Assessing AML Geographic Risk: A Methodology
November 13, 2020
Foreign transaction activity is an established risk factor for money laundering. But, what makes one country “riskier” than another from a money laundering or terrorist financing perspective? Financial institutions have no definitive source for country money laundering risk.
In this webinar, we explore one objective methodology financial institutions may consider to assess individual countries’ money laundering risk, which in turn may be used in transaction activity monitoring, customer risk scoring and the institution’s high level money laundering risk assessment.
Here are the questions and answers from the event.
Q: The CPI (Corruption Perception Index) is based on public sector corruption. How does this translate as risk for private businesses and individuals?
When there is a high risk of public sector corruption, this will automatically flow into private businesses and individuals because it might be a way of doing business in that country. And then whoever is receiving the bribe or/and making the bribe needs to hide the fact that that it may be occurring through laundering of proceeds. That is how I would say that high corruption in the public sector translates as risk for private businesses and individuals.
Q: Should an overall geographic risk score be determined, or should there also be a subset of geographic risks according to the various countries that an entity conducts business with?
That’s certainly an option. I won’t say that one is better than the other, but it’s an interesting idea that you could give a different risk score within the customer’s risk score to different elements of geographic risk.
I’m thinking an example might be if an entity does a lot foreign exports or imports, a lot of trade, then what countries are they trading with? And so you may choose to risk-score based on what those countries are, if they’re high-risk countries, especially those that may have ties to narcotics trafficking, human trafficking, or sanctions.
And then that could be a subset. And then you may have a second subset that might be, say, inter-company relationships, so where is that company domiciled? Where is its parent company or any affiliates domiciled, so that there is a potential for inter-company transactions from those high-risk countries back to your customer? And that could be a second type of risk score. And there are many other sorts of combinations. That’s certainly a different approach that is valid. You document your rationale for it and then put it together.
Q: So how would someone test their risk-scoring models?
A: Usually, the way I would test a risk scoring model is I would pick a sample of customers that I know were high-risk or low-risk or medium-risk based on their activities, and then I would run them through the model giving the different point values to what they’re doing, and then see, does it come out to the score that I expect it to.
If you’re just looking at your country risk scoring model, just look at what each country comes up with and then look at your overall sort of distribution of countries amongst their ratings. Are the countries that are clearly high-risk coming up as high-risk?
You will want to tweak your model so it reflects your perceptions of risk based on your information and the knowledge that you have from all the resources you’ve reviewed. It is not the highest-risk countries like North Korea and Iran that are hard to score but rather the ones in between that are the trickier ones.
Q: If you’re a financial institution that does not do business internationally, should you have a geographic risk score for specific regions within a country that has a history of high money laundering activity?
A: Sure, that can certainly be effective. I guess when you say doing business internationally, that could mean one of two things. That could mean that you have account holders outside of your country, but remember that another thing that you’re looking at here with geographic risk is what your customer is doing.
If your customer is transacting with a higher-risk country then you wanna be able to flag that in your model and in your transaction monitoring so that you could say, “Hey, okay, what are you guys doing here? Does this make business sense?”
Q: Any tips on how you used to get updates from regulators on any new guidance that have come out or are issued?
A: In my opinion, the best way to stay informed nowadays is to just subscribe to as many notifications email lists as you can from all the major risk sources and then just keep an eye on them. Get on your regulator’s email mailing list. Look at ACAMS’ mailing list too – anything that can alert you that way to new and emerging trends.
FinCEN will follow suit after FATF typically, where if FATF publishes information or updated information on certain countries that are failing or not making progress with their AML regime then, you know, a month or so later FinCEN will come along and publish guidance related or specific to those countries that the FATF talked about.
Q: So you talked about documenting your model and any changes you’re making. Are there any best practices or pitfalls that you’re aware of that are worth sharing with our audience in terms of documenting the process?
A: I think one of the most important things to document is your rationale for the choices that you made in building that model. Why did you choose each specific risk factor? Why did you choose to give this amount of points or weight them a certain way? And that’s especially important because as somebody else evaluates your model, they need to understand what your thought process was, and that it wasn’t just something arbitrary.
Especially from a regulator perspective, this really helps support you and your model because so much of this is perception-based, so you can support your position and have less of an opportunity for criticism when you have documented why you thought this was important or why you did this a certain way.
And then another important factor would be to make sure that your model documentation is very detailed because that helps ensure that everybody understands it, that someone else can pick it up and read it and be able to test it. Because if you’ve documented that, “Okay, this is supposed to happen this way and this happens this way.”
Then when you test the model, if it doesn’t match up to how you documented it then there is either a problem with your documentation or a problem with your model, and they’re not matching up.
So being very specific and detailed is important as well as documenting your rationale. And then making sure that as you do your annual review or periodic review of your model that you update the documentation as well.
Q: Are you aware of some common criticism that audit or examiners might give around geographic risk?
A: I have not, but I’ll step back and say in the U.S., our AML regulations are very broad and they talk about a risk-based approach but they allow then each financial institution to build their models around this risk-based approach, so they’re not setting very hard lines as to what you must do or must not do.
Now, certain regulators and individuals within regulatory organizations may have their own opinion about how something should be. And so that may or may not be entirely accurate.
So when you have documentation of anything that is a gray area that is basically an interpretation by your institution of that particular regulation or risk, then by having your rationale documented, it’s really harder for a regulator to say that, you’re wrong because, again, so much of this is perception-based. It’s based on the institution’s risk appetite.
Having documented rationale and your thought process gives a lot of substance to be able to stand up against as opposed to, “Well, we just did this because that’s what everybody else is doing” or, “That’s what somebody thought it should be.” Instead, you have a rationale behind it, and that’s much easier to support.
Q: Can you provide a link to the country-risk scoring resources mentioned during the webinar?
- INCSR Volume 2
- TRACE Matrix
- Transparency International CPI
- Basel Index
- FinCEN 311 Special Measures
- Secrecy for Sale
Q: What do you think will be the biggest risk that will be a result of the pandemic?
A: There are many possible outcomes or scenarios. I think we are going to see a big increase in fraud. We already are in the United States seeing the fraud attempts with phone calls to people asking for their bank information so the IRS can properly send everyone their stimulus money. That is one that has been making its way around.
There is going to be counterfeit checks. There is going to be lots of social engineering based fraud and then of course money that is gained through fraud has to be laundered, right?
I think another issue we may see globally is probably heightened levels of corruption and bribery because everyone is desperate for certain commodities to deal with this pandemic. There are rules that might need to be bypassed in order to get things faster. There is profiteering that is going on in terms of when a resources scarce. And so I those are the two big ones that I see.
We have not heard very much about other types of illegal activities right now or terrorist activity for example, but I would imagine that some of those illegal activities are going to happen. They may use this opportunity and the distraction that it is creating as a way to further their narcotics trafficking and illegal activities because no one is paying attention right now.
Q: Would you say that some countries would be a continued risk because there may be new geographic risks that pop up because of the pandemic?
A: I think the source of a lot of this fraud is going to be global. I think we will probably see it from many different locations as everyone tries to cash in on it.
Q: How/why is geographic risk not considered? Cases where geographic risk is not a consideration?
A: I guess you could say if your institution only deals with customers and transactions within your own country. I was also thinking the gaming industry as they probably have a lot less geographic risk, then financial institutions do. It all depends on your customer base and the type of activity that you see through your institution.
Q: We are a small firm and rely on the Basel country risk scoring. Do you think this is sufficient?
A: I think it does, definitely. It is extremely well documented. It has different nuances to it, but none of this is hard measurable data where you can quantifiably say this country has this much money laundering going on, and this country has that much money laundering going on.
So it is all a matter of judgment and certain data points. They have experts, so I would say that there is nothing wrong at all with using the Basel index.
Q: Who audited this listing of organizations that are black listed, and did they determine who set them up? My concern is organizations who upset a regional power by their politics is being unfairly blacklisted.
A: It is important to say that none of these is for the most part a blacklist. In other words. They are just risk indicators. So you are not forbidden from sending money to and from the Cayman Islands.
There are very few countries that are blacklisted and they are typically the ones that we see all the time: North Korea and Iran are the two that are come to mind. Pretty much everybody is trying to stay away from them right because of their activities.
It is how much it all comes down to an institution’s risk appetite. Are you willing to engage in transactions with for your customers with a certain country that has a high money laundering risk?
You certainly could if you decide you are going to tolerate that level of risk and what are you doing to mitigate that. Are you examining each transaction? You may be asking for a supporting documentation for a transaction. There are so many different things that you could do to try to mitigate that risk, but none of them, with those two exceptions, are what I would call blacklisted. They are simply indicators.
I do not really know who audits the Basel index. It is considered independent. It comes out of Switzerland, so it is very independent.
How they came up with every risk ranking. I think that is really the key. So whether it’s the Basel index, the Corruption Perceptions Index, the TRACE Matrix, all of those are they’re very transparent in how they have decided why they’re giving a particular ranking to a country so you can read that and make your own judgment about it.
Q: When you have countries that have set up organizations that other countries call terrorist organizations, how do you distinguish between those?
A: I am thinking of, for example, Hezbollah, which is primarily based in Lebanon. So the U.S. sanctions program is titled the Lebanon sanctions, but it is not on Lebanon or the government of Lebanon or the people of Lebanon.
It is about the terrorist activities within Lebanon. So that’s why you have to be careful about the names that they give these programs and then identify, who is really being sanctioned.
So a terrorist organization like Hezbollah is supposedly based in Lebanon, but they operate all over, so there is not really a specific country.
Q: Why are we not listening States within the U.S. for regional risks?
A: The United States has many issues. In fact, the CDD rule that was passed and went into final effect a couple of years ago was, in my opinion, a knee-jerk reaction to multiple mutual evaluation deficiencies that the U.S. has incurred through FATF for us not doing anything about beneficial ownership.
But the way our government is designed, corporate formation law resides under the control of the states.
So every state has the right to do pretty much whatever they want in terms of what information they collect, how anonymous they make their corporate formation, whether they collect any pertinent information at all, and we know the for the most part we know the big players in this are Delaware, Wyoming and Nevada.
And so it would be very interesting to see kind of a risk ranking of states by their levels of corporate secrecy.
Nobody is actually ranked that other than the ones that are very well known for it and actively promoted.
Q: Would you consider whether a country is an OFC (offshore financial center) as a risk factor?
A: Potentially. Being an offshore financial center does not necessarily indicate that it has a lack of transparency. It can certainly be used I would think it is appropriate to use it.
It’s a little bit broader as well than a then say the financial secrecy index which to me is more targeted toward what we’re looking for, which is levels of actively promoted secrecy.
But offshore financial center is it is sort of a tangential or companion factor that you could certainly include in a risk model.
Q: What about Syria, is not it included under FinCEN 311 Special Measures?
A: No, not at the moment. There are Syrian OFAC sanctions, but they are not under 311 right now.
Q: How would you specifically use the 311 special measures into a model, some measures a country related and some are bank related?
A: What I did with my model was I only used the country related ones. As I mentioned, there have been a number of countries over the years (at the present time there is only two) but I would give a point value to those countries that were listed under special measures.
Q: What is your opinion on KnowYourCountry website?
A: It provides a lot of information, which is certainly a good resource. But you need to take that information and then make your own judgments about it.
It has some key information but it is not going to address many of these specific risk factors. It can certainly be used as a knowledge resource.
Q: What data source or list do you use for sanctions? We certainly covered some of this and in detail in a previous webinar is technically called Tackling Hidden Risks in AML Screening Programs, and you can certainly go to some of the enforcement agencies, you can order from third parties some of these sanction list or is there anything else you’d want to add?
A: Being with a U.S.-based financial institution, I always used the Office of Foreign Assets Control (OFAC) for US economic sanctions.
Because my institution was also involved in heavily in trade finance, there are also separate watch lists and blacklists that are published by the Bureau of Industry and Security, which is a division of the U.S. Commerce Department.
There are rules around countries you may have to follow depending on what kind of commodity you are exporting. Then, they have sort of watch lists of parties and other countries that you need to possibly report when you’re doing an export to so there’s we use that one as well in our screening.
Q: Where do you see a major risk a money laundering in terms of countries where drugs are produced and not necessarily, where they are sold?
A: If you read the INCSR report in detail, they will also talk about and actually list the major money laundering countries. They also have a list of countries that are sources for production of illegal narcotics and then even further countries that provide the precursors for illegal narcotics.
So it is like who is growing the poppies and then who is taking the poppies and making them into opium or heroin? Then who is selling them to the rest of the world?
So they do go into that level of detail and you certainly could expand her model to incorporate those countries as well. It is an exhaustive list to be honest.
Q: What advice do you have for small countries with regional Geographic risk? And a similar question is can you provide any guidance on Geographic risk models?
A: You could risk areas or regions within a country, such as provinces and states. You could then perform the same sort of risk modeling that you do for your country.
Q: Wouldn’t you risk artificially inflating the impact of the TRACE matrix and/or CPI on your risk model if you included those items in addition to Basel AML Index, since they are included in the Basel Index already?
A: Yes, you would as they are already in the Basel index. Basel includes both of those as risk elements and it gives them equal weight as well.
There is one is one is public sector focused and one is business sector private sector focus. But, you would not want to add them again because you would be double counting.
Q: How do you deal with the challenge of adding countries own risk?
A: In my opinion it when I was working with a US based financial institution, I was not going to give a country risk to the US because it is where we all are. It is kind of, as you know, all our customers were US-based know the fact that they are US based does not increase or decrease their risk one way or the other.
If participants on the go back and listen to the first webinar in the series where we talk about characteristics of customers, we talked a lot about on the business customer side about domicile and about the we talked about the shell companies and domiciling in one of those big three, Delaware, Wyoming and, Nevada in sort of a due diligence model.
Q: How much of a detailed rationale do you need to provide from a regulatory standpoint given that there is no strict threshold?
A: In my opinion the good results come from documentation, the more detailed and clear you can be about why you decided to do something a certain way, the better. Especially when you are dealing with something, where there are no hard and fast rules like country risk.
I think regulators appreciate the fact that you have put thought into it and made an informed decision based on these factors that you have listed.
It is when you do not have documentation that regulators will scrutinize you much more closely because they do not know how you came up with this, and then that could lead to them making their own assumptions. Whereas this way, nobody is making any assumptions.
You have it all written down exactly why you did this a certain way, why you weighted something a certain way, why you included this as a risk factor.
It just needs to be straightforward so that a person who would not necessarily have expertise in this could still understand it.
Q: Can you provide an example of a point methodology used in a modified Basel index model?
A: So obviously, this would kind of depend on your own situation, but you could start with potentially the Basel score and then add points onto it for the things that Basel does not include.
Use whatever point range seems appropriate to you. You could just start with the Basel point value as the base and then add, or take away from it, depending whether it is a risk-mitigating factor that you perceive. That is how I would do it.
Q: If we have a customer doing business in Country A, but that customer in order to complete a transaction needs to do business and Country B, do we need to have a country risk or for Country B?
A: What you are looking here at two different areas here. Here is the customer due diligence piece of it. So where they domiciled and where do they do business.
So then in this particular example, they are based in the US, but they also do business in the UK. So if you have a money laundering risk score for the U.S. and for the UK or if you are not based in the U.S. But if you are based in the U.S., you would have a risk score for the UK and then you could take that into account as you are calculating your customer risk score.
Now, you also have a transaction. So if that customer receives money from the UK then you could risk score that transaction based on the country that is coming from.
We looked at this in a previous webinar Elements of Customer Risk: Products & Services, Activity Patterns and Behaviors.
Q: What other mitigating factors would you define in geographic risk scoring aside from FATF membership?
A: That was really the only one that I have used, the FATF membership or a FATF regional body membership, which takes a little bit more legwork to research.
You can find the names of the regional style FATF regional bodies on the FATF website, but then you need to go to the website of each one of those to find out their member countries.
Q: What is the best practice is to deal with transactions coming from high-risk countries?
A: I believe that when you are looking at those, No. 1 you are looking at your customer. So is this typical for your customer?
In other words, do you know whether they sell their products to particularly high-risk countries?
If so, receiving funds from those countries would be normal for them. And if they are not normal, or if the dollar amount is say abnormal, then you can contact your customer or have some kind of a relationship type person, contact that customer and ask for some more information about it.
I think when you approach customers, approach it from that perspective of we are looking out for your perspective.
If you do not like the answer, then probe a little bit more and if you still do not like the answer then that is probably justification for a SAR filing.
Q: We are a small firm and do not do operations abroad so do we have to follow the country risk approach?
A: Correct, if you have no dealings outside of the US, no. The only thing you might consider is within your customer due diligence you may consider specific states.
Commercial customers who are domiciled in those anonymity-promoting states might suggest a little bit more due diligence. Especially if they are domiciled in one of those states, but they actually operate somewhere else.
Then you might want to take a regional approach.
Q: What would be a good reference or guide for an AML/CFT risk Matrix?
A: What I did when I built my own model. I just used a big Excel spreadsheet and I had every country listed in the first column and then I had my risk factors in columns going across.
I would put points in for each country that had that particular risk factor and then add them all up. It was not really anything especially fancy, but it is tallying up scores.
If there were a risk mitigation, then I would have a negative point value for that country.
I’ve seen risk matrices for high-level risk assessments of an institution that have been put out by us regulators, but I haven’t actually seen anything that detailed of a level that we’re talking about AML country risk, other than what Basel has put out.
Q: Some comments question the methodology of the Basel Index and the fact mutual evaluations are only done every few years. What would you say to that?
A: First, they do not have to use the Basel Index. I would re-emphasize that I do not believe there is one particular simplified index that reflects all the different factors surrounding a country’s money laundering risk.
And so looking only for examples using only the corruption perceptions index or only the financial secrecy index, I think, misses some of the broad range of areas of risk that could be considered .
Most of your highest risk countries are going to be high risk for a number of reasons. And so maybe you want to keep that model as simple as possible by looking at just a smaller subset of risk factors. But again that is entirely up to your institution’s decision process.
My recommendation is that you develop your risk model and document why you chose this risk model over say why you did not like the Basel Index.
Say why you are not using it or why did you select these particular risk factors to use in your model and not others.
It’s just that having that documentation and explaining on the record for posterity this the rationale you used, takes away that anecdotal factor and gives something that you can show to two others, to regulators, to your management about how you came to these conclusions.
Q: How would you assess equivalency of AML legal and regulatory frameworks between different jurisdictions? Say an EU member states, which are all under the same AML directives versus the US legal framework. Which factors would you take into consideration?
A: I think I would start with that whether the framework follows the FATF recommendations as they have been agreed upon as the gold standard of regulatory of legal and regulatory framework for anti-money laundering regulations.
I do not think there is any country that has met all of them, especially the United States. I think at the last mutual evaluation we had substantially met 21 of the recommendations and fully met only like six or nine of them and there is at least 40. So clearly, we are not doing in the U.S. everything that FATF believes a country should.
So we are getting there but little by little. So evaluating one country versus another is a big job and I think maybe use the FATF for that country or the group of countries as standards as countries meet the standards set by their regulatory body.
Q: How valuable do find the perception indices?
A: I think that they play a part. But no one is keeping track of who bribed whom. There is no ledger where someone is keeping track of that corruption.
It does need to be based on perceptions. And I think depending on whom you are asking and the case of the corruption perceptions index (CPI), they are asking business people who have a valued opinion on what is it like to deal with the government in this country.
And perceptions can have a lot of value, I think especially in in terms of corruption and bribery, but nobody keeps records. So we cannot ever get a hard and fast count of how much is going on.
Q; Which criteria do you use to convert, for example CPI scores, to risk level?
A: If you are mathematically inclined, you could statistically create a bell curve. It is purely subjective. You might want to take the total scores and divide them by the number of categories.
But I use that broader context because there were so many nuances to it and ranges where the country may be high but yet they were listed as medium or they were somewhere in between.
So that is why I picked those five different category levels, and then I just literally looked at the numbers. So from year to year, sometimes you would see a small change from one year to the next but often they were pretty much in the same places.
Sometimes there are changes in regulatory regimes or improvements are being made and so their perceptions are changing because their government is trying to fight corruption, so it is all just it is very subjective.
Sometimes you will have a country that is very low on the corruption side but is higher on the financial secrecy side, or has this strong AML regulatory framework, but as high corruption.
There are so many different things that come into play, which is why I had mentioned that just picking one single index like a corruptions index or financial secrecy index or something does not give you the full flavor of that country.