The COVID-19 pandemic has forced financial institutions (FIs) to adopt new business processes quickly as they become agencies channelling government stimulus funding whilst operating under the pressures of increased demand for digitalisation, increased loan origination volumes, remote working constraints and other operational challenges. The adequacy of existing financial crime risk management frameworks will be tested during this time and FIs should consider the risk implications discussed in this series to ensure that risk appetites and control frameworks remain fit for purpose and pragmatic, given this changed environment. 

This is the first of a series of articles considering the financial crime implications of COVID-19 for European FIs.

Overview of a financial crime risk appetite

The financial crime risk an organisation is willing to accept within the parameters of its business and strategic objectives is a vital component of good corporate governance. The acceptable risk forms the basis of the organisation’s risk appetite statement as approved by the board of directors. FIs must periodically review their risk appetite statements to meet changes in the business and changes in applicable risk factors. Times of crisis, when the external and internal environment changes dramatically, may necessitate a close consideration of the shifting risk landscape to which the institution is exposed. 

An effective governance process for the risk appetite should not only allow institutions to adapt to changes in the economic landscape and/or the regulatory environment, but ensure that the necessary review and approval process for adjustments is clear. The European Banking Authority (EBA) expects FIs to regularly monitor their actual risk profile against their risk appetite and to analyse trends for new or emerging risks or an increase in risk due to changing circumstances and conditions. In the UK, the Financial Conduct Authority (FCA) has recognised that the effectiveness of anti-money laundering (AML) controls depends on senior management “setting and enforcing a clear level of risk appetite”. 

To ensure it is acting within its stipulated financial crime risk appetite, an FI needs to assess the risk inherent in its business model, such as risks to which it is exposed through its customer base, products and services offered, geographic locations, and delivery channels. It then measures how these risks are off-set by financial crime controls, such as customer due diligence measures, sanctions and negative news screening, and transaction and ongoing monitoring. The remaining residual risk should be within the FI’s risk appetite, or the FI should enhance the controls necessary to achieve the acceptable level of risk.

In its statement on actions to mitigate financial crime risks in the COVID-19 pandemic of 31 March 2020, the EBA restated its expectation that FIs must continue to maintain and implement effective systems and controls to manage money laundering risks, even in times of crisis such as the COVID-19 pandemic.  As a result, the EBA urged the competent authorities to “ensure that credit and other financial institutions remain alert to money laundering/terrorist financing (ML/TF) techniques that might change due to the economic downturn and where necessary, update their ML/TF risk assessments accordingly.”  

FIs should review the risks, controls, and their risk appetites to determine whether the current climate, and the impact of new or emerging risks arising from COVID-19, necessitates changes to the financial crime risk assessment or risk appetite and what the impact of those changes will be for the institution.

Governance considerations

It is critically important that senior management can demonstrate the following key attributes when reviewing and adjusting, if necessary, the organisation’s financial crime risk appetite:

1. Senior management involvement and approval of material changes to the risk appetite
2. Clearly documented change management procedures (for example, risk acceptances)
3. Clear and informed risk assessments before changes are implemented
4. Mechanisms to monitor and/or contain the impact of any changes

A risk-based approach in responding to the impact of COVID-19

A risk-based approach to AML and combating the financing of terrorism is recognised as central to the management of financial crime risks by FIs. The general principle of a risk-based approach is to focus efforts and resources on mitigating areas of higher risk exposure. This is an iterative process, achieved through allocation of resources and development of policies, procedures, and controls to effectively manage the risks identified.

Recent regulatory and industry guidance regarding a risk-based approach to COVID-19 indicates the following: 

• The FCA observed in a statement on 27 April 2020 regarding the UK coronavirus business loan schemes that while management of financial crime risks by firms is essential to a well-functioning financial services system, the management of financial crime risks should be “balanced against the need for the fast and efficient release of funds to businesses under the Government’s schemes."
• In a May 2020 publication addressing the COVID-19-related ML/TF risks and policy responses, the Financial Action Task Force encouraged the full use of a risk-based approach to customer due diligence to support the swift and effective implementation of measures to respond to COVID-19, while managing new risks and vulnerabilities.  
  The statements above echo regulatory sentiments around the world and highlight that FIs must balance the pressure to process loan applications quickly whilst still maintaining the necessary control environment. This underscores the importance of using a risk-based approach as FIs may become pre-occupied with maintaining business operations under great pressure whilst still having to cope with monitoring suspicious transactions and meeting other regulatory obligations.

Practical steps for financial institutions

It is not practicable to expect FIs to completely reperform their risk assessment, which typically takes several months to complete, during a time of crisis. However, for each substantial change to the manner in which business is conducted or how controls operate, FIs should document (in short form, if required) the impact on the inherent risk and the relevant controls to mitigate such risk and consider how the residual risk aligns to the risk appetite. This process could be positioned much like the new product approval process FIs typically have in place for interim amendments in between their annual risk assessment updates.

Where the assessment concludes that a change, or combination of changes, would move the FI outside its financial crime risk appetite, alternatives should be considered, such as:

• Not implementing the change(s).
• Implementing the change(s) in a different way.
• Adding or enhancing controls to reduce the residual risk.
• Adjusting the financial crime risk appetite with appropriate approvals and a documented rationale.

Specific to the current COVID-19 crisis, the following practical categories are helpful when considering implementation of potential changes: 

Any approved changes may require revision or temporary amendments to the procedures (and high-level training to roll the new procedures out) to ensure the teams responsible for performing these tasks do so correctly and consistently.

It would be valuable now and in the future for FIs to implement a method to ringfence customers impacted by changes specifically implemented as part of the FI’s COVID-19 response to enable a risk-based approach to that population. The FI, for example, can limit the transaction flows or product utilisation rules in accordance with the risk-assessment outcomes.

Conclusion: Where to from here?

The three most important things for FI leaders to remember during this period are:

1. Don’t act impulsively: Ensure that the impact of any material changes to controls or the way in which business is conducted have been assessed and documented.
2. Ensure clear risk ownership: Include senior management in all decision-making processes that impact the risk appetite of the FI. Whilst financial crime teams must act swiftly to support the business in achieving its objectives, financial crime risk is ultimately owned by the business and, as such, senior management approval must be a pre-requisite for making any material changes.
3. Stay informed: FIs should be alert to any guidance issued by governments or regulatory bodies on emerging risks and trends, as well as temporary changes to regulatory requirements that impact their financial crime risk posture.

The next article in the series will cover key financial crime considerations for FIs in the customer due diligence process during and after COVID-19.