
Risk-Based Approach
Understanding and Implementation
Challenges between risk appetite and compliance

Prepared by: Karima Touil

Table of Contents

Executive summary ........ 1
1. Background ........ 2
1.2. Purpose and Scope ........ 2
1.3. Understanding of RBA ........ 2
2. Definition ........ 3
2.1. Components of the Risk-Based Approach and Risk Profiling ........ 4
2.2. Residual Risk Scoring ........ 8
2.3. Risk-Based Approach vs. Risk Appetite ........ 8
3. Implementation Process ........ 8
3.1. Implementation Stages ........ 9
3.2. Customer Onboarding Lifecycle in the Risk-Based Approach ........ 9
3.3. Enhanced Due Diligence in the Risk-Based Approach ........ 9
3.4. Internal Controls ........ 10
3.5. Challenges Faced by the Financial Institution ........ 10
4. Risk-Based Approach Compliance Review ........ 10
4.1. Reviewer Expectations ........ 10
4.2. Risk Assessment and Ongoing Update ........ 11
Conclusion ........ 11
References ........ 12
Abbreviations and Acronyms ........ 12
Appendix 1 – High-Risk Business Activities - RBA
Appendix 2 - Customer Onboarding Lifecycle in the Risk-Based Approach
Appendix 3 - Customer Risk Assessment Sample

Executive Summary

Amid today’s emerging risks and challenges, financial institutions, especially in the Middle East, are
exposed to money laundering, terrorist financing and sanctions risks, making it necessary to adopt
preventive measures within the financial institution to mitigate those risks.

Regulators are increasingly aware of the impact of money laundering and of the advancing and
evolving methods used by money launderers, and the nature and level of regulatory scrutiny has
kept pace: regulators ensure that stringent regulations are complied with and impose fines on any
financial institution found to be in breach of anti-money laundering (AML) rules.

In a study conducted by Deloitte on the evolution of anti-money laundering/counter-terrorist
financing (AML/CTF) risk management, the trend of fines (Figure 1) has risen to record-breaking
levels, with fines imposed on banks such as BNP Paribas, which was fined $8.9 billion for
noncompliance with AML rules and sanctions breaches.

Figure 1: Trend of fines and penalties 2003-2004 (Deloitte study on AML/CTF risk management evolutions)

These fines were an eye-opener for financial institutions, which are required to enhance their
control measures to mitigate AML/CTF risks as set out by the relevant rules and regulations.

New technologies in the field may certainly provide more advanced ways and features to
implement a risk-based approach within financial institutions, helping them to better monitor
client and transactional behavior. To do so, however, the financial institution must have a good
understanding of the requirements for implementing such tools.

1. Background

The aim of this paper is to share with AML professionals the experience of one of the leading
banks in the United Arab Emirates (UAE) in implementing customer risk assessment.

This paper takes the reader through the steps followed in implementing the risk-based approach
during the initial onboarding phase across all banking groups, the various challenges faced during
and after implementation, and the point of view of audit in terms of the requirements and the
approach.

1.2. Purpose and Scope

The purpose of this paper is to highlight the steps of developing and implementing a risk-based
approach in a financial institution including sharing the expectation of the regulators and
auditors.

The targeted audiences are mainly AML professionals that would like to implement the RBA in
financial institutions or that had already integrated a similar approach.

1.3. Understanding of RBA

The term “risk” can be defined as a “combination of the likelihood of an adverse event (hazard,
harm) occurring, and of the potential magnitude of the damage caused” (the incident itself, the
number of people affected and the severity of the damage for each).1

Considering the aforementioned factors, financial institutions should understand that the risk-
based approach is a quantitative methodology that will not eliminate risk; rather, it enables an
understanding of risks with the aim of mitigating their impact, which requires identification of
risk factors, their classification and scoring.

2. Definition:

What is a risk-based approach?

In 2007, the Financial Action Task Force (FATF) introduced guidance entitled “Risk-Based
Approach to Combating Money Laundering and Terrorist Financing,” outlining the importance of
implementing the risk-based approach as part of the AML program in banking and other
industries.

The aim of the FATF guidance was to emphasize the identification of a risk-based approach
framework and the applicable principles that a country can consider, in parallel with local
authorities and financial intelligence units (FIUs).

In addition to the series of RBA guidance targeting different sectors, such as dealers in precious
metals and stones, trust and company service providers (TCSPs), accountants and real estate
agents, as well as banking products such as prepaid cards, mobile payments, Internet-based
payment services and virtual currencies, the revised FATF 40 Recommendations of 2012 stressed
the following on assessing and identifying risks: “countries should apply a risk-based approach
(RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing
are commensurate with the risks identified. This approach should be an essential foundation to
efficient allocation of resources across the anti-money laundering and combating the financing
of terrorism (AML/CFT) regime and the implementation of risk based measures throughout the
FATF Recommendations.”2 FATF is one of the advisory bodies that highlight best practices and
international standards with the aim of guiding financial institutions in combating money
laundering and terrorist financing. The risk-based approach has likewise been recommended and
guided by regulatory bodies such as the European Union (EU) directives, the Financial Conduct
Authority (FCA), the Dubai Financial Services Authority (DFSA) and others.

According to FATF guidance published in October 2014, “RBA to AML/CFT means that countries,
competent authorities and financial institutions are expected to identify, assess and understand
the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those
risks in order to mitigate them effectively.”3

1 “Introducing a Risk-Based Approach to Regulate Businesses,” World Bank Group, 2014,
http://www-wds.worldbank.org/external/default/WDSContentServer/WDSP/IB/2014/09/18/000333037_20140918121617/Rendered/PDF/907540BRI0Box30d0approach0Sept02013.pdf
2 FATF revised 40 recommendations 2012, Recommendation No. 1 Assessing risks & applying a risk-based approach

FATF has also recommended the implementation of the RBA in its revised recommendations,
stating that “By adopting a risk-based approach, competent authorities and financial institutions
are able to ensure that measures to prevent or mitigate money laundering and terrorist financing
are commensurate to the risks identified.”4

The risk-based approach was also reflected earlier by the Wolfsberg Group in its 2006 guidance,
specifically in terms of client risk assessment and the types of risk a financial institution should
consider when implementing such an approach, and it stressed the basis of a reasonably designed
risk-based approach.5

However, it has been clearly highlighted that there was no universally agreed and accepted
methodology that prescribes the nature and extent of a risk-based approach, leaving the financial
institution to decide on the methodology they want to use based on the analysis of the risk and
the risk management framework.

All advisory bodies agree on the context of the risk-based approach as a methodology to assess
and measure risks, providing quantitative results that assist the decision-making process
regarding the level of risk or threat. Using this method, a risk mitigation plan can be set by
implementing controls to mitigate these risks and establishing the risk levels for ongoing due
diligence on customers.

2.1. Components of the risk-based approach and risk profiling:

The revised FATF Recommendation 1 advises on how to identify and assess ML/TF risks and
ensure that the measures determined to prevent or mitigate them are adequate to the identified
risks and the regulatory environment. It states that “Countries should identify, assess, and
understand the money laundering and terrorist financing risks for the country, and should take
action, including designating an authority or mechanism to coordinate actions to assess risks, and
apply resources, aimed at ensuring the risks are mitigated effectively.”

3 FATF Guidance, Risk-Based Approach Guidance for the Banking Sector
4 FATF, June 2007, Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing
5 The Wolfsberg Group, 2006, Wolfsberg Risk Based Approach Guidance.

It is essential to understand that there is no blueprint that prescribes the implementation of the
risk-based approach in a financial institution; however, FATF Recommendation 1 can be
considered the groundwork for implementing the risk-based approach:

• Identify: identify the risk factors
• Assess: assess the level of risk
• Understand: understand the impact of the risk
• Take action: mitigation plan

Figure 2 – Risk-based approach implementation groundwork6

The main question that comes across during the process is:

What are the main components which drive a risk assessment by the financial institution?

During the initial onboarding process, at the know your customer (KYC) level, the main indicators
that constitute any money laundering or terrorist financing risk are the nature of the customer
(potential client), the customer’s background, the industry or business activities, and the
products and services provided by the financial institution. These components will assist in
determining the level of risk, from high to low, depending on the gravity of the threat attributed
to each component.

The Wolfsberg risk-based approach guidance provides insight into the approach by identifying
the components that can assist in measuring risk, among them industry risk, which relates to the
business activities in which the customer is involved: “Money laundering risks may be measured
using various categories, which may be modified by risk variables. The most commonly used risk
criteria are: country risk, customer risk and services risk.”7

Based on Wolfsberg’s guidance on a risk-based approach, the risk factors or indicators that allow
the level of risk to be assessed and measured can be summarized in the following diagram:

6 FATF recommendations, Recommendation No. 1, 2012
7 Wolfsberg Statement, Guidance on a Risk Based Approach for Managing Money Laundering Risks, 2006

Customer:
• Customer background
• AML system check
• Political affiliations (PEPs)

Country:
• Country of residence
• Country of incorporation

Products & Services:
• Type of account and/or facility
• Account currency
• Previous banking relationship

Industry:
• Nature of business activities
• Related activities

Figure 3 – Risk-Based Approach: Risk Factors

Identifying these risk factors will assist in defining the weightage (weighted risk level) by listing
each component and attributing a rating that will allow the risk rating.

In order to define the customer risk, the financial institution should understand the nature of the
customer that should be defined based on its vulnerability to money laundering and terrorist
financing (e.g., the AML/CTF risk would be higher for nonresident customers than for residents).

Identifying the risk level of the financial institution’s customers can be challenging in countries
where there is no clear definition of high-risk customers or activities. However, international
organizations have advised on the types of customers susceptible to being used by money
launderers and terrorist financiers, such as the FATF recommendations, the Wolfsberg Principles,
the EU Third Directive8 and the BSA/AML risk assessment guidance,9 which can be adopted as
best practices.

These customers can be classified by their link to money laundering, by whether the structure or
nature of the entity or relationship makes it difficult to identify the underlying beneficial owners,
and by their vulnerability to the risk of money laundering and terrorist financing; examples are
money services businesses, PEPs, cash-intensive businesses, trusts, gatekeepers (lawyers,
accountants), offshore companies, charities/NGOs, and others. It is challenging to identify
high-risk customers based on all the facts and circumstances, including the question of whether
the industry they are in is susceptible to money laundering and terrorist financing. Therefore a
thorough understanding of all the risks associated with the customer should be obtained prior to
providing a risk rating.

8 https://eiopa.europa.eu/Publications/Reports/JC_2011_096__AMLTF_2011_05_-_UBO_Report_.pdf
9 http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_005.htm


On the other hand, country risk can be identified based on several aspects, such as:

• Countries not having adequate AML/CTF systems
• Countries subject to sanctions or embargoes issued by the U.N., EU and OFAC
• Countries having significant levels of corruption or other criminal activities such as
narcotics, arms dealing, human trafficking, illicit diamond trading, etc.
• Countries identified as supporting terrorist activities, or having designated terrorist
organizations operating within their territory

High-risk countries have been identified similarly by many regulatory and advisory bodies based
on certain characteristics as stated above which can assist in understanding the level of risk such
as the level of stability and corruption, terrorist and criminal activity.

Similarly, some organizations have developed country risk rating indexes or tools that can be
used during the implementation of the risk-based approach, such as the AML & Sanction Atlas™
Country Risk Ratings10 and the Basel AML Index.11 On the other hand, industry risk, as part of the
risk-based approach and CIP, allows the bank to measure the level of risk posed by the
customer’s business activities and enables bank staff to understand the regulatory and sanctions
risk involved in dealing with a high-risk industry.

The customer business activity risk, as identified by the Central Bank of the UAE in Circular
No. 2922/2008 and by international advisory bodies such as FATF, the Wolfsberg Principles, etc.,
can be used to set the risk grading, which has been identified based on the following criteria:

• Vulnerability to money laundering and terrorist financing
• Activities prohibited or restricted by sanctions and embargo regimes imposed by the U.N.,
EU and OFAC
• Legitimate businesses that can be exposed to financial crimes such as tax evasion,
corruption, human and drug trafficking, arms dealing, etc.

10 promontorycs.com/images/products/ingrid/amlpop.pdf
11 http://index.baselgovernance.org/index/home

FATF’s 40 Recommendations and other advisory bodies have defined the businesses that are
vulnerable to money laundering and terrorist financing; these can be legitimate businesses that
money launderers and terrorist financiers use as a means to conceal illegal activities.

I have gathered a list of these businesses in Appendix 1, in order to provide more insight on which
businesses are considered high risk.

As far as products and services are concerned, the risk attributes can be identified based on their
vulnerability to money laundering and terrorist financing.

Products/services that allow unlimited third-party transactions (such as demand deposit
accounts), those that operate with limited transparency, Internet banking, call accounts, and
those that may involve significant international transactions such as correspondent banking,
private banking, e-banking and politically exposed persons (PEPs) can be classified as high risk
and require further scrutiny compared to other banking products where the risk can be mitigated
easily.

As the categories are defined, the next step is to develop a risk assessment by calculating each
risk factor based on the level of impact and threat attributed giving the weightage and risk scoring
that will enable the classification of risk.

2.2. Residual Risk Scoring:


Attributing the risk rating should be in a numerical format. The financial institution can choose
ranges from 1 to 5 with 1 being the lowest and 5 being the highest or they can choose
percentages and use the weighted average to determine the level of risk as depicted in the
example below:

Percentage  | 100%      | 80%  | 60%    | 40%        | 20%
Score       | 5         | 4    | 3      | 2          | 1
Risk level  | Very High | High | Medium | Medium Low | Low

The weight assigned to each of the input categories (individually or in combination) to ascertain
the overall risk rating of each client is judgmental and based on the risk factors stated earlier.
This rating will also determine the level of due diligence and mitigation process that the financial
institution can adopt to mitigate the compliance risk.

2.3. Risk-Based Approach vs. Risk Appetite:

Developing a risk-conscious environment can be challenging; moreover, the financial institution’s
ability to balance its strategic objectives against the amount of risk it is willing to take in pursuit
of value and profit is both challenging and dynamic.

A financial institution that tends to take adverse risk should demonstrate a high level of scrutiny
and enhanced due diligence (EDD) tools that allow compliance with AML/CTF obligations.
However, this can increase the cost of compliance and regulator concerns about the level of
compliance.

3. Implementation process:

During the implementation process, it is important for the financial institution to plan the
process to eliminate gaps that can lead to negative observations from the regulators.

1. Identify risks and risk rating
2. Integrating with KYC process
3. Training and awareness
4. Ongoing due diligence
5. Continuous update

3.1. Implementation stages:

The first step is the base of implementing RBA and should cover all aspects by identifying the risk
factors and setting up risk scoring. While this stage can become more critical during the
implementation phase, utilizing an automated tool can ease the task and assist in the creation of
workflows and allow the integration of RBA with the financial institution’s customer onboarding
process. However, the implementation and roll out timelines may vary depending on the
processes, core systems and size of the financial institution.

3.2. Customer onboarding lifecycle in the risk-based approach:

This process may vary by institution; however, the basics are similar. In addition to ticking the
boxes and following the usual KYC, CIP and CAP process, another attribute is added to risk score
the customer. Based on the score, the mitigation plan is set, and EDD depends on the nature of
the risks, which may range from additional questionnaires, undertakings and declarations to UBO
verification. The same is described in Appendix 2.

3.3. Enhanced Due Diligence in the Risk Based Approach:

EDD can be accomplished in several forms such as questionnaires, additional search tools, and
other required documentation, depending on the processes and controls as well as the scoring.

The financial institution awareness of the risk should justify the approval provided in the initial
onboarding. In the example provided below, the approval matrix sets out the level of risk
attributed to an authority level that will provide approval based upon justification and EDD
controls in the financial institution:

Risk scoring        | 5             | 4    | 3                        | 2                            | 1
Risk level          | Very High     | High | Medium                   | Medium Low                   | Low
Due diligence level | EDD           | EDD  | Simplified due diligence | CDD                          | CDD
Approval            | AML committee | MLRO | Unit head                | Relationship manager/officer | Relationship manager/officer

EDD based on risk rating score:

Due diligence level | Description of the financial institution EDD process
CDD | In the instance of low-risk scoring, the financial institution will adopt the regular KYC procedures.
Simplified due diligence | Simplified due diligence will assist the financial institution to justify and satisfy the risk component by requesting further information.
EDD | EDD in a high-risk instance should be conducted through a thorough search on the potential customer, whether in Google or other search engines, and questionnaires designed for individuals and entities and even PEPs.

3.4. Internal controls:

Financial institutions should set up processes and controls that guide business units to ensure
adherence to, and a better understanding of, the financial institution’s AML program.

These controls can be in the form of policies, standard operating procedures, or can be systematic
in the AML system and other means if any of the previous cannot be implemented.

3.5. Challenges faced by the financial institution:

There are several challenges that the financial institution may face during the implementation
process that may delay or prevent an assessor from attributing the correct risk scoring, and may
also prevent the risk from being successfully mitigated:

• The risk indicator assessment should be based on appropriate risk considerations and the
methodology should be properly documented.
• Attributing insufficient weight without considering other factors.
• Using waivers on certain types of customers or products can put the financial institution
at risk.
• Not considering the UBO in the risk scoring.
• Inability to properly risk score products and services.

4. Risk-based approach compliance review:

Reviewing the risk-based approach can be as important as the implementation itself. It will study
all components and the action taken by the financial institution from senior management to IT.

4.1. Reviewer expectations:

From an audit point of view, the level of awareness and the ability to manage the risks is essential.

• The reviewer should be able to identify the logic of classifying the risk and the risk scoring.
The ideal situation is for the financial institution to have narrative guidance on each risk
factor describing the process and highlighting the decision-making process, all of which
should be set and approved by senior management.
• Related policy should be drafted, including roles and responsibilities, and the training
should be documented and kept.
• Adopting an automated risk-based approach process that has the capability of creating
automated risk scoring and re-profiling in addition to an account opening approval
workflow. Currently almost all automated AML system providers, such as SAS, Oracle,
Fenergo, Nice Actimize, EastNest… have a built-in customer risk profiling provision with a
similar approach.
• Ability to manage the risk model.

4.2. Risk Assessment and ongoing update

The risk scoring and level of risk is a manual process and should be updated regularly to avoid
falling into underrating the customer risk factors, which will negatively affect the KYC and due
diligence process in the initial onboarding stage.

Financial institutions should take into consideration EDD and automation of the risk-based
approach in order to have an MIS tool that will assist in understanding the rate of high-risk
instances and determining the required enhancement in current controls or training needs in
certain areas.

5. Sample of Customer Risk Assessment Matrix:

The sample case in Appendix 3 illustrates all the points stressed in this white paper and will
enable readers to understand the risk-based approach process.

Conclusion
The risk-based approach (RBA) is considered by regulatory and advisory bodies an important
element of the initial customer onboarding process, through which any financial institution can
establish a risk assessment strategy to assess and mitigate the risks involved in dealing with
high-risk customers and the ongoing due diligence required.

Nevertheless, implementing such an approach involves a comprehensive analysis and profound
knowledge of AML standards and international KYC norms and standards.

Although benchmarking the risk-based approach in the onboarding process of any financial
services institution can be challenging, the implementation process, the requirement to measure
the level of risk against the risk appetite the financial institution is adopting, and the regulatory
environment in the country all need to be considered in order to properly assess the risk
associated with each and every customer.

References:

• Financial Action Task Force - www.fatf-gafi.org
• FATF 40 Recommendations
• The World Bank - www.worldbank.org
• International Monetary Fund - www.imf.org
• The Wolfsberg Group - www.wolfsberg-principles.com
• Transparency International - www.transparency.org
• Financial Crimes Enforcement Network (FinCEN) - www.fincen.gov
• AML-CFT risk management framework evolutions, Deloitte & Touche Financial Advisory
Services Pte Ltd, 2015.

Other website resources:

• www.baselgovernance.org
• www.knowyourcountry.com
• index.baselgovernance.org

Abbreviations and Acronyms:

AML   Anti-Money Laundering
CTF   Counter Terrorist Financing
CDD   Customer Due Diligence
EU    European Union
EDD   Enhanced Due Diligence
FATF  Financial Action Task Force
FCA   Financial Conduct Authority: statutory regulator of most financial services providers
      under the Financial Services and Markets Act 2000
MSB   Money Service Business
PEP   Politically Exposed Person
RBA   Risk-based approach

Appendix 1
High Risk business Activities – Risk Based Approach

List of high-risk business activities that are considered to be a potential source of money
laundering and criminal activities:
Appendix 2
Customer onboarding lifecycle in the risk based approach
Appendix 3
Customer Risk Assessment

Date: DD-MM-YY | Business Unit: Corporate Banking
Customer Introduced by / Relationship Manager: Head of Wealth Management XBZ
Customer Name: XYZ General Trading Free Zone Company

Risk Factors | Risk Description | Rating range | Description | Risk Rating
Customer type | Nature of the customer | 1 to 5 | General trading company dealing in export and import of Oil and Gas | 4
AML screening result | AML screening result in case of a match against an SDN name or in relation to a financial crime | 1 to 5 | Customer being involved in Iran trading | 5
Nationality / Country of incorporation | Country where the company is registered or incorporated | 1 to 5 | British Virgin Island | 4
Country of residence | Country where the company is residing | 1 to 5 | United Arab Emirates | 1
Business Activity | Type of business activities involved | 1 to 5 | Export and Import | 4
UBO | Ultimate beneficial owner nationality | 1 to 5 | Iran | 4
Partners (select the one from higher risk country) | Partner nationality | 1 to 5 | Iran | 4
Financial Products & Services | Type of banking product (to be) used by the customer | 1 to 5 | LC facility | 3

Risk Scoring: 4
Remarks:
Approval Authority: MLRO
Due diligence level: EDD
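The scoring of Section 2.2 and the approval matrix of Section 3.3, applied to the Appendix 3 sample above, as an added example (not the bank's own tool or the author's code). It assumes equal factor weights unless overridden, a round-half-up rule to collapse the weighted average to a whole 1 to 5 score, and that in the Section 3.3 matrix EDD covers scores 5 and 4, simplified due diligence covers 3 and CDD covers 2 and 1.

```python
"""Customer risk scoring (Section 2.2) and approval matrix (Section 3.3).
Added example, not the bank's or the author's code.  Assumptions: equal
weights unless overridden, round-half-up to a whole score, and the matrix
column split EDD = 5-4, simplified due diligence = 3, CDD = 2-1."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Section 2.2: the 1..5 scale and its risk levels.
RISK_LEVEL = {5: "Very High", 4: "High", 3: "Medium", 2: "Medium Low", 1: "Low"}

# Section 3.3 approval matrix (the column split is an assumption, see above).
DUE_DILIGENCE = {5: "EDD", 4: "EDD", 3: "Simplified due diligence",
                 2: "CDD", 1: "CDD"}
APPROVAL = {5: "AML committee", 4: "MLRO", 3: "Unit head",
            2: "Relationship manager/officer",
            1: "Relationship manager/officer"}


@dataclass(frozen=True)
class RiskFactor:
    name: str
    observed: str        # what the assessor recorded for this customer
    rating: int          # 1 = lowest risk .. 5 = highest risk
    weight: float = 1.0  # relative importance; equal weights by default

    def __post_init__(self) -> None:
        # Reject ratings outside the paper's 1..5 range and non-positive weights.
        if self.rating not in RISK_LEVEL:
            raise ValueError(f"{self.name}: rating must be 1..5, got {self.rating}")
        if self.weight <= 0:
            raise ValueError(f"{self.name}: weight must be positive")


def weighted_score(factors: List[RiskFactor]) -> float:
    """Weighted average of the ratings (the paper's 'weighted average')."""
    if not factors:
        raise ValueError("no risk factors supplied")
    total_weight = sum(f.weight for f in factors)
    return sum(f.rating * f.weight for f in factors) / total_weight


def to_percentage(score: float) -> float:
    """Map the 1..5 scale onto the paper's 20%..100% scale (5 -> 100%)."""
    return score / 5 * 100


def to_scoring(score: float) -> int:
    """Collapse the average to a whole 1..5 score, rounding halves up.
    math.floor(x + 0.5) is used instead of round(), whose banker's rounding
    would send 2.5 down to 2.  The paper's sample shows 3.625 -> 4."""
    return max(1, min(5, math.floor(score + 0.5)))


def assess(factors: List[RiskFactor],
           weights: Optional[Dict[str, float]] = None) -> Dict[str, object]:
    """Full assessment: average, percentage, score, level, due diligence, approver.
    `weights` optionally overrides factor weights by factor name."""
    if weights:
        factors = [RiskFactor(f.name, f.observed, f.rating,
                              weights.get(f.name, f.weight)) for f in factors]
    avg = weighted_score(factors)
    scoring = to_scoring(avg)
    return {
        "weighted_average": avg,
        "percentage": to_percentage(avg),
        "scoring": scoring,
        "risk_level": RISK_LEVEL[scoring],
        "due_diligence": DUE_DILIGENCE[scoring],
        "approval_authority": APPROVAL[scoring],
        # factors rated High or Very High: where the EDD effort should focus
        "drivers": [f.name for f in factors if f.rating >= 4],
    }


def appendix3_customer() -> List[RiskFactor]:
    """The Appendix 3 sample, XYZ General Trading (a constructed case)."""
    return [
        RiskFactor("Customer type", "General trading, oil and gas import/export", 4),
        RiskFactor("AML screening result", "Customer involved in Iran trading", 5),
        RiskFactor("Country of incorporation", "British Virgin Islands", 4),
        RiskFactor("Country of residence", "United Arab Emirates", 1),
        RiskFactor("Business activity", "Export and import", 4),
        RiskFactor("UBO nationality", "Iran", 4),
        RiskFactor("Partner nationality", "Iran", 4),
        RiskFactor("Products & services", "LC facility", 3),
    ]


if __name__ == "__main__":
    for key, value in assess(appendix3_customer()).items():
        print(f"{key:>18}: {value}")
```

Reproducing the Appendix 3 result (average 3.625, score 4, High, EDD, MLRO) is the check that the scale and the matrix have been encoded as the paper states them; changing the weight of the screening factor shows how the average moves while the band may not.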
