We’re excited to announce the launch of our own Financial Crime Risk Assessment product! Our solution gives compliance leaders a totally new way to approach risk assessments by equipping them with a truly dynamic, automatically updating, easy-to-use risk assessment tool. It also enables partner banks and BaaS platforms to effectively manage their fintech programs.
Financial crime risk assessments are one of the most difficult parts of the financial crime framework to get right, but they are essential for analyzing a business's risk of financial crime exposure.
Without a good risk assessment, it’s impossible to meet regulatory expectations for an adequate compliance program. Regulators are increasingly demanding that firms’ financial crime compliance programs be effective and risk-based.
The consequences of getting this wrong are severe.
Recently, financial crime risk assessments featured prominently in the US OCC’s corrective actions for a US partner bank. In the UK, the Gambling Commission’s largest fine to date was issued to a large sports-betting and gaming group for inadequate AML risk assessment processes.
This post describes the key components of the financial crime risk assessment process and provides a downloadable example risk assessment checklist.
But many compliance leaders acknowledge the need to improve current risk assessment processes. Here are a few reasons why:
Financial crime risk assessments have two stages:
Identification. Firms first identify broad or high-level risk areas to evaluate, then further determine specific risk categories that apply to their business, based on regulatory guidance or expectations (e.g., from the Wolfsberg Group, FATF, JMLSG Guidance, FFIEC, or national risk assessments) and industry practice.
The following risk areas are commonly considered in risk assessments:
Assessment. For each specific risk category, firms evaluate their inherent risk, the strength of their relevant controls, and their residual risk.
Risk ratings for each risk category are aggregated into an overall risk score for each high-level risk area. Then, an enterprise-level risk score is determined based on the risk scores for the risk areas.
Controls mitigating a particular risk need to be assessed for both adequacy and effectiveness.
To rate overall control efficacy for a risk, firms have to accurately evaluate both of these control aspects through metrics and self-assessments.
Assessing controls is a challenging, time-consuming task for many compliance teams, and it provides only a snapshot of how controls are operating at a single point in time.
Risk assessments are foundational for firms’ compliance programs. After completing an assessment, firms should take the following steps: