Martin Nordh

What’s the risk of AMLA holding back your growth?

Financial institutions face a growing tension: the need to grow while staying compliant with increasingly complex regulations like the new EU anti-money laundering regulations, AMLR. 

Most people who have worked in the financial industry for a while have seen how EBA risk factor guidelines and other similar publications have been used in various financial crime processes – often leading to generic, over-simplistic views on what risks your organisation is facing.

In other words, they have led to a so-called blanket approach to financial crime risk assessments (“all customers with a link to country X pose a very high risk”), often leading to blanket de-risking of entire customer segments just based on a general perception that they might be too dangerous.

The Cost of Blanket Controls 

The practice of de-risking has been frowned upon for years by watchdogs FATF, EBA and UK FCA for several reasons:

  • It’s not very risk-based, which is sort of the whole point behind the modern financial crime framework.
  • It has a negative impact on society: non-profit charities getting de-banked and small business owners not being able to hold a basic bank account. It all contributes to segregation and economic hardship for the parts of society that are often already being left behind.

At first glance, it can sometimes make sense from a business perspective, since the consequences of failing to comply with the AML regulations are extreme, especially compared to the meager earnings you likely get from your small business customers – the risk-reward ratio simply doesn’t add up.

But quite often, the business wants to go after clients or markets that the risk and compliance teams refuse to sign off on, leading to slow, expensive de-risking practices which have a significant negative impact on business growth.

Blanket compliance vs. risk-based approach 

But does it have to be this way? 

No, not at all. Blanket de-risking practices are almost always based on a too-crude understanding of what your risks actually are. To employ a true risk-based approach requires detailed, accurate insights into threats and risk indicators relevant to your unique business.

This requires: 

  • Skilled human judgment 
  • Investment in risk analysis technology and solid data 

Granular, accurate understanding of your true risks paves the way to accurate, effective controls. The opposite (general, non-risk-based controls) is usually a bad idea: 

In 2021, one of the UK banks was fined for failing to detect suspicious cash deposits from a small business customer which deposited up to £1.8 million in cash per day. 

Apparently, the bank applied generic controls and missed clear red flags. This demonstrates how, without a risk-based approach, even basic anomalies, such as many transactions involving high-risk jurisdictions and corrupt entities, can go undetected.

Evidencing effective, true risk-based controls is not only something that is increasingly required by many regulators (with the UK regulator FCA, Hong Kong regulator HKMA, Dutch DNB and Swedish FSA being leaders of the pack) – it’s also a way to significantly reduce your operational costs.

Imagine if you could reduce your transaction monitoring alerts by 90% without sacrificing control? 

AMLA – are we going back in time? 

This is where the question about AMLA comes in. While some regulators in the EU are leading the evolution of risk-based supervision, several are still hopelessly behind their international cousins. 

Put it this way, it’s likely no coincidence AMLA HQ was placed in Germany – a country that until this point has failed in fully implementing the risk-based approach.

To create a data-driven, intelligence-led supervisory framework is a massive project, and AMLA only has 1.5 years to effectively pull it off until its go-live time in mid-2027.

Given this, combined with AMLA’s recruitment of staff from EBA, it is a reasonable assumption that the first iterations of the AMLA guidelines on risk factors (and the subsequent supervision of how these risk factors have been implemented in the EU financial industry) will be based on a simplified, generalised view of risk, similar to what EBA has been providing.

This means that most compliance professionals in the EU will spend a tremendous amount of time, money and effort to go back into a more rules-based approach, while maintaining the risk-based approach for their UK operations. To sum it up: there’s a risk that the ones who are really bad will get better, but the ones that are really good will be worse off. 

There’s a real risk that blanket de-risking of entire customer segments will remain or even increase as a result of AMLA – unless the authority makes it crystal clear what is expected from the regulated entities. 

And it’s not enough to say “don’t do de-risking” – they need to be encouraged to go beyond the simple tick-box exercise that has led to systematic compliance failings on too many occasions. The only ones who would benefit from that are the criminals trying to misuse the financial system.

We’ll explore this topic in depth at the AMLP Forum, 10–11 November 2025, in London.