Under the prescriptive approach, regulations were originally based on the risks and controls relating to retail banking and simply did not fit other business models, such as private, institutional or investment banking and wealth management.
Due to the increased regulatory burden, almost all businesses now had to comply and tick the boxes as best they could. This resulted in firms trying to customize and change AML controls to fit their own business models, trying to satisfy the regulator, but potentially missing the actual risks they were exposed to. Thus the compliance efforts failed to meet regulatory expectations. This gave rise to a new approach to managing risk called the Risk-Based Approach (RBA).
The aim of RBA was to create an environment where controls were commensurate with actual risk. RBA is a more flexible and rational approach to KYC/AML: AML controls are applied to address the actual risks a firm is exposed to, rather than simply ticking boxes and hoping to satisfy the regulator.
RBA & FATF
In 2007, the Financial Action Task Force (FATF) stepped in with its first attempt at implementing an RBA, issuing a paper which stated:
“By adopting a risk-based approach, competent authorities and financial institutions are able to ensure that measures to prevent or mitigate money laundering and financing threats are commensurate to the risks identified. This will allow resources to be allocated in the most efficient ways. The principle is that resources should be directed in accordance with priorities so that the greatest risks receive the highest attention.”
The intention of RBA was to create more practical methodologies and processes for KYC and AML. The result was somewhat different, with highly complex processes emerging in many instances as a direct result of individual interpretation of the new guidelines. This led to widespread confusion throughout the financial industry.
The FATF then revised its guidelines in 2010. The Expert Working Group advising the FATF on the risk-based approach and FATF Recommendations in 2010 said:
“As a basic principle, financial institutions and DNFBPs (Designated Non-Financial Business Providers) should be required to take steps to identify and assess their money laundering/financing threat risks for customers, countries or geographic areas, and products/services/transactions/delivery channels.”