The Risk-Based Approach

3 August 2023

To avoid the stereotype of a moaning compliance professional, I want to preface the following waxing lyrical by stating that the thing I’m most passionate about in the world of AML/CFT and Regulatory Compliance is working with professionals on both sides of the aisle who are committed to following the rules and being both pragmatic and outcome focused.  Some of the most frustrating moments I’ve had in office environments are when a fellow compliance colleague is saying no to a suggestion but is not able to articulate anything beyond a generic risk statement. There should be a healthy tension between people in commercial roles and those in oversight roles, but the management teams who work best are those who are able to find the balance between commerciality and risk and have equal respect for both (my next article will be about culture…).  Which leads me nicely onto the subject of this very article.


If you search for the term “risk-based approach” in the Guernsey Financial Services Commission’s (“GFSC”) Handbook on Countering Financial Crime and Terrorist Financing it will return 36 results. If you remove the hyphen, you receive another two results, for a total of 38.  When I performed the exercise of bashing the keys into the search bar, I was surprised by how few times the phrase was actually returned, given that the term “risk-based approach” is drummed into the international finance industry.  But I think it is very possibly one of the most used, yet least understood, phrases within management teams when it comes to a problem with a client that needs to be solved.  It is used so frequently that it has all but lost meaning in this humble Compliance professional’s opinion.

The most common example of this is an instance where a client has failed to provide all due diligence, what has been provided is incorrect in some way, or the amount of detail (particularly in relation to source of wealth or source of funds) is deficient.  Rather than go back to the client, a member of the management team suggests that “a risk-based approach” is applied and the deficiency is left unrectified, with a file note written to explain why the position was not remedied.  It’s almost as if people doing this are assuming we all get a set number of times a year to play this card.


The problem with this thought process is that it misinterprets the purpose of applying a risk-based approach.  Within the context of a due diligence deficiency, you’re tacitly accepting that your client profile is going to remain incorrect or incomplete which, inherently, increases the overall risk to the business by one degree or another.  The Handbook has already supplied businesses with the ability to apply a risk-based approach to CDD; this is done by creating the concepts of simplified due diligence, standard due diligence and enhanced due diligence (I’m not going to enter the minefield of enhanced measures!).  Applying a framework which gives you the ability to utilise all the simplified provisions and fleshes out what you do differently between a standard-risk case and a high-risk case (namely the application of enhanced due diligence) is the risk-based approach in action.  It may seem like I’m teaching the proverbial grandmother to suck eggs, but I bet if every Board Director, Senior Manager and Compliance Professional gave it eight seconds of thought they could recall a situation like the one I’ve described above, where somebody suggested the application of a “risk-based approach” with no further action proposed beyond a file note signed off by a director or directors.  Just don’t do it: if what you’ve received is wrong, or you don’t have enough, then ask for further information or revised documents.


Now, you may be thinking I’m naïve; sometimes the onboarding process is clunky or a client is given poor guidance by the business, and so a concession is considered appropriate.  That won’t be a factor for the Commission when reviewing files as part of an onsite visit. If the process was poor for this client, it is likely poor for other clients, and if concessions are being made on those clients too, you’re opening up a significant can of worms when the Commission asks sharp questions about process and culture.


My next point is aimed squarely at the wheeler-dealers, the bloodhounds, those who bring in the proverbial bacon: the risk-based approach is not exclusively aimed at onboarding, CDD processes or monitoring.  It should also be a key criterion when the business is pitching or considering the commerciality of the client.  We all know how competitive the market is, but real thought must be given to how the risks presented can be managed.  The only way to manage them, in simplistic terms, is by applying tools in the form of human or technological resources.  Both cost money, and both should be factored into the pricing at the outset and on an ongoing basis.


As a Compliance Professional I have sat in client review or take-on panels where, upon the suggestion that further work needs to be done to address a matter or monitor a situation, the response has been very much along the lines of fee recoverability, with the extra work seen as a burden or something that makes the business uncompetitive.  Rather than squinting at the Compliance Professional and wondering if the enhancement to practice they’re suggesting is strictly required, go the other way: cost it up and go out to the client.  Be bold.  Or, just implement the control and learn to factor it in next time, but don’t avoid a control because it will affect recoverability negatively; that is not a conversation you want to have with a Regulator!


I feel like thus far, anybody in a non-compliance role may be feverishly looking up my LinkedIn profile to print a picture of my face and attach it to their dartboard.  If they don’t have a dartboard, they may be considering buying one.  It’s all been a bit one-sided and, I will accept it, a bit finger pointy.  So in the interest of balance, I will make a point about the approach to risk taken by Compliance Professionals.  Not all professionals, but some professionals.  I’ve observed scenarios where I have been asked for a second opinion on an issue where an administrative task is required, but the Compliance or Financial Crime Team has blocked the action because of a known, generic risk factor.  For example, a payment to a client’s account in a high-risk jurisdiction, despite it being the country of their nationality and a place where they spend a significant portion of the year.  If a client’s profile links significantly to that jurisdiction and you have no specific financial crime concerns in relation to the provenance of funds or the specifics of a transaction, the risk on which you’re impeding client service is generic and should have been understood and managed accordingly at the outset of the relationship.  Drastic action that stops commerce in its tracks can only be justified if you have a specific concern, for example a question that has not been answered or a pattern of behaviour that is suspect and has gone unnoticed.  Similarly, a high-risk indicator is not necessarily a reason to reject a client.  Let’s create an example and go through a logical thought process designed to hopefully reduce the number of cardiac episodes within the compliance community.


Example - A client has links to high-risk industries and/or jurisdictions, but the business has not identified any specific financial crime, terrorist financing or proliferation financing concerns. At this juncture, only a client information request and structure chart have been completed, and screening on all entities and individuals has been completed with no negative results.

All Compliance Professionals will have the same reaction to the above, albeit the degree of emotion in the response will change from person to person.  But it has to be remembered that, unless there is known or suspected criminality, this is a commercial decision, and those are the considerations to pursue at this juncture.  Here is the information I would seek and the steps I would take:


1. What specifically are the key risks?  Document these, line by line.

2. What could be done to mitigate those risks at the outset of the relationship? What are the financial implications to the business (including time cost for staff and senior management)? Document these alongside the risks.

3. What would need to be done to manage those risks (including time cost for staff and senior management)? Document these alongside the risks.

4. What are the anticipated workflows for the client? All administration tasks.


Then, it is time to perform the equation:

Fees Proposed to Client ÷ Proposed Costs of Maintaining the Client (including Compliance Costs at the outset and per annum) = Anticipated Recoverability

The above is not an exact science, but it hopefully creates a more meaningful conversation which is not as emotionally driven.  The process shouldn’t take any longer than an hour with the right people involved, and therefore should not prevent a quick turnaround for a proposal being issued, which is always a concern for people tasked with winning new business (alternatively, a highly caveated proposal could be issued and, once more facts are understood, a more accurate proposal issued in due course).


If, by steps 2 and 3 above, the business cannot take reasonable steps to manage the risk of financial crime (used as a broad term), the only reasonable outcome is not to pursue the relationship.  I say this with the belief that the lofty philosophical debate about businesses “never being able to fully mitigate risk” is not a conversation any business should be entertaining, as chances are it will lead you to, if you’re not already in, the hottest of hot water with a Regulator or Law Enforcement. If you’re dealing with the former, they can lean back on their enforcement powers and the subjectivity of the terminology “reasonable measures”; as for the latter…well, by then you may be in a room that’s too cold or too hot, sitting on a hard plastic chair with (ironically) a plastic cup of room temperature water.


I hope you will forgive and indulge me for going slightly off topic at this juncture, but there is a general point to make.  In Paragraph 101(a) of the GFSC Handbook (captured under 3.17.1 in Chapter 3), there exists the following sentence:

“The firm should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing”


The above, while not overly pronounced in the GFSC Handbook, gives you a firm indication of how the GFSC feels about adverse media in respect of unprosecuted allegations of criminality.  The old world of “the client hasn’t been convicted” is no more, and that line of thinking should be removed from one’s considerations.  As a couple of former colleagues who happened to be ex-law enforcement officers in one capacity or another would say, the bar for suspicion should be considered so low you could trip over it.  Conversely, the bar for prosecution is far higher, so dealing with individuals with adverse media and potential criminality should be done with the utmost caution, and a very conservative view of what “reasonable measures” look like should be observed.


This, I believe, is what it truly means to implement a risk-based approach: employing a rigorous and calculated set of parameters to measure the risks versus the reward to be gained.

Applying a risk-based approach means different things to different facets of each business.  Some will naturally be more accepting of risk and others more averse to it.  But risk exists, whether at the outset of a relationship or as it progresses.  For the common good, it is about finding a way to control the risks while achieving the business’s commercial goals.  This can only be done if both sides of the aisle are willing to work together and respect each other’s roles, opinions and concerns.

When our Operations Manager, James Le Gallez, advised me that he had just uploaded new articles onto the Redwood website, I immediately seized on the opportunity to feed my ego and etch my thoughts on one (of many) subjects I’m passionate about into stone and then issue it to the masses via the platform of the interweb.  Once I realised etching things into stone was quite an undertaking that requires significant expertise and the use of sharp tools (which I’m not normally allowed access to at home or in work), and indeed the interweb was not designed to handle hand carved messages…I booted up Microsoft Word and started typing.
