Implementation of the risk-based approach
In order to detect suspicious business transactions as accurately as possible, it is important to differentiate between persons and transactions in analysis. Private or retail banking, retail or corporate business, institutional investors and brokerages each involve business relationships with a different business behavior. While high volumes of money flow in and out of corporate accounts on a near-daily basis, this is unusual in the accounts of private customers. So if an unusually large transaction occurs in the account of a private customer, a compliance officer should look into the matter. Institutions that assign risk classes to all of their customers and business relationships, and let those classes regulate the evaluation of potential risks, obtain the best analytical results. For example, a high-risk finding could mean that crediting a payment is delayed until the case is resolved. It is also important to assign a separate risk class for politically exposed persons because, from a compliance perspective, they require special attention and are considered “high-risk situations” in the new money laundering directive.
Risk classification in the Know Your Customer (KYC) profile
KYC identity checks are necessary not only for new customers, but for existing customers as well. At a minimum, institutions are required to identify the contractual partner, determine beneficial ownership, and evaluate economic background. Every business relationship is subject to different logic. Here are some examples:
- Is the customer in private or retail banking or involved in the commercial banking business?
- Is it an institutional investor or broker?
- What kind of business does the bank expect to conduct with the customer (credit, deposits, transactions with foreign business partners)?
For the various banking activities, there are different business behaviors. For instance, corporate accounts have high inflows and outflows of money. For a private account, this transaction pattern would be more unusual and would be considered a potential risk. Further analyses by client type might include country risk, transaction behavior, legal status, financial circumstances, industry, politically exposed persons or professions.
Checking customer data against sanctions list entries
Screening of customer data against national and international sanctions lists is one of the risk management tasks expected of financial institutions. A large selection of public and commercial sanctions lists is available on the market. Many institutions have even started using several lists concurrently. Automatic checks usually include names, aliases, alternative name spellings, dates of birth, nationality, and domicile. Institutions regularly screen all of their customers and business relationships – usually once a day. To avoid runaway screening costs, it is good practice to fine-tune results so that institutions end up with a list of only the truly relevant suspicious cases.
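The screening step described above, as an added example that is not part of the original article: names are normalized, compared against every alias of a list entry, and the date of birth is used to tune the result. The list entries, the 0.85 threshold and the policy of suppressing hits with a conflicting date of birth are assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries (not taken from any real sanctions list).
SANCTIONS = [
    {"id": "S-001", "names": ["Ivan Petrov", "Iwan Petrow"], "dob": "1970-03-12"},
    {"id": "S-002", "names": ["Maria Gonzales"], "dob": "1985-11-02"},
]

def normalize(name):
    """Lower-case, strip diacritics and punctuation, and sort the tokens
    so that 'Petrov, Iván' and 'Ivan Petrov' compare as equal."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(sorted(text.split()))

def name_score(a, b):
    """Similarity of two names in the range 0..1 after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(customer, entries=SANCTIONS, threshold=0.85):
    """Return (entry id, best name score, confidence) for each relevant hit."""
    hits = []
    for entry in entries:
        # Compare against the primary name and every alias or alternative spelling.
        best = max(name_score(customer["name"], n) for n in entry["names"])
        if best < threshold:
            continue
        dob = customer.get("dob")
        if dob and entry.get("dob") and dob != entry["dob"]:
            continue  # assumed tuning policy: conflicting date of birth suppresses the hit
        confidence = "high" if dob and dob == entry.get("dob") else "review"
        hits.append((entry["id"], round(best, 2), confidence))
    return hits

if __name__ == "__main__":
    print(screen({"name": "Petrov, Iván", "dob": "1970-03-12"}))
    print(screen({"name": "Maria Gonzalez"}))
```

Hits marked "review" have a name match but no corroborating date of birth, so they go to a compliance officer rather than being treated as confirmed.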
Know Your Transaction (KYT): Monitoring transactions
Monitoring payment transactions is part of the KYT principle. To find out whether a transaction poses a risk, an analysis must be performed to determine whether the initiator or recipient is on either an internal or external blacklist, whether limits are complied with, which countries are involved, the reason for payment, and the customer’s history. It is also a good idea to analyze transaction patterns. This means that the analysis takes into account not only individual transactions, but also the connection between a number of payments. Inflows and outflows occurring within a brief period can be an indication of money laundering. Smurfing is another technique in which large transactions are broken down into smaller tranches. In practice, the number of financial transactions is subject to seasonal fluctuation. Banks have to be capable of reliably analyzing the transaction spikes that occur on weekends, before holidays, and at the end of the month or year, which are generally higher than volumes on other days.
Throughout the duration of the customer relationship, it makes sense to collect baseline data for risk classification from transaction behavior. For example:
- Assets and number of transactions
- Overall cash turnover within a defined period
- Total turnover in relation to assets
- Cash turnover in relation to assets
- Transactions and the amount of turnover with high-risk countries within a specified period
In the final determination of risk, it is important to place the numbers in context. For instance, it makes sense to differentiate between threshold values for retail, corporate, and private banking clients. This makes it possible to classify transactions from corporate customers with high-risk countries as less critical than transactions with high-risk countries initiated by private persons.
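The pattern analysis and segment-specific thresholds described above, as an added example that is not part of the original article: three illustrative rules (single-transaction limit, smurfing, and inflow followed quickly by outflow) are evaluated per account with the limit of the customer's segment. The limits, the three-day window, the 90% pass-through ratio and the sample transactions are assumptions.

```python
from datetime import datetime, timedelta

# Assumed per-segment limits; real values come from the institution's risk policy.
LIMITS = {"private": 10_000, "corporate": 250_000}
WINDOW = timedelta(days=3)

# Constructed sample data: (account, segment, timestamp, amount).
# Credits are positive, debits negative.
TXNS = [
    ("A1", "private", "2024-03-01T09:00", 4_000),
    ("A1", "private", "2024-03-01T15:00", 3_500),
    ("A1", "private", "2024-03-02T10:00", 3_800),
    ("A1", "private", "2024-03-03T08:00", -11_000),
    ("C1", "corporate", "2024-03-01T09:00", 90_000),
    ("C1", "corporate", "2024-03-02T09:00", -85_000),
]

def alerts(txns, limits=LIMITS, window=WINDOW):
    """Return sorted (account, rule) pairs for the three illustrative rules."""
    by_account = {}
    for acct, seg, ts, amt in txns:
        by_account.setdefault(acct, []).append((datetime.fromisoformat(ts), seg, amt))
    found = set()
    for acct, rows in by_account.items():
        rows.sort()
        limit = limits[rows[0][1]]  # threshold depends on the customer segment
        if any(abs(amt) > limit for _, _, amt in rows):
            found.add((acct, "over_limit"))
        for start, _, _ in rows:  # window anchored at each transaction in turn
            win = [amt for ts, _, amt in rows if timedelta(0) <= ts - start <= window]
            credits = [a for a in win if a > 0]
            debit_total = -sum(a for a in win if a < 0)
            # Smurfing: several credits, each under the limit, that together exceed it.
            if len(credits) >= 3 and max(credits) < limit and sum(credits) > limit:
                found.add((acct, "structuring"))
            # Inflow and outflow of a similar size within a brief period.
            if sum(credits) > limit and debit_total >= 0.9 * sum(credits):
                found.add((acct, "pass_through"))
    return sorted(found)

if __name__ == "__main__":
    print(alerts(TXNS))
```

The corporate account C1 raises no alert although its amounts are far larger than those of A1, because every rule is measured against the corporate limit.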
Monitoring rules for persons and transactions
All monitoring scenarios, regardless of whether the analysis is of personal or transaction-related data, are defined by rules. Below are some examples:
- What is the maximum transaction amount for private clients?
- How high is the limit for financial transactions for corporate clients?
- What is the customer’s risk class?
- How is a particular risk customer classified (PEP, crime, terrorist)?
- What is the nature of payment transactions between two business partners internally in the bank or with external payees?
- Which countries are on a sanctions list?
Milestones in automated money-laundering prevention
For reasons of time and cost, and also due to steadily increasing data volumes, money-laundering prevention must be automated and must, to the greatest extent possible, generate only truly relevant results. If a risk is identified, it must be checked by a compliance officer. The most important milestones for effective anti-money-laundering measures are: risk classification, monitoring, clarification, and auditable documentation.