
How do you successfully operationalize your client risk rating model?

CRR models play an important role in managing money-laundering risks – but need to be operationalized effectively


In brief:

  • What are client risk rating (CRR) models and how do they work?
  • What are the key challenges of CRR models and how can they be mitigated with best practices?

Money laundering presents a significant challenge in today’s economy – and to the financial institutions seeking to combat it. Financial institutions invest heavily in measures and solutions to identify clients involved in money laundering and to comply with regulations. Yet, as the complexity and sophistication of financial crime increases, penalties and fines persist.

Using client risk rating models is one of the primary ways financial institutions detect money laundering. Unfortunately, while operationalizing client risk rating models, financial institutions often face challenges relating to inaccurate risk ratings and the resulting increased level of effort. This article seeks to provide insight into what client risk rating models are and how financial institutions can address the issues that arise from them.

What are client risk rating (CRR) models and how do they work?

Client risk rating models typically classify the client into a certain risk category (e.g., low, medium, high) based on a set of client risk factors, such as source of wealth, source of funds, client domicile, transaction behavior, complex ownership structures, high-risk industries, negative news, wealth volume and politically exposed person status. The perceived risk from the perspective of anti-money laundering (AML) is reflected in the client’s risk rating and typically drives how the financial institution monitors that client through varying degrees of due diligence throughout the whole lifecycle, from onboarding through periodic review to offboarding.

To properly capture AML risk, financial institutions should ensure the model considers all relevant risk factors and potentially add an additional weighting to those factors that contribute to a higher degree of AML risk. In addition to weighting those factors which have a very high correlation with AML risk, financial institutions will also set automatic “high” risk triggers that apply when a certain factor or combination of factors is met.

There is no one-size-fits-all approach to client risk rating models. Each financial institution has its own complexities with differing regulatory requirements, business lines and geographical footprint. Financial institutions with a global footprint or operations across multiple business lines (e.g., wealth management, investment banking, asset management, retail banking) will have an increased degree of complexity in their model. They have to contend with many dependent questions and potentially varying ways to apply risk factors to different lines of business. Furthermore, the approach to the model often differs across financial institutions. An example of a simpler model is a “risk point” model. This typically associates a certain number of risk points (e.g., 1, 2, 3) with each risk factor; after adding up all the points and considering automatic “high risk” triggers, the client is assessed relative to the classification thresholds (e.g., low, medium, high). More complex or advanced models are common in financial institutions with a higher degree of variety in the client base due to differences in business lines. Although models may differ across institutions, the primary focus should be to ensure that all relevant risk factors are included in the model, that the financial institution can manage the complexities associated with its respective model and that the model can be properly tested and calibrated to identify AML risk.

What are the key challenges of CRR models and how can they be mitigated with best practices?

We observe four key challenges of CRR models. For each of these, there are certain best practices that financial institutions can adopt to optimize the quality and results of their CRR models.

  1. Upstream data accuracy
    Data is only as good as what is requested by the financial institution and provided by the client. Therefore, policies on minimum data requirements and data validation controls are essential to ensure the front office obtains the required data from the client and it is validated effectively. Data validation and corroboration controls are especially important for information that depends more on the client’s input and has a higher degree of AML risk, such as source of wealth/funds and rationale for third-party transactions. Moreover, putting these controls into practice is typically driven by the tone from management and the AML risk culture within the financial institution.
    In addition to information capture policies and controls, system controls are also very useful to drive data accuracy. All data required for the CRR model should be captured once in the respective gold-source system (e.g., CRM) and required fields should be made mandatory, taking into account the dependent question logic required by the model. The CRR model should simply operate in the background as a consumer of data from the gold source. Duplicate data entry should be discouraged so as to remove the risk of data in the gold source not matching that in the CRR model. Other relevant data sources for CRR can be the actual transactions of the client, negative news search results or sanctions lists.

  2. Client risk rating model accuracy and calibration
    Due to the complexity of identifying clients involved in money laundering, it is very common for client risk rating models to produce false positives, which may drive unnecessary due diligence effort, and false negatives, which may result in fines or penalties for not identifying the money laundering activities. Due to the implications of these false positives and false negatives, financial institutions are increasingly seeking to test and calibrate their models to reduce these false results.
    A common approach to calibration is to run simulations on the model, applying different weightings on the risk factors and comparing results to independent sample checks of clients where expert guidance on the desired client risk classification is known. This approach seeks to ensure those risk factors with the higher degree of AML risk contribute toward the overall rating of the client.
    Certain financial institutions are also exploring AI/machine learning models to classify the clients and produce explanations on the rationale behind the risk classification. While this appears to be the mid- to long-term trend, many regulatory complexities remain in properly complying with current regulations and explaining why the model made certain decisions.

  3. Client risk rating model governance
    Client risk rating model governance can become complex given the coordination and alignment required between the front office and compliance. In simple terms, compliance should typically own the model while the front office should own the data which is directed into the model. That said, both the compliance team and the front office should ensure alignment in how the model operates within the financial institution so as to ensure an efficient front office approach while applying an effective model to identify money laundering risk.
    Relating to the governance involved around the model, a financial institution typically has a dedicated client risk rating team that owns the model and is responsible for ensuring all risk factors are properly considered and the model has a high degree of accuracy. In practice this typically translates into a regular (e.g., annual) review of the risk factors in the model relative to regulatory requirements and how these risk factors contribute to the risk ratings of clients within the bank. Furthermore, the financial institution should incorporate a regular (e.g., annual) calibration and/or validation of the model to maximize model accuracy.
    Regular reviews of the model may result in potential model changes. Financial institutions should have a clearly defined governance that dictates how model changes are tested and approved prior to being rolled out. If the model change does not require any new data, this change is typically simulated and substantially tested to understand the impact it would have on the client population. If the change requires new data from the client, the financial institution needs to assess whether proactive outreach is critical to obtain this information or if it can be captured during the next periodic review cycle.

  4. Dynamic risk factors
    In addition to static risk factors (e.g., domicile), which do not change or only change very infrequently, certain risk factors are dynamic and change frequently. Examples of these dynamic factors include transaction behavior, assets with the financial institution and product types owned by the client. Generally, it is expected that financial institutions incorporate dynamic factors on a regular basis (e.g., quarterly, semi-annually) to ensure the risk correctly reflects the current client situation. This is especially important with transaction behavior as this risk factor is relatively important to detect money laundering activities.
    Incorporating dynamic transaction behavior into the client risk rating model can be very complex due to the vast amounts of data, fragmented IT landscapes and differences between the transaction monitoring system lens and CRR lens. We often see financial institutions setting up specific transaction behavior scenarios for the CRR model that differ from the scenarios currently set up in the transaction monitoring system. There is also often the need to define different thresholds depending on specific client groups due to differences experienced across business lines (e.g., transaction volume in retail vs. corporate banking).
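
The “risk point” model and the simulation-based calibration described above, sketched as an added example that is not from the original article. The factor names, thresholds, candidate weights and sample clients are constructed assumptions, and any rating below the expert rating is counted here as a false negative.

```python
from itertools import product

ORDER = {"low": 0, "medium": 1, "high": 2}
FACTORS = ("high_risk_domicile", "complex_ownership", "negative_news")
AUTO_HIGH = ("pep",)   # assumed automatic "high" trigger
THRESHOLDS = (3, 5)    # assumed: >= 3 points is medium, >= 5 points is high

# Constructed sample: (risk factors present on the client, expert-assigned rating).
SAMPLE = [
    (set(), "low"),
    ({"high_risk_domicile"}, "low"),
    ({"complex_ownership"}, "low"),
    ({"negative_news"}, "medium"),
    ({"high_risk_domicile", "complex_ownership"}, "medium"),
    ({"complex_ownership", "negative_news"}, "high"),
    ({"high_risk_domicile", "negative_news"}, "high"),
    ({"pep"}, "high"),
]

def rate(present, weights):
    """Risk-point rating: a trigger overrides, otherwise sum points and apply thresholds."""
    if any(t in present for t in AUTO_HIGH):
        return "high"
    points = sum(weights[f] for f in FACTORS if f in present)
    medium_at, high_at = THRESHOLDS
    return "high" if points >= high_at else "medium" if points >= medium_at else "low"

def errors(weights, sample=SAMPLE):
    """Return (false_negatives, false_positives) relative to the expert ratings."""
    fn = fp = 0
    for present, expert in sample:
        diff = ORDER[rate(present, weights)] - ORDER[expert]
        fn += diff < 0   # model rated the client lower than the expert did
        fp += diff > 0   # model rated the client higher than the expert did
    return fn, fp

def calibrate(candidates=(1, 2, 3), sample=SAMPLE):
    """Simulate every weighting; keep the one with fewest false negatives, then false positives."""
    best = None
    for combo in product(candidates, repeat=len(FACTORS)):
        weights = dict(zip(FACTORS, combo))
        score = errors(weights, sample)
        if best is None or score < best[1]:
            best = (weights, score)
    return best

if __name__ == "__main__":
    print("equal weights:", errors(dict.fromkeys(FACTORS, 1)))
    print("calibrated:", calibrate())
```
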

Summary

Although client risk rating models are associated with various challenges and complexities, there is a path forward for many of these. Financial institutions also need to keep up with emerging advancements in technology, as many financial institutions and regulators are exploring the benefits AI may bring to client risk rating models.
