A few months have now passed since the Dutch Central Bank (DNB) published its report about the AML/CTF landscape in the Netherlands. In this study, ‘From Recovery to Balance’, the main call to action to the financial sector is for a more risk-based and focussed approach to keep the sector free of financial economic crime.
Contributor
Michiel is a Managing Principal Consultant in Delta Capita’s Financial Economic Crime practice who specialises in Operational Excellence.
This is a major break with the existing trend, and it leads to some interesting challenges. Fresh in all our minds are the investigations by the Public Prosecution Office, the warnings to several financial institutions and the large fines that were imposed on several banks. At this moment, even board members are personally under investigation for their potential role in failures to detect financial crime.
In this setting of “fear and control”, companies are urged to substantially change their approach. We are all convinced that this is the right way forward, but the question is: how?
We see three key drivers that will support your organisation during this transition:
- Risk trigger enhancement;
- Targeted risk assessment; and
- Recalibrate risk policies.
Risk trigger enhancement: Spearfishing vs. dragnet
To ensure that all prospects and customers are acting within the boundaries of the AML/CTF laws, many controls must be in place throughout the complete lifecycle of servicing customers. Automated risk triggers will flag certain deviant behaviour, after which the customer and/or transactions must be investigated by an analyst. A large part of these controls is still performed manually, which leads to high costs for the operation and impacts clients.
In practice we see that most risk triggers are calibrated so that they work like a dragnet: they filter coarsely, without distinguishing between low and high risks.
These risk triggers can be improved considerably with the help of technology. By using and combining all available data you can construct a dynamic client profile. Risk triggers can therefore be enhanced so that fewer ‘false positives’ are triggered. This results in a more effective approach, spearfishing, which focusses on the actual risks with less impact on clients and the organisation.
Targeted risk assessment – Perpetual KYC
There will be multiple events or situations in a client lifecycle that require some kind of assessment of possible risks, for example changes in ownership structure or transactions that deviate from the expected transaction profile.
To be thorough and not miss a single possible risk signal, organisations are inclined to do a fully-fledged assessment at each of those events, preferably on the complete client profile and all related parties as well.
This clearly puts a lot of pressure on the operation, in terms of resources, costs and time, and on the client, without being able to fully eliminate the chance that a risk might occur.
When you assess only the specific risk that was triggered by an event, the process will be much more efficient, and clients will have fewer questions to answer and less documentation to provide. By doing this, you do justice to your own risk control framework, the ongoing monitoring and the analyst teams.
This will also directly improve the customer journey, which is equally important. A precondition is having an up-to-date record of basic customer information. The right combination and placement of all controls and risk triggers will ensure a sufficient mechanism to trigger the most evident risks. Do trust in this ‘perpetual KYC’ mechanism!
Recalibrate risk policies – New times call for new measures
In its study, DNB mainly gives additional guidance on how to organise a more risk-based approach. It comes down to being able to spend less time on low risks, which should enable you to spend more time on the higher risks.
This may sound obvious, but most internal policies and operating procedures are somewhat outdated and/or do not make a distinction on this level. As the 2nd and 3rd lines of defence will always test daily practice against internal policies, this will have great impact on daily operations.
By recalibrating your risk policies, based on the Systematic Integrity Risk Assessment (SIRA), all underlying policies, standards and procedures can be updated and made more appropriate for the current situation.
Be sure that the policies make clear how to define low risks vs. high risks, so that all three lines of defence can act accordingly. By doing so, you will be able to restore the balance between risk, effort and impact on the client.
About the author:
Michiel Commandeur delivers complex projects in the financial sector. As a managing principal consultant in Delta Capita’s Financial Economic Crime practice, he specializes in Operational Excellence and has extensive expertise in change management, know your customer (KYC) and client lifecycle management (CLM).
To find out more, email him today at: Michiel.commandeur@deltacapita.com