Confessions of a compliance officer: The risk-based approach goes wrong

Published on Apr 17, 2019

Love it or hate it, the risk-based approach (RBA) is a key aspect of compliance work. But what happens when the boss shows up one day with a woefully muddled up RBA plan and expects it to be implemented? A London-based compliance officer recalls being amused at the sheer madness of it all, and gives his take on handling the RBA issue. The compliance officer does not wish to disclose their name or other details.

Financial crime staff will be very familiar with the “risk-based approach” (RBA), first encouraged in the 2005 Third EU Money Laundering Directive and subsequently mandated in the 2012 Financial Action Task Force (FATF) Recommendations. I would like to relay how the bank I was working at some years ago attempted to implement the new philosophy.

The bank’s London operation functioned as an investment bank dealing with large institutional clients and counterparties. We did not have any retail customers, nor did we offer retail products and services. The risk analysis showed that 75% of our clients and counterparties were regulated financial institutions in FATF jurisdictions, while another 15% were companies (or their subsidiaries) that had their securities listed on one of the world’s major securities exchanges.

The main operation of the bank in its home country had hundreds of retail branches, offered facilities to small, medium-sized and multinational companies, and sponsored the national football team.

A new system introduced

The powers that be decided that we in London would use the customer risk scoring tool that had been implemented in the retail branches and other units in the home country. In essence, the staff member would complete a risk assessment tool that ascribed risk factors to such customer characteristics as main country, legal type, industry type and so on that would produce a risk score.

This risk score would then be used to classify the customer as High, Medium or Low risk, which in turn determined which due diligence documents would need to be obtained and the degree of associated ongoing monitoring. We in London analysed the risk scoring tool and performed a test on a sample of London customers. The results were woeful.

The country list contained over 225 jurisdictions and territories, which is remarkable considering the United Nations has 192 member countries. However, there were multiple country lists for such matters as money laundering, terrorist financing, bribery, corruption, sanctions, etc. which attempted to ascribe risk ratings for each of these issues.

The list of legal entity types contained over one hundred entries. Risk ratings were allocated to private companies, public companies, partnerships, trusts, foundations, etc. What made this list so large (and cumbersome) was the attempt to identify, on a global basis, national variations of these fundamental types of structure, such as a French SA, a Dutch NV and a German GmbH.

As a compliance professional, I was not sure that I could articulate the difference in inherent financial crime risk between a private limited company and a public limited company. I was, however, convinced that the front office person completing the assessment tool would not be able to either.

Substantial flaws

I found the list of industries and its associated money laundering risk ratings to be substantially flawed. The bank used a global standard industrial classification list of the kind countries around the world use for national accounts, economic reporting and policy making. Each industry was ascribed a risk rating from 1 to 8, with 8 representing the highest money laundering risk.

I was astounded when I reviewed those industries deemed to be the riskiest. According to the bank, the industry that had the highest inherent money laundering risk was … ice cream parlours! I am still not aware of any typologies from any official body highlighting the risks of dealing with these establishments. Nor has this sector been mentioned at any of the many industry conferences and seminars that I have attended over the years.

Within the industry risk list, the relative ratings were somewhat unbalanced. For example, in the bank’s home country there were many members of NATO forces stationed at military bases. A retail customer of the bank who was a member of a foreign military was given a risk score of 4.5. In contrast, the European Central Bank (ECB) was deemed to have an industry risk rating of 6.5.

Accordingly, the bank believed that the ECB represented a 44% higher money laundering risk than a foreign soldier. I suggest that the ECB, with most of its counterparties being central banks of EU Member States, is a relatively low money laundering risk. The complexity of the industry list was often bewildering and, in my view, pointless. I can only guess what Front Office staff thought of the list and, as a consequence, of the Compliance department.

For example, if the customer manufactured furniture, the risk scoring tool then requested further details such as “Home or Office?” On selecting “Home”, the next question was “House or Garden?” On selecting “House”, individual risk scores were attributed to wood, metal or plastic furniture.

Again, at industry conferences over the years and in many discussions with regulators and supervisors, the relative risks of dealing with furniture manufacturers and the materials they used in their products never came up as a topic of conversation! Not surprisingly, these fundamentally flawed individual risk ratings produced some strange results for individual customers.

The London office of a UK company whose main business was in the services sector and whose securities were listed on the London Stock Exchange was deemed to be a “Medium” risk. Its Jersey operation was, apparently, a “Low” risk. After we presented the details of our review to the Global Head of Compliance, a further review was conducted, which led to the person responsible for devising and implementing the risk scoring tool leaving the bank, whilst the tool was substantially amended and simplified in the home country.

We never did implement the original version of the risk scoring tool.

Keep it simple, reliable

What are the lessons from this sorry saga? Firstly, given that the money laundering risk is owned by the Front Office, make sure any risk assessment tool is relatively simple to use. Secondly, make sure the risk ratings are based on reliable, public assessments. Thirdly, make sure the overall results of the risk scoring are credible and consistent.

Finally, make sure that, prior to implementation, the tool is rigorously tested so that a firm can justify its use and conclusions to its regulator and, if need be, a Court.
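As an added example (not code from the article or from any bank it describes), here is a toy version of the scoring tool described earlier, with factor ratings for country, legal type and industry summed into a score and banded High/Medium/Low, together with the sample-based pre-implementation test recommended above. All ratings, band thresholds and sample customers are constructed assumptions.

```python
# Added example, not from the article: a toy risk-scoring tool of the kind
# described, plus the sample-based test recommended before implementation.
# All table entries and customers are constructed for illustration.

# Factor tables on the article's 1-8 scale (8 = highest money laundering
# risk); the 6.5 / 4.5 industry ratings mirror the ECB vs soldier example.
COUNTRY_RISK = {"GB": 2, "DE": 2, "JE": 4}
LEGAL_TYPE_RISK = {"plc": 2, "ltd": 3, "individual": 3, "central bank": 1}
INDUSTRY_RISK = {"services": 3, "central banking": 6.5,
                 "foreign military": 4.5, "ice cream parlour": 8}
# Constructed band boundaries on the summed score: <9 Low, <14 Medium, else High.
BANDS = [(9.0, "Low"), (14.0, "Medium"), (float("inf"), "High")]

def score(customer):
    """Sum the three factor ratings. An unknown value is rated 8 so that a
    gap in the tables shows up as a conspicuously high score, never a low one."""
    return (COUNTRY_RISK.get(customer["country"], 8)
            + LEGAL_TYPE_RISK.get(customer["legal_type"], 8)
            + INDUSTRY_RISK.get(customer["industry"], 8))

def band(customer):
    """Map the score to the High/Medium/Low band that drives due diligence."""
    s = score(customer)
    return next(label for ceiling, label in BANDS if s < ceiling)

def relative_industry_risk(industry_a, industry_b):
    """Percentage by which the tool rates industry_a above industry_b."""
    return round((INDUSTRY_RISK[industry_a] / INDUSTRY_RISK[industry_b] - 1) * 100)

def sample_mismatches(sample):
    """Pre-implementation test: score reviewed sample customers and return
    those whose band disagrees with the reviewer's expected band."""
    return [(c["name"], band(c), c["expected"])
            for c in sample if band(c) != c["expected"]]

def customer(name, country, legal_type, industry, expected):
    return {"name": name, "country": country, "legal_type": legal_type,
            "industry": industry, "expected": expected}

# Constructed sample with the bands a compliance reviewer would expect.
SAMPLE = [
    customer("UK listed services plc", "GB", "plc", "services", "Low"),
    customer("Jersey subsidiary", "JE", "ltd", "services", "Medium"),
    customer("ECB", "DE", "central bank", "central banking", "Low"),
    customer("Foreign soldier", "DE", "individual", "foreign military", "Medium"),
    customer("Ice cream parlour", "GB", "ltd", "ice cream parlour", "Low"),
]
```

Running `sample_mismatches(SAMPLE)` surfaces the ECB and ice cream parlour entries as the bands a reviewer would not sign off on, which is the kind of finding the London sample test produced.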

As a postscript to this saga, a few months later, Head Office Compliance staff visited London to discuss the overall money laundering risk rating of the branch. They explained they had risk rated each of the individual branches in the home country and they would also risk rate all the bank’s branches around the world.

They concluded that, overall, London was a “High” risk based on its clients and the products it offered. I disagreed with their assessment, given the nature of our largely regulated or quoted client base and the lack of reliable evidence that the securities markets are widely used to launder criminal proceeds. They explained they had used the original risk scoring tool to rate all branches, including London, but they said that they would happily accept an alternative assessment from me.

They noted they had sent their overall risk rating of the home branches to their home regulator. I was surprised as my colleagues had earlier confirmed that they had used the now discredited risk tool to assess the home branches. I inquired “So you knowingly sent the regulator an overall risk assessment that was based on a risk tool that was substantially flawed?” They shrugged their shoulders and said “Yes. We had to send them something.”

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.