The risk-based approach

The risk-based approach (RBA) refers to how FIs apply the most cost-effective and proportionate way to manage and mitigate financial crime risks. The approach can follow the process of:

  • Identifying the financial crime risks relevant to the FI (namely AML/CFT, sanctions, fraud, tax evasion and bribery & corruption);
  • Assessing the risks presented by the FI’s customers, products or services, transactions, delivery channels, and jurisdictions of operation;
  • Designing and implementing controls to manage and mitigate these risks, in the context of the firm’s risk appetite;
  • Monitoring and improving the effective operation of these controls; and
  • Maintaining good management systems and reporting, and recording decisions and issues appropriately.

As a first step in designing an RBA framework, an FI should establish who its customers are, where they operate, the nature of their business and what products they will be engaging with in their relationship with the FI. By leveraging information provided by relevant regulatory and international institutions, the FI should establish risk factors relating to its customers, the countries and geographic areas in which they operate, and its products, services, transactions and delivery channels. In considering what steps are appropriate, institutions should also consider the size and nature of their business to establish the complexity of the risk assessment exercise.

Based on the risk assessment findings, the firm will then design its policies, procedures and controls to ensure that the levels of due diligence, oversight and resources are commensurate with the risks identified and applied appropriately in respect of each customer or product. The risk-based approach provides the following:

  • Recognition that financial crime threats will vary across customers, jurisdictions, products and delivery channels;
  • The ability for management to differentiate between their customers in a way that matches the risk in their business, and to shape procedures, systems and controls accordingly;
  • An outcome that should be a proportionate response to manage risks effectively.