Compound Risk

In risk management you come across a lot of terminology that many might believe to convey the same meaning when in reality something more complex, and often altogether different, is meant.

Over the years I have noticed that the risk assessment methodology that most are familiar with entails the quantification and weighting of a number of criteria.

These would be a combination of the classics:

• Customer Risk
• Product/Service Risk
• Transaction Risk
• Interface/Delivery Channel Risk
• Geographical Risk

Some tend to group Transactiion RIsk with Product/Service RIsk but, as financial services and digital assets evolve and get ever more complex, it may be useful to keep them separate.

This brings me to the next point which is the crux of this post; the simultaneous presence of certain risk criteria in a given scenario results in compounded risk. In simple terms the total risk is now more than the simple sum of all the risk criteria and the same applies to likelihood and residual risk.

An example that comes to mind is found in the Financial Intelligence Analysis Unit (FIAU) Malta Implementing Procedures Part II for the Virtual Financial Assets sector (these can be accessed at https://fiaumalta.org/app/uploads/2020/06/03.02.2020-IPs-Part-II-VFAs-Published.pdf). On page 9 of the aforementioned provisions it is stated that:

The payment or funding means accepted also have to be factored in, as some of the said means may expose the subject person to a higher ML/FT risk than others. While accepting funds held in accounts or made available by credit or financial institutions located within the EEA or other reputable jurisdictions may not increase the risk of ML/FT, accepting payment in cash or through pre-paid cards would increase the risk of ML/FT that a subject person is exposed to. The same applies where funds are made available through crypto-backed debit cards.

It is thus imperative that a transaction or a series of transactions that involves, for example, pre-paid instruments AND a virtual asset be treated as a higher risk one and subjected to additional scrutiny and mitigations. Naturally this is even more so if a higher risk jurisdiction or a higher risk customer(e.g. a Politcally Exposed Person) is involved. It is mission-critical that the transaction monitoring systems of EMIs, banks and other financial institutions, be they automated or hybrid manual/automated, take compounded risk into account and include dedicated rules that lead to the generation of an internal report to the AML department/MLRO who will then consider the need for an STR to the FIU.