The biggest problem is that when the term "risk-based" was adopted it came with a whole load of baggage. Worse, it puts financial institutions into having to prioritise a risk-based approach v compliance - and the wrong one is winning.
When I first described financial crime risk in the mid 1990s, it was highly focussed: it was the risk that the bank (etc.) would be used by money launderers and those funding terrorism.
The term "risk-based" came along later and it lost focus but the core remained the same. If you know your customer (and those you deal with) you can assess the risk that they present.
However, the understanding of the term flew out of the window because banks, etc. already knew about risk and it was all to do with credit risk. And they knew about compliance because they had compliance officers.
The bridge to understanding the risk that a person will use the institution was lost between the two. Financial crime risk was an adjunct and the prime culprit for that is regulators which focus on compliance because it is measurable and they need "metrics" to prove their own value.
Risk successes cannot be measured, only failures, and so we see graduated responses by regulators and media because it gives them a platform to shout from.
The simple thing to remember is that you can't assess risk if you don't understand your own business, that of your customers and that of those you deal with and that means much, much more than the simple name, address and "source of ....." information that sausage machines decide is enough.
So the original poster's list of things that are needed for risk analysis is helpful but it doesn't solve the underlying problem that so many organisations are stuck in a tunnel that says "the regulator says do this so if we do it, we're safe."
Regulatory risk is now a far bigger threat to regulated businesses than actual money laundering. That's back to front - it's the cart before the horse. The focus should always be on detecting, deterring and reporting suspicions of financial crime.
Sadly, while regulators say "go and buy in a tech fix for this," that is, as the original poster implied, only going to go so far and, in any case, until the various fixes are compatible (on every tech level imaginable) they cause additional problems.