Other parts of this series:
- Building a Strong Anti-Money Laundering Risk Assessment Process
- Elements of an Anti-Money Laundering (AML) Risk Assessment Program
- Structuring an Anti-Money Laundering (AML) Risk Assessment Program
- The Stages of Maturity in Anti-Money Laundering (AML) Risk Assessment
- A Five-step Process for Structuring an AML Risk Assessment Program
- Common Challenges in Building Anti-Money Laundering Risk Assessment Programs
As noted in my last blog, banks are at different stages in the path to a mature AML risk assessment program. Most banks, however, fall into three main categories.
Banks at this stage of maturity have either limited or no formally defined governance structures or decision-making bodies to provide oversight and approvals. Their operating models are specific to lines of business or geography, with limited integration, and they have neither a clear articulation of risk appetite, risk factors, or control categories nor clear ownership of AML risk components.
Senior management at these banks are aware of the AML risk assessment needs, but have not yet allocated dedicated risk assessment resources. Instead, the assessment is performed by line resources on a part-time basis. AML risk assessment processes are undertaken on an ad hoc basis, without an enterprise-wide methodology or approach, and the processes are primarily manual and not automated. There is little or no technology used to facilitate the assessment; data availability is limited, without an agreed system of record, and reporting is static, without analysis or an orientation towards action.
In this case, banks have defined governance structures in place for approval of AML risk assessment results, along with enterprise-wide standards for risk and control taxonomies. They have identified key risk factors and overall risk appetite. Their operating model, while fragmented, covers major lines of business.
At these banks, senior management are aware of and experienced in AML risk assessment and risk assessment is structured to leverage line resources and compliance personnel. There are partially standardized processes across lines of business and geographies. AML risk assessment is viewed as a requirement and applied superficially with a focus on meeting regulatory expectations, but there are ad-hoc assessments conducted on higher risk areas. There is limited data availability and technology may or may not be used to drive AML risk assessment routines. Reporting, however, is proactive and is analyzed to drive organizational improvements.
3. High Performing
Here, banks have formally defined governance structures and decision-making bodies for approvals and planning. The operating model is enterprise-wide and is consistent across lines of business and geographies. They have established risk and control taxonomies and have identified risk factors and the risk appetite. The lines of business own most AML risk components, but senior management sees AML risk assessment as an integral part of the AML compliance program.
High performers provide AML risk assessment with dedicated resources, leveraging the factory model for operational activities with oversight from highly trained AML specialists. They have a defined globally consistent process across lines of business and geographies, supported by workflow, as well as a standardized assessment methodology and approach.
These banks implement the AML risk assessment process within a strategic technology tool, with agreed data sources and systems of record for data extraction. They leverage a central repository and a standards data dictionary. Finally, they employ automated and dynamic reporting allowing for on-going and periodic assessment.
Getting from the rudimentary to the high-performing stage of AML risk assessment is a complex undertaking with a number of critical steps. I will discuss that process in my next post.
For more information, view our presentation on how financial services firms can set-up an effective AML risk assessment program.