Anti-money laundering (AML), anti-terrorist financing, and sanctions compliance present ongoing challenges for financial institutions in today’s global marketplace. As the financial services landscape evolves, organizations struggle with the difficulties associated with effective customer identification, customer and transaction screening, and transaction monitoring, areas that continue to be in the gaze of regulators. Given this, the successful adoption and validation of customer risk rating (CRR) models remain as important as ever.
The Role of CRR in AML
While an effective risk-based AML compliance program relies on the successful operation of several interconnected pieces, a vital component is the CRR model. This model relies on gathering relevant, accurate, and comprehensive customer-related information through the Know Your Customer (KYC)/Customer Due Diligence (CDD) processes, which provide inputs (such as geographies, ownership, anticipated activity, etc.) to a CRR model to help identify those customers deemed to be higher risk and require more intensive monitoring. The CRR model also will use a customer’s transaction history, sourced from the transaction monitoring systems used to identify potentially suspicious behavior, and adjust the risk score dynamically.
Obtaining an accurate risk rating of customers, both at onboarding and on an ongoing basis, is essential. Getting it wrong could lead to both financial and reputational harm. Risk rating high-risk customers as “low or medium risk” can have severe regulatory implications, while risk rating low- or medium-risk customers as “high-risk” can significantly increase compliance costs, and either might make its way into the news cycle.
CRR Model Impacts
The CRR model affects several key areas, including:
- The enhanced due diligence (EDD) to be performed—high-risk customers require more data points and more regular review
- The level of transaction monitoring required—risk ratings help with prioritization of alerts and provide an input to certain detection scenarios
- The need to close accounts if a client poses an unacceptable level of risk
- The necessity to change risk rating to reflect changes in customer activities over time
- The need to focus team members’ efforts when reviewing model outputs
It is vital, therefore, that CRR model configuration is fully understood and rigorously tested. This typically comes in the form of a model validation that constitutes testing the model’s:
- Conceptual soundness, model theory, and design
- Inputs, assumptions, and data
- Processing and calculations
- Ongoing monitoring
- Outcomes analysis
- Change management, governance, and controls
- Documentation
Key Takeaways
In our view, there are several critical points to consider to help achieve an effective CRR process and result:
- A CRR methodology that is risk-based and comprehensive
- A “tool” to support the implementation of the methodology
- A methodology and tool that can be validated as well as a resource with the requisite experience (internal or external) to perform these validations
- A tool that has the flexibility to be periodically tuned to reduce manual overrides and account for the dynamic nature of customer relationships
- Accurate, complete, and consistent data across data feeds/systems
- An individual or individuals who take ownership of the model and its ongoing performance
While the CRR model is a key component in any effective compliance program, it remains critical to recognize the interconnected nature of an effective anti-financial crime control environment. Other components such as CDD, transaction monitoring, and suspicious activity reporting are equally important. Effective CRR is key but will only be valuable if integrated as one part of a complex system.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars