I have had some super interesting discussions about building a financial crime taxonomy over the last few months, and one question all of these conversations have raised is - can you build a fin-crime taxonomy from the top down? In my opinion the answer is no. It needs to be from the bottom up - and here is why.
Some quick definitions. By a bottom-up approach, I mean that you start from an evidence-based set of intelligence sources. In Acuminor's case, these are government, law enforcement or vetted bodies who are authorities on financial crime threats and risks. Starting from this basis means that every word in each report is analysed and in this way the threat and risk taxonomy is built from the bottom up. The bottom is the sources, and the taxonomy emerges from an analysis of every threat and risk mentioned within these sources.
In contrast, the top-down approaches I have come across, rely on internal subject matter experts to sit down, and get started by documenting a threat and risk taxonomy. Usually this is created from their own knowledge of the threats and risk affecting a particular business. The challenge with this approach is taking that initial taxonomy and turning into a living breathing resource that keeps up to date with the changing threat landscape. It’s almost impossible for a top down taxonomy to encompass all relevant threats and risks mentioned in relevant sources and that are applicable to their business.
I believe that the only way forward for a dynamic financial crime taxonomy is to follow a bottom-up methodology, and here's why:
A top-down approach is typically: -
Driven by subject matter expertise - the threat and risk language has been derived from an internal view of the external environment; this will ultimately be biased by individual experiences. This also creates dependencies on small groups of employees and that the language used by this group is understandable by a larger circle of recipients, e.g. business, audit or regulators.
Not scalable – the taxonomy documented can only grow in line with an individual’s or team’s ability to identify new threats and risks, it is nearly impossible to keep up with the changing threat landscape without a highly skilled team that are fully dedicated with the right tools to keep such a taxonomy up to date.
Susceptible to duplication – you are reliant on manual checks; you will ultimately end up with similar threats and risks being added to the taxonomy with slightly different phrasing.
Hard to industrialise across the business – It’s a huge task to work out which parts of your taxonomy are relevant to which parts of your business, you will spend most of your time fighting push back from the business or product owners, who often don't accept that certain threats or risk are relevant to their area.
In contrast, a bottom-up taxonomy can be: -
Evidence driven - the threat and risk language has been derived from relevant sources, it has not been made up or been biased by internal opinion.
Scalable - the taxonomy grows with the evidence base being analysed. Each new source analysed provide intelligence that either fits into an existing piece of the taxonomy or can be added within the ever-growing structure.
Has no duplication - all new terms are automatically checked against the existing database to ensure there is no duplication.
Relevant & contextual - each piece of the taxonomy is connected to the contextual financial crime intelligence. This means that you can easily work out which threats and risk are relevant to which financial products, geographies, or channels in your business.
Finally, and probably most importantly. A bottom-up approach allows you to take your taxonomy, industrialise it across the business and use it create actions plans to combat financial crime. A top-down approach is so resource intensive, you will struggle to have the time to focus on actions.
I'd love to hear your thoughts, get in touch with me at harriet@acuminor.com.