FATF Guidance for a Risk-Based Approach for Money or Value Transfer Services
Chye Kit Chionh
SFF Ambassador | SFA Exco | RegTech | Entrepreneur | Compliance | Lecturer | Advisor | Author | Mentor
Fresh from the recent FATF Plenary Meeting, a number of interesting outcomes are noted below:
- A statement on Brazil’s continued failure to address the serious deficiencies identified in its mutual evaluation reports;
- An update on AML/CFT improvements in Algeria, Angola and Panama;
- Malaysia welcomed as a member to the FATF;
- Israel welcomed as an observer to the FATF; and
- Adoption of Guidance on the Risk-Based approach for Money or Value Transfer Services.
FATF has just released its Guidance for a risk-based approach for money or value transfer services. https://www.fatf-gafi.org/publications/fatfrecommendations/documents/rba-money-or-value-transfer.html
It is a 71-page document to add to the very long list of guidances, rules and regulations in this space [I read this first thing this morning and I didn't go back to bed; so this is not exactly bed-time reading material :-)]. It is a good document to read nonetheless for people operating a money or value transfer services business in a traditional sense as well as the Fintechs entering this industry.
Interestingly and quite rightly so, FATF is telling everyone that because there is a big spectrum of players in this industry (the good, the bad and the ugly), people should not be "slapping" all participants with the same (high risk) categorisation because everything should be risk-based. It cannot emphasise enough the need to take a risk-based approach at each of the 3 levels: country, supervisory and participants. Bluntly put, "the application of a RBA is therefore not optional, but a prerequisite for the effective implementation of the FATF Recommendations by countries and financial institutions."
There is also a very sensible suggestion regarding blanket refusal or total restriction placed on money or value transfer services providers. I suppose this approach is typically referred to as "de-risking", and banks, FIs as well as DNFBPs may find it all too hard to manage the risks and hence take the "easier" approach of refusing the business altogether. The effects of unintended consequences cannot be more apt.
FATF states that "wholesale refusal of services or termination of services to a class of customers may give rise to financial exclusion risk and may also give rise to reputational risk." To say the least, it is in no one's interest to unintentionally drive anything underground as a result of conservatively interpreting guidances and regulations in this regard. A fine balance.
FATF then goes on in this Guidance to painstakingly reiterate the importance of the risk assessment component of their Recommendations. It states "ML/TF risks may be measured using various categories. Application of risk categories provides a strategy for managing potential risks by enabling MVTS providers to subject customers to proportionate controls and oversight. The most commonly used risk criteria are: country or geographic risk; customer risk; product/service risk and agent risk. The weight given to these risk categories (individually or in combination) in assessing the overall risk of potential ML/TF may vary from one institution to another, depending on their respective circumstances and risk management. Consequently, MVTS providers will have to make their own determination as to the risk weights; however, parameters set by law or regulation may limit a business’s discretion."
Conceptually, this sounds great. However, to operationalise a concept of risk assessment properly in a methodological, consistent and objective manner involving identifying risk categories, risk factors/drivers, risk quantification, risk weighting, risk scoring and risk bucketing is no easy feat. Large banks struggle with this but with deeper pockets, they get by with deploying an army of Compliance Officers to do this alongside whatever systems are available to them. With all due respect, how much practical Compliance/regulatory/risk assessment expertise do Fintechs entering this space have? If they don't, what options do they have? What about other DNFBPs such as corporate services providers and real estate agents? Do they know about risk assessment?
When faced with a challenge, human beings typically have 2 options: Fight or Flight. Which option one takes depends on numerous other factors including one's value system, physiological well being and one's ability to assess risk at the moment.
In this case, I think there are 4 outcomes: (1) there will be enlightened ones who see the light and get on with it either attempting to do risk assessment internally/manually or outsource or get a cost effective system (FIGHT); (2) assume all clients are low risk and do minimum (PRETEND TO FIGHT); (3) de-risk or exclude (FLIGHT); (4) bring on the risk of non-compliance (SUICIDE).
Further, although this Guidance touches on screening for PEP/Sanction and even adverse media in passing, it is probably a well-embedded procedure these days. The lowest common denominator. There are a number of database providers out there. Some may argue that this database is better than the other, but in the grand scheme of things, whilst important, I personally don't think it really matters that much.
It is the attitude and approach that participants take in understanding the risks posed to them (and dealing with it) whenever they face a new customer or whenever an existing customer does a transaction. The regulators' acceptance of prevailing practices that may not fit squarely into the letter of the law also plays a significant part in shaping the right approach (not with more regulations, please).
For example, when face-to-face is impractical for a Fintech providing transfer services over the internet, how can the regulator assist in this respect in creating/accepting an approach that does not necessarily compromise on standards and yet gets to the same outcome and end point desired?
Would, say, a short live video clip (recorded and stored) of the prospective customer sitting in front of the computer or smart phone answering a couple of questions (either recorded or via a call center) suffice in addressing the customer verification process in lieu of face-to-face or in lieu of stacks of papers to prove a person's identity? Granted, the accuracy of commercially viable facial recognition technology may be a while away before it becomes mass market. Biometric database may be the way forward but I think that is Nirvana; could be a possibility in the near future but it could also be a light year away. Who knows.
Whatever the case may be, there is so much more to be done and for the smaller participants constrained by monetary and human resourcing limitations, I suspect people will struggle to hold their hands to their heart and say they are in full compliance with relevant prescribed ML/TF regulations.
One thing for sure is that there will be increased complexity in this area over time and taking an easy approach to this now (PRETEND TO FIGHT, FLIGHT and SUICIDE options) somewhat validates the old English saying of penny wise, pound foolish.