What generates financial crime risk?
14 November 2019
A financial services organisation generates financial crime risk (‘inherent risk’) through its business activities: by being in business it is exposed to the risk of being used in the furtherance of financial crime either through its clients’ activities (e.g. money laundering, fraud) or through its own and its employee’s activities (e.g. Bribery and Corruption; Market Abuse).
Whilst there is no unanimity of views from regulators and other bodies regarding risk definitions, it is generally accepted that inherent risk is generated through activities based around the following clusters: the jurisdictions an entity is operating in and the jurisdiction of its clients (often countries designated as ‘higher’ risk’ for money laundering and /or bribery and corruption); the products, services and transactions it offers (e.g. structured finance, mortgages); the types of clients it serves (e.g. High Net Worth, PEPS, Trusts etc); and its distribution channels (e.g. through intermediaries, non-face to face). I always recognise a third category that might generate risk - which I loosely call ‘other risks’!
This ‘other risks’ category enables an organisation to recognise that other operational factors can influence its inherent risk. For example, an expansionist strategy can create financial crime risk, either through the acquisition of risk through an entity or a portfolio or through pressure being placed on personnel to deliver enhanced results. Also whilst recognising that having a control framework is a mitigant to inherent risk, the absence of a suitable control framework is a breach of regulatory requirements which can lead to regulatory action and as such, in my mind, regulatory action should be considered as an inherent risk.
When considering inherent financial crime risk therefore it is essential that organisations fully understand their operational activities and consider all aspects of risk including ‘other’ risks.
By fully recognising the business activities that generate financial crime risk, organisations can manage their inherent risks by flexing their exposure to those factors: e.g. they can exit a higher risk product if it is generating a lot of risk but little return; they can delay the offer of a full suite of products in a new high risk jurisdiction until the mitigating controls are operating effectively. Understanding and managing their inherent risks through the operation of their business activities is the first step to an organisation effectively managing and defining its financial crime risk.