Financial Crime Risk Assessment (FCRA)
No matter whether you are a bank, exchange house or insurance company, assessing your financial crime risk is a regulatory requirement under the Federal Decree Law No. (20) of 2018 and the Cabinet Decision No. (10) of 2019.
But how to do it? Read our insights below:
Identifying, assessing and managing risk are the key components of every successful Financial Crime Compliance Framework. Therefore, establishing a comprehensive FCRA is a key requirement by regulators.
Having said that, all regulated entities are aiming to fulfil regulatory requirements and expectations. But what are the regulatory requirements? Why is it beneficial to do an FCRA in the first place? What should be avoided when conducting an FCRA? What is best practice?
In this article we cover the legislative background in the UAE, the methodology of the FCRA and some pitfalls that should be avoided. Also, we aim to establish reasonable expectations that any entity should have before carrying out an FCRA.
Legislative Background
As per Article 4 of the Cabinet Decision No. (10) of 2019, all “Financial institutions and DNFBPs are required to identify, assess, and understand their crime risks in concert with their business nature and size”. While doing so, regulated entities should consider “all the relevant risk factors such as customers, countries or geographic areas; and products, services, transactions and delivery channels, before determining the level of overall risk and the appropriate level of mitigation to be applied.”
The above applies to all entities in the UAE, irrespective of whether they are regulated by CBUAE, DFSA, FSRA or the Ministry of Economy. All regulators have implemented the requirement in their rulebook but have not specified in great detail how the FCRA has to be carried out. Although regulated entities surely wish for more detailed guidance, it is obvious that the design of an FCRA highly depends on the specific business model and complexity of operations of each entity: Banks, Exchange Houses, Asset Managers, Insurers, FinTechs and DNFBPs are very different from each other.
Regulators have subsequently issued further guidance on how the FCRA should be carried out. The main point of reference for Financial Institutions is the Guidelines on AML/CFT that have been prepared as a joint effort between the Supervisory Authorities of the UAE and set out the minimum expectations. A very similar guidance document exists for DNFBPs. Point 4 in the Guidelines contains details relating to the FCRA.
Further, considerable guidance and requirements have been given for example to Exchange Houses regulated by the CBUAE (see point 4.1 of “Guidance for Licensed Exchange Houses”) which might be an interesting read for other entities as well.
What are the advantages of Conducting a Risk Assessment?
Usually, the benefits of an FCRA are not immediately obvious for many entities since the process can be long, cost-intensive and time consuming. Nevertheless, entities should understand that the FCRA is not a process that is solely done to fulfil a regulatory requirement. The “Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption” name some of the major benefits:
- identify gaps or opportunities for improvement in AML policies, procedures and processes
- make informed decisions about risk appetite and implementation of control efforts, allocation of resources, technology spend
- assist management in understanding how the structure of a business unit or business line’s AML compliance programme aligns with its risk profile
- develop risk mitigation strategies including applicable internal controls and therefore lower a business unit or business line’s residual risk exposure
- ensure senior management are made aware of the key risks, control gaps and remediation efforts
- assist senior management with strategic decisions in relation to commercial exits and disposals
- ensure regulators are made aware of the key risks, control gaps and remediation efforts across the FI
- assist management in ensuring that resources and priorities are aligned with its risks.
Sometimes it might take a couple of cycles of the FCRA to make those benefits tangible for regulated entities.
How to conduct an FCRA?
On a very high level, the FCRA starts with the identification and rating of inherent risks (without the application of any controls) considering the specific business of the entity (at the minimum: customers, products, locations, channels). Then controls are mapped to the risks, and it is assessed whether those controls cover the risks effectively (testing of control design and effectiveness). In the last step, the entity assesses whether the controls reduce the inherent risk levels to a residual risk level that is accepted by management/board and does not constitute a threat to the entity.
It is important to understand that the risk assessment is not solely the responsibility of the compliance department. Each front-line unit conducts its own assessment of inherent and residual risk, including the gathering of the relevant data (e.g., how many customers from high-risk countries, volume of cash deposits, etc.).
Front-line units’ assessments should then be aggregated to the line of business, then to the legal entity and then to the group level. Ratings usually include low, medium and high but could also have risk level nuances (low/medium, medium/high).
At each aggregation level, risks should be compared to previous years since the FCRA should be refreshed yearly or if a major event occurs (e.g., merger and acquisition, product retirement, etc.). The entity should be aware if residual risks are increasing, stable or declining.
Testing of controls can be a major obstacle because it is time intensive and there is a likelihood that the testing is incomplete and not all controls are tested. The first, second and third lines of defence have to contribute to the testing of the design and effectiveness of controls: risk and control self-assessments, compliance testing/assurance, internal audit reports and any reports from external/regulatory audits can give valuable insights into the effectiveness of controls.
The process usually results in the identification of issues or gaps and a respective remediation plan should be drafted and approved by management/board.
At the end of this section, we want to emphasize the need for continual refinement and evolution of the process over time, since the FCRA is not a static process but dynamic in nature.
Is it advisable to use a ‘tool’ or ‘system’ to conduct the FCRA?
Throughout the years and with growing regulatory expectations, various compliance consultants and technology providers have attempted to create “off the shelf” FCRA solutions to support regulated entities. Generally, this can be an option, but a few factors should be considered before spending money on the above:
#Question 1: Does the benefit justify the costs? Is it necessary?
Especially for smaller entities with fewer products/customers and limited geographical reach, the costs are oftentimes not justifiable and an in-house solution might be more cost effective. Do not forget: Even when buying an off-the-shelf solution, much time and effort will be needed to tailor it to the entity, and the regulator expects the entity to fully understand the methodology and outcome of the FCRA.
#Question 2: Does the provider support the implementation and tailoring of the solution to the specific business of the regulated entity?
The entity has to assess if the solution has the ability to cater to regional/local specifics (e.g., the requirement to consider the results from the National Risk Assessment, see AML/CFT Guidelines) and if not, how can this be added?
#Question 3: Does the solution support the integration of data from the regulated entity (considering customers, locations, products and delivery channels)?
The calculation of inherent risk is highly dependent on data. As an example: PEPs are high risk in general, but it makes a difference whether the entity has one or 1000 PEPs in its portfolio. Transactions with high-risk countries are generally considered high-risk, but it makes a difference whether 1% of the overall transactions are with high-risk countries or 50% of overall transactions are with high-risk countries. If the solution does not support this essential part, the entity has to assess how this can be integrated or considered nonetheless.
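To make the methodology from the “How to conduct an FCRA?” section and the data-driven point above concrete, here is an added illustrative scoring walk (example code, not from the article or any regulator): inherent risk is rated from the share of PEPs and of high-risk-country transactions per front-line unit, mitigation credit is given only for controls whose design and effectiveness were both tested and passed, residual risk is aggregated to the entity level and then compared with last year’s rating and the risk appetite. All figures, thresholds, unit and control names are constructed assumptions.

```python
"""Illustrative FCRA scoring: data-driven inherent risk, tested controls, residual risk,
aggregation to the entity and comparison with last year and the risk appetite."""

# Constructed unit-level data; all figures are hypothetical.
UNITS = {
    "retail":  {"customers": 20000, "peps": 40, "high_risk_country_txn_pct": 1.0},
    "private": {"customers": 500,   "peps": 60, "high_risk_country_txn_pct": 35.0},
}
# Controls mapped to each unit as (name, design passed, effectiveness passed).
# None = effectiveness never tested, which earns no mitigation credit (Pitfall 3).
CONTROLS = {
    "retail":  [("PEP screening", True, True), ("country risk monitoring", True, None)],
    "private": [("EDD for PEPs", True, True), ("country risk monitoring", True, True)],
}
ORDER = {"low": 1, "medium": 2, "high": 3}

def rate(score):
    """Map a numeric score onto the low/medium/high scale used in the FCRA."""
    return "low" if score <= 1.0 else "medium" if score <= 2.0 else "high"

def inherent_score(unit):
    """Inherent risk before controls: the same factor weighs more when it is a larger share."""
    pep_share = 100.0 * unit["peps"] / unit["customers"]
    pep = 3 if pep_share > 5 else 2 if pep_share > 1 else 1          # hypothetical thresholds
    hrc = unit["high_risk_country_txn_pct"]
    country = 3 if hrc > 20 else 2 if hrc > 5 else 1                  # hypothetical thresholds
    return max(pep, country)  # conservative: the worst factor drives the unit rating

def mitigation(controls):
    """Share of mapped controls whose design AND effectiveness were tested and passed."""
    passed = sum(1 for _, design, effective in controls if design and effective is True)
    return passed / len(controls)

def residual_score(name):
    """Residual risk: inherent score reduced by at most half, in proportion to tested controls."""
    return inherent_score(UNITS[name]) * (1 - 0.5 * mitigation(CONTROLS[name]))

def entity_residual():
    """Aggregate front-line units to the entity: the highest unit residual sets the rating."""
    return rate(max(residual_score(n) for n in UNITS))

def trend(previous, current):
    """Year-on-year movement of a rating: increasing, stable or declining."""
    diff = ORDER[current] - ORDER[previous]
    return "increasing" if diff > 0 else "declining" if diff < 0 else "stable"

def within_appetite(current, appetite="medium"):
    """Pitfall 5 check: is the residual rating inside the board-approved appetite?"""
    return ORDER[current] <= ORDER[appetite]

if __name__ == "__main__":
    for n in UNITS:
        print(n, "inherent:", rate(inherent_score(UNITS[n])), "residual:", rate(residual_score(n)))
    ent = entity_residual()  # last year's entity rating of "low" is a constructed assumption
    print("entity:", ent, "| trend:", trend("low", ent), "| within appetite:", within_appetite(ent))
```

With these constructed inputs the retail unit stays low, the private unit drops from high inherent to medium residual, and the entity rating of medium is flagged as increasing versus last year while still inside the medium appetite.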
What to avoid?
Of course, each entity faces various obstacles along the way, and it is expected that from cycle to cycle of conducting an FCRA, the process will improve including its efficiency. The following points are therefore only to be seen as common pitfalls regulators have observed while reviewing FCRAs of regulated entities:
#Pitfall 1: FCRA is solely a task carried out by the compliance department.
This might work for very small entities and DNFBPs and the involvement of the business units and management might be limited to the communication of results of the FCRA. But if the entity is large and has various business units, the business should be involved in the identification of inherent risk and the control testing. Remember: the business owns the risk – not compliance or risk management.
#Pitfall 2: The identification of inherent risk is not data driven and very generic.
As explained earlier, to build an individual risk profile of an entity, actual transaction and customer data is essential. Extracting data is a challenge but necessary to assess inherent risk. Therefore, it is advisable that entities spend some time and resources on building a data map that defines the data needed to conduct the risk assessment and that can be extracted at the press of a button, without much manual intervention.
#Pitfall 3: The control testing is not comprehensive.
There are controls relating to financial crime prevention that have never been tested. Generally, the design and effectiveness of controls should be tested, but since the testing of the effectiveness of controls is time and resource intensive, some entities do not comprehensively test effectiveness.
#Pitfall 4: The results of the risk assessment are not used to draft a remediation plan.
A remediation plan with concrete actions, timelines and responsibilities should be drafted after each cycle of the risk assessment and the same should be approved by management/board. Resources that are required to remediate shortcomings should be requested and approved.
#Pitfall 5: The risk assessment has no link to the risk appetite statement.
As mentioned earlier, at the end of the process, the entity must evaluate and decide if the residual risk is within a range that is acceptable to the entity. This can be separate for categories of risk or organizational units that carry risk (e.g., risk acceptance within retail, corporate and private banking sector can differ).
What is Best Practice?
Let us say first: Aiming for best practice is great! The challenge is that the FCRA is highly individual, and it is hard to compare the process or the outcome with another entity, since each risk profile is unique and what one entity does might not make sense for another entity. So, comparing the FCRA of a fintech with the FCRA of an insurance company obviously does not make sense. Comparing a small corporate bank with a large retail bank does not make sense either. If one were to compare entities that are in the same business and offer similar products, a comparison and an assessment of which entity has the better FCRA might be possible. So, let’s take 10 entities that are very similar and let’s review all of their FCRAs – probably the best one could be seen as best practice:
1. Follows the regulation & additional guidance given
2. Includes all relevant departments & gets buy-in
3. Avoids the pitfalls
4. Appreciates that the process can always be improved
5. Is pro-actively trying to enhance it
6. Works on the shortcomings that have been identified through the control testing with the approval and support of senior management/board
Final Thoughts
The establishment of the FCRA process is difficult, time intensive and potentially costly but with the increased scrutiny by UAE regulators, entities cannot take this part of financial crime compliance lightly.
The FCRA is not only an important pillar of financial crime compliance but also contributes to the broader integrity and security of the financial industry, since risks are identified and managed accordingly.
With time and further reviews by regulators/external parties, financial institutions and DNFBPs will become more experienced and confident in the conduct of an FCRA. This in turn will provide them with valuable insight into their individual financial crime risks and the respective management of risks.