COVID-19 Financial Crime Series
The COVID-19 pandemic has forced financial institutions (FIs) to adopt new business processes quickly as they become agencies channelling government stimulus funding whilst operating under the pressures of increased demand for digitalisation, increased loan origination volumes, remote working constraints and other operational challenges. The adequacy of existing financial crime risk management frameworks will be tested during this time and FIs should consider the risk implications discussed in this series to ensure that risk appetites and control frameworks remain fit for purpose and pragmatic, given this changed environment.
This is the first of a series of articles considering the financial crime implications of COVID-19 for European FIs.
The financial crime risk an organisation is willing to accept within the parameters of its business and strategic objectives is a vital component of good corporate governance. The acceptable risk forms the basis of the organisation’s risk appetite statement as approved by the board of directors. FIs must periodically review their risk appetite statements to meet changes in the business and changes in applicable risk factors. Times of crisis, when the external and internal environment changes dramatically, may necessitate a close consideration of the shifting risk landscape to which the institution is exposed.
An effective governance process for the risk appetite should not only allow institutions to adapt to changes in the economic landscape and/or the regulatory environment, but ensure that the necessary review and approval process for adjustments is clear. The European Banking Authority (EBA) expects FIs to regularly monitor their actual risk profile against their risk appetite and to analyse trends for new or emerging risks or an increase in risk due to changing circumstances and conditions. In the UK, the Financial Conduct Authority (FCA) has recognised that the effectiveness of anti-money laundering (AML) controls depends on senior management “setting and enforcing a clear level of risk appetite”.
To ensure it is acting within its stipulated financial crime risk appetite, an FI needs to assess the risk inherent in its business model, such as risks to which it is exposed through its customer base, products and services offered, geographic locations, and delivery channels. It then measures how these risks are off-set by financial crime controls, such as customer due diligence measures, sanctions and negative news screening, and transaction and ongoing monitoring. The remaining residual risk should be within the FI’s risk appetite, or the FI should enhance the controls necessary to achieve the acceptable level of risk.
In its statement on actions to mitigate financial crime risks in the COVID-19 pandemic of 31 March 2020, the EBA restated its expectation that FIs must continue to maintain and implement effective systems and controls to manage money laundering risks, even in times of crisis such as the COVID-19 pandemic. As a result, the EBA urged the competent authorities to “ensure that credit and other financial institutions remain alert to money laundering/terrorist financing (ML/TF) techniques that might change due to the economic downturn and where necessary, update their ML/TF risk assessments accordingly.”
FIs should review the risks, controls, and their risk appetites to determine whether the current climate, and the impact of new or emerging risks arising from COVID-19, necessitates changes to the financial crime risk assessment or risk appetite and what the impact of those changes will be for the institution.
It is critically important that senior management can demonstrate the following key attributes when reviewing and adjusting, if necessary, the organisation’s financial crime risk appetite:
A risk-based approach to AML and combating the financing of terrorism is recognised as central to the management of financial crime risks by FIs. The general principle of a risk-based approach is to focus efforts and resources on mitigating areas of higher risk exposure. This is an iterative process, achieved through allocation of resources and development of policies, procedures, and controls to effectively manage the risks identified.
Recent regulatory and industry guidance regarding a risk-based approach to COVID-19 indicates the following:
It is not practicable to expect FIs to completely reperform their risk assessment, which typically takes several months to complete, during a time of crisis. However, for each substantial change to the manner in which business is conducted or how controls operate, FIs should document (in short form, if required) the impact on the inherent risk and the relevant controls to mitigate such risk and consider how the residual risk aligns to the risk appetite. This process could be positioned much like the new product approval process FIs typically have in place for interim amendments in between their annual risk assessment updates.
Where the assessment concludes that a change, or combination of changes, would move the FI outside its financial crime risk appetite, alternatives should be considered, such as:
Specific to the current COVID-19 crisis, the following practical categories are helpful when considering implementation of potential changes:
Any approved changes may require revision or temporary amendments to the procedures (and high-level training to roll the new procedures out) to ensure the teams responsible for performing these tasks do so correctly and consistently.
It would be valuable now and in the future for FIs to implement a method to ringfence customers impacted by changes specifically implemented as part of the FI’s COVID-19 response to enable a risk-based approach to that population. The FI, for example, can limit the transaction flows or product utilisation rules in accordance with the risk-assessment outcomes.
The three most important things for FI leaders to remember during this period are:
The next article in the series will cover key financial crime considerations for FIs in the customer due diligence process during and after COVID-19.