This is the second article in our Future of Financial Crime series, with a focus on the importance of intelligence-led risk management as a foundation for a future financial crime framework.
The risk assessment is a critical tool which should sit at the heart of a financial services (FS) institution’s financial crime control framework. However, it is often viewed as a regulatory-driven exercise, which results in generic evaluations of the financial crime (FC) vulnerabilities that an institution is exposed to. Such outcomes provide limited actionable intelligence to enable appropriate adjustments to be made to financial crime controls. With financial crime threats ever-changing and becoming increasingly complex, this approach must evolve.
Typically, risk assessments are limited by the following:
Unsurprisingly, expectations about the role of the risk assessment are changing, driven by a number of factors. In recent years, regulatory visits and reviews have increased the focus on assessing how well the risk assessment recognises the specific threats the FS institution faces, and how effectively it evaluates the underlying mitigating controls. Both are instrumental to delivering a risk-based approach. Regulatory enforcement can result where this is unsatisfactory. In the UK, the government’s Economic Crime Plan 2 (2023 – 2026) has set out clear actions to drive a more dynamic response by FS institutions to the FC risks faced by the UK. This will require the development of a control framework that provides a mechanism for adjusting areas of focus, and the ability to ‘dial-up’ and ‘dial-down’ activities as risks evolve.
Adopting a more dynamic and integrated approach to risk assessment and control modulation is key to addressing the limitations of risk assessments and meeting the changing regulatory expectations. Change can be incremental, and specific solutions will vary across FS institutions (based on sector, maturity, products, and customer base), but it is our belief that the following changes are needed:
In adopting these changes, we believe that it is possible to achieve three key benefits:
Through the up-to-date identification and assessment of FC risks faced and the mitigating controls implemented by the FS institution, it will be possible to better demonstrate to a regulator (or other stakeholders) that a risk-based approach has been implemented effectively.
A rigorous, specific approach that has used appropriate sources and considered likely risks will provide a more defensible position in the event of regulatory scrutiny of a particular relationship or incident, and so reduce the likelihood of regulatory supervision or enforcement.
By explicitly linking controls to the risks and providing a greater level of specificity in the risks and threats faced, the mitigating controls can be specifically designed to focus on preventing and detecting risk crystallisation. This documented linkage also reduces the possibility that key controls might be removed or updated inadvertently, without appropriate governance. Additionally, by providing clear identification of the underlying risks that are being mitigated, reviews, escalations and responses by an investigator can be more tailored, so that they are more efficient and effective.
Organisations stand to gain a competitive advantage if they can rapidly focus their FC investments to mitigate the most serious risks. By focusing controls on the prioritised areas, there is an opportunity to be more efficient, by dialling down other controls as appropriate and achieving cost savings.
This more measured risk assessment and control approach enables an FS institution to deal with emergent risks as ‘business as usual’ and avoids the need for ‘fire drills’ that disrupt normal operations.
Additionally, greater confidence in the effectiveness of the institution’s controls will help an FS institution to grow through the safe offering of new products and services, and more effective pricing of this risk. This could also allow entry into new jurisdictions that could otherwise be outside of the organisation’s risk appetite. We will explore this further in the upcoming article on dynamic customer lifecycle management.
In summary, the changes suggested here will deliver a sophisticated and proactive intelligence-led approach to managing risk that identifies the changing nature of FC threats and dynamically adjusts the mitigating controls on the highest priority risks, allowing the dialling down of effort in other areas.
We believe the evolution of the risk assessment and control framework as set out in this article is fundamental to enabling further changes that are needed in a future financial crime capability. Specifically, these are changing the approach to due diligence to create more dynamic customer lifecycle management, and the convergence of monitoring to allow the simplification and streamlining of FC operations. Overall, this will drive a move to a more efficient and effective approach to fighting financial crime.
Please get in touch if you would like to discuss this topic further. Also look out for future articles in our Future of Financial Crime series – up next, Revolutionising Due Diligence in Customer Lifecycle Management.