Welcome to the 2nd instalment of our journey to real-time AML risk assessment. Missed the first one? No worries, you can catch up here. We discussed the merits of introducing an on-going risk assessment and warn you of some of the pitfalls to avoid when attempting this transformation. This time around we will go through all main types of data you will need for conducting a risk assessment. The aim of the current approach is to make your data as easily automatable as possible, so keep an eye out for tips on this as well.
The most straight-forward type of data you can obtain is customer data – how many private or corporate customers are actively using your products, which industries corporate customers operate in, which products/services are used by the customers, etc. Another category is related to product statistics – how many products do you offer? How many customers use the product? How big is the product turnover? These are the most important data points to start with for a far-reaching overview of your exposure to ML/TF risks. In fact, automatically updating easy-to-access overview of this data may already be available at your company, as this data is also very important for business teams. But the truth is, these numbers don’t mean much on their own.
Customer/product numbers can’t really be used for having an overview of risk exposure without context. This calls for another category of questions: How many customers operate in high-risk industries or interact with high-risk countries? How many corporate customers operate with a risky (e.g. complex) business structure? Which products have a higher ML/TF risk and how many customers are using these products? The context is driven by your company’s risk appetite and requires an understanding of what is the risk level you are willing to work with to be able to grow as a business.
There is one more question category we should add to the mix that provides a third type of data: How has context data changed over time? This is the most crucial question for both yearly and on-going risk assessment.
Changes could be the result of a change in context (e.g. two new countries were added to high-risk country list) or a change in customer numbers (the number of corporate customers operating in construction industries has risen 200%). To work towards an ongoing risk assessment, we recommend thinking through what are the trend events that should trigger action – is a 5% increase in the user count of your riskiest product a significant change to warrant action? How about a 30% increase?
To go from a yearly to an ongoing risk assessment, real-time data on all three data types above should be available. Depending on the overall quality level your data, its current value assessment and your IT/data analyst capabilities, this might be tricker than it first seems. We might make a separate blog series about this topic one day (as we mentioned in the first blog post of this series, we at BearingPoint are very much into all things data) but for now, if you would like to validate the value of your customer/product data, get in touch here and we will help you assess where the value of your data lies and how to improve it.
Anyone who has ever attempted to assess control effectiveness knows that it is not a task for the faint of hearted. The number of stakeholders involved spans across many different departments, the assessment itself can feel very subjective and the required level of detail will make your head spin. So, what should the strategy be here in terms of the collected data that leads to easier automation down the line?
Depending on your product offering and customer base, your control environment can be very simple or eye-tearingly complex.
By qualitative we mean the assessment of the health of the control environment – are there relevant instructions in place, do the instructions follow the law, do the instructions make sense for the operational teams, this sort of stuff. By quantitative we mean numbers: how many SARs have been made, how many customers in EDD, but also relevant sections from the context and customer data above, and, last but not least, quality assurance data (are instructions/working documents properly followed by all relevant teams). Both qualitative and quantitative data types need a seat at the table for a full picture of the control environment. For easiest future automation, it is recommended to restrict and simplify possible answers with qualitative data – yes/no questions are an easy way to make future automation easier.
No man is an island, and no credit institution works independently of the world around. This means that any money laundering or terrorist financing risks that a company is exposed to are highly dependent on world events and local cultural/political/geographical conditions. Decreases/increases in use of cash, emerging conflict zones, new fraud vulnerabilities identified nationally – these are all examples of external data that can end up changing the impact or probability of a risk.
The best way to collect this data with automation in mind is to set up systems for a structural information intake. Setting this up inhouse would require significant resources, but luckily there is an emerging market for relevant service providers out there that provide both existing risks and strategic foresight data on future probable risks (Acuminor, MetricStream, Futures Platform to name a few). It is crucial to set up a central risks list that all external data is mapped to – this ensures that risk descriptions and trends are understood in the same way across AFC teams. Last but not least, having a central storage for the information will go a long way for automating the data with the least resource effort.
Congrats, you have made it to the end. Quite a lot of different data to consider, right? If you are feeling overwhelmed, take a deep breath or two, and get in touch. We would love to share our knowledge from working with lots of different risk assessment environments.
Katja Mäkelä
Director, Financial Services
BearingPoint Finland
Diana Tomingas & Simo Manninen
In the next blog post, we will be delving into control data. We briefly introduced our approach to control data categories above but the topic is so many-sided (and fascinating) that it really does deserve its own blog post.