When an institution is devising its risk-based approach to AML, and specifically to customer due diligence procedures, it needs to decide how many categories of risk it will recognise. The discussions can sometimes take a turn for the philosophical – is it better to talk of “higher risk” than “high risk”, and is it unwise to have an odd number of categories in case that encourages the indecisive/lazy client relationship manager to select the middle one – but eventually most places end up with high, standard and low risk categories.
Most attention – regulatory and media – tends to focus on the high risk end of things. For instance, the majority of AML-related Final Notices coming out of the UK’s Financial Conduct Authority have highlighted their subjects’ inability to (a) recognise, and (b) deal appropriately with high risk customers (often PEPs). But danger also lurks at the other end of the spectrum: the danger of complacency. Sometimes people make the mistake of thinking that “low risk” means “no risk” and – worse – acting accordingly. However, I can think of no jurisdiction that recognises a category of business that is so low risk that it is exempt from due diligence – after all, how can you tell the risk category of anything until you have done at least some due diligence on it? And how can you be sure that the initial low risk categorisation remains appropriate if you do not monitor that relationship?
I read a case study recently that highlighted the dangers of underestimating the vigilance that is needed around even the lowest-of-low risk business. M worked as a maid in Singapore, and every week she would go to her local bank and pay in her wages. Once a month, she would ask her bank to transfer some of her money to an account in Sri Lanka – her home country. After four years, the bank’s auditors noticed during a random sampling exercise that many more international bank transfers were being made from M’s account. But the bank manager hesitated: the very idea of M being a money launderer seemed ludicrous, and he didn’t want to scare off the other domestic servants with accounts at his branch by suddenly closing this one. So he looked more closely at M’s account. And he saw that over the past six months, a woman who had previously made small weekly deposits was how making much larger deposits on a random, but frequent, basis, and that she was also making wire transfers to other countries besides Sri Lanka. When he asked his tellers why no-one had reported these changes, he was told that the account was categorised as low risk, and therefore had been taken off the routine monitoring list. The matter was reported to the authorities, and they later confirmed that M was not the source of the money, but was allowing her account to be used for laundering in exchange for a small fee each month. A few hundred more account-holders like M, and that criminal organisation was making the low risk category work very well indeed for them.