What is Risk-Based Approach (RBA) in KYC/AML?
In the mid-1990s, KYC and AML regulations were still new and prescriptive in nature. Banks and Financial Institutions were forced to tick the boxes and follow best practices. The prescriptive approach was that regulations were originally based on the risks and controls relating to retail banking and simply did not fit other business models, such as private, institutional or investment banking and wealth management.
Due to the increased regulatory burden, almost all businesses now have to comply and tick the boxes as best they could. This resulted in firms trying to customize and change AML controls to fit their own business models, trying to satisfy the regulatory, but potentially missing the actual risks they were exposed. Thus the compliance efforts failed to meet regulatory expectations. This created a new approach to managing risk called Risk-Based Approach (RBA).
The aim of RBA was to create an environment where controls were commensurate with actual risk. RBA is a more flexible and rational approach to KYC/AML, addressing the actual risks to which the application of AML controls was exposed, rather than simply ticking boxes hoping to satisfy the regulator.
RBA & FATF
In 2007, the Financial Action Task Force (FATF) stepped in with its first attempt at implementing an RBA, issuing a paper which stated:
“By adopting a risk-based approach, competent authorities and financial institutions are able to ensure that measures to prevent or mitigate money laundering and financing threats are commensurate to the risks identified. This will allow resources to be allocated in the most efficient ways. The principle is that resources should be directed in accordance with priorities so that the greatest risks receive the highest attention.”
The intention of RBA was to create more practical methodologies and processes for KYC and AML. The result was somewhat different, with highly complex processes emerging in many instances as a direct result of individual interpretation of the new guidelines. This led to widespread confusion throughout the financial industry.
The FATF then revised its guidelines in 2010. The Expert Working Group advising the FATF on the risk-based approach and FATF Recommendations in 2010 said:
“As a basic principle, financial institutions and DNFBPs (Designated Non-Financial Business Providers) should be required to take steps to identify and assess their money laundering/financing threat risks for customers, countries or geographic areas, and products/services/transactions/delivery channels.”
In 2012, as part of their revision of the 40 Recommendations, the FATF issued a further definition regarding the RBA requiring countries to assess and understand their money laundering/threat financing risks and to designate an authority to coordinate actions to assess and mitigate risks using a risk-based approach. It also noted that countries should require reporting entities to assess and take effective action to mitigate their money laundering/financing threat risks.
The 2010 and 2012 definitions delivered largely positive results: By focusing on understanding money laundering/financing risk and then deploying effective controls to manage and mitigate those risks, the current guidelines are far more pragmatic and therefore much more useful to banks and FIs grappling with a constantly increasing regulatory burden.
This evolution in the RBA has resulted in two distinct pillars of risk assessment.
- First, on a country-by-country basis, each individual government needs to understand their vulnerability to money laundering. This is being rolled out through national risk assessments.
- Second, against the context of national risk, each FI must complete its own internal risk assessment, tailoring its money laundering/financing threat risk management program
RBA as a concept is a rational approach to KYC/AML processes and it is far superior to the tick-box approach it has replaced. What’s needed is the simplicity of assessment and application, because the very real risk faced by firms is vast amounts of time and effort spent in creating an environment that complies with regulations but does not actually manage the real risks they face.
One possible solution: Implement a robust KYC/AML technology such as KYC-Chain which enables platforms to easily identify the risks posed by clients. This involves continuous monitoring as well as sophisticated AML sanction screenings. Get in touch and book a free DEMO today.
