Managing your financial crime risk

The Financial Action Task Force (FATF) assesses a country’s level of implementation of its recommendations on an ongoing basis, providing an in-depth description and analysis of each country’s system for preventing criminal abuse of the financial system. Getting an adverse FATF review has serious economic and social consequences for a country as it has the potential to restrict capital flows and increase the overall cost of doing business in the country.

It is no wonder therefore that countries take this evaluation seriously and publish laws and regulations enabling strong punishment for financial crime-related offenses. Central banks are given supervisory powers to ensure that Financial Institutions (FIs) effectively adhere to regulations and follow international guidelines to support the country’s effort against Financial Crimes (FC): money laundering/terrorist financing and sanctions. While the probability of the risk occurring always exists, implementing effective controls can assist in
mitigating that risk.

Being an integral part of the financial system, FIs need to ensure that FC risks are within the acceptable risk appetite of the FI and the country. FC risks faced by the FIs are primarily through the:

i)  geography and customer profiles, where the FI can accept or reject the inherent risk but cannot minimize it; and

ii) products and channels (offerings), where the FI can mitigate the inherent risk through the product/channel features.

FIs can assess the effectiveness of the FC framework through conducting an enterprise-wide Financial Crime Risk Assessment (FCRA).

What is FCRA?

An FCRA assesses the FC risks such as dealing with customers in high-risk jurisdictions, cross-border or cash-based transactions and the anonymity of the transactions conducted by the FI. It allows FIs to identify FC risks, assess controls relating to these risks and subsequently strengthen or add any needed controls to mitigate or minimise the residual risk.

• Step 1: Identify inherent risks
  Inherent risks are the risks that exist prior to implementing any mitigating controls. These risks vary between FIs, based on the target market, geographic operations, channels of service and the profile of their offerings.

• Step 2: Identify and assess controls
  FIs need to implement controls to mitigate the inherent risks identified. These controls need to be assessed and tested on a regular basis in order to ensure that they remain effective in mitigating the evolving risks identified.
• Step 3: Determine residual risks
  Depending on the outcome of the risk and controls assessment, FIs can take any of the plausible actions:
  • Accept the risk, based on its risk appetite;
  • Mitigate the risk, by strengthening controls to bring the risk to an acceptable level; or
  • Reject the risk, i.e. stop offering the product/channel or stop facilitating the customer/geography.

An FCRA methodology is usually based on international guidelines such as FATF, Wolfsberg, or the Financial Conduct Authority (FCA), and will identify FC typologies to assess inherent risks. These typologies signify possible FC risks facing the industry. While the risks may differ between offerings, all typologies should be assessed to ensure that the FI focuses its efforts and limited resources where the risk really lies.

The following are some of the challenges that may impede an efficient and effective FCRA outcome:

• An unclear risk appetite relating to FC risks.
• A poorly defined FCRA methodology and approach.
• A lack of understanding of the FIs unique offerings.
• A lack of buy-in and sponsorship from key stakeholders.
• A mechanism to robustly and accurately capture the process and outcomes of the FCRA, such that recommendations can be tracked through implementation.

Tools and digital assets

There are various FC risk and compliance solutions that collect critical information to address gaps between the principles and practices in a FI’s compliance program. From risk assessments and ratings to control effectiveness and other key performance indicators, these solutions enable FIs to have an aerial view of their threats and risks while operating in a global marketplace. The solutions are accelerator capabilities used to automate, reduce cost, improve consistency and ensure accuracy of FCRAs. It allows for a customized assessment structure to meet regulatory and organizational reporting requirements across geographies, operating groups and business units.

Below are a few features of the Solutions available to facilitate FCRAs 

• Risk methodologies: Ready-made methodologies that can be used without modification or configuration to address specific organizational requirements. Configurable elements include ratings inherent risk, country risk, control effectiveness and residual risk, as well as calculation rules.
• Risk analysis: To allow assessors to navigate the risk model, filtered by group and category for each risk factor and answering the risk indicators. Inherent risk ratings per risk factor is automatically calculated based on the risk model weightings and risk methodology.
• Controls assessments: To provide a library of ready-made controls and allows for adding custom controls. Controls can be assessed for design effectiveness and operational effectiveness.
• Reporting: Online, interactive drilldown report as well as the ability to export a pre-configured report in Microsoft Word format for further refinement.

With an estimated cost of US$11 trillion, a future estimated loss of US$10 trillion
in earnings and with the world economy shrinking by 4.3 percent in 2020, no
country can afford capital flows being restricted or the cost of doing business
going up due to financial crime concerns. Regulators such as the CBUAE have
been issuing guidance to assist FIs in mitigating FC risks and as FIs return to
their business as usual, they need to conduct FCRAs to ensure that they have
adequate and effective controls to mitigate any FC risk they may face.

by Muzzi Ebrahim, Partner and Saad Qureshi, Assistant Director, Financial Advisory, Deloitte Middle East