Under 4AMLD, ESA has been assigned the task of issuing guidelines on the risk factors to be taken into consideration and the measures to be taken in situations where simplified CDD or enhanced CDD measures would be appropriate. A final version of these Guidelines was issued in June and is appropriately called “The Risk Factors Guidelines”. The aim of the Guidelines is “to promote the development of a common understanding, by firms and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied”. The Guidelines will apply from 26 June 2018.
1. Current Barriers to RBA
These risk factors are relevant considering the additional emphasis put on a risk-based approach (RBA) under 4AMLD, and they are much welcomed, as Compliance Officers have often felt that implementation of a risk-based approach was too risky: better safe than sorry. And not only on the business side: some regulators have also failed to support RBA. It is worth noting that during the consultation on the Guidelines respondents raised concerns about the ability of national competent authorities to apply these Guidelines in a consistent manner. Certain authorities have (unintentionally) created barriers to a truly effective implementation of RBA. It is almost a chicken-and-egg story: companies will keep any engrained tick-box approach to satisfy the regulator if the regulator does not truly support RBA. These concerns are extremely valid in my view. For the different applications of AML obligations per EU country, see my white paper “Payments Compliance in Europe – Gaining Competitive Advantage through AML/KYC Regulations” (https://emergingpayments.org/resources/payments-compliance-in-europe-gaining-competitive-advantage-through-amlkyc-regulations/).
Let’s hope these Guidelines will pave the way to RBA acceptance by all EU regulators and consequently result in compliance departments feeling comfortable enough to consider a true implementation of RBA. It may no longer be too risky to implement a risk-based approach. It should further contribute to Compliance Officers getting a better understanding of their firms’ customers and underlying risk exposures, as the Guidelines require a thorough assessment of the circumstances surrounding those customers.
2. What and Who?
2.1 What is RBA again?
It is extremely relevant to remind everyone of what a risk-based approach means. RBA is an approach where most resources are put on customers/transactions that pose increased ML/TF risk and fewer resources where there is less risk (as FATF and these Guidelines define it: “RBA to AML/CFT means that countries, authorities and Financial Institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively”).
2.2 What do the Guidelines preach?
The Guidelines set out which factors are to be considered when assessing money laundering/terrorist financing (ML/TF) risk and how the extent of CDD measures can be adjusted so that they are commensurate to the identified ML/TF risks. However, the Guidelines also note that the factors and measures described are not exhaustive and that obliged entities should consider other factors and measures as appropriate.
2.3 For whom relevant?
Besides a first general part applicable to all companies, there are also sector-specific guidelines for correspondent banks, retail banks, e-money issuers (EMIs), money remitters, wealth management, trade finance providers, life insurance undertakings, investment firms and providers of investment funds. Unfortunately, sector-specific guidelines for certain other companies, such as payment institutions (PIs), are missing, even though they are also obliged entities under 4AMLD. It is unclear why these are omitted, especially considering that they represent a big chunk of the financial institutions out there, but let’s assume that at least the general part provides sufficient guidance for these entities.
So now that we know what the Guidelines truly entail and to whom they apply, I want to do an overall assessment of how these Guidelines would work in the real world.
3. Are the Risk Factors Guidelines Standing in the Way of RBA?
Title II is general and applies to all firms; it is designed to equip firms with the tools to make informed, risk-based decisions when identifying, assessing and managing the ML/TF risk associated with individual business relationships or occasional transactions.
While the risk factors laid down in the ESAs’ Guidelines are considered helpful, it remains to be seen how they will truly contribute to RBA (I will come back to that later). I was surprised to learn that ESA explicitly emphasizes that the Guidelines are focused on risk assessments of individual business relationships and occasional transactions, but that they could also be used for the business-wide ML/TF risk assessment pursuant to Article 8 AMLD (Title I, subject matter, point 2, page 9). However, the primary focus as stated by ESA is supporting CDD at customer level.
3.1 Less or more resources?
When reading the risk factors and the questions posed (as part of these factors, to assist in the assessment of the risks), I could not help but wonder how much time and effort it would take obliged entities to have these questions answered on a per-customer/transaction basis, regardless of whether the outcome of their assessment is low or high risk. The Guidelines seem to stipulate that in order to reach the outcome of a risk assessment of a particular customer being high or low risk – and then determine CDD levels – the questions should be answered first.
3.2 How many questions to answer?
The referenced Customer risk factors name three areas to focus on (customer/UBO reputation, activity and nature/behaviour), with in total over 25 questions listed as relevant risk factors when considering said customer risk. Counting the questions under the other risk factors results in a total of almost 60 questions to be answered on a per-customer basis in order to assess the associated risk. It is not immediately clear whether the questions are mere examples to pick and choose from or whether they should all be reviewed, but it might just be the latter (the wording used in the Guidelines per risk area is “Risk factors firms should consider…include”, but on other occasions “Risk factors that may be relevant…include”). The ESA clarified during the consultation that the word ‘must’ is used to describe a legal obligation, ‘should’ introduces a strong expectation and ‘may’ describes examples of possible measures firms could take to meet their legal and regulatory obligations. Of all risk factor questions, 11 out of 18 are ‘should consider’ and the remaining 7 ‘may consider’. However, it is also made very clear that the ESA expects that, “in accordance with Article 16(3) of the ESAs Regulations, competent authorities and financial institutions must make every effort to comply with the guidelines.” It is unclear how compliance is expected in the cases of the ‘should’s and the ‘may’s. How does one comply with an expectation, and how is it enforced? In any case, answering these questions for each customer individually will take up quite some time and have a tremendous impact on the onboarding process.
3.3 Can it get worse?
When ESA discusses the weighting of risk factors, it seems to get even more complicated. Weighting of risk factors is used to define the level of importance of a certain factor. A firm may, given its products/services or customer base, consider a specific factor more relevant than another. Not every factor gets an equal share in calculating the final risk score. Depending upon the complexity of a firm’s RBA matrix (in such a matrix each risk area sets different factors, resulting in a final calculation of a certain risk level for a customer), weighting factors may be included. However, these weighting factors are already set prior to an individual customer assessment and apply to all customers.
Be that as it may, the Guidelines state: “When weighting risk factors, firms should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. This often results in firms allocating different ‘scores’ to different factors; for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek.” “Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another.” (bullets 36-37, page 22). So, firms will need to assign different weighting risk factors at a per-customer level (rather than at overall business level) as well?
4. Automation please!
Automation to decrease time and effort is the only option I see here if firms do not want to triple their compliance resources. However, firms are warned that they should take a holistic view of the risk associated with a situation, and that the presence of isolated risk factors as laid down in the Guidelines does not necessarily move a relationship into a higher or lower risk category. An assessment of the customer by a real-life person for the final risk assessment will remain required at all times. Risk scoring solutions and the use of Artificial Intelligence might be the only answer to a firm’s prayers. I truly hope that the current service providers and their risk scoring models can adapt to ensure compliance with these Guidelines and facilitate risk scoring differentiation per customer.
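As an added illustration of the weighting mechanism discussed in 3.3 and the holistic caveat above (example code, not from the post or the Guidelines): area weights are set once business-wide, a per-relationship adjustment lowers the geography weight for a product the firm treats as low risk (along the lines of the Guidelines’ own jurisdiction/product example), and a single isolated factor is held at ‘standard’ and flagged for the analyst rather than moving the category by itself. Area names follow the 4AMLD risk categories; the weights, thresholds, product names and factor scores are constructed.

```python
from dataclasses import dataclass, field

# Business-wide weights per risk area, set once for all customers. Area names
# follow the 4AMLD categories; the values are constructed for this example.
DEFAULT_WEIGHTS = {"customer": 1.5, "geography": 1.0, "product": 1.0, "channel": 0.5}

# Constructed: products whose features make geographic links less relevant,
# mirroring the Guidelines' example of per-relationship weighting.
LOW_RISK_PRODUCTS = {"low_value_prepaid"}
GEOGRAPHY_DISCOUNT = 0.5

HIGH_AT, LOW_BELOW = 4.0, 1.0   # constructed thresholds on the weighted total


@dataclass
class Assessment:
    product: str
    answers: dict                 # area -> list of factor scores, 0 (none) to 3 (strong concern)
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))


def per_customer_weights(a: Assessment) -> dict:
    """Start from the business-wide weights, then adjust for this relationship."""
    w = dict(a.weights)
    if a.product in LOW_RISK_PRODUCTS:
        w["geography"] *= GEOGRAPHY_DISCOUNT
    return w


def weighted_total(a: Assessment) -> float:
    """Concerns within an area accumulate; each area is then weighted."""
    w = per_customer_weights(a)
    return sum(w[area] * sum(a.answers.get(area, [])) for area in w)


def classify(a: Assessment) -> tuple:
    """Propose a category for the analyst's final decision; return (category, notes)."""
    total = weighted_total(a)
    category = "high" if total >= HIGH_AT else "low" if total < LOW_BELOW else "standard"
    notes = []
    raised = [s for scores in a.answers.values() for s in scores if s > 0]
    # Holistic view: one isolated concern does not by itself push the relationship to high.
    if len(raised) == 1 and category == "high":
        notes.append(f"isolated factor only (score {total}); held at 'standard' for analyst review")
        category = "standard"
    return category, notes


if __name__ == "__main__":
    links = {"geography": [3, 2], "product": [1]}
    print(classify(Assessment("current_account", links)))      # same answers, product changes weight
    print(classify(Assessment("low_value_prepaid", links)))
    print(classify(Assessment("current_account", {"customer": [3]})))
```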
5. Are firms up for the task?
As stated above, ESA emphasizes on multiple occasions throughout the Guidelines that they are primarily relevant for the customer-specific risk assessment. However, does it not make most sense to embed these risk factors and their questions while setting up an RBA matrix in general, rather than on a per-customer basis? It would at least make the job doable and less complicated in my view. Having to perform such an assessment each time per customer, even before its risk classification is determined, does in fact stand in the way of a true RBA. The same considerable amount of time and effort has to be spent to determine whether a customer is high risk or low risk. If the customer turns out to be low risk, it is only at the CDD and monitoring stage that fewer resources can be assigned; a lot of effort will already have been spent in order to arrive at the customer risk classification pursuant to these Guidelines.
The intentions are good and the risk factors are truly helpful. But it seems to fail on implementation. Rather than being a helpful contribution, this would hurt a true and effective implementation of RBA in the broadest sense: fewer resources on less risk throughout the entire customer onboarding and customer relationship management process. An intensive risk assessment during onboarding would still require many more resources in the compliance teams. Less heavy lifting during KYC document requests, assessments and monitoring does not change the resource need prior to that. This resource need can only be addressed – partially, though – through (semi-)automation (provided that the service providers can adapt their models accordingly!) and would force even small firms – who have always used their own in-house risk scoring models – to make quite an investment in that area.
I would recommend reconsidering the Guidelines so that implementation of these risk factors and their questions is recommended at a business-wide level rather than on a per-customer basis. In any case, regardless of the level at which these risk factors are to be embedded, Compliance departments and regulators have a hefty task ahead of them.