Applying a risk based approach to anti-money laundering, counter-terrorism financing and anti-proliferation programmes has been a difficult switch for many. For the past decade, most regulated businesses appointed a compliance officer and left him or her with the task of incorporating checklists, ticking boxes and maintaining records to show compliance.
However, adopting a risk based approach requires the participation of everyone in the organisation to be truly effective. But what is it exactly? Because no two businesses are the same, finding practical guidance can be frustrating.
We asked Kendra Foster, Founding Principal of U Law in the Cayman Islands, for some guidance on effectively switching to a risk based approach. Kendra noted that the four basic stages of a risk based approach are: (1) identifying risk; (2) assessing risk; (3) understanding risk; and (4) mitigating risk. She suggests the following approach to get started:
- Use common risk criteria – For identifying, assessing, understanding and mitigating your business risks as well as your customer risks, use common risk criteria as follows
- Country or geographical risk (e.g. countries which do not have equivalent regulation);
- Customer risk (e.g. costumers which present higher risks such as PEPs);
- Product/service risk (e.g. how your products/services may be misused); and
- Delivery channel risk (e.g. how your customers find you).
- Assign a risk level to your business and each customer – Risk levels to be assigned should represent a range such as low, medium or high. To assign a risk level, you could use a numerical system based on the common risk criteria above. When all relevant risk factors are considered together an appropriate risk level can be documented.
- Use appropriate tools – Business and customer risk assessment could be conducted using a paper based checklist with manual sign-off, using an automated spreadsheet with set formulas or using a customisable technology solution with electronic sign-off. Implementing a technology solution to automate the risk assessment, track assigned risk levels, implement workflows for internal controls and monitor requirements is highly recommended.
- Ensure the risk level assigned permeates the programme – Policies and procedures in relation to client acceptance, due diligence measures, ongoing monitoring, and termination of the relationship or conclusion of the transaction should be risk-based. For example, simplified or standard due diligence measures should not be applied for customers that have been assessed as high-risk.
You will need to write new procedures for your staff to document each aspect of the risk based programme including mitigation procedures. There are numerous ways to mitigate risk in your business. An example of mitigation procedures could be to require compliance and senior management sign-off on all higher risk customers while lower risk customers can be signed off by the account manager alone.
Remember, the reason for applying a risk based approach is to efficiently allocate your resources. A well designed risk based compliance programme will actually reduce your compliance costs in the long-run.
*Kendra is a founder of U Law in the Cayman Islands. Formerly a Senior Associate at Maples and Calder and the Deputy Compliance Director at Intertrust, Kendra has over 14 years experience in the financial services industry and specialises in regulatory and risk management. Kendra can be reached at kendra@ulaw.ky.