Assessing the Risk Categories
September 21, 2020
In a previous newsletter I spoke on the three basic steps required when conducting a risk-based risk assessment of your business. Step one was to assess the risk of the four different categories within your business: clients, products, countries, and channels. The second step was to determine what your business’ risk appetite is. The final step was to review your internal controls. In today’s article we will look in more detail at how to assess your business’ clients, products, countries, and channels.
The first category is your clients. Keep in mind that you want to tailor your risk assessment to your institution or firm. All businesses are different and will require different policies, procedures, and controls based on who and what you are dealing with. Let’s start with an easy enough question in terms of your customer base: who are your customers? It sounds simple, but you’ll need to dig to find out who you are working with. What type of client base are you dealing with? What industry are they in, where are they located, and so forth? In order to be compliant and to answer these questions, you will need a sound KYC/CDD program to ensure you are not dealing with criminals and terrorists or with individuals or regimes on a sanctions list, and you will need to obtain information on PEPs, as they are more susceptible to bribery and corruption. You will also want to keep an audit trail and documentation of any due diligence you perform. Once you have assessed your customers you will need to give each of them a risk rating determined by the information you have received from your customer due diligence. This rating should be low, medium, or high in terms of how much risk they present.
The next category is products and services. This is where you look at what products and services your business offers, what products, if any, you would like to add, and what risks are associated with these products and services. Again, you will want to use the low, medium, or high risk rating on these items. For example, domestic business transactions, whether funds transfers, loans, etc., would typically be lower risk because they are domestic. International funds transfers or online banking should have a higher risk rating of medium to high because you are dealing with foreign countries and non-face-to-face business transactions. If you are a correspondent bank or a private bank you would tend to risk rate these services as high because of the nature of those businesses. Remember, this risk assessment depends on your business and is unique to it.
The third category to look at is countries. This category can get a little tricky, as it ties in to many other areas: you will have to keep up to date with any changes that may occur from a regulatory standpoint and will want to stay informed on current sanctions lists. How you risk rate countries is determined by where the financial institution is headquartered, where your clients are located, where your clients are doing business, where your services are offered, what the place of domicile of your client is and whether it differs from the place of incorporation, whether nationality is important to you, and where your transactions are going to or coming from. These are some of the many questions you will be assessing when risk rating countries. Lower risk customers will have limited international clients, and most transactions will be domestic and local in behavior. Medium risk customers may have international branches and clients or, for US based institutions, may have branches or clients located in High Intensity Drug Trafficking Area (HIDTA) and High Intensity Financial Crime Area (HIFCA) locations. Higher risk institutions may deal with countries near sanctioned countries or with international clients from offshore jurisdictions, or, for US institutions, may have branches or clients located in HIDTA and HIFCA locations as well. Another aspect you want to look at when risk rating countries is whether they are a member of the Financial Action Task Force or of a FATF-style regional body. Typically, non-members are more likely to lack AML/CFT requirements equivalent to international standards and/or may have a negative political standing or bad reputation.
The last category on the list to risk rate is the delivery and distribution channels of your services. You will want to look at how accounts originate: was it through a walk-in, or was it online with an online-only identification process? How do you service these accounts? Higher risk accounts may be serviced remotely, for example through online, mobile, or telephone banking. From here you are going to want to monitor transaction risks: how much money is in a single transaction and what the frequency of transactions is, as well as looking for trends, new typologies, and emerging risks. With your different channels and services, you will want to have the proper technology in place to monitor these transactions and to stay ahead of any potential wrongdoing your clients may pose.
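As an added illustration that is not part of the newsletter, the following Python encodes the four-category rating the article walks through (clients, products, countries, channels), keeps each category at low, medium, or high, takes the highest category as the overall rating, and records the reasons as the audit trail the article asks for. The Profile field names, the level assigned to each factor, and the use of the highest category as the overall rating are assumptions made for this example, not a regulatory standard.

```python
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}


@dataclass
class Profile:  # facts gathered during KYC/CDD; field names are assumptions
    sanctions_hit: bool = False            # client: match against a sanctions list
    pep: bool = False                      # client: politically exposed person
    international_transfers: bool = False  # product: cross-border funds transfer
    online_banking: bool = False           # product: non-face-to-face service
    correspondent_or_private: bool = False # product: correspondent/private banking
    international_footprint: bool = False  # country: clients or branches abroad
    hidta_or_hifca: bool = False           # country: US HIDTA/HIFCA location
    offshore_or_near_sanctioned: bool = False  # country: offshore or near sanctioned
    fatf_member: bool = True               # country: FATF or FATF-style body member
    online_only_onboarding: bool = False   # channel: opened without a walk-in
    remote_servicing: bool = False         # channel: online, mobile or telephone


def rate(p: Profile):
    """Rate each category low/medium/high, take the highest as the overall
    rating, and return the reasons so the decision is documented."""
    cat = {"client": LOW, "product": LOW, "country": LOW, "channel": LOW}
    trail = []

    def raise_to(category, level, why):  # ratings only move up, never down
        if RANK[level] > RANK[cat[category]]:
            cat[category] = level
        trail.append(f"{category}: {why} -> {level}")

    if p.sanctions_hit:
        raise_to("client", HIGH, "sanctions list match, escalate before onboarding")
    if p.pep:
        raise_to("client", HIGH, "PEP, more susceptible to bribery and corruption")
    if p.correspondent_or_private:
        raise_to("product", HIGH, "correspondent or private banking")
    if p.international_transfers or p.online_banking:
        raise_to("product", MEDIUM, "international or non-face-to-face transactions")
    if p.offshore_or_near_sanctioned or not p.fatf_member:
        raise_to("country", HIGH, "offshore, near-sanctioned or non-FATF jurisdiction")
    if p.international_footprint or p.hidta_or_hifca:
        raise_to("country", MEDIUM, "international branches/clients or HIDTA/HIFCA")
    if p.remote_servicing:
        raise_to("channel", HIGH, "remote servicing (online, mobile or telephone)")
    if p.online_only_onboarding:
        raise_to("channel", MEDIUM, "online-only identification at account opening")
    overall = max(cat.values(), key=RANK.__getitem__)
    return cat, overall, trail
```

A constructed profile such as `Profile(pep=True, online_banking=True, remote_servicing=True)` rates high overall, with the client and channel categories driving the result and the trail listing each reason.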
Keeping track of all this can be a handful, but it is necessary in the fight against money laundering and terrorist financing. And let’s be honest, your institution doesn’t want to be fined or risk reputational damage from being non-compliant. These assessments will need to be a group effort and must have support from senior management, as they make the ultimate decision on how much risk they are willing to take. It is, however, the compliance officer’s job to keep them informed and to consult on the matter of staying compliant.