Creating an AML Risk Model for your Business.
16 June 2021
Since the 4th AML Directive came into force in 2018, Subject Persons in Malta have had an obligation to utilise a ‘risk-based approach’ in their due diligence methodologies. The regulation prescribes certain mandatory factors within a risk model whilst leaving firms ample flexibility in how they design it.
Such flexibility is of utmost importance when designing these risk models, mainly because each business may be exposed to different types of ML/FT risks and may therefore prefer to fine-tune its AML risk model to capture these risks more efficiently.
That said, we have seen several common weaknesses within the AML risk models reviewed by the Radix Compliance team. Apart from the occasional subject person that did not have a risk model (client risk assessment) in place, most subject persons reviewed had some form of CRA in use within the firm. Two main issues have been noted within AML risk models so far:
- The AML Risk Model does not have all the pillars as guided by regulation; and
- The AML Risk Model's risk calculation is imbalanced or does not make logical sense.
The first issue noted is easy to identify. The regulation states that as a minimum the AML Risk model needs to have the following risk pillars in place:
i) Customer Risk Pillar
ii) Service Risk Pillar
iii) Channel Risk Pillar
iv) Jurisdiction Risk Pillar
In certain types of businesses, additional risk pillars would complement the AML Risk model, making it more effective in practice. This is usually done by adding a transaction risk pillar and a high-risk factors pillar. Certain sectors may have sector-specific risk models which take into consideration factors that relate only to that particular sector. The risk model can also take into consideration certain additional flexibilities provided by regulation to a particular sector, for example, low-risk customer classification based on the amount of deposit within the VFA sector. Similar flexibilities also exist for the Gaming industry.
Finding the right balance
Experience in designing AML risk models proves beneficial during the early stages of the model’s design and the application of scores. There are two main types of risk models:
i. Risk models based on a scoring methodology
ii. Risk models based on factor combinations
Whilst regulation allows both types of risk models to be used, it is often noted that, due to the large number of possible combinations of risk factors, risk models based on factor combinations are not ideal in practice. A firm should therefore analyse and discuss with professionals whether a scoring methodology risk model is worth considering for its business.
When dealing with scoring methodologies, one needs to give special attention to three main things:
i. The scoring weight of each factor
ii. The weight of each pillar
iii. The overall risk calculation
Applying a score to each factor may be considered the easier part of the model design. What matters at this stage is to consult the National Risk Assessment and the Supra-national Risk Assessment to identify any recommendations on certain factors. The AML Regulation and implementing procedures (part 1 and sector specific part 2) should be consulted to identify any factors demanding a high-risk classification. These are also known as ‘override’ factors: factors which, when present, override the risk of the customer to high, irrespective of the scoring within the other risk pillars. An example of such a scenario is when dealing with a Politically Exposed Person (PEP).
Finding the right balance across the pillars is another matter. The main issue within this exercise is that a small change to the score of a factor or to a weight within a pillar has a ripple effect on the whole balance of the model.
Having the right logic within the AML Risk Model is also important. Two different models may arrive at the same conclusion, yet the logic of the calculation in one of them may not make sense. This may prove to be an issue when the risk model is analysed by a competent Authority, which would seek to understand the logic of a risk model. A common scenario the team noted in the past when reviewing models was that an average score was being taken within the risk pillar.
For example, consider a CSP that takes the service risk pillar into consideration and offers 3 main services: Directorship service, Registered Office, and assistance with opening of bank account. The CSP established that the Directorship service is scored as medium risk, Registered Office as high risk, and assistance with opening of bank account as low risk. We have seen models which took an average of these scores within the service risk pillar. This makes little logical sense, because the high-risk service exposure should not be averaged out by providing a lower-risk service. The exposure to the high-risk service will still be present, irrespective of whether the subject person provides additional lower-risk services. Therefore, even if an adjustment is made to the actual scoring to make up for this averaging, the logic of such a model makes little sense and should be avoided.
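The averaging problem and the override behaviour described above can be seen in a short scoring sketch; this is an added example, not a model from the article or from Radix Compliance. The numeric scale, pillar weights, rating thresholds and the sample customer are constructed assumptions, and taking the highest service score is one assumed way to keep the high-risk exposure visible.

```python
from statistics import mean

# Constructed numeric scale; the article only names low/medium/high.
SCORE = {"low": 1, "medium": 2, "high": 3}

# Service ratings taken from the article's CSP example.
SERVICES = {
    "directorship": "medium",
    "registered_office": "high",
    "bank_account_opening_assistance": "low",
}

# Hypothetical pillar weights (sum to 1.0) and rating thresholds.
PILLAR_WEIGHTS = {"customer": 0.3, "service": 0.3, "channel": 0.2, "jurisdiction": 0.2}
THRESHOLDS = [(2.4, "high"), (1.7, "medium"), (0.0, "low")]

def pillar_average(ratings):
    """The flawed logic: lower-risk services dilute the high-risk one."""
    return mean(SCORE[r] for r in ratings)

def pillar_highest(ratings):
    """Assumed alternative: the pillar carries its highest exposure."""
    return max(SCORE[r] for r in ratings)

def overall_rating(pillar_scores, override_factors=()):
    """Weighted sum across pillars; any override factor forces 'high'."""
    if override_factors:
        return "high", None  # score is irrelevant once an override applies
    total = sum(PILLAR_WEIGHTS[p] * s for p, s in pillar_scores.items())
    for floor, label in THRESHOLDS:
        if total >= floor:
            return label, round(total, 2)

def assess(service_fn, override_factors=()):
    # Constructed customer: medium customer risk, low channel and jurisdiction risk.
    scores = {
        "customer": SCORE["medium"],
        "service": service_fn(SERVICES.values()),
        "channel": SCORE["low"],
        "jurisdiction": SCORE["low"],
    }
    return overall_rating(scores, override_factors)

if __name__ == "__main__":
    print("average :", assess(pillar_average))
    print("highest :", assess(pillar_highest))
    print("PEP     :", assess(pillar_average, override_factors=("PEP",)))
```

With these constructed values the same customer is rated low when the service pillar is averaged and medium when the pillar keeps its highest score, which is the dilution effect the paragraph above warns about.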
There are no shortcuts
It is only through experience, testing, and fine-tuning that one finds the right balance for the business. This may take months of work, especially if one is not experienced in the area. It is also important to note that the AML risk model is not static. With time, risks may change, and so will the subject person’s exposure to these risks. AML professionals need to keep up to date with these risks by updating the firm’s Business Risk Assessment. Following such an update and analysis, the firm would need to consider whether the present AML Risk Model requires further updates to remain effective in identifying the true risk of the customer, and therefore the direction in which the firm needs to invest additional resources. An ineffective ML/FT Risk Model is expensive. It may cost the firm regulatory fines and reputational damage.