Mastering Risk-Based Approach: 7 Deficiencies to Conquer

The Enterprise-Wide adoption of a Risk-Based Approach is essential in countering Money Laundering (ML) and Terrorist Financing (TF) risks. The regulated entities in the UAE must adopt a Risk-Based Approach and design their AML/CFT program and controls commensurate with the risks the entity is exposed to. If the entity operates in a high-risk environment, it should have more controls to manage the overall risks and keep them within its risk appetite. Here is the article ‘Mastering Risk-Based Approach: 7 Deficiencies to Conquer’ to help you counter financial crimes effectively:

Top 7 Deficiencies around the adoption of a Risk-Based Approach (RBA)

1. Undocumented RBA methodology

The regulated entities are required to document the RBA methodology adopted by the company. Some companies fail to document or adequately describe the overall RBA methodology.

2. Lack of application of the RBA

The entities must adopt the RBA and apply it uniformly across the company. Some entities fail to adopt it and to deploy controls commensurate with the nature, size, and complexity of business, client relationships, geographies, delivery channels, and products and services.

3. Undocumented Risk Appetite

Sometimes, risk appetite is not formally defined, documented, or communicated to the concerned team; hence, no uniform approach is taken to mitigate the risks.

4. Deficiencies around Enterprise-Wide Risk Assessment (EWRA)

Some entities fail to carry out the Enterprise-Wide Risk Assessment (EWRA) and identify the risks they are exposed to, the likelihood of a risk materialising, controls deployed, and the residual risks associated with the company.

5. Failure to review EWRA

The EWRA is not a static exercise. The date of the review and its timing must be recorded, and the next EWRA review date must also be documented. The EWRA must be reviewed at least every year. If there are reasons to believe that the risks associated with the company have changed, it needs to be performed even earlier. Most entities fail to realise this and do not review their gross and residual risks, and hence fail to deploy appropriate controls to mitigate such risks.

6. Deficiencies around Customer Risk Assessment (CRA)

Some entities fail to understand the importance of customer risk assessment, and they do not identify the risks associated with a customer and hence fail to apply proper risk mitigation measures.

7. Missing authorisation from the top management

Top management authorisation is necessary in high-risk situations while onboarding the client or conducting the transaction. Some of the entities fail to meet this requirement.