ACAMS Today, September-November 2025 | Page 60

COMPLIANCE
What is risk-based due diligence?
To safeguard themselves from the money laundering, terrorist financing and financial crime risk posed by high-risk customers, FIs implement and execute risk-based due diligence, or enhanced due diligence (EDD), to manage high-risk customer relationships and to assess whether a customer relationship should be retained or terminated.
Risk-based due diligence is a bespoke control developed by FIs to review and assess each customer based on the risk they pose to the FI. Customers are assigned risk ratings (high/medium/low or numerical values) based on their profile and background information and are subject to the required level of due diligence, which, at a minimum, includes negative media research, transactional activity review, review of transaction monitoring alerts, sanctions screening and review of previous suspicious activity and transaction reporting, among other activities.
Regulatory requirements concerning high-risk customers
Banking regulators in most countries mandate FIs to incorporate risk-based due diligence before onboarding any new customers and to conduct periodic risk-based due diligence on high-risk customers to assess whether the risk posed by such customers is within the FI’s risk appetite. Some of the key regulations that require FIs to implement risk-based due diligence controls are the Bank Secrecy Act and the USA PATRIOT Act in the U.S., which state that “FIs must establish Enhanced Due Diligence policies, procedures and controls that are reasonably designed to enable FIs to detect and report instances of [money laundering] through these accounts.”¹ Similarly, in Canada, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act lays out the requirements for risk-based due diligence, and the Money Laundering Regulations 2017 outline the requirements in the U.K.
Despite these regulatory and legal requirements, it is often reported in the media that FIs are at the receiving end of the regulators’ stick and are heavily penalized for not adopting adequate risk-based due diligence controls. A few recent instances are the cases of Binance, Klarna Bank, City National Bank and Starling Bank, which faced the wrath of the regulators for the reasons detailed in Table 1 on the next page.
A common theme observed in the previously cited cases is that the above FIs probably lacked adequate risk management efforts to identify, assess and mitigate the risk posed by high-risk customers. This draws attention to the importance of an effective risk management culture within an FI, which can strengthen and enhance risk-based due diligence controls for the continuous review and assessment of high-risk customers.
The risk management technique
Risk management can be described as the strategic and combined steps taken by an FI’s board (including risk committees) and management to identify risks, assess the impact of identified risks on the FI’s ability to achieve its goals and objectives, assess the effectiveness of existing controls, enhance existing controls or develop new ones, and continuously monitor and report on the performance of those controls. Risk management is a continuous process, and Graphic 1 demonstrates the cyclical nature of this activity.
Most large FIs have a dedicated second line of defense (2LOD) team, which undertakes risk management activities to assess the risks posed by high-risk customers and to assess the mitigating controls in place. The section below details the various steps involved in risk management (as indicated in Graphic 1) for managing the risks posed by high-risk customers.
1. Risk identification
The first step within the risk management process is to identify the risks posed to an FI by high-risk customers. These risks can include but are not limited to:
a. Risk of onboarding and conducting business with customers involved in, or having the potential to be involved in, money laundering/terrorist financing activity
b. Risk of continuing a business relationship with customers involved in, or having the potential to be involved in, money laundering/terrorist financing activity
c. Risk of an FI’s products and services being used as a platform to conduct transactions for the purpose of money laundering/terrorist financing
2. Risk assessment and its impact
Once the risks of dealing with high-risk customers are identified, the subsequent step is conducting an assessment of the impact of these risks. Risk assessment has two important constituents: the likelihood of risk occurrence and the impact of the risk on the bank’s ability to achieve its goals and objectives. Some of the impacts of the above-mentioned risks can include those listed below.
a. Potential financial penalties and related costs: Conducting business with high-risk customers can leave an FI to be held responsible for the money laundering/terrorist financing-related activities conducted by its high-risk customers. Such instances can result in heavy financial penalties and fines being