most critical risks. By focusing controls on the prioritised areas, there is an opportunity to be more efficient, by dialling-down other controls as appropriate and achieving cost savings.

This more measured risk assessment and control approach enables an FS institution to deal with emergent risks as ‘business as usual’ and avoids the need for ‘fire drills’ that disrupt normal operations.

Additionally, having greater confidence in the effectiveness of their controls enables institutions to expand their offerings of new products and services safely, as well as price their risk more effectively. This could also allow the entry into new jurisdictions, which could otherwise be outside of the organisation's risk appetite. We will explore this further in the upcoming article on dynamic customer lifecycle management.

Conclusion

In summary, the proposed changes aim to implement a sophisticated and proactive intelligence-led approach to risk management that identifies the changing nature of FC threats and dynamically adjusts the mitigating controls on the highest priority risks. By doing so, it allows for dialling-down in effort in other areas that pose lower risks.

We believe the evolution of the risk assessment and control framework, as set out in this article, is fundamental for facilitating necessary changes in future financial crime capabilities. Specifically, it involves transforming the approach to due diligence to establish a more dynamic customer lifecycle management and integrating monitoring systems to simplify and streamline financial crime operations. Overall, this will drive a move to a more efficient and effective approach to fighting financial crime.

Please get in touch if you would like to discuss this topic further. Also look out for future articles in our Future of Financial Crime series – up next, Dynamic customer lifecycle management.