Bovill publishes its study into how foreign banks are assessing customer risk as part of their overall financial crime framework.
In 2016 Bovill undertook a survey and gained views from 23 foreign banks on how they identify, quantify and document customer risk. The attached publication explores the common themes from our research, including our survey results, but also provides commentary from our own experience in dealing with a large number and range of regulated firms, providing valuable insight into how firms are assessing customer risk.
Download the Foreign Banks Study [PDF].
Here are the top 10 key findings from our research featured within the report:
- Firms implement a wide variety of Customer Risk Assessment (CRA) models (e.g. scoring, decision tree, matrix and tick box approaches); however, a hybrid methodology combining one or more of these approaches is the most common method for determining customer risk. This is perhaps reflective of the need to implement a methodology which is both tailored and proportionate to the size and complexity of an individual firm.
- From our survey results, we found that the majority of CRA models determine ‘country’ as the most common risk factor to be consistently used. When used as part of a scoring approach it is also the highest weighted factor within a firm’s CRA model.
- In addition to the prescribed, or as Bovill terms them, ‘core’ risk factors that a firm is required to consider as part of their risk-based approach – the customer’s country, their products and services, the industry and/or occupation, legal entity type and distribution channel – firms are typically including ‘additional’ risk factors within their CRA models. Examples include Politically Exposed Person (PEP) status, exposure to sanctioned countries, the identification of relevant and credible adverse media on a customer, customers with trade finance products and whether there is a correspondent banking relationship.
- These more ‘binary’ additional risk factors may account for why the most common method of developing a comprehensive CRA model is a hybrid approach combining a number of methodologies to determine an overall risk rating for a customer (see the first finding above).
- The majority of firms surveyed (92%) use 3 or more data sources to help determine ‘country risk’, with over half of firms (53%) using 4 or more data sources to inform their CRA models. This is reassuring given the regulatory expectation to incorporate a wide variety of country risk sources within a firm’s CRA model, without over reliance on one particular source.
- 87% of firms that took part in our survey use the resulting overall risk rating of a customer to inform the type and level of due diligence conducted. For example, the risk rating has an impact on the level of sign-off required before on-boarding or continuing a relationship with the customer, as well as additional verification requirements for source of funds or wealth information.
We also found that the overall customer risk rating typically impacts the level of ongoing monitoring of the customer. For example, 78% of firms stated that a risk-based approach to the application of transaction monitoring parameters or the frequency of periodic review (83% of firms) is increased for a customer classified as higher risk, compared with a lower risk customer.
- We found that 35% of firms surveyed do not use the outputs of their CRA model to identify customers, or potential customers, who sit outside of their risk appetite. Furthermore, it was identified that 22% of firms do not use data from their CRA model in their Management Information (MI) reporting. Only with appropriate and accurate MI can a firm be sure that their CRA model is operating effectively and within the firm’s risk appetite.
- In more than half of firms surveyed (61%) the CRA model is owned by the second line of defence (i.e. Compliance or Risk functions) who are responsible for maintaining the methodology. Given that the most popular method of gaining assurance on the CRA model is the commissioning of a thematic review by the second line of defence within the firm (74%), our survey findings do bring into question the independence of monitoring and potential conflict issues within some firms.
- For 74% of firms surveyed, business operations or front office staff (i.e. the first line of defence) are responsible for assigning the overall risk rating to a customer relationship. However, only in 52% of firms have front line staff received training on the CRA model, which also highlights a potential training and awareness gap within some firms.
All firms surveyed have conducted some form of compliance monitoring or testing to assess the operational effectiveness of their CRA model within the last 2 years, with the majority of firms using a variety of methods to assess whether their model is operating as designed and that outputs are appropriate. Some firms are even supplementing their understanding by benchmarking themselves against their peer group (39%).
- Whilst firms are on the whole comfortable with the accuracy of their CRA model, if resources were available and improvements were to be made, most firms (87%) would like their CRA model to be more automated and have improved connectivity with other financial crime processes (e.g. transaction monitoring systems).
The survey provides great insight into some of the challenges associated with maintaining an effective CRA model. Foreign banks are clearly recognising the importance of a CRA, demonstrating a significant commitment of time, effort and investment into developing effective CRA processes. From developing underlying risk lists (such as country risk) to defining processes, utilising technology and applying the CRA throughout the customer lifecycle, it is clear that this is not a simple task for firms.
Ultimately, the value of a good CRA model comes through its ability to appropriately target resource and effort on the highest risk customers. Whether that is realised in the level of due diligence applied, or the amount of ongoing monitoring, a well-tuned and effective CRA is critical to the application of a meaningful risk-based approach.
Should you have any questions or wish to discuss your own CRA further, then please do get in touch.