Implementation of the risk-based approach in accordance with the 4th EU Anti-Money Laundering Directive

Client risk rating as a key element of the risk-based KYC process

A guest contribution by Dr. Burkhard Eisele


The 4th EU Anti-Money Laundering Directive (4th EU AMLD) became effective in June 2017. Intended to prevent the use of the financial system for money laundering or terrorist financing purposes, the 4th EU AMLD states that financial institutions must evaluate their clients as part of the Know Your Customer (KYC) process by means of a risk-based approach.

Recital 22 of the 4th EU AMLD states that “… a holistic, risk-based approach should be used. … It involves the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing … more effectively.”

The scope of the risk-based approach is defined in Article 14 (5) of the 4th EU AMLD: “Member States shall require that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, including at times when the relevant circumstances of a customer change.” In this context, the term “appropriate times” does not refer to a transitional period needed for comprehensive implementation of the risk-based approach for existing clients, but rather to the frequency at which a client must be reevaluated.

Concerning the KYC process, the risk-based approach must be applied in the following three cases:

  • During client onboarding to determine the money laundering risk of potential new clients prior to the signing of a contract
  • During regular review to periodically determine the money laundering risk of existing clients based on the risk classifications “high risk,” “medium risk” or “low risk”
  • During event-driven review to run an ad hoc evaluation of the money laundering risk of existing clients whenever exogenous or endogenous events occur

Almost two years after the 4th EU AMLD became effective, many financial institutions still do not use proper methodologies in this process and fail to comprehensively utilize the risk-based approach.

Risk types and factors indicating potentially higher risk
In addition to risk factors that need to be determined individually by each institution (for example, on the basis of an institution’s specific business model), Article 8 of the 4th EU AMLD provides a non-exhaustive list of risk factors and risk types that need to be taken into account for the client risk rating: “Member States shall ensure that obliged entities take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the obliged entities.”
These risk factors are specified in Annex II to the 4th EU AMLD (“factors and types of evidence of potentially lower risk”) and Annex III to the 4th EU AMLD (“factors and types of evidence of potentially higher risk”; Figure 1).

Methodological approach for the client onboarding process
The client risk rating is an integral part of the client onboarding process and therefore a key element of the risk-based approach. The client risk rating methodology leverages the risk-scoring model and ensures a risk-adequate and client-specific assessment of the money laundering risk.
A suitable methodology for a risk-based KYC approach within the client onboarding process is described in the following section.

Calculation of the client risk rating
As part of the client onboarding process, information is collected about the sources of funds, the purpose of the business relationship and the beneficial owner. This collection of information is performed as a new client is identified and legitimized. The risk scoring model uses this information alongside the previously mentioned risk factors to determine the client risk rating, which results from (a) the initial risk rating and (b) what are known as the “prohibitive risk factors.”

Initial client risk rating
To determine the client risk rating, all the information collected during the client onboarding process needs to be evaluated; specific KYC data and client documents will be assessed as risk factor input and stored in the KYC workflow system.
The risk scoring model calculates risk factor values and determines the weighted risk score using an econometric model.
The outcome of this step is the initial risk score, which is expressed as a value from 0 to 100. Afterward, the risk score is converted into one of the three risk classifications: “low risk,” “medium risk” or “high risk.” (Table 1)

Prohibitive risk factors
The initial client risk rating provides the basis for the final client risk rating. The following section focuses on prohibitive risk factors.

Prohibitive risk factors are:

  • the existence of a PEP (politically exposed person) flag (according to Article 3 (9) of the 4th EU AMLD, a “politically exposed person is a natural person who is or who has been entrusted with prominent public functions”),
  • the occurrence of adverse information (“negative news”) and
  • identification of activities and transactions related to sanctioned and/or embargoed countries.

If one of the prohibitive risk factors is applicable, the final client risk rating automatically shifts to high and the initial client risk rating is overruled. If no prohibitive factor is applicable, the final client risk rating is the same as the initial client risk rating (Figure 2).
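The two-stage rating described above (weighted risk score, conversion into a risk class, then the prohibitive-factor override) as an added worked example. This is illustrative code, not the author's scoring model or any institution's system: the factor names, the weights and the class boundaries for the 0 to 100 score are assumptions, since the article reproduces neither the econometric model nor Table 1.

```python
"""Client risk rating: initial score, classification, prohibitive override.
Added example; weights, factor names and thresholds are assumed."""
from dataclasses import dataclass

# Assumed risk-factor weights (sum to 1.0). The article names the factor
# categories (customer, country, product, delivery channel) but no weights.
FACTOR_WEIGHTS = {
    "country": 0.35,
    "industry": 0.25,
    "product": 0.20,
    "delivery_channel": 0.20,
}

# Assumed class boundaries for the 0..100 score (Table 1 is not reproduced).
LOW_MAX = 30       # score <= 30  -> "low"
MEDIUM_MAX = 70    # 30 < score <= 70 -> "medium", above -> "high"


@dataclass
class ClientProfile:
    # Each factor value is already normalised to 0..100 by the scoring model.
    factor_values: dict
    # The three prohibitive risk factors named in the article.
    pep: bool = False
    adverse_information: bool = False
    sanctioned_country_activity: bool = False


def initial_risk_score(profile: ClientProfile) -> float:
    """Weighted sum of the factor values, yielding a score in 0..100."""
    missing = set(FACTOR_WEIGHTS) - set(profile.factor_values)
    if missing:
        # Incomplete KYC data must not silently produce a low score.
        raise ValueError(f"missing risk factor input: {sorted(missing)}")
    score = sum(FACTOR_WEIGHTS[f] * profile.factor_values[f] for f in FACTOR_WEIGHTS)
    return round(score, 2)


def classify(score: float) -> str:
    """Convert the numeric score into one of the three risk classes."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def prohibitive_factors(profile: ClientProfile) -> list:
    """Return the prohibitive factors that apply to this client."""
    hits = []
    if profile.pep:
        hits.append("PEP")
    if profile.adverse_information:
        hits.append("adverse information")
    if profile.sanctioned_country_activity:
        hits.append("sanctions/embargo")
    return hits


def final_risk_rating(profile: ClientProfile) -> dict:
    """Initial rating from the score; any prohibitive factor overrides it to high."""
    score = initial_risk_score(profile)
    initial = classify(score)
    hits = prohibitive_factors(profile)
    final = "high" if hits else initial
    return {"score": score, "initial": initial, "prohibitive": hits, "final": final}


if __name__ == "__main__":
    # Constructed sample: low-scoring client who nevertheless carries a PEP flag.
    sample = ClientProfile(
        factor_values={"country": 20, "industry": 10, "product": 30, "delivery_channel": 40},
        pep=True,
    )
    print(final_risk_rating(sample))
```

The override is deliberately separate from the score: a PEP flag or a sanctions hit must force the high class regardless of how favourable the weighted score is, and the result records both the initial class and the reason for the override so the compliance function can see why the dossier landed with them.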

Client acceptance and consultation process for high-risk clients
As part of the onboarding process, the client risk rating is a key element used to determine whether client management (the first line of defense) and the compliance function (the second line of defense) need to apply the simplified or the enhanced level of customer due diligence.

According to the 4th EU AMLD, financial institutions need to take risk factors “into consideration and [take the applicable measures] in situations where enhanced customer due diligence measures are appropriate. Specific account shall be taken of the nature and size of the business, and, where appropriate and proportionate, specific measures shall be laid down” (Article 18 [4]).
Simplified customer due diligence is to be performed for customers with a client risk rating of low or medium; in such cases, no explicit involvement of the compliance function is needed for client acceptance as part of the onboarding process.

Clients who are rated high risk according to the client risk rating must be handed over to the compliance function for the final decision. In the consultation process, the compliance risk exposure associated with the client will be evaluated, and a joint decision will be made by client management (the first line of defense) and the compliance function (the second line of defense). The potential client then receives unconditional acceptance, conditional acceptance or no acceptance.

Regular review
As already indicated, Article 14 (5) of the 4th EU AMLD states that financial institutions must reevaluate existing clients within an appropriate timeframe. The criterion for the frequency of this regular review is the client’s current risk rating. The review of clients and the reevaluation of the client risk rating are performed at three typical frequencies:

  • Low-risk clients: reevaluation of client risk rating every five years
  • Medium-risk clients: reevaluation of client risk rating every two years
  • High-risk clients: reevaluation of client risk rating annually

This ensures a client’s risk rating is always up to date.
Ideally, regular reviews should not be performed at the same time for all clients in the same risk classification group; rather, the reviews should be distributed over the entire reevaluation cycle.

Event-driven review
In addition to the reevaluation of a client during regular review, clients must be reevaluated immediately if any change in exogenous or endogenous factors indicates an increased compliance risk. A client’s compliance risk can increase as a result of:

  • changes to the country risk list according to the Corruption Perceptions Index (CPI),
  • appearance on a sanction list or embargo list,
  • change in the risk classification of industries by the AMLD,
  • occurrence of a PEP or
  • significant increase in the client’s transaction volume.

Event-driven review ensures that all clients whose compliance risk increases due to their exogenous or endogenous factors are monitored at the enhanced level of customer due diligence. Similarly, this review ensures that a decreased risk results in application of the simplified level of customer due diligence. If this response to a decrease in risk is neglected, the cohort of clients under enhanced customer due diligence will accumulate over time.
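The regular and event-driven review mechanics from the two sections above as an added example, not code from the article or from any KYC platform: review intervals of five, two and one years by risk class, a first-review schedule spread across the cycle as the author recommends, and an event-driven reevaluation that moves a client to enhanced due diligence on an increase and back to simplified due diligence on a decrease. The event type identifiers and the `ClientRecord` structure are assumptions.

```python
"""Regular and event-driven review scheduling by client risk rating.
Added example; event identifiers and record fields are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Review frequencies stated in the article.
REVIEW_INTERVAL_YEARS = {"low": 5, "medium": 2, "high": 1}

# Event types the article lists as raising compliance risk (names assumed).
REVIEW_TRIGGERS = {
    "cpi_country_risk_change",
    "sanction_or_embargo_listing",
    "industry_risk_reclassification",
    "pep_status",
    "transaction_volume_increase",
}


@dataclass
class ClientRecord:
    client_id: str
    rating: str
    last_review: date
    next_review: date
    due_diligence: str = "simplified"
    pending_review: bool = False


def due_diligence_level(rating: str) -> str:
    """Only high-risk clients fall under enhanced customer due diligence."""
    return "enhanced" if rating == "high" else "simplified"


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_regular_review(last_review: date, rating: str) -> date:
    """Next regular review date for the client's current risk class."""
    if rating not in REVIEW_INTERVAL_YEARS:
        raise ValueError(f"unknown rating: {rating}")
    return add_years(last_review, REVIEW_INTERVAL_YEARS[rating])


def stagger_first_reviews(client_ids, rating: str, cycle_start: date) -> dict:
    """Spread a cohort's first reviews evenly over its reevaluation cycle
    instead of making all of them due on the same day."""
    cycle_days = (next_regular_review(cycle_start, rating) - cycle_start).days
    ids = sorted(client_ids)
    return {cid: cycle_start + timedelta(days=(i * cycle_days) // len(ids))
            for i, cid in enumerate(ids)}


def record_event(rec: ClientRecord, event_type: str) -> bool:
    """Flag the dossier for an ad hoc review when a trigger event arrives."""
    if event_type not in REVIEW_TRIGGERS:
        return False
    rec.pending_review = True
    return True


def complete_review(rec: ClientRecord, new_rating: str, review_date: date) -> ClientRecord:
    """Apply a reevaluated rating. Decreases are applied as well as increases,
    so the enhanced-due-diligence cohort does not accumulate over time."""
    rec.rating = new_rating
    rec.due_diligence = due_diligence_level(new_rating)
    rec.last_review = review_date
    rec.next_review = next_regular_review(review_date, new_rating)
    rec.pending_review = False
    return rec


def due_for_regular_review(records, today: date) -> list:
    """Dossiers whose recorded reevaluation date has been reached."""
    return [r for r in records if r.next_review <= today]


if __name__ == "__main__":
    # Constructed sample: a low-risk client who later becomes a PEP, then is downgraded.
    rec = ClientRecord("c1", "low", date(2019, 6, 1), next_regular_review(date(2019, 6, 1), "low"))
    record_event(rec, "pep_status")
    complete_review(rec, "high", date(2020, 3, 1))
    print(rec)
    complete_review(rec, "medium", date(2021, 3, 1))
    print(rec)
```

`complete_review` is the step most often missing in practice: the article's warning that the enhanced cohort grows if decreases are ignored is avoided only because the due-diligence level and the next review date are recomputed from the new rating on every review, upward or downward.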

Integrated KYC platform and client risk rating
A high-quality client risk rating can be achieved by implementing an appropriate workflow system. An integrated digital KYC platform supports client management representatives in the collection of client data, evaluation of risk factors and calculation of client risk ratings during the onboarding process.

At the same time, an integrated KYC platform significantly improves the efficiency of the regular review process. The workflow system automatically generates client dossiers for review based on the recorded reevaluation dates. Ideally, information about exogenous factors is also automatically submitted as a result of queries sent to external data sources.
As part of event-driven review, the workflow system identifies those client dossiers for which changes in exogenous or endogenous factors may have an impact on the client risk score and client risk rating.

Leveraging the fast progress of technology (big data, artificial intelligence, etc.), some leading institutions are currently considering performing a daily client risk rating procedure for all existing customers in an overnight batch run. In such cases, regular review and event-driven review converge, as an up-to-date risk assessment is conducted for all clients every day.

However, it is important that experienced client managers and compliance experts still actively monitor high-risk cases. This ensures that changes to a client’s risk profile can be captured even if these changes are not encapsulated in public information and thus not automatically recognized by the workflow system.

For medium- and low-risk clients, usually sample-based monitoring of client data is adequate if the workflow system can flag client dossiers as complete in the automated assessment.

Summary and outlook
The client risk rating is a key element in the risk-based approach according to the 4th EU Anti-Money Laundering Directive.
In the risk-based approach, for the first time, money laundering and terrorist financing risks are consistently reflected by means of a comprehensive methodology.
Depending on the client risk rating of a potential new or existing client, financial institutions need to comply with different customer due diligence requirements. However, an adequate risk-based approach entails more than just regular reevaluation of existing clients by means of regular and event-driven reviews.

beisele@kpmg.com