Once customer demand for services increases and the business grows, transaction volumes and variety become so large that a one-size-fits-all transaction monitoring approach is no longer feasible or effective. Traditional transaction monitoring rules tend to be set as thresholds that apply to most of the customer base, using the least-risk cut-off point. This results in rules that flag many customers, most of whom turn out, after investigation, to be false positives.
The FATF, and local implementing bodies (such as the FIAU), emphasise the importance of adopting a risk-based approach to transaction and customer monitoring which challenges the business to direct human intervention and investigation to the areas that are deemed most at risk. The recommendation to adopt a risk-based approach is very effective as long as risk factors are well thought through and expressive enough to capture the various facets of customer risk. An effective customer risk assessment should consider the following factors:
- Customer Risk: What type of customer is this and what information do you have about them?
- Product/Service Risk: What industries does the customer operate in and what services are they subscribed to?
- Delivery Channel Risk: What methods does the customer use to transfer funds between accounts and/or countries?
- Geographical Risk: What is the risk associated with the customer's country and the countries they are transacting with?
- Sector Specific Risk: Are there any patterns or risks that are specific to the services that you offer the customer?
When selecting a transaction monitoring solution for your business, it is important to keep the above risk factors in mind and make sure that the implementation can capture and calculate customer risk in a way that addresses all of them. For example, the customer profile needs to support the details that determine risk (such as type, age, and KYC status) as well as results extracted from PEP, sanction, and adverse media screening services. Transactional information should be accessible so that customer activity statistics can be compared with their expected volumes. Customer details and activities can be compared against managed lists with different risk scores/ratings for the different channels, services, and countries. Finally, event-based behavioural factors can track red flags and patterns in customer activity.
A good risk-based approach should consider each risk factor individually, but also be able to combine the various risk factors into a single risk rating. Combining these risk factors is not necessarily a simple accumulation of risk, obtained by summing or averaging risk across the factors. There might be interdependence between various factors, and modelling it can avoid over-inflating the customer risk rating. For example, payment method risk is only considered if the customer has done sufficient transactions to merit that increase in risk.
The overall risk score, together with its underlying composition and factors, needs to be made available to the compliance user when looking at the customer profile, along with visibility of the historic trend of changes. This can inform user decisions when investigating and reviewing a customer. The risk score/rating can be used to adjust rules, so that they set different conditions or thresholds based on customer risk. Lastly, this information can be used to initiate automated processes when customer risk reaches a certain level, such as suspending the account or initiating an enhanced due diligence process.
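
The combination and risk-adjusted rules described in the last two paragraphs can be sketched as follows. This is an added example, not code from any monitoring product: the weights, rating bands, transaction-count gate, alert thresholds, action name and sample customer are all constructed assumptions.

```python
# Constructed weights, bands and thresholds, for illustration only.
WEIGHTS = {"customer": 0.30, "product": 0.20, "channel": 0.15,
           "geography": 0.25, "sector": 0.10}
MIN_TXNS_FOR_CHANNEL = 10  # activity needed before channel risk counts
RATING_BANDS = [(60, "high"), (35, "medium"), (0, "low")]
# Risk-adjusted rule: single-transaction alert threshold (EUR) per rating.
TXN_ALERT_THRESHOLD = {"low": 10_000, "medium": 5_000, "high": 1_000}
AUTO_ACTIONS = {"high": "initiate_enhanced_due_diligence"}


def assess_customer(factors, txn_count):
    """Combine per-factor scores (0-100) into a score, rating and breakdown."""
    composition = {}
    for name, weight in WEIGHTS.items():
        score = factors.get(name, 0)
        # Interdependence: channel (payment method) risk is ignored until the
        # customer has enough transactions to merit the increase in risk.
        if name == "channel" and txn_count < MIN_TXNS_FOR_CHANNEL:
            score = 0
        composition[name] = round(weight * score, 2)
    total = round(sum(composition.values()), 2)
    rating = next(label for floor, label in RATING_BANDS if total >= floor)
    # The breakdown is returned so a reviewer can see what drove the rating.
    return {"score": total, "rating": rating, "composition": composition,
            "action": AUTO_ACTIONS.get(rating)}


def should_alert(assessment, txn_amount):
    """Apply the alert threshold that matches the customer's current rating."""
    return txn_amount >= TXN_ALERT_THRESHOLD[assessment["rating"]]


# Constructed sample customer: per-factor scores on a 0-100 scale.
SAMPLE = {"customer": 60, "product": 50, "channel": 90,
          "geography": 80, "sector": 40}

if __name__ == "__main__":
    for count in (3, 25):
        result = assess_customer(SAMPLE, count)
        print(count, result["score"], result["rating"], result["action"],
              should_alert(result, 4_000))
```

With the same factor scores, the customer with 3 transactions stays at a medium rating, while the one with 25 transactions crosses into high because channel risk is now counted, which tightens the alert threshold and triggers the automated action.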