Our solution streamlines risk assessment processes, considering all key risks: customer, product, channel, and geography. It offers customization options to meet specific institutional needs. With our system, customer risk profiles are automatically updated with new information, providing a comprehensive view for informed decision-making regarding the acceptance or rejection of the relationship. It also incorporates customer-specific behavioural patterns and can adjust risk scores if any concerns arise regarding increased ML/TF risk.
ML/TF risk assessment and management plays a key role in ensuring that the necessary preventive measures are in place and that efforts are focused on effectively avoiding the ‘bad guys’. You can effectively mitigate ML/TF risks by performing automated risk assessments on new and existing customers and identifying high-risk customers, enabling you to protect your business and focus AML/CFT control processes on the real threats.
Our solution offers unlimited data import possibilities, allowing you to include relevant information in your automated risk scoring. Customise workflows based on your own customer risk assessment matrix, considering country, customer, product, channel, and other risks specific to your institution.
Stay updated on changes to customer information with our dynamic risk assessment feature. Continuously reassess customer risk ratings based on their actual behaviour, ensuring accurate risk profiles and timely response to any potential risks.
Automate the processing of large volumes of data within the frequency set by your institution. Our system generates automated case management, identifying high-risk cases for further decision-making, enabling efficient escalation and prioritisation.
Protect your organization
ML/TF risk assessment is a mandatory regulatory requirement aimed at efficiently implementing a risk-based approach that ultimately enables institutions to identify, assess and control the ML/TF risks to which they are exposed.
ML/TF risk assessment has two mandatory pillars – enterprise-wide risk assessment and individual customer risk assessment. Although each serves a specific purpose, these processes are intertwined and the results of these processes should complement other ML/TF risk management measures. You can read more about ML/TF risk assessment in general on our Blog.
In our experience, the most common mistakes that institutions make when building and updating their risk scoring models are as follows:
- Risk assessment is not integrated into the overall AML/CFT risk management framework (no alignment between the enterprise-wide ML/TF risk assessment framework and the individual customer risk assessment framework, no alignment between customer data updates and customer re-scoring, etc.);
- Risk criteria are not aligned (or not updated) with the actual ML/TF threats faced by the organisation;
- The use of overrides for automated risk scoring is flawed (there is no clear process for manual overrides, manual overrides are not performed in a controlled environment, overrides are not documented, etc.);
- The risk scoring matrix is not properly calibrated (e.g. risk factor weighting is unduly influenced by one risk factor, regulatory requirements for high risk situations are overridden by the institution’s risk weighting);
- Changes in the variables of the risk scoring matrix do not trigger the overall re-scoring of the client portfolio, thus exposing the institution to a potential breach of the legal requirements to apply enhanced customer due diligence (e.g. changes in the assessment of geographical risk factors, changes in the assessment of industry risk factors, etc.);
- No trigger-based re-scoring is applied in the institution (the institution relies solely on the ongoing due diligence of the client for risk re-scoring purposes).
To ensure that your institution does not make these mistakes, you should maintain the necessary balance between an automated risk scoring solution, appropriate manual intervention and properly aligned AML/CFT processes.
Any AML/CFT professional can wake up in the middle of the night and quote the regulatory requirements for ML/TF risk categories: customer, geography, product and channel. The challenge is to decipher what lies behind each risk category on an individual basis. Some tips on how to define the risk criteria for each risk category are given below.
When assessing customer risk, you may want to consider the type of customer (natural or legal person), the legal form of a customer (sole proprietorship, limited liability company, corporation, cooperative, non-profit organisation, trust, etc.), the customer’s industry (financial institution, online gambling institution, IT service provider, legal advisor, crypto asset service provider, arms dealer, adult services, marketing services, etc.), customers with specific criteria that increase risk (customers with difficult ownership structures, politically exposed persons, high net worth individuals, etc.), and other criteria.
When considering geographic risk, you may want to separately weigh the customer’s domicile (registration address), nationality, and inbound and outbound transactions. Taking into account the FATF lists (so-called “black” and “grey” lists) and the lists of high-risk countries published by the European Commission is a “must” when constructing a geographical risk matrix. In addition, you may want to consider whether the country is included in international sanctions lists, offshore jurisdiction lists or tax blacklists, country indices that define the country’s level of corruption (e.g. Transparency International Corruption Perception Index) or level of terrorism (e.g. Global Terrorism Index), and other trends that may increase the geographical risk (e.g. trends in drug trafficking, human trafficking, sanctions evasion, etc.).
Product and service risk criteria depend mainly on the variables of the products you offer to your customers, different sets and variations of these products. When weighting the product risk criteria, be aware of the requirements of the regulation or guidelines on how to treat certain products (e.g. crypto assets, different variations of correspondent banking relationships), and remember that different variations of the same product or different sets of products may pose different risks together and separately (e.g. using only a payment initiation service or having a set of cross-border financial services).
When identifying product channel risks, consider how the customer obtains your products or services: the network of introducers, agents or intermediaries used by the institution, the extent to which the relationship is conducted through third party arrangements, the extent to which functions are outsourced, and the forms of non-face-to-face relationship.
The primary data source for ML/TF risk assessment will always be your customer. Data provided by the customer in the customer application form, onboarding form or KYC form will be the initial dataset for ML/TF risk assessment. How much you trust your customer and how far you will go with data validation (will you rely on self-declaration alone or will you validate certain data or collect additional data on your customer yourself) will depend on a regulatory requirement (e.g. screening of politically exposed persons, verification of certain customer due diligence data in the reliable and independent data sources), the type of customer (e.g. customer whose activity should be licensed) or the initial risk score of the customer (high-risk customers will be subject to broader data collection and deeper data validation).
The customer’s behavioural patterns before or during the relationship (communication with the institution, unexplained delays in providing information, false and contradictory information, etc.) and transactional patterns during the relationship (monitoring alerts that flag possible deviations from usual transactional activity and/or lead to possible suspicions of illegal activity) also feed into the risk assessment.
For some of the variables in the risk scoring model, external data sources (such as FATF black or grey lists, tax blacklists, negative media screening results, etc.) or additional internal data sources (such as internal watch lists) may be used.
Automated solutions are not a mandatory requirement in most countries, as most regulators follow the so-called “proportionality” or “technology neutral” principles to allow the institution itself to define the best solutions for implementing the regulatory requirements. This is to avoid pushing small, low-risk institutions into large, expensive solutions that are not needed in the early stages of business development, when manual processes will do the job.
However, automated solutions are a necessity for high-risk business models, for growing institutions and for medium to large institutions. Automated solutions not only optimise processes and save human resources, but are also less subject to human error and to manipulation of information evaluation. If you have high-risk business solutions or a growing customer portfolio, proving to regulators that an Excel spreadsheet is a sufficient customer risk scoring solution may be difficult, if not impossible.