Worldwide, regulatory requirements and the macro-environment are ever-evolving and so too is the need to adopt rigorous controls to monitor the risks that organisations are exposed to.
The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 reinforced the need for a risk-based approach, putting focus on understanding risk exposure and proportionate controls to mitigate this risk. Fundamental to this is the application and maintenance of a Customer Risk Assessment (CRA) methodology.
In LexisNexis’ 2023 report on the True Cost of Compliance, it is estimated that financial crime compliance costs for the UK will rise to over £30 billion. With developments in the macro-environment such as the Russia-Ukraine war, costs to firms are consistently increasing with no clear end in sight.
Implementing and maintaining an effective CRA methodology is key to remaining compliant in a cost-effective way. However, the CRA has several interwoven dependencies which need to be managed to achieve effective compliance. We outline below some of the familiar barriers that impact the application of a risk-based Anti-Money Laundering (AML) compliance program.
1. Evolving Regulation and Risk Maintenance
Understanding and managing risk is a key component of CRA, but ensuring continued effectiveness requires ongoing maintenance, particularly when macro-economic and sector-specific developments continue to impact risk exposure. When implemented and maintained appropriately, the CRA supports a risk-based approach, allowing for application of controls proportionate to customer risk.
The ongoing maintenance of the CRA methodology continues to be a challenge for many firms without the necessary expertise and processes in place to effectively monitor changes to risk. This significantly hampers the implementation of the CRA methodology and is further compounded by the ever-evolving regulatory and macro landscape, such as the fast-evolving sanctions landscape, the UK Government’s navigation of Brexit and the Economic Crime and Corporate Transparency Bill.
2. Data Quality and Completeness
In our article last month, focusing on the challenges and operational efficiencies in Customer Due Diligence (CDD), we detailed the importance of data quality within the overall customer lifecycle. Data quality and completeness is a key challenge that hampers many organisations in the application/implementation of a CRA.
Inaccurate or incomplete data can impact the CRA through erroneous records and the need for default value application. This is a common challenge for many firms, with legacy systems, data issues as well as incomplete CDD policies having a downstream effect on risk assessment.
This leads to implications on complementary controls, such as the application of electronic Know Your Customer (eKYC) and risk-based customer monitoring. A failure to address critical data quality issues can compromise the effectiveness of controls and undermine the overall risk assessment process.
3. Ineffective Processes and Customer Journey Inefficiency
Policy or procedural ambiguity can result in operational inefficiency and has a downstream impact on risk assessment quality. It is essential to establish clear and consistent processes to support effective CRA.
The frequency and requirements of CDD Review cycles should be tailored to the risk presented by customers to ensure that the customer journey is managed effectively. This not only prevents the need for unnecessary customer outreach, but also ensures AML risk is monitored appropriately.
However, many organisations struggle to define and maintain effective processes, continuing to apply those that don’t align with the inherent customer risk and failing to support the ongoing requirements for CRA.
4. Tuning & Calibration Processes
Model tuning is an essential driving force behind ensuring the CRA model accurately reflects customer risk. It’s essential to have a well-governed, risk-based tuning process to gain confidence that the model outcome is appropriate and capable of supporting AML controls.
Definition of an appropriate tuning methodology continues to be a common issue, with many organisations struggling to apply a risk-based and evidenced approach to tuning. In particular, model over-fitting is common, with many CRA models tuned on too small a customer sample with limited understanding of model performance across the wider customer-base.
5. Implementation & Integration
The CRA sits at the centre of the financial crime control framework, enabling the application of monitoring in a risk-based manner. This allows for a greater focus of controls and resourcing on higher risk customers and supports informed decision-making in areas such as customer onboarding, customer segmentation, Transaction Monitoring (TM) and ongoing monitoring.
Whilst it’s common to apply targeted periodic review cycles, many organisations struggle with the integration of CRA more widely within the financial crime control framework, with some of the common challenges including:
- Applying tailored controls based on risk level, including applying more stringent thresholds to higher risk customers.
- Implementing a feedback loop between the CRA and relevant controls, required to trigger changes following CRA reviews and trigger events.
- Tailoring ongoing monitoring and data requirements based on risk-exposure.
Enhancing the Operation
Given the wide range of challenges faced by financial services firms and the rising costs associated with compliance, it’s more important than ever to have the tools in place to remain operationally efficient.
We detail below four key operational enhancements capable of driving a more sustainable approach to compliance.
1. Target Operating Model (TOM) Development and Enhancement
A well-defined and governed CDD TOM is central to ensuring there is an effective strategy and approach to CDD/CRA. A well-defined TOM should provide the baseline for appropriate CDD, with a range of benefits, including:
- Providing a platform for completion and maintenance of a Business-Wide Risk Assessment (BWRA), both a key component and beneficiary of an effective CRA.
- Applying robust procedures for review and maintenance of CDD/CRA risk alignment.
- Risk-aligned policies and procedures catalysing CDD updates on either a periodic basis, or through trigger-based review.
- Implementation of risk-centric controls. For instance, applying more stringent TM thresholds to higher risk customers (a topic we’ll explore in more detail in an upcoming article on our TM Alert Classifier).
2. Risk-based Design and Tuning
Without aligning the design and implementation of a CRA methodology with risk exposure it’s almost impossible to get comfort that customer risk level is accurately set. A TOM provides a platform through the definition of a BWRA and procedures to regularly maintain the CRA, but this is only half of the challenge.
It’s important to remember that there is no ‘one size fits all’ approach to CRA. Each firm is exposed to bespoke risks and, as a result, risk factors and scoring methodology should be defined with that in mind. An appropriate risk-based tuning methodology should be applied to ensure model parameters are set at the necessary levels.
Ensuring there’s a comprehensive approach to defining and maintaining the risk assessment and scoring methodology which accounts for continual developments in risk is vital.
3. Governance Enhancements
The importance of a comprehensive governance structure is often overlooked. However, given the potential cost implications of mis-performing CRA models, having a robust control structure is a key component of success.
Like many of the enhancements, this is only a piece of the CRA puzzle, but without it, firms struggle to ensure that the necessary steps have been taken to validate the CRA and subsequent iterations. A comprehensive governance structure should provide the controls surrounding CRA definition, design, and implementation, including the oversight and sign-off procedures required to support maintenance of the model.
4. Outcome Testing
Testing is key to ensuring the CRA model performs in line with expectations. Inefficient/ineffective CRA models have the potential to significantly impact resourcing and risk exposure leading to increased staff costs, potential fines, and the possibility of remediation.
Many firms struggle to gain comfort in the risk ratings and the level of controls/resourcing required. Outcome testing serves to provide comfort, assessing the range of model performance with a particular focus on:
- Effectiveness – Assessing how effectively a model identifies higher risk customers. Model ineffectiveness exposes firms by under-classifying customer risk level.
- Efficiency – Identifying how accurately a model classifies lower risk customers. Model inefficiency drives increased costs with unnecessary controls applied to customers incorrectly classified as high-risk.
Future of CRA compliance
Naturally, we’re already seeing a move towards the ‘future’ of CRA. As firms begin to better understand risk exposure and build improved controls, enhancements are being made to the way customer risk is defined and the complexity of models used.
As with many other areas of AML, one of the biggest shifts is the move to more data driven, automated approaches to defining customer risk. With this, many firms are investigating the use of network analysis, machine learning and dynamic risk assessment, amongst other techniques to better understand their customers and increase the accuracy and comfort in the way risk is assessed.
With technology ever evolving, the changes we’re seeing to risk assessment are set to continue, but are hindered by the challenges, outlined above, that many firms face. Without first countering these and implementing solid foundations, progress will be limited.