The Reserve Bank of India issued a new guidance document on 10th October 2024 for its Regulated Entities (REs), detailing how to deal with risks related to money laundering (ML), terrorist financing (TF) and proliferation financing (PF). It outlines key principles and methodologies to aid REs in developing their own risk-based approach.
Applicability of Guidance: The guidance is intended for all REs of the Reserve Bank including banks, NBFCs, Authorised Persons and Payment System Operators.
Key highlights of the guidelines for REs:
- The RBI says that there should be dual levels of Internal Risk Assessment (IRA) for ML/TF risks:
  - Business Level IRA – The ML/TF/PF risk resulting from the specific business model, viz., nature and complexity of their business.
  - Individual Level IRA – The ML/TF risk resulting from entering a business relationship with their customers or carrying out an occasional transaction for walk-in customers.
- Each risk assessment level should focus on the identification of ML/TF risk factors and assessment of ML/TF risk and its impact.
- Refer to the IRA to determine the level of Customer Due Diligence (CDD) required for types of customers, products, services and delivery channels.
- Use information obtained from all relevant internal and external sources for the IRA exercise.
- Avoid a siloed approach where only the AML team is involved in the IRA exercise; include other functions such as product/service, audit, compliance etc.
- Adopt a data-oriented, objective approach to avert any kind of bias in the IRA exercise.
- Ensure the integrity of the critical processes for ML/TF risk management such as CDD, Transaction Monitoring, Sanction Screening under Targeted Financial Sanctions (TFS), Alert generation/management, CTR/STR reporting, etc.
- Ensure proper documentation, review and communication of the IRA exercise and the methodology used.
- Adopt a Weighted Risk Scoring Methodology for calculating inherent and residual risk related to ML/TF/PF.
Suggested steps include:
- Identify inherent risk factors (RF) and further sub-risk factors (SRF) and assign weights as per their contribution to the overall (enterprise-wide) ML/TF/PF risk.
- Calculate the weighted inherent risk score for the RF and map to appropriate risk levels viz., ‘High’, ‘Medium’ and ‘Low’ to arrive at the ‘inherent risk level’.
- Identify and define the main control factors (CFs) which help mitigate and control the inherent risk of the concerned RF/SRF. Assign a weightage to each CF.
- Calculate the Control Score and map it to the ‘Strength of Control Measures’ viz., ‘Strong’, ‘Satisfactory’ and ‘Weak’ for the risk factor.
- The RE can thereby arrive at the residual risk score for each RF from the ‘inherent risk level’ and the ‘Strength of Control Measures’.
- The enterprise-wide residual risk may, thereafter, be derived using the weighted average of residual risks (RRs) of the RFs.
- Determine the remediation action plan or risk mitigation plan.
Conclusion
There is always an elevated level of risk exposure due to factors such as an evolving business landscape, complex products/services offered by REs, emergent technologies, and newer methods of payment. REs are accordingly required to have an appropriate level of controls/mitigating measures in place to ensure that the elevated ML/TF/PF risks do not result in loss of reputation and/or other financial losses.
In addition, the REs should also consider a tech-enabled risk management approach such as adopting Integrated Risk Management Software which will not only automate but also integrate and streamline the risk management activities with better visibility and transparency.
Authors
Ms. Jaya Vaidhyanathan
CEO, BCT Digital
Ms. Jaya Vaidhyanathan is an independent Director on several Boards and is focused on bringing in the best global corporate governance principles to India. Her work has found coverage in top news websites like The Hindu and The Times of India. Recently, she pioneered award-winning Early Warning Systems for Indian banks, which have found acclaim in the industry and among counterparts.
Shankar Ravichandran
Senior Manager at BCT Digital
His profound expertise in the field of corporate and retail banking, spanning Credit Risk, Transaction Banking, Service Delivery and Product Management, covers close to a decade. He is an MBA graduate from Indian Institute of Management, Bangalore.
Author
Prashanth Belugali N
Principal Product Manager
Prashanth has two decades of experience working with large banks, asset managers, trading & capital markets models and model risk domain. He has worked as a quantitative analyst, delivery manager, and product engineer, and provided bespoke solutions in quants (asset management, trading) and risk management practices (credit risk, market risk, model risk), and data engineering to a global clientele.
Author
Swaminathan KS
Associate Vice President – Products, BCT Digital
Swami has 18+ years of experience in the areas of Governance, Risk Management, and Compliance working with Fortune 500 clients across diverse industries such as Banking & financial services, Energy & Utilities, Hi-Tech & Manufacturing clients. He has spearheaded multiple projects focused on Enterprise Risk, Trading Risk, IT Risk, Business Continuity, and Third-Party Risk Management. He is also a PECB Certified ISO 31000 Senior Lead Risk Manager.
Author
Tanaya Chakraborty
Tanaya is a GRC professional with 11 years of experience. She has worked with a leading GRC product company as a functional consultant for multiple products including ERM, Internal Audit, TPRM, Policy Management etc. She has experience in GRC pre-sales and solutioning across various industries.