Regulatory bodies worldwide recommend a risk-based approach to AML for traditional financial organizations, as well as Fintechs. A risk-based approach simply means that how you evaluate a transaction is informed by the risk factors associated with such a transaction.
In the US, the Bank Secrecy Act (BSA) advocates a risk-based approach, and internationally, the Financial Action Task Force (FATF) lists a risk-based approach as their number one recommendation in their guidance for anti-money laundering and combating the financing of terrorism.
The premise is simple: apply the adequate scrutiny to a user or a transaction based on the risk that such user or transaction poses to the business. The intended benefit for a risk-based approach is to focus the compliance teams in those cases that are meaningful, such that the overall cost of compliance (operations and tools) goes down, and the chances of catching the bad guys are increased. In other words, achieving compliance and risk reduction cost effectively.
Sometimes the cost of realizing this cost-effectiveness is high. Organizations have to spend significant effort in performing a risk assessment, then design a program to address risks. Once the program is defined, organizations have to implement the processes and systems that allow them to characterize and measure the risk, and the processes and systems to deal with these risks. These are non-trivial endeavors for organizations that have grown over the years with a disparate set of systems. The overall process, especially in small- and medium-sized organizations, may impose a financial burden, making it hard to execute.
Having said that, most trained compliance analysts and officers would agree that a risk-based approach is right. Professional compliance and risk personnel want their work to be meaningful and effective. But moreover, they are also driven by catching and stopping the bad guys. This sounds idealistic, but this was one of the first things that I noticed about this profession when I entered this market. So, they have a strong willingness to adopt adequate systems and technologies that will help them in their day-to-day operations and focus their work so they can be more effective in protecting their organizations.
Large organizations spend significant amounts of human resources and money to go through this process. In contrast, most small- and medium-sized organizations usually build their own solutions by putting together a few tools here and there, where Microsoft Excel (or similar spreadsheet products) is sometimes the center of it all. These home-grown solutions are inadequate, most of the time, to achieve the level of efficiencies the business demands, and are certainly not what compliance analysts and officers are actually looking for. (Listen to this webinar with an expert panel to why spreadsheets are not sufficient). This is especially true for businesses that are looking to expand, and even more so for those that want to expand internationally. Regardless of the size of the organization, especially in Fintech, compliance and risk officers struggle to find internal resources to advance their home-grown solutions, as those resources are overtasked to deliver business-needed, revenue-generating functionality.
Achieving a Risk-Based Approach with IdentityMind Trusted Digital Identities (TDI)
Organizations looking to implement a risk-based approach should first perform a risk analysis and decide which policies to apply based on the assessed risk (the risk matrix). This risk matrix should be part of the documented AML policy (or an equivalent document) that governs what your organization does for transaction monitoring.
As with any other “paper-based” analysis, the key is to take that theoretical implementation of risk and put it into practice.
A recent Forrester report* outlined the major pieces to be considered when building an organization’s AML architecture. A solid customer identification and a due diligence program are major components, made up of identity verification, document verification, entity disambiguation, enhanced due diligence for riskier customers (that is, a risk-based approach), and understanding interrelations inside the whole ecosystem.
Digital identities play a vital part in tying all of these requirements together, as they allow multiple attributes to be bundled, and related and mapped to each other, resulting in better-informed risk management decisions and improved detection rates. The IdentityMind platform utilizes digital identities and offers a set of specific tangible elements: reputation, identity graph score, and tag framework, that allows you to put that risk matrix into action.
Trusted Digital Identities (TDI): Reputation and Identity Graph Score
Understanding the risk of doing business with a user in real-time every time there is a transaction yields a very effective implementation of a risk-based approach. IdentityMind’s TDI captures and maintains a continuous risk assessment of a customer to evaluate the risk of a transaction in real time.
A TDI is a digital representation of an online individual or business. It conveys the risk of the transaction based on two metrics: reputation and identity graph score. The Reputation is defined as Trusted, Suspicious, Bad, and Unknown. You can find and learn all about TDIs in this Trusted Digital Identities guide. The graph score is a representation of the risk of the transaction based on machine learning algorithms that evaluate specific business model risks and how they apply to our clients. The lower the score the higher the risk of the transaction. You can learn all about our identity graph score by looking at these videos.
In the IdentityMind platform, every user and every transaction can be further annotated with tags. These tags are either set by the system or set by our clients. System tags are generic evaluations of the risk of the identity (e.g. “Synthetic Identity,” “Bot,” etc.), or statements about the condition of the identity (e.g. “Household,” “Shared Biz Address,” and so on) A user-specific tag is arbitrary and meaningful to the operational workflows of each client. Examples of tags by our clients are “Source of Funds Verified,” meaning that users have provided our clients with verification of funds (say for funding a wallet) and our clients have validated them. Another example is classifying users on their current KYC (Know Your Customer) state with a tag like, “Partial KYC” or “Completed KYC.”
The combination of tags, identity reputation, and identity graph score can then be utilized to apply fraud policies in real time, and rules for meeting regulatory transaction monitoring requirements for anti-money laundering (AML).
Version 2.0 of IdentityMind Platform: Dynamic, Contextual, and Transparent
The use of TDIs to continuously measure the risk of an individual in real-time as the basis for a risk-based approach is key to IdentityMind’s strategy for transaction monitoring for AML.
Risk is fluid. The process of defining a risk matrix and have it defined on static terms is limiting. Risk parameters have to adapt to the current conditions of the business and the environment. Both are necessary. The IdentityMind platform maintains an up-to-date picture of users and their risk profiles, informed by their behaviors at the business and across IdentityMind’s client base. Through the use of tag framework, the platform allows compliance and risk analysts to take the current situation and use it as part of the risk definition.
Users and transactions can’t be analyzed in isolation from the overall state of the business or its current conditions. Outlier behaviors when compared to a similar user base are very relevant, be it when comparing to peers in the same risk profile, geographic location, or by overall business behavior. The context of the market is also very relevant. Currencies may be very volatile, especially cryptocurrencies, and the overall risk may need to be adjusted to the current value of the currency.
The use of machine learning and artificial intelligence is without a doubt a significant step in uncovering complex and emerging models of risk. But, that can’t be at the expense of officers not understanding why certain users and/or transactions were selected for review. Furthermore, explaining to auditors and examiners why a particular user or transaction was not evaluated when it should have been can become even more complicated. The IdentityMind platform is very transparent about why a given alert was generated and makes it easy to use the information presented in the results to report to auditors and examiners. There are visualization tools, heuristics, and historical reporting/analytics that justify intelligence graph scoring and its implications, along with full transparency across the tags framework. Moreover, compliance and risk analysts can utilize the same framework to adjust, as they see necessary, either to streamline operations or to satisfy regulatory requirements.
A digital representation of a customer that enables organizations to capture their customers’ risk on a continuous basis is necessary. The more you know, the easier it is to make a decision. The risk profile of your customers will evolve over time, the same way your business does. You need to have the ability to adapt to these changes to reach cost-effectiveness in your risk and compliance operations while maintaining the ability to catch the bad guy. Because that matters to us all.
IdentityMind’s TDIs convey a real-time risk assessment of the users that is always up-to-date. Reputation, identity graph score, and the tag framework enable the mapping and automation of the risk analysis to effectively implement a risk-based approach. Version 2.0 of the IdentityMind platform offers AML transaction monitoring that is dynamic, contextual, and transparent.
*Forrester, Vendor Landscape: Anti-Money-Laundering Solutions, 2017. April 20, 2017. Andras Cser and Nick Hayes.