With the amount of airtime given to the Risk-Based Approach (RBA) by the UK’s AML regulators and supervisors, you’d be forgiven for thinking it’s an idea that had been formulated relatively recently in response to evidence of UK PLC’s increasing ineffectiveness at AML controls.
That couldn’t be further from the truth. First championed by the FCA’s forerunner, the Financial Services Authority (FSA) in 2006, the idea has been integrated into UK Money Laundering regulations for over a decade and reinforced via integration of 5MLD, in January 2020. Today, it’s firmly embedded in UK Money Laundering Regulations and is an essential business tool for every regulated and obliged UK entity. By neglecting it, businesses open themselves up to regulatory scrutiny, investigations and even fines.
And for good reason. It’s a highly sensible approach that encourages compliance professionals to look at the bigger picture and leave no stone unturned; consider every possible risk point a new customer poses and truly understand the potential for money laundering or terrorist financing. After all, the risk a person poses isn’t just about who they are, it’s about where they are, who they associate with, their political exposure, whether they have ownership and control of entities and where, plus any product or service risk.
Thorough checks make good business sense. Ensuring you really know who you are dealing with and at the same time evaluating the financial crime risks attached to them, not only helps protect your organisation’s reputation, but it plays an integral role in early detection and prevention of possible money laundering activity. A win-win situation, one could argue.
As long ago as 2012, the Financial Action Task Force’s (FATF) recommendations for AML policy makers championed the Risk-Based Approach as a cornerstone of a country’s AML/CFT framework. Since then, many others have lent their support.
Yet, fast forward to 2021 and it’s abundantly clear that the Risk-Based Approach has, at best, only partially been adopted by AML-regulated firms in both the financial and professional services sectors.
Firms are clearly struggling with implementing the RBA, in spite of the vast sums of money – nearly £29bn* – being spent on AML compliance activities annually by UK PLC, as revealed in the latest Cutting the Cost of AML Compliance study published by LexisNexis® Risk Solutions in June 2021.
In his speech to the AML & ABC Forum in March 2021, Mark Steward of the FCA spoke about ‘purposeful’ anti-money laundering controls, noting at the time that the FCA had no less than 42 live investigations and in the past twelve months, two of the biggest penalties imposed on UK firms were in relation to failure to address financial crime and AML risk. He went on to stress controls must be efficient and courageous in identifying suspicious activity – but what does this mean?
It seems clear that the regulator is looking for much more than simple rules-based compliance in their audits and that they sense an overreliance placed on statements of the deal team. In other words, all too often, commercial pressures to ‘do the business’ prevail over due diligence or proper risk assessment. It’s time for compliance teams, supported by their senior management, to take a stand.
The FCA’s subsequent ‘Dear CEO’ letter to UK retail banks, dated 21 May 2021, struck a somewhat contemptuous tone, indicating that they continue to observe the same old failings in firms’ AML controls framework. The letter pulled no punches, particularly in the area of business risk assessments, which they described as being generally poor and highlighting weaknesses in risk assessments being too generic and customer due diligence, inadequate.
The LexisNexis Risk Solutions Cutting the Costs of AML Compliance research highlights a whole raft of deficiencies that are preventing firms from adopting a full RBA. The increasing burden of regulatory obligation was identified as the leading cause of increasing costs, and a lack of guidance from the regulators, a significant barrier. It also highlighted that new technology adoption in AML has some way to go, showing that 70% of total AML spend is on people and training costs, with only 28% being invested in technology. Data quality was another recurring theme with data siloes, inaccurate and incomplete data leading to process inefficiency and high levels of false positives, requiring further remediation.
However, it also seems some of the inefficiencies are self-inflicted as the Wolfsberg Group’s recent paper ‘Demonstrating Effectiveness’ observed, highlighting that many financial institutions are spending significant time and resources on activities that are not required by law or regulation. Eliminating those activities alone could surely benefit firms, freeing resource to redeploy towards more useful activities. The Wolfsberg paper goes on to give numerous examples of best practice that would lead to an effective and efficient AML control system, however, it also recognises that financial crime risks vary between organisation and that sector and risk controls need to be bespoke to an organisation’s activities.
Whether you ask FATF, Wolfsberg Group, or the FCA, they all stipulate that FI’s need to adopt a proactive approach to every process or step, from initial risk assessment, through to customer due diligence processes and ongoing monitoring. The key to efficiency is to examine each process in detail, and where a control requires a significant amount of time and resource – but only contributes in a small way to risk mitigation – to change or even eliminate it. Re-engineering processes and applying process improvement techniques can make a huge difference, ensuring resources are applied in areas that have the most impact on AML effectiveness.
Implementing a Risk Based Approach may seem like an arduous task, but if you want my advice, the first step towards effectiveness is quality data, good data management and smart technology to automate core processes. If you need help, these are areas of particular expertise at LexisNexis Risk Solutions where we already help a wide range of organisations to automate and streamline their KYC and AML processes.
Please do contact us to discuss how we can help with your implementation plans or, in the meantime, have a look at our RBA guide which gives detailed guidance for compliance teams on the factors to be considered in designing a solution.