What do you consider when building your customer risk model for AML?
Every customer you have represents a risk. Today most banks, casinos and money services businesses (MSBs) adopt technology solutions to monitor transactions, but what about having the full picture of a customer to determine more accurately the risk they pose?
If I asked you how risky any given customer is to you, right this second, would you be able to tell me? Would you have a clear picture of what the customer’s typical activity patterns look like, if they are on a sanctions list, if they are a politically exposed person (PEP), if they have particularly risky relationships, or if they’ve ever been investigated by regulators? All of these factors directly influence the risk the customer presents to you.
Most financial institutions use a model in their AML program to determine a customer’s risk level. I spoke with a few customers to determine what they consider most important and consolidated the insights below.
How do you balance complexity and interpretability?
When it comes to risk scoring, you have to consider the interpretability of the model versus the mathematical accuracy. Can you reasonably defend why one customer’s risk score is significantly higher than another? Some models are “black box” and—while mathematically accurate—can be difficult to interpret unless there is a concerted effort to validate the score.
Some more interpretable models are made up of risk factors, weights, weighted factors and logic to calculate the score.
Risk factors customers shared with me may be grouped into three areas:
The profile category includes factors specific to the customer: their industry, nature of business, profession, country of residence, citizenship, length of relationship and so on.
Activity includes their level of cash transactions, alerts generated from the transaction monitoring system, suspicious activity reports (SARs) and currency transaction reports (CTRs) filed, etc.
Relationships examine the strength of the relationship between customers. This can be determined using demographics, such as householding, or based on the parties’ transactions that, directly or indirectly, imply a connection.
What are some of the nuances in making models operational?
Models will not always score every customer accurately, so most organizations need a way to adjust the score for select customers. Obviously, this can be risky, so it must be controlled and auditable.
Another consideration is decaying some risk scores over time. For example, if your Compliance team filed a number of SARs for a customer two years ago and that resulted in a high-risk score, should that still be the case today if the customer’s activity since then has been low risk?
The final issue is changing the model and assessing the impact before moving it into operations. Do you know how a change will affect the portfolio?
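To make the interpretable model and the first two operational nuances concrete, here is an added sketch (not code from the author or any vendor product) of a weighted-factor score with a per-factor breakdown, time decay on activity events, and an override that requires a reason and a second approver. The factor names, weights, half-lives and the sample customer are all constructed assumptions.

```python
from datetime import date

# Hypothetical factor weights (points); names and values are constructed.
WEIGHTS = {
    "pep": 30, "high_risk_country": 25, "cash_intensive_business": 20,  # profile
    "sar_filed": 15, "tm_alert": 5,                                      # activity
    "linked_high_risk_party": 20,                                        # relationships
}
# Assumed policy: event-driven activity factors halve in weight every N days.
HALF_LIFE_DAYS = {"sar_filed": 365, "tm_alert": 180}


def model_score(static_factors, events, as_of):
    """Return (score, breakdown); breakdown shows each factor's contribution."""
    breakdown = {f: float(WEIGHTS[f]) for f in static_factors}
    for factor, filed_on in events:
        age_days = (as_of - filed_on).days
        if age_days < 0:
            continue  # ignore events dated after the scoring date
        decayed = WEIGHTS[factor] * 0.5 ** (age_days / HALF_LIFE_DAYS[factor])
        breakdown[factor] = breakdown.get(factor, 0.0) + decayed
    return min(100.0, sum(breakdown.values())), breakdown


def apply_override(score, override, audit_log):
    """Replace the model score only with a reason and a second approver."""
    if not override.get("reason", "").strip():
        raise ValueError("override needs a documented reason")
    if not override.get("approver") or override["approver"] == override.get("analyst"):
        raise ValueError("override needs approval from a second person")
    audit_log.append({"model_score": score, **override})  # keep the model's own score
    return float(override["score"])


if __name__ == "__main__":
    # Constructed customer: a PEP with two SARs filed two years before scoring.
    sars = [("sar_filed", date(2022, 1, 1)), ("sar_filed", date(2022, 1, 1))]
    for as_of in (date(2022, 1, 1), date(2024, 1, 1)):
        score, parts = model_score(["pep"], sars, as_of)
        print(as_of, score, parts)
    log = []
    final = apply_override(score, {"score": 55, "reason": "open regulator inquiry",
                                   "analyst": "a.lee", "approver": "m.khan"}, log)
    print(final, log)
```

Because the breakdown is returned alongside the score, the difference between two customers' scores can be traced to specific factors, and the audit log retains the model's score next to every manual adjustment.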
Can third-party risk intelligence assist?
Will you be considering only internal data, which will give you information on your customers’ activities and insights into their relationships based on demographics and transactions? Or will you also be using third-party sources? These sources (e.g., World-Check or Dun & Bradstreet) bring useful insights ranging from sanctions lists to negative news. They can also give you insights into risky relationships that may not be apparent in your internal data.
What risk factors are most relevant to you in the areas of customer profiles, activity and relationships? Are there other considerations built into your models?
About Andrew Simpson:
Andrew Simpson has close to two decades of experience in the information systems audit and security business; specifically data analytics, interrogation and forensics. He is a regular contributor to various auditing conferences and is acknowledged as an expert on continuous controls monitoring and revenue assurance.