Preparing for a Thematic Review: Customer Risk Assessments
Previously we highlighted that the FCA is likely to undertake a thematic review of Firms’ risk assessments and we issued guidance on Business Wide Risk Assessments. Today we focus on Customer Risk Assessments (CRA).
Your CRA is extremely important in driving the appropriate level of due diligence and ongoing monitoring to ensure each customer’s risk is being managed, monitored, and mitigated. The FCA pay specific attention to the risk levels, scores, and justifications that firms provide through their CRA and their associated methodology. A well thought out CRA that delivers the right outcomes provides the FCA with comfort that the broader control framework is effective. The inverse is also true, with a weak CRA often pointing to wider issues. It is therefore critical that you can illustrate that your CRA is robust and designed effectively.
It is also essential that you have a methodology that provides a holistic view of all data points used to determine each customer’s risk rating. This enables you to understand your financial crime risks at a firmwide level and allows you to easily update customers’ risk ratings on an ongoing basis, as required.
Here we detail some of the common mistakes that we see when we visit firms, and questions that you can ask yourself to be prepared for a regulatory visit.
Incomplete risk factors
CRA methodologies must assess Customer risk; Geographic risk; Product, service, and transaction risk; and Delivery channel risk. We frequently see examples of CRAs that don’t include one or more of these factors. The most frequent omission is channel risk, and this is justified on the basis that customers can only be onboarded through one channel. However, we recommend either expressly addressing this risk factor given it is specifically referenced in various provisions within the Money Laundering Regulations (MLRs) or documenting the rationale for not including it in the methodology.
How do you get comfort that all relevant risks are covered in your CRA?
Inconsistent outcomes
We often see CRAs where it is not clear how a customer’s risk rating impacts the level of due diligence required at take on, the sign offs required, and the level and frequency of ongoing monitoring, resulting in inconsistent outcomes.
Is your customer risk assessment and associated methodology designed to drive consistent and effective outcomes?
Does your approach to assessing risk mean that high risk triggers (such as PEPs) will always increase the risk rating of the customer relationship?
Inadequate guidance and descriptions
We regularly see CRAs where the risk descriptions are unclear or incomplete. For example, the CRA might state that the Firm considers customers regulated in an equivalent jurisdiction to be low risk, but there is no further information on what equivalent means and which jurisdictions are deemed to be equivalent. Similarly, we see many examples where adequate guidance has not been supplied to staff explaining how to apply the CRA model.
How do you get comfort that your risk descriptions are clear and can be understood by the business?
Do you have adequate guidance for staff which details how to apply the CRA model?
What level of manual discretion does your CRA allow for? How do you get comfort that this level of discretion is reasonable?
Static risk ratings
We often find that Firms’ scoring processes and risk ratings are static, and it is unclear how the components and scoring may change on an ongoing basis, for example, if there is a true screening match or changes to the customer’s country of residence since onboarding.
Do trigger events cause the customer risk assessment to be reviewed or refreshed?
When updates are made to your CRA, what is the approach taken to reperform an assessment of existing customers?
Does your methodology clearly articulate your approach and include a clear rationale?
Poorly maintained models
Often, we identify that Firms are not testing their CRA models and as a result they cannot evidence the model is working as intended. We also regularly see CRAs and associated methodologies that have not been recently updated.
How have you tested your CRA model to assess whether typical customer profiles are risk rated consistently and adequately?
What controls are in place to ensure that the customer risk assessment remains fit for purpose?
As ever, we would love to help. If you need any support, please email us at contact@avyse.co.uk