Bringing Risk Analytics

The Financial Action Task Force (“FATF”) released a study in July 2021, on the opportunities of emerging financial crime related technology solutions and how the role of artificial intelligence and data analytics can assist organisations overcome numerous AML/CFT (anti-money laundering/combating the financing of terrorism) challenges and provide for more efficient and effective ways to identify and mitigate financial crime risks. As substantiated by FATF, “technology can increase the capacity to collect and process data, and share it with stakeholders, including supervisors. Artificial intelligence-based tools can analyse data accurately, in real-time and help better identify emerging risks. It can also assist the validation of the results of manual assessments, and their subsequent conclusions.”

A key challenge identified in the study is the lack of understanding and awareness organisations have towards effectively assessing their ML/TF (money laundering and terrorist financing) threats. This is a direct result of risk assessments (“RAs”) developed and applied by the organisation which are not aligned to the true application of the risk-based approach (“RBA”). It was observed that key decision making of organisations were founded on inadequate RAs which were either inaccurate or irrelevant and relied heavily on human judgement. In some instances, RAs also encompassed “defensive box-ticking approaches” which swayed the outcome of ML/TF risks.

At the core of these RA’s lies the Business Risk Assessment (“BRA”) which is considered as the central plexus to providing organisations with a holistic overview of their financial crime risk. The BRA encompasses internal and external ML/TF risks faced by the organisation including RA results on the nature and activities of the organisation, its customer base, the type of products and services offered, any geographic nexuses and delivery channels utilised. The result of insufficiently and ineffectively assessing these risks will have a direct impact on how financial crime risk is portrayed in an organisation which consequently affects the organisation’s key decision making towards curbing ML/TF risks.

FIAU’s Business Risk Assessment Review:

Malta’s FIAU published a cross-sectorial review of 100 BRAs during the period July 2019 – June 2020 to share their observations on common deficiencies with these BRAs. The FIAU identified the following thematic deficiencies:

• Inadequate or missing BRA methodologies (including the risk scoring mechanisms for inherent and residual risks);
• Linkage between controls and identified risks and how they mitigate ML/TF exposure;
• Lack of risk analysis from a quantitative perspective which included customer, geographic, products, services, transaction and delivery risks;
• Management lacked understanding of the BRA as they were not actively involved in the development of their organisation’s BRA where this was outsourced; and
• BRA was not updated continuously with relevant ML/TF risk data therefore the identification of risks and appropriate controls were not sufficiently identified.

Our point of view

Consistent with the views of prominent regulators and best practices, Deloitte believes that there is a compelling need for organisations to enhance the design and application of their risk-based approach to anti-money laundering/combating the financing of terrorism, specifically, the Business Risk Assessment..

We often find that Board members, who are required to approve the BRA, find the assessment theoretical and at times misaligned with their understanding of the organisation’s exposures. Consequently, boards find it difficult to engage in meaningful debate and/or challenge and the opportunity of re-evaluating an organisation’s risk exposure against its risk appetite is missed. This board review process is core to the effective implementation of a RBA.

We believe that there is a combination of varying factors that lead to this, however we have identified the following fundamental causes:

• The BRA is performed periodically as a standalone exercise to satisfy regulatory and policy requirements. The responsibility for this assessment falls on the MLRO or compliance function who often do not possess the required risk management skills that are necessary to perform a risk assessment. This results in a time consuming and costly exercise, often disjointed from other components of the organisation’s AML/CFT and Sanctions Framework that yields little to not value.
• Organisations do not use data to drive their understanding of their exposures and for the measurement of risks. We often find that this is not due to the unavailability of data but rather due to the lack of skills and tools available to those who are driving the risk assessment process.
• Risk scoring methodologies are not adequate or are not used altogether. Even when data is available and analysed, the means in which quantitative data is used to drive the likelihood and impact scores is not based on a robust and consistent methodology. Likewise, the evaluation of controls is often not adequately mapped to relevant risks and risk scoring methodologies fail to consistently measure the impact of controls on inherent risk.
  

How can we help?

Our Financial Crime Services offerings are designed to address the fundamental deficiencies we find in the marketplace. Our team’s multi-disciplinary approach brings together the skills we believe are necessary to design and develop methodologies and solutions that bring tangible value to the organisation; these include risk management, regulation, data analytics and technology skills.

Our BRA Analytics dashboards leverage the organisation’s data to bring to life ML/TF Key Risk Indicators in a custom-built visual dashboard that is intuitive and provides the MLRO and broader financial crime team visibility of the organisations ML/TF risk profile during the course of the year. This is an invaluable tool though which detailed cross risk analysis and drill down review can be performed with ease and at speed, facilitating ongoing monitoring, data quality validation and reporting.

We support organisations develop risk scoring methodologies that are based on robust risk management principals and that leverage quantitative and qualitative data points in a robust and consistent manner. Our BRA journey is scalable and can be extended to fully automate the BRA process.