That’s the question I get asked most often by AML Compliance colleagues--and it’s the question that worries me the most.
That question tells me that the financial institution likely has a major problem with its Risk-based Approach. I’ve been doing AML for close to 20 years now, the first seven implementing “other people’s software” or just Ops work. Those early years inside
Compliance shops, Audit shops, and IT shops focused on slaying the shape-shifting monster of new laws, rules, and expectations. It’s the rules and expectations that get you every time, because it’s tempting to jump straight to rules without first doing a deep
dive into Risk.
The process of selecting what “Rules” to run begins and ends with your Enterprise Risk Assessment (ERA). You have one; every financial institution is required to have one. Now that being said, most ERAs I have read have a few parts lacking.
To their credit, most ERAs do identify the risks in conducting business; they look at where, with whom, and how business is conducted. The common lack lies not in the identification of the risk, but rather in the Risk Mitigation Plan (RMP). Simply stated,
the RMP should detail exactly what the institution will do to mitigate this identified risk.
We need to remember that running an AML Rule is an internal control to mitigate an identified risk. Examples abound. Collecting information during on-boarding is mitigating an identified risk. Screening for sanctions is mitigating a risk. When you do your
geographic risk analysis, you are identifying the riskiest places to do business; specifying the reasons why an area is risky will help you determine what risk-mitigating rules you need.
I recommend extracting the identified risks from your summaries and creating a simple spreadsheet: entries in column one identify the risk; column two specifies the reason for the risk; and column 3 specifies the mitigation plan. It may look something like
So, the first example of risk is for Terror Financing for customers transacting business in or through Afghanistan. Enhanced Due Diligence is the mitigating factor to this risk. So, the internal control you are instituting is EDD to further identify higher
risk customers. The second example of risk is high ‘source of funds’ risk due to high cash-transaction counts and amounts. The Velocity rule will find inbound money followed by an internal transfer and a transfer out; and the ‘Regular Large Crypto Purchases’
rule will find abnormal crypto purchases that are not consistent with the business’s purpose.
If you have been around awhile, you will recognize that this is the classic Risk-based Approach—logical, systematic, and easy to justify to anyone who asks. The rules to run result from the specific risks identified rather than from general AML experience
or personal preference.
So what AML rules are you going to run?