Conducting a business-wide AML/CTF risk assessment is hard, time-consuming work. But does it have to be? What if we told you there was a way to conduct it rapidly, consistently and transparently without losing out on quality? In this blog series we’ll share with you our vision for an ongoing dynamic risk assessment.
Identify risks, assess inherent risk, set mitigating controls in place, assess residual risk, compare residual risk to risk tolerance and add controls where residual risk is too high. And do it all over again after “a period of time” (let’s say, a year). If this was a blog post about how to go about setting up a risk assessment, we’d be done. And you wouldn’t have learned much. But in this blog series (the first part of which you’re reading now) we want to delve into something that is a bit trickier – how to make the most out of your AML risk assessment and waste the least time while conducting it by transforming it from a yearly process to an ongoing real-time process. Essentially, we’re tackling three topics – optimization, automation, implementation. Sounds like quite an endeavor, right? Let us share how we plan to go about this task.
At the core of our approach to AML risk assessment is our love for all things data and automation. By taking the necessary steps to collect the relevant data with good quality in mind and by automating a large chunk of the data collection, the yearly time-consuming process of AML risk assessment can be transformed into an ongoing process in which any changes in risk are identified, verified, and communicated in real time without any critical delays. In contrast to a static once-a-year risk assessment process, risks change all the time, and crucial changes in the legal landscape (such as new laws or regulations), external variables (e.g., wars or new fraud trends in geographically relevant areas) or internal processes (for example, new product launches or changes in company structure) can lead to an unacceptable rise in AML risk in a matter of days or weeks. Having a dynamic risk assessment in place to tackle and identify new challenges instead of a static manual yearly process can be the crucial difference between relevant risk mitigation and criminals abusing your system’s vulnerabilities to clean their ill-gotten funds.
A static yearly risk assessment process takes months to conduct. In fact, the bigger the financial company, the more time it should take (according to the FATF recommendation on risk assessment’s commensurability with the financial institution’s size). Identifying the risks, getting all the relevant control data from control owners/leads, assessing the risks and controls in a clear measurable way, putting together a plan to mitigate risks that are too high, conducting the plan etc. – all of this is a lot of information to gather, making risk assessment a long, expensive process.
Instead of manually looking for the business customer industry list, relevant suspicious activity reports, or an overview of transaction monitoring alert efficiency, having this data collected and assessed automatically means that risk mitigation efficiency can be assessed contextually, effectively and on a continuous basis.
The reliability of your risk assessment is directly dependent on the method of conducting it. The process needs to yield high-quality results every time, otherwise any long-term trends can’t be trusted, causing limited visibility on existing risks. Having a (changing) team of people conduct manual research and draw manual conclusions based on the data they’ve gathered is bound to produce varying decisions year after year.
Being able to identify, in a timely manner, the risks where additional controls are needed helps organizations react to increased risks and saves them from possible unexpected losses or regulatory sanctions.
As indicated before, we want these knowledge-sharing blog posts to be all about making the most of your organization’s risk assessment while reducing the costs. We believe that focusing on obtaining good quality data and implementing critical automation will result in the right conditions for transforming your manual yearly risk assessment to a real-time risk assessment.
The next blog post in this series will address the types of data you’ll come across while conducting risk assessment (spoiler: we’ll be focusing on customer data, control data and external (industry/market) data) and how this categorization will help you have a better grasp on the channels of information at your disposal.
Once we have our data types categorized, the following blog post will focus on the trickiest (and we would say, most important) data type – control data. Here is where the topic of automation takes center stage. We’ll tackle the following topics: what the benefit of automation is, what can be automated, and how to make sure the quality of the data stays up to par.
After that we’ll delve into the transformation of AML risk assessment from a yearly manual process to an ongoing automated process. It’s important to consider the ways in which such a transformation affects the different touch points between compliance, product, support, and other relevant functions. An ongoing risk assessment calls for quick and clear communication channels regarding any changes in risk levels. This needs to be in place before changes in the risk assessment process are made.
And after that, there’s more to come. These are just some topics we’ll cover in this series. Risk assessment is a crucial, yet often dismissed topic. Getting one up and running effectively requires more than just a sufficiently working assessment matrix. But for now, we’ll stop here. Watch this space for the next blog post.
Hope you’ll join us for the rest of the journey!
Director, Non-Financial Risk & Operational Excellence
Manager, Non-Financial Risk Management
Senior Business Consultant, Anti-Financial Crime