Demystifying the Risk-Based Approach (RBA)
The term Risk-Based Approach (RBA) is used extensively in conjunction with Anti-Money Laundering. In this post, we explore the various ways it can be implemented, and how adopting this approach improves effectiveness and efficiency of AML activities across the board.
The Devil in the Haystack
The 1995 movie The Usual Suspects paraphrases a quote from the French poet Charles Baudelaire: “The greatest trick the Devil ever pulled was convincing the world he didn’t exist.” The metaphor could easily be applied to money laundering where criminals disguise themselves and blend into society as upright individuals, owning legitimate companies and convincing authorities and service providers no money laundering activity is taking place.
We know they exist though. The question is, how many money launderers are out there? Given the nature of money laundering, we can never know for sure, but there are some clues that could help us understand the extent of the problem. For example, money laundering prosecutions in the UK average around 2,000 cases a year. The United Nations, however, estimates that 90% of money laundering crimes go undetected. A back-of-the-envelope calculation, based on these figures, suggests that around 0.3% of businesses could be involved in such criminal activity. One other independent data point is the percentage of businesses that get rejected by banks or financial institutions due to concerns around financial crimes. According to the Financial Contact Authority (FCA), this figure stood at 0.45% in 2019-2020.
This means that, even for a small firm in the accountancy, legal, or corporate services sector, dealing with less than 500 clients, there is a high likelihood that an individual with money laundering connections will one day walk through the door and attempt to take advantage of the firm’s professional services for their illicit activity. Identifying these cases is a classic problem of finding needles in a haystack, only the needles are trying to convince you they do not exist. So how can you go about finding them?
Comb, Search and Rummage
Here is where the Risk-Based Approach (RBA) comes in. Since 2012, the Financial Action Task Force (FATF) has placed the RBA as the cornerstone of anti-money-laundering efforts. Guidance published by the FATF, the European Union, national authorities and sectorial supervisory bodies are all based on the RBA.
Using a risk-based approach to find needles in a haystack, we would start by dividing the haystack into smaller piles – let’s go with three – a high-risk pile where we believe we are more likely to find a needle, followed by a medium-risk pile and a low-risk pile. We then finely comb the high-risk pile, search the medium-risk pile in less detail, and finally have a quick rummage through the low-risk pile. This allows us to simplify the process making it more efficient (we don’t have to comb the whole pile) and more effective (since we are more likely to find the needle).
The textbook definition of the risk-based approach is one where you identify, assess, and understand the money laundering risk and then devise mitigations that are commensurate with these defined risks. This allows us to give more focus to areas where exposure to money laundering is higher.
That’s all nice and theoretical but how can the RBA be applied within AML? Ask a dozen AML experts and you might get a dozen different answers. The reason is that the risk-based approach is implemented differently based on the level at which you are carrying out anti-money laundering activity. An RBA can in fact be applied at the national level, at the supervisory level, at a business-wide level within the organisation and at individual client levels.
Risk-Based Approach at the Regulatory Level
The topmost levels where an RBA can be applied is at a national level by the relevant institutions responsible for AML regulations. An RBA allows regulators to focus efforts on the biggest problem areas within their jurisdiction.
An important tool at this level is the National Risk Assessment (NRA). This is a document produced following an exercise to identify, assess, and understand the AML risk the country is exposed to at a national level. A number of countries choose to make this document publicly available and the FATF maintains a list of links to such documents on their website.
The document typically identifies the sectors within the country that are more prone to money laundering and terrorist financing risk and sets the tone in terms of where the country should focus on in terms of AML/CFT efforts. For example, amongst other sectors, the United Kingdom’s NRA classifies accountancy services, legal services and the TCSP sector as high-risk while gambling is considered low risk. On the other hand, the Bahamas’s NRA lists casinos and gambling, FCSPs and lawyers as high risk and accountants as medium-low.
The NRA also highlights areas that pose more risk. For example, the United Kingdom’s NRA highlights the risks posed by cash-intensive businesses and lists businesses such as beauty parlours, newsagents, restaurants, takeaways, and car washes as prime examples of businesses used to launder money. The NRA goes on to classify non-profit organisations (NPO) as low risk. This is because, even though NPOs may be attractive to money laundering, there is little evidence that these are being exploited, particularly thanks to controls implemented by NPOs in the UK and their limited exposure to high-risk jurisdictions.
Once all the risks are understood, mitigation plans that give more focus to areas that carry a higher risk are then drawn up. This may affect the structure of the country’s supervisory regime and guide legislation and regulation. For example, the UK is currently considering relaxing some mandatory requirements around local PEPs since the risk they pose was deemed low within the latest NRA. On the other hands the government is looking to restructure the supervisory regime due to shortcomings in supervision within the accountancy and legal sectors.
Risk-Based Approach at the Supervisory Level
Supervisory bodies are responsible in ensuring compliance and effectiveness of AML processes with the private sector population they supervise. Some jurisdictions, like the UK, have multiple supervisors, with different bodies responsible for different sectors. Other jurisdictions, like Jersey, rely on a single supervisor or a small set of supervisors that cater for more than one sector. Supervisors should educate and publish guidelines, monitor and inspect their supervised population, and issue fines for non-compliance where necessary.
If you work within these institutions, an RBA will allow you to focus your efforts on the biggest problem areas within your jurisdiction or sector, helping maintain a good reputation for the country and industries that fall within your responsibility. If you work in the private sector, understanding how the RBA is applied at this level will help you understand the “why” behind the actions and guidelines of supervisors.
Effective supervisory bodies understand the landscape that their supervised populations operate in. They are also able to classify the firms they supervise in terms of risk. Once again, they assign more resources to the cohort that poses higher risks. For example, supervisors may carry out more frequent inspections on high-risk firms.
Risk-Based Approach at the Business Level
The next level of AML activity at which a risk-based approach should be taken is at the private business level. Financial institutions as well as DNFBPs such as accountancy firms, legal firms and TCSPs, should implement this at two levels: the business level and the customer level.
The starting point here is a Business Risk Assessment (BRA) that defines the risks the business is exposed to in terms of money laundering. Considerations that need to be taken into account include the jurisdictions the organisation is exposed to, the type of clients, the transactions involved, the services it offers, and the channels used to deliver these services. For example, an audit firm whose client base is predominantly face-to-face local businesses that are not cash intensive has a different risk exposure to a TCSP that mainly sets up corporate structures for high-net-worth (HNW) individuals from all over the world, including individuals from jurisdictions that pose a higher risk. The business can then draw up AML mitigation measures, once again focusing on the areas that pose a higher risk. Mitigation factors can vary but could include ensuring that:
- Clients and their ultimate beneficial owner (UBOs) are properly identified.
- Data and documentation stored on clients and their UBOs is complete and up to date.
- Ongoing checks against sanctions, PEPs and adverse media databases are carried out.
- Policies and procedures are drawn up, thoroughly communicated, and adhered to.
- Software is used to automate all the above.
Risk-Based Approach at the Client Level
The mitigation factors at the business level would include details on what data and documents to collect about your clients and what checks need to be implemented at the client level. However, not all clients pose the same AML risk and therefore even at this level, not all clients should be treated equally. Once again, we can apply a risk-based approach. An important tool used at this level is the Customer Risk Assessment (CRA). The CRA is used to classify clients into different risk classifications. For example, you may devise a CRA that divides clients into high, medium, and low risk. High risk clients could include clients operating in high-risk jurisdictions, those which are associated to Politically Exposed Persons (PEPs) or those whose activities are defined as high risk in the NRA (for example, cash-intensive businesses).
Once clients are stratified into these risk classifications, your resources can be tuned to focus more on high-risk clients than on low-risk clients. For example, you may decide to collect more information for high-risk clients, monitor them more frequently or carry out a review more often.
The term risk-based approach is used extensively within the AML space and the details of how it is implemented can differ based on whether the AML activities are at the national, sectoral, supervisory, business or client level. Across all levels, however, the key concept remains the same – identify, assess and understand risks and focus more of your resources on mitigating the higher risk elements. Finding elusive needles in haystacks is a time-consuming task but taking a risk-based approach to it will maximise efficiency and effectiveness.