The risk-based approach in Anti-Money Laundering Compliance

The risk based approach to AML - Anti-Money Laundering Compliance

Money Laundering and Terrorist Financing are global threats. Governments across the globe have framed laws and regulations to counter Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF). The regulated entities are obligated to employ their resources to fight financial crimes. For any business, resources are always scarce, and hence they would want them to be employed efficiently. That is where the Risk Based Approach to AML compliance comes into play and helps businesses deal with financial crimes efficiently.

Definition of Risk Based Approach (RBA):

The Risk-Based Approach (RBA) is basically the effective deployment of controls to counter the most significant ML/TF/PF risks a business is exposed to. It takes into account various risk factors, their likelihood of occurrence, impact, controls in place, and the risk appetite of the management to keep ML/TF risks at an acceptable level. Every business has its own risk-bearing capacity, and in AML compliance, it becomes essential to adopt a Risk-Based Approach in order to tackle ML, TF, and PF. Further, under an RBA, there is no such thing as ZERO risk, but it offers the most effective way to counter the risks. EDD for high-risk customers, determination of sample size by AML auditors, cash transaction thresholds, customer acceptance and customer exit policies are some of the common examples of having taken a risk-based approach.

Before going into detail about compliance requirements for a Risk-Based Approach under the UAE’s AML/CFT regulations, let us understand what a Risk-Based Approach in the AML realm means.

What is a Risk-Based Approach in Anti-Money Laundering (AML)?

Risk Based Approach: Meaning

The UAE Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations required Fis, DNFBPs, and VASPs to take a Risk-Based Approach to counter money laundering and terrorist financing risks.

The Risk-Based Approach (RBA) helps reporting entities effectively identify, assess and tackle ML/TF/PF risks. Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) should apply appropriate measures and procedures commensurate with the risks of money laundering, terrorist financing, and proliferation financing. The Risk-Based Approach enables the reporting entities to apply their efforts optimally to mitigate ML/TF/PF and sanctions risks. The RBA provides the risk-sensitive application of AML/CFT measures. Accordingly, companies are able to apply the principle of “higher the risks, higher the controls”.

The application of the Risk-Based Approach helps firms decide on the degree, frequency, or intensity of the ML/TF/PF/ controls.

Enforcement of cash thresholds by entities to mitigate ML/TF risks is one example of a risk-based approach. Other examples of RBA include EDD for high-risk customers, ML/TF independent audits, etc.

Step-by-step implementation of Risk-Based Approach in AML

RBA requires proper implementation of controls for an AML program to be successful. For an effective RBA process, all steps must be looked into and implemented correctly. The following is the step-wise process that DNFBPs should undertake for taking a Risk-Based Approach to compliance:

1. Risk Identification:

In identifying the ML/FT and PF risks to which DNFBPs are exposed, they should consider various internal and external factors such as the nature of business, product, services, risks associated with each customer, geography, especially high-risk jurisdictions and distribution channels. This step becomes a base for risk assessment, as DNFBPs are supposed to conduct risk assessments based on the factors identified to evaluate the emerging and relevant ML/FT and PF threats.

2. Risk Assessment:

It forms the basis of the DNFBP’s RBA for the development of policies and procedures to mitigate ML/TF risk, reflecting the risk appetite of the institution and stating the risk level deemed acceptable.

This step enables DNFBPs to understand the possibilities of risk materialising and the impact thereof.

4. Residual Risk:

It is necessary for DNFBPs to compare the risk profile to risk controls to measure the effectiveness of control measures against risk. This step requires identifying risk that remains after efforts have been made to reduce the inherent risk. The residual risk is also known as net risk.

Residual Risk = Inherent Risk – Controls

5. Risk Appetite:

After residual risk is identified, it is vital to compare it to determine whether it meets the risk acceptance level set out in the risk appetite. Risk appetite is set at the early stage, which defines the amount and type of risk that is accepted. As a forward-looking concept, it helps in assessing the residual risk an organisation can accept.

6. Take Additional Measures:

Principles of The Risk Based Approach to AML Compliance

Acceptance of the existence of risk is the first thing that actually matters when it comes to the principles of the RBA to AML compliance. A risk assessment should be carried out according to the intensity of risk, the risk assessment process should be examined, and the compliance process should be applied.

Inherent Risk:

The gross risk is the risk an entity is exposed to before putting any AML/CFT controls in place.

Residual Risk:

The residual risk is the risk the reporting entity assesses once AML/CFT controls and measures are put in place.

According to the principles of a Risk-Based Approach, controls need to be aligned with the risks involved. The risk-based approach requires an entity to focus more on the risks that can have a higher impact.

For instance, the Customer Due Diligence (CDD) Process for Politically Exposed People (PEPs), which undoubtedly belongs to a high-risk profile, will remain insufficient if Enhanced Due Diligence isn’t carried out for them.

In addition, business enterprises must continuously monitor, analyse, and interpret their pool of data that falls within the scope of anti-money laundering compliance.

The manual monitoring of a business relationship is impractical when the transaction volume is high. Therefore, the regulated entities may resort to transaction monitoring software which can help them identify suspicious patterns in customer’s transactions and help them investigate the cases further and submit SAR/STR depending on the facts of the case.

Importance of Risk-Based Approach in Anti-Money Laundering Compliance

The risk appetite and risk-bearing capacity differ from one company to another. Therefore, following the same AML process for each enterprise or individual will not fetch healthy results.

Besides that, the risk-bearing appetite of the companies from the same industry also differs because the management style isn’t uniform everywhere.

Here is when the need for and importance of a Risk-Based Approach come into the picture. With the help of a Risk-Based Approach, companies from various business sectors can create an anti-money laundering framework that helps them fight ML/TF effectively.

The Traditional Tick-Box Approach vs. Risk-Based-Approach

Prior to the evolution of RBA, financial institutions (Fis) and DNFBPs were employing a tick-box approach to manage their AML compliance requirements. Under the traditional tick-box approach, merely going through a set of uniform AML standards was assessed and satisfied. However, with the changing financial landscape and advancement of technology, the Financial Action Task Force (FATF) presented the concept of RBA.

The following is an analysis of the traditional tick-box approach vs. the Risk-Based Approach on different factors:

Criteria	Tick-Box Approach	Risk-Based Approach
Flexibility	It is an inflexible approach as a set of compliance requirements without considering underlying unique aspects of risk.	It is a flexible approach as it leaves the possibility to consider the unique risk profile and make it more adaptive.
Efficiency	In terms of efficiency, there is no scope to change and make it adaptive to new changes and risks, thus making it an inefficient approach.	It is dynamic and adaptable, which allows efficient use of resources in combating ML/FT and PF risks, thus increasing the efficiency of AML measures.
Resource	This measure follows a resource-intensive approach for applying AML measures. It requires extensive manual effort and time to complete. Thus, for efficient measures, this approach can take up a lot of resources, leading to an increase in financial burden as well.	This allows for smarter allocation of resources by focusing efforts on areas of higher risk, optimising efficiency, and enhancing effectiveness in identifying and mitigating risks. It also fosters a more dynamic and targeted approach to AML compliance.
Effectiveness	It is a superficial approach that only addresses surface-level aspects of AML compliance and disregards associated risks.	It is an effective approach that focuses on in-depth learning, understanding new risks, and implementing measures accordingly.
Prioritising	This works by taking a one-size-fits-all approach to every risk, leaving little room for risk prioritisation.	This approach prioritises risk by incorporating a tailored method for each risk according to its impact and probability.
Proactiveness	It is an active approach for AML measures by working in a manner that follows standard policies without being open to the risk that requires a proactive approach.	It is a proactive approach to compliance by entailing measures for identifying, assessing, and controlling risks.

UAE AML/CFT Laws and FATF Recommendations Around Risk-Based Approach

What is the reasoning behind implementing a risk-based anti-money laundering approach?

The UAE has adopted effective AML laws to combat financial crimes, including ML, FT, and PF. The regulatory framework in the UAE includes federal laws that are aligned with international standards set out by the Financial Action Task Force (FATF).

Within UAE’s legal regime, it has implicitly adopted RBA to AML compliance to understand ML/FT and PF risks and implement appropriate measures. Furthermore, Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to implement RBA to identify, assess and understand ML/FT and PF risks and further take the most appropriate mitigating measures.

The RBA framework is also based on FATF recommendation no. 1, which lays down the principle of applying RBA to assess and adopt measures for ML/FT and PF risks.

Primary Elements of a Risk-Based Approach in AML Compliance for DNFBPs and VASPs

The following is the list of primary elements of a Risk-Based Approach in AML compliance for DNFBPs and VASPs:

ML/FT Enterprise-Wide Risk Assessment

ML/FT Enterprise-Wide Risk Assessment (EWRA), also known as Business Risk Assessment, is a key pillar of the RBA. It is an enterprise-level risk assessment that plays a pivotal role in combating ML/FT and PF risks.

EWRA is a process of identifying all external and internal risk factors such as products, services, transactions, delivery channels, customers, geographies, technology, etc, and further assessing their impact, exploring ways to mitigate, and controlling and monitoring associated risks.

Assessing the risk at the enterprise level helps in formulating a comprehensive and better AML framework.

AML/CFT Policy and Procedures

AML/CFT policies and procedures are the foundational documents that outline an entity’s approach to preventing, detecting, and mitigating ML/FT and PF activities.

These documents provide guiding principles to compliance officers and employees regarding their responsibilities to ensure compliance with AML/CFT regulations and the actions required.

These policy documents cover a wide range of areas under the AML framework that include CDD, transaction monitoring, reporting activities, and risk management.

The policies and procedures detail the actual implementation of RBA within an organisation. What it perceives as an ML/TF/PF risk and the commensurate controls to counter it.

With effective AML/CFT policies and procedures, DNFBPs can establish an effective AML/CFT framework within their organisation to counter financial crimes, including ML/FT and PF.

KYC and Customer Due Diligence (CDD)

Know your customer, and the customer due diligence processes are carried out in order to identify who the customers really are and to further verify their identity and the nature of the businesses they engage with.

These procedures are one of the most fundamental building blocks of efficient and effective anti-money laundering compliance management. Within the scope of these procedures, you can assess and determine the level of risks associated with the customer and then take necessary actions to mitigate those risks.

Assessing the risk level of your customers accurately is an undeniable prerequisite for the Risk-Based Approach. However, without accurate customer due diligence, it is difficult to analyse risks posed by a customer.

Sanctions Screening

Sanctions screening aims to restrict dealings with persons involved in illicit activities. For this purpose, an entity is required to screen names against sanction lists maintained by governments, international organisations, and regulatory authorities.

DNFBPs, by conducting sanctions screening, can efficiently identify and prevent dealings that are against the regulatory framework and can also demonstrate adherence to the compliance requirements.

As per UAE AML Regulations, DNFBPs and VASPs are required to conduct screening against the UNSC Consolidated List and the UAE Local Terrorist List.

If the regulated entity deals with foreign countries, it can adopt a Risk-Based Approach and consider other relevant sanction lists for screening purposes.

PEP Screening

PEP screening means screening customers to identify if they are politically exposed persons (PEPs) or are related to a person identified as PEP. PEPs pose a high risk to DNFBPs because of their prominent position, which can be misused for illicit activities like corruption and financial crimes.

This measure involves screening customers against a PEP database to assess the nature and extent of their political exposure.

PEP screening helps to implement RBA and a better risk assessment process, which enhances the ability to take appropriate risk mitigation measures like Enhanced Due Diligence.

Adverse Media Screening

Any negative news about an individual customer or a business enterprise can broadly impact the decision to enter into a business relationship with them.

Plus, keeping an eye on such news is the best way to protect your organisation from any potential risks that might come when dealing with clients with high-risk profiles.

Adverse Media Screening helps a reporting entity adopt a Risk-Based Approach effectively and fight ML/TF risks.

Anti-money Laundering Transaction Monitoring

The regulated entities conduct CDD and risk assessments while onboarding the customer. This helps them understand the customer profile and the expected nature, volume, and frequency of transactions.

If the actual transactions with customers are not monitored, the risk-based approach adopted by the entity fails. What if the customer is transacting beyond his means?

Regulated entities implement transaction monitoring software which help them segment their customers based on various attributes like age, gender, nationality, turnover, size of business, etc. and frame rules to identify and investigate exceptions.

The system then monitors transactions and generates alerts when it finds a suspicious transaction.

Risk based transaction monitoring helps in suitably changing customer profiles and the risks associated with them, and it helps implement RBA in its true sense.

AML Compliance Officer

The DNFBPs and VASPs in UAE are required to designate a competent person as the company’s compliance officer. The compliance officer is responsible for AML/CFT program management, imparting AML/CFT training, and submitting regulatory reports on the goAML portal.

The AML Compliance Officer is the human arm of the Risk-Based Approach. The compliance officer adds the human element to RBA and changes the approach to fighting ML/TF according to the risks involved.

Thus, an AML compliance officer is an integral part of the implementation of the Risk-Based Approach.

Independent Audit

An AML independent audit is a comprehensive review of the AML program by an external party who is not involved in the operations of the business. The purpose of conducting an AML independent audit is to outline the effectiveness of the AML program, identify gaps for non-compliance and provide recommendations for improvement.

This measure helps maintain the transparency, integrity, and credibility of DNFBPs in the AML efforts. An external AML audit is an integral part of the RBA adopted by the regulated entity.

Monitoring and Review

When an entity establishes business relationships with persons, it is required to conduct ongoing monitoring to address any evolving risks and changes in the compliance framework. Monitoring and review are ongoing processes of RBA in AML that continuously assess the effectiveness of the AML compliance program.

Monitoring measures involve regular surveillance of customers, their transactions, and activities to detect any suspicious activity or unusual behaviour that may indicate potential ML/FT and PF activities.

The review measures include periodic evaluation of the AML framework to identify changes in risk patterns, determine the capacity of control measures in combating financial crimes, and observe areas for improvement.

By undertaking these measures, DNFBPs can proactively address compliance gaps and areas for improvement and, based on such evaluation, enhance their risk management capabilities.

Challenges in Implementing a Risk-Based Approach

Difficulty in Identifying Risk Factors

The complexity of identifying and categorising risk factors makes it difficult to implement RBA within the AML framework. Additionally, the realm of the financial landscape keeps changing due to new trends in criminal activities, making it more difficult to identify risk.

Difficulty in Assessing ML/TF and PF Risks

RBA requires an accurate assessment of ML/FT and PF risks. However, the assessment of ML/FT and PF risks requires knowledge about the financial landscape, known ML/TF/PF typologies, FATF recommendations, National Risk Assessment (NRA), transactions and patterns, which makes it difficult to assess.

Difficulty in Assessing the Effectiveness of Controls

The application of AML measures requires continuous updates and monitoring due to the dynamic nature of the business. This requires continuous changes in control measures, thus making it difficult to assess the effectiveness of control measures. Further, the effectiveness of the control measures is measured by the quality of their implementation than the quantity. This adds a layer of subjectivity to the overall assessment.

Difficulty in Identifying Risk Appetite

It is a crucial step of RBA to establish an accurate Risk Appetite Statement that lays down the level of risk an entity is willing to accept. However, it becomes difficult to identify risk appetite due to the changing landscape and the involvement of multiple parameters.

Lack of Expertise

The application of RBA is technical, and it requires knowledge of the business and existing and emerging ML/TF/PF risks and their patterns. DNFBPs face challenges here due to their small size and the unavailability of competent persons internally.

Top Management Support

RBA requires taking proactive action to combat ML/FT and PF risks and top management’s support is vital as various actions require approval from senior management, which at times can be difficult. Unavailability and resistance to change from top management makes it difficult for businesses to take proactive measures.

Consistency in Risk Assessment Methodologies

Consistency is utmost important while adopting RBA for risk management. It helps staff stick to a uniform procedure. However, for a growing organization, changes in products, services, and technology are constant variables. This leads to inconsistency in applying RBA.

Handling Customer Experience

RBA requires taking stringent measures to implement an effective AML framework within the organisation. These measures include undertaking enhanced due diligence and monitoring, which may cause inconvenience to customers who are not involved in any illicit activities. It is thus difficult to find a balance between mitigating AML risks and positive customer experience.

Lack of Budget

RBA is a detailed process that requires expert knowledge and resources for effective implementation. However, such measures need budgetary support, which could be difficult for small organisations.

Building a Robust AML Compliance Framework using RBA

Crafting an effective AML compliance framework using RBA is important to detect and deter financial crimes, including ML/FT and PF.

Here is the list of elements required for building a robust AML compliance framework using RBA:

Establishing a Strong AML Culture

The AML compliance culture means shared values, practices, and behaviours within a business workplace that prioritise adherence to the AML regulatory framework.

With a strong compliance culture, businesses can efficiently and consistently employ a risk-based approach.

Training and Awareness Programs for Staff

Compliance officers and staff need to carry out responsibilities in the AML/CFT framework for successful compliance with the AML regulatory requirements. An AML compliance framework incorporates a training program tailored to staff based on their role and responsibilities. Further, in order to have effective AML governance, DNFBPs must undertake periodic and up-to-date training program activities and maintain training records.

With such AML training programs, employees can easily understand ML/FT and PF risks and, therefore, employ measures required to fight such risks. This goes a long way in implementing the RBA in the regulated entity.

Customer Identification and Verification

To ensure compliance with KYC and CDD requirements, customer identification and verification systems are necessary. Customer identification and verification systems come with liveness checks, two-factor authentication, and checks for the authenticity of ID documents. Such systems help adopt a Risk-Based Approach and determine if the customer is acceptable, considering the company’s customer acceptance policy.

Transaction Monitoring

Transaction monitoring helps identify transactions that do not align with the customer’s profile or expected business activities. There are transaction monitoring tools available to identify suspicious patterns and put transactions on hold until the compliance team investigates them and decides if there is a requirement to submit SAR/STR.

By employing transaction monitoring tools, DNFBPs can take a Risk-Based Approach and decide if EDD is required, customer offboarding is necessary, or the system generates a false alert.

Record-Keeping

Under the UAE AML/CFT Laws, regulated entities are required to keep all AML/CFT records for a minimum of 5 years. The ADGM and DIFC-based entities are required to retain records for 6 years.

The record-keeping serves as evidence of having taken a Risk-Based Approach.

Reporting Structure

An effective reporting structure is required for better implementation of the AML framework to combat ML/FT and PF risks. DNFBPs must maintain records and develop a reporting system in their AML governance program.

This measure must include systems for maintaining data on the number of customers rejected, terminated relationships, transactions monitored, and alerts generated, as well as systems for reporting suspicious transaction reports and suspicious activity reports STRs/SARs via the goAML system.

Periodic AML/CFT compliance reporting to top management helps management take a Risk-Based Approach and determine if they need to put in more resources to counter ML/TF risks or tweak AML/CFT policies and procedures to align them with their risk appetite.

Internal Controls and Risk Management

Internal Controls and Risk Management processes help fight ML/TF. The nature and extent of such internal control mechanisms differ from business to business, depending on the entity’s risk appetite and risk-based approach.

Technological Support

Technology has made life easy for DNFBPs and criminals as well. To counter technologically driven criminal activities, the AML compliance framework should leave space to employ technologically driven tools.

It also helps enhance AML compliance by quickly analysing vast quantities of data to detect suspicious patterns and anomalies that might indicate the happening of ML, FT, or PF activity.

How Does the Risk-Based Approach Work in AML?

The Risk-Based Approach works differently for every business as no two businesses are the same, and so are the risks. It essentially boils down to the risk appetite of the regulated entity and what they think is an acceptable risk.

There is no concept like ZERO risk in business. Risk management is resource-intensive, and businesses have to control their costs. However, they also need to ensure that the ML/TF and PF are countered and legal requirements are met.

Regulated entities, therefore, prioritise their risks and enforce controls judicially to maintain risks at an acceptable level.

Benefits of a Risk-Based Approach to AML

Resource Optimization

Risk-based approach to compliance focuses on allocating resources based on risk assessment and its impact on the regulated entity. It’s a need-based resource allocation which optimises resource utilisation and saves costs.

Effective in Countering ML/TF

With elaborate steps and a defined approach, RBA effectively counters ML/FT and PF risks. Furthermore, RBA targets the risk in a structured manner based on its impact. This increases the effectiveness of DNFBPs’ AML efforts.

Enhances Customer Onboarding Experience

RBA enhances the customer onboarding experience. It treats each customer in isolation depending on the risks they pose to the business. Low-risk customers undergo simplified due diligence, medium-risk customers undergo standard due diligence, and high-risk customers undergo enhanced due diligence.

In the case of high-risk customers, the business can also decide to exit the business relationship if the risks are not acceptable as per the risk appetite.

This enhances the customer onboarding experience as not everyone goes through the stringent KYC and CDD requirements.

Improved Risk Management

RBA follows a proactive approach to prevent and mitigate financial risks, including ML/FT and PF. Such proactive measures of identifying and managing risks reduce DNFBPS’ exposure to financial crimes and illicit activities.

Ensures Regulatory Compliance

It is essential for all DNFBPs in the UAE to adhere to the AML/CFT regulatory framework. RBA increases their attention to regulatory outcomes, and activities throughout the business lifecycle. Thus, adopting RBA in their AML framework helps DNFBPs meet their regulatory requirements effectively.

Strategic Business Insights

RBA is a continuous process that involves risk assessment, policy framework, and the systematic application of mitigation measures. With RBA to AML, DNFBPs gain valuable insights for informed decision–making and improving performance. Therefore, RBA enhances flexibility in AML compliance and boosts competitiveness in the market.

Improved Regulatory Reporting

RBA applies controls based on risk level and focuses on prioritising resources on identified risks. With such a targeted approach, it is easier for DNFBPs to focus on high-risk areas and report suspicious activities with more efficiency and accuracy. RBA, therefore, improves the reporting system, which helps DNFBPs, as well as regulatory authorities, to fight ML/TF risks effectively.

Employee Engagement

Adopting RBA requires the proactive application of measures that require quick decision–making for AML policies, implementation, and performance assessment. This fosters employee engagement, which enhances the overall effectiveness of AML measures and promotes responsibility among employees and a compliance culture.

Final words on Risk Based Approach

The UAE AML CFT Law requires FIs, DNFBPs, and VASPs to employ a Risk-Based Approach that is tailored to their business. The controls employed by a reporting entity should be in sync with the risks to which it is exposed. Money Laundering and Terrorist Financing risks differ from organisation to organisation and industry to industry. Therefore, DNFBPs need to assess and understand ML/TF risks associated with each customer, supplier, and third party.

The adoption of a Risk-Based Approach does not mean that the organisation will be able to eliminate all risks related to financial crime. It only means that ML/TF risks are managed, but the organisation is still vulnerable to various risks that it couldn’t identify and assess. Risks, by their very nature, are dynamic.

Niyeahma provides extensive help and guidance on implementing a Risk-Based Approach. Contact us if you are looking to optimise your ML/TF countermeasures.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.