Financial institutions face a growing tension: the need to grow while staying compliant with increasingly complex regulations like the new EU anti-money laundering regulations, AMLR.
Most people who have worked in the financial industry for a while have seen how the EBA risk factor guidelines and similar publications have been used in financial crime processes, often producing generic, over-simplified views of the risks an organisation actually faces.
In other words, they have led to a so-called blanket approach to financial crime risk assessments (“all customers with a link to country X pose a very high risk”), which in turn often leads to blanket de-risking of entire customer segments based on nothing more than a general perception that they might be too dangerous.
The practice of de-risking has been frowned upon for years by watchdogs such as the FATF, the EBA and the UK FCA, for several reasons:
At first glance it can make sense from a business perspective: the consequences of failing to comply with AML regulations are severe, especially when set against the meagre earnings you are likely to get from small business customers, so the risk-reward ratio simply does not add up.
But quite often the business wants to pursue clients or markets that the risk and compliance teams refuse to sign off on, leading to slow, expensive de-risking practices that have a significant negative impact on growth.
But does it have to be this way?
No, not at all. Blanket de-risking practices are almost always based on too crude an understanding of what your risks actually are. A true risk-based approach requires detailed, accurate insight into the threats and risk indicators relevant to your particular business.
This requires:
Granular, accurate understanding of your true risks paves the way to accurate, effective controls. The opposite (general, non-risk-based controls) is usually a bad idea:
In 2021, one of the UK banks was fined for failing to detect suspicious cash deposits from a small business customer which deposited up to £1.8 million in cash per day.
Apparently the bank applied generic controls and missed clear red flags. The case shows how, without a risk-based approach, even basic anomalies such as a high volume of transactions involving high-risk jurisdictions and corrupt entities can go undetected.
Evidencing effective, genuinely risk-based controls is not only something that an increasing number of regulators require (with the UK FCA, the Hong Kong HKMA, the Dutch DNB and the Swedish FSA leading the pack); it is also a way to significantly reduce your operational costs.
Imagine being able to reduce your transaction monitoring alerts by 90% without sacrificing control.
This is where the question about AMLA comes in. While some regulators in the EU are leading the evolution of risk-based supervision, several are still hopelessly behind their international cousins.
Put it this way: it is probably no coincidence that AMLA's headquarters was placed in Germany, a country that has so far failed to fully implement the risk-based approach.
Creating a data-driven, intelligence-led supervisory framework is a massive project, and AMLA has only about 1.5 years to pull it off before its go-live in mid-2027.
This, combined with the fact that AMLA has recruited heavily from the EBA, makes it a reasonable assumption that the first iterations of the AMLA guidelines on risk factors (and the subsequent supervision of how those risk factors have been implemented across the EU financial industry) will be based on a simplified, generalistic view of risk, similar to what the EBA has been providing.
This means that most compliance professionals in the EU will spend a tremendous amount of time, money and effort to go back into a more rules-based approach, while maintaining the risk-based approach for their UK operations. To sum it up: there’s a risk that the ones who are really bad will get better, but the ones that are really good will be worse off.
There’s a real risk that blanket de-risking of entire customer segments will remain or even increase as a result of AMLA – unless the authority makes it crystal clear what is expected from the regulated entities.
And it is not enough to say “don’t do de-risking”: regulated entities need to be encouraged to go beyond the simple tick-box exercise that has led to systematic compliance failings on too many occasions. The only ones who would benefit from that are the criminals trying to misuse the financial system.