Assessing the 4 Risk Categories
In a previous newsletter I covered the three basic steps required when conducting a risk assessment of your business under a risk-based approach. Step one was to assess the risk of the four different categories within your business: clients, products, countries, and channels. The second step was to determine what your business’s risk appetite is. The final step was to review your internal controls. In today’s article, we will take a more detailed look at how to assess your business’s clients, products, countries, and channels.
Category 1: Clients
The first category is your clients. Keep in mind that you want to tailor your risk assessment to your institution or firm. All businesses are different and will require different policies, procedures, and controls based on who and what you are dealing with. Let’s start with an easy enough question about your customer base:
Who are your customers?
Sounds simple enough, but you’ll need to dig to find more information on who you are working with. What type of client base are you dealing with? What industry are they in, where are they located, and so forth? To be compliant and answer these questions, you will need a sound KYC/CDD program to ensure you are not dealing with criminals, terrorists, or individuals or regimes on a sanctions list. You will also need to obtain information on PEPs, as they are more susceptible to bribery and corruption. Keep an audit trail and documentation of any due diligence you perform. Once you have assessed your customers, you will need to give each one a risk rating based on the information you received from your customer due diligence. This rating should be low, medium, or high, according to how much risk they pose.
Category 2: Products and Services
The next category is products and services. This is where you will look at what products and services your business offers, what products, if any, you might want to add, and the risks associated with these products and services. Again, you will want to use the low, medium, or high risk rating on these items.
For example, domestic business transactions, like funds transfers or loans, would typically be lower risk, since they are domestic. International funds transfers or online banking should have a higher risk rating of medium to high, because you are dealing with foreign countries and non-face-to-face business transactions. If you are a correspondent bank or a private bank, you would tend to risk rate these services as high because of the nature of those businesses. Remember, this risk assessment depends on your business and is unique to it.
Category 3: Countries
The third category to look at is countries. This category can get a little tricky because it ties in to a lot of different things, and you will have to stay updated on any changes that may occur from a regulatory standpoint. This means staying informed on current sanctions lists.
Essentially, you will be asking these questions while risk rating countries: Where is the financial institution headquartered? What is the place of domicile of your client? Does it differ from the place of incorporation? Where are your clients doing business? Where do you offer your services? Is nationality important to you? Also, where are your transactions going to or coming from?
These are some of the many questions you will be assessing when risk rating countries. Lower-risk customers will have limited international clients, and most transactions will be domestic and local in behavior. Medium-risk institutions may have international branches and clients or, for US-based institutions, may have branches or clients located in High Intensity Drug Trafficking Area (HIDTA) and High Intensity Financial Crime Area (HIFCA) locations. Higher-risk institutions may deal with countries near sanctioned countries or with international clients from offshore jurisdictions or, for US institutions, may have branches or clients located in HIDTA and HIFCA locations as well.
Another aspect you want to look at when risk rating countries is whether they are a member of the Financial Action Task Force (FATF) or of a FATF-style regional body. Typically, non-members are more likely to lack AML/CFT requirements equivalent to international standards and/or may have a negative political standing or bad reputation.
Category 4: Channels
The last category on the list to risk rate is the delivery and distribution channels of your services. You will want to look at how accounts originate. Was it through a walk-in, or was it online with an online-only identification process? Also, how do you service these accounts?
Higher-risk accounts may involve remote servicing, for example, online, mobile, or telephone banking. From here you are going to want to monitor transaction risks. How much money is moved in a single transaction? What is the frequency of transactions? Also look for trends, new typologies, and emerging risks. With your different channels and services, you will want to have the proper technology in place to monitor these transactions and to stay ahead of any potential wrongdoing your clients may pose.
Keeping track of all this can be a handful. But it really is necessary in the fight against money laundering and terrorist financing. And let’s be honest, your institution doesn’t want to be fined or risk reputational damage from being non-compliant. These assessments will need to be a group effort. And you must have support from senior management, as they make the ultimate decision on how much risk they are willing to take. It is, however, the compliance officer’s job to keep them informed and to consult on the matter of staying compliant.