Risk-based approach in the field of AML/CFT in the financial sector

Currently, in the framework of the Eurasian group on combating money laundering and financing of terrorism, research on the theme "Development of methodology of application of a risk-based approach in the field of AML/CFT in the financial sector" is being conducted. Its main goal is to develop a methodology for a risk-based approach (RBA) for the banking sector and non-banking institutions of the financial sector. The research will consist of the following parts: the definition of the concept of the RBA; definition of criteria for assessing the risk of ML/TF; a description of the approaches of assessing the risk of ML/TF; development of a model of monitoring of clients depending on the risk of ML/TF; an algorithm for the adoption of managerial decisions based on assessment of the risk of ML/TF; the assessment of the risk of involvement of the financial organization in suspicious transactions; development of recommendations on application of the methodology.

When developing a new edition of the Recommendations, the FATF uses an approach based on risk assessment. In the framework of the implementation of such an approach, financial institutions and other organizations of the financial sector shall develop and implement measures for identifying and assessing the risks of ML/FT (by customers, countries and geographic regions, products, services, operations and distribution channels) according to the FATF, as well as the documentation of the assessment of the risks. For this it is necessary to develop appropriate policies and procedures, and to control and mitigate the identified risks.

We invite participants of the forum to express their point of view in respect of approaches to the EAG research, as well as their considerations in the above areas of research. We would like to collect a maximum number of opinions and study the different positions of the experts, even polar in their essence, formed by the time of the research.

12:13 23.11.2011 - posted by Konstantin
Dear experts, I suggest dividing the discussion according to the directions of the application of the risk-based approach: 1) risk-based approach concerning the supervisory authorities – how exactly do they define certain organizations which need to be checked 2) risk-based approach concerning the client’s operations (only suspicious OPERATIONS are checked with no regard to the client, which means that the client or his profile is a secondary factor in this case) 3) risk-based approach concerning the permanent/intensified monitoring of CERTAIN clients and their operations (not only politically exposed persons but also persons who are suspected of committing a crime or assisting in illegal activity). Which approaches, solutions or decisions could be useful concerning the directions mentioned above, from your point of view? What are the most useful practices of implementation of RBA in other countries?

16:44 22.11.2011 - posted by Viktor
It is also important to note that the risk-based approach is mistakenly confused with liberalization. Yet, in our opinion, it is not what FATF implies. Here the case of the European Union may be relevant. For more than five years the RBA has been considered there as a way to enhance the effectiveness of the AML/FT system. The risk-based approach allows concentrating on really risky cases by reallocating the relevant resources. In fact, that is a way to employ a flexible approach instead of a purely technical one. For example, there are cases when a customer de facto uses the services of more than one financial institution (e.g., if the credit card is associated with the ‘wallet’). In those situations the KYC measures (if they are fully in place) are only duplicated without any valuable contribution to the AML/FT activities. And that is the most important thing – RBA should be based on the considerations of effectiveness and sensible allocation of resources.

16:44 22.11.2011 - posted by Viktor
cont. ... We consider that inherently wrong – because the lower the level of analysis, the more precise the AML/FT will be. Yet, the analysis of the risks for the typical operation is not enough – risk-minimization factors are to be taken into account as well (e.g., if the credit card is associated with the ‘wallet’). That is why it is virtually impossible to create a universal system – hence, the central role of the typologies. The Ukrainian situation mentioned below is quite indicative. For banks, making clients give additional information is not an easy task. But there is an obvious solution for the E-money systems. Since the functionality of the ‘wallets’ is inherently limited, encouraging cooperation with the FI is simpler. Every step should be accompanied by enhancement of functionality (e.g., imposing lighter limits for transactions). But in order for that system to work, we need to acknowledge that acquiring information is also a risk-minimizing factor (something that can be accomplished in the RBA framework as well).

16:43 22.11.2011 - posted by Viktor
As mentioned below, risk-based approach is relevant both for the regulating authorities and the regulated institutions. Firstly, the essence of the risk-based approach should be defined. From the FIs’ view, this is when allocation of resources used for AML/FT purposes is proportionate to the operation/client/product risk. As pointed out by Konstantin, typologies are of utter importance in that respect – if one knows that certain situation can be exploited by the criminals it should become the primary focus of attention. For banks that provide wide range of services the elaboration of the risk-based approach is a truly large-scale task. That is why the example of e-money may be simpler. E-Money operators allow only limited list of operations: topping-up, withdrawal, payment and e-money transfer. Still, we see different interpretations of the RBA here as well. There is an opinion that according to RBA, all e-money operations are to be assigned the same level of risk...

14:36 22.11.2011 - posted by adm
Re-posted from Russian branch of the forum: http://experts.eurasiangroup.org/ru/index.php?item=39 Author: Andrey

Risk oriented approach in organizing AML/CFT inner control system in a bank will always be based on quality evaluation of inner policy and procedures which exist in credit organizations. Herewith it is very difficult to carry out precise quality factors evaluation so, that it would reflect the opinions of both: credit organizations and supervision authority by a number of reasons.

The first reason is that the level of subjectivity is high enough when it comes to quality factors evaluation. That’s why positive characteristic given by the bank may not be similar to the supervision authority opinion. Thereat, each characteristic has enough evidence to be recognized.

The second reason: the evaluation of banks’ compliance with the quality requirements (quality factors measurements) is always based on characteristics (correlations) which satisfy the bank. It means – when AML/CFT risks are minimal in the opinion of the bank’s experts and management. However, the same characteristics may not be sufficient for supervision authority employees – the interpretation of risk level can be different.

Third reason. Risk oriented approach applied by the credit organization in AML/CFT risks control sphere will always be aimed to carry out quality monitoring of suspicious operations. Timely revelation of the operation, deal, activity which has suspicious or extraordinary attributes (when and on which level this risk was determined) – these are the quality characteristics of the process. Will one or several messages addressed to Rosfinmonitoring untimely serve as an evaluation criterion for the bank’s policy and procedures? I don’t think so. In my opinion, risk oriented approach in AML/CFT system of a bank involves centralization of the efforts (material, labor and intellectual assets) focused on the revelation of the operations which presumably have the aim of money laundering or terrorist financing, in other words, high-risk operations. Risk oriented approach is effective when the bank can prevent or minimize high risks. Credit organization should elaborate its own criteria of the inner AML/CFT control system. The question is: will these criteria be enough for the supervision authority? Nowadays, the quality evaluation of the credit organization’s activity in AML/CFT sphere is based mainly on quantitative characteristics. That’s why we can’t talk about effective risk oriented approach in this situation. The methodological basis should be marked in supervision authorities’ recommendations and the methods and procedures – elaborated by credit organizations.

10:16 22.11.2011 - posted by Armen
Another thought on employing risk based approach in banking is the following: the methodology of such risk assessment should be segregated into 3 broad parts:
- Gross risks as per different factors: jurisdictional risks, client types risks, product risks, etc.
- Controls applied to minimize or deter any of those risks
- Net risks remaining which should be escalated and discussed with management on how they could be further handled.
For example, if a bank operates in high risks jurisdictions, then one of the gross risks will be the sanctions risks applied to its clients. The controls measure would be World-Check screening compulsorily applied when onboarding each new client. Then, the net risk would remain that a client might become sanctioned after onboarding. So, one could discuss with the management the ways to ensure that such screenings are regularly running per the existing client base and the alerts are appropriately reviewed.

14:34 10.11.2011 - posted by Igor Nebyvaev

First of all, the management of any risk implies the assessment of risk and the adoption of appropriate management decisions in order to minimize and avoid the risk. This same approach can be applied to the assessment of the risk of involvement of the financial organization in the schemes of money laundering and financing of terrorism.

In this connection, the main task is the definition of the boundaries of risk-based approach (RBA), its components and their relationship with each other, as well as to develop the ideal ratio efficiency/ cost of labor for its implementation.

In the development of methodical recommendations for financial organizations on the use of the RBA in matters of AML/CFT it is necessary to identify the following important aspects:

1) What information is needed to assess the risk of ML/FT (this can include the information about the profile of the client's activity and information about the operations of the client in the financial organization), and how detailed should such information be?

2) What risk assessment models financial organizations can use?

3) What should be monitored depending on the level of risk of ML/TF, with what frequency, and what types of client operations are subject to analysis depending on the level of risk?

4) How should procedure for making of managerial decisions be built, at what level of risk the question of customer service should be transferred to the level of management, what are the possible variants of the solution?

14:32 10.11.2011 - posted by Galina Bobrysheva

Various supervisory bodies both in Russia and all over the world apply a risk-based approach (RBA) for a long time to a certain extent. However, the general concept to it has not yet been developed.

Supervisory bodies have a limited resource from the point of view of audits and other supervisory activities in connection with the fact that the number of supervised institutions are far beyond the capabilities of a full-scale surveillance and incommensurable with it. A special place in the supervisory sphere is traditionally occupied by national/central banks. Because of their special role in the economy they are forced to lead overall supervision and control. This is due to the special role of the banking system in the society and the need to manage related risks.

Today RBA has found its application in various spheres of supervision, but the approaches to it are different. Any supervisory authority studies accountable facilities and identifies those of them associated with the highest risk before taking the test. In the process of regular remote monitoring of the supervised organizations they develop appropriate risk criteria. In turn, these criteria are reflected in the development plans of inspections, which are included in the most problematic from the point of view of the company's risk. Cases, when the sanctions are implied in respect of the supervised organizations (they are to be fined, lost their licenses or eliminated), are a consequence of the application of the

10:24 04.08.2011 - posted by Armen
I have managed and completed a survey on ML / FT strategic risk assessment in Armenia, which has been proactively discussed and received general approval at MONEYVAL. The manual / methodology upon which the survey was conducted broke down the following risk categories (with quantitative and qualitative indicators to assess such risks):
- major risks in financial sector,
- major risks in non-financial and non-commercial sectors,
- major risks in economic, geographic and demographic environments.
As to the banking sector the risk was assessed taking the following indicators:
- financial market share (as per capital and assets)
- ownership structure (domestic vs. foreign ownership and backgrounds of owners / UBO-s)
- client base (share of non-resident clients)
- number and character of STRs filed
- use of new technologies in banking and risks associated with that.
This is a brief outline of the methodology. I can surely discuss it in more detail upon interest.

