Anyone who has spent any time with the team at FINTRAIL will attest to the fact that we are passionate about anti-financial crime and how you balance effective controls with a great customer experience. To achieve this, we believe that setting a well considered financial crime risk appetite is critical. It is an often neglected area but something we think is vital for companies looking to scale their offering. In this piece we are going to explore what we mean by a financial crime risk appetite and how to use it.
What is it and why is it important?
A risk appetite sets out how much risk a firm is willing to take in a given area. Ideally a risk appetite should align with the firm’s risk-based approach, and this is particularly pertinent regarding financial crime. A risk appetite statement will allow firms to define boundaries at the early stages of a new business or product as it allows you to target your resources in line with your risk-based approach; it will also allow you to identify whether you are in or outside of the firm’s appetite, which is a key foundation to implementing a risk-based approach. If you would like more information on having a risk-based approach and how that is implemented into financial crime frameworks, have a look at our Risk Assessment blog post here.
A well-defined risk appetite enables you to scale your financial crime operations effectively and removes some of the challenge that can be associated with subjective decision making. For example, what customer behaviours or industries are outside your business appetite? If this is clear, as you scale rapidly, you can operationalise controls to identify the activity and take prompt action to resolve it when it is outside of your risk appetite. Rather than spending time debating whether each individual customer or transaction is or isn’t within your appetite, the decision has already been made at a firm/business level and therefore all operations have to do is execute the required action.
Risk Appetite Statement:
Firms take different approaches when writing their risk appetite statement. At FINTRAIL, we have found that a combination of a header statement of intent, aligned to quantified risk indicators from management information (MI), tends to prove most effective. We give a few examples of this below.
A risk appetite statement may look like:
“Bank ABC has a zero tolerance to financial crime and sanction breaches.”
Although we would all like to see zero occurrences of financial crime, this statement is not realistic and will likely mean that the business is constantly operating outside of its risk appetite. The statement also does not provide any data or metrics useful in gauging success, or details about the financial crime risk that is seen within the business. For a more useful risk appetite statement, a business could include the number of AML, fraud, tax evasion and corruption cases it will accept, the number of high risk customers/transactions processed, any industries it does not want to work with, and any other relevant areas where MI is recorded.
So for example this statement would be better written as:
“Bank ABC has zero tolerance for sanction breaches”.
Bank ABC has a low tolerance for financial crime risk. Based on the risk assessment and risk-based approach, the group is operating within the risk appetite below:
Internal suspicious activity reports reviewed within 24 hours
Monthly total of funds subject to an external suspicious activity report not to exceed 3% of the total volume
Transactions to or from high risk tax jurisdictions not to exceed 20% of total transactions
No more than 10 staff over 30 days overdue for online anti-bribery and corruption training
Examples of financial crime risk indicators:
Internal and external suspicious activity or suspicious transaction reports are a great place to start. As shown above, if a business categorises its reports into the core financial crime threats of money laundering, terrorist financing, fraud, tax evasion, corruption and sanctions, it will have good data points on its main financial crime risks. By using these risk indicators and assessing your exposure to these risks through your risk assessment and MI, you will be able to effectively see if you are operating outside of your risk appetite and should look to mitigate or accept the risk.
A more mature business may look to set a risk appetite for the percentage of high risk customers it accepts or how many high risk transactions it processes, although financial inclusion should be carefully considered here as limiting the number of customers in or transactions to certain jurisdictions could negatively impact particular customer groups. Customers may fall outside of a business’s risk appetite, be it through their behaviours or the cost of safely managing the risks and requirements posed by that customer type. For example, certain industries may be off-limits, and if a client refuses to provide information or documentation, the business relationship may be terminated.
Backlogs can represent just as big a risk to financial crime exposure and suggest that a framework is either under-resourced or not efficient. If a FinTech is continuously operating from a backlog that continues to grow, it will be unable to manage the operational processes that exist to help mitigate financial crime risks. If a business sets a risk appetite for outstanding processes such as sanctions screening, transaction monitoring alerts or SAR filing, it will know when any backlogs exceed its risk appetite. This will give the firm a clear indication that there is a need for better efficiency or further resource.
For new products or new business lines, a firm should consider setting an initial risk appetite to manage any new risks and monitor financial crime levels as they establish a control environment. This could include limits on transactions, such as cash deposits, or limits on the amount or type of customers onboarded. These appetite statements can and should evolve over time as the firm starts to understand where the major risks lie and what behaviours they are able to tolerate and manage, and which they are not.
Set a risk appetite early in your journey, and if you are a mature business without a risk appetite, set one now, and use your data to determine whether you have been operating within it.
Work with your senior management team to set your risk appetite limits.
Link your risk appetite to your risk assessment.
Quantify your risk appetite using reliable data points.
Consider how you then practically implement your tolerance to risk into your wider financial crime framework.
Communicate your financial crime risk appetite so the business knows what is and what is not acceptable.
Assess and escalate scenarios or key risk indicators that fall outside your risk appetite with a view to reject, accept or control.
Track deviations from the risk appetite as part of monthly MI.