Risk-based AML Compliance has Problems, Bank Official Says

The risk-based approach to anti-money laundering and know-your-customer compliance is not without its problems, especially in the context of client onboarding and transaction monitoring, a senior Standard Chartered Bank official said. 

Kenneth Pemberton, regional intelligence head for Greater China and North Asia, said banks were under pressure to open accounts and be inclusive, but they also had to protect their institutions' interests.

"The Hong Kong Monetary Authority ('HKMA')'s guidance says to take a risk-based approach, so that we do not exclude companies from banking services, for obvious reasons. That in itself presents a challenge for the banks because if it is risk-based, how are you determining what the risks are? How good is your information? Quite often, when we take a risk-based approach. To some extent, we are setting up ourselves to fail, which is fine, because it's not a zero-loss game," Pemberton told a panel discussion at an event hosted by consulting group Protiviti at Thomson Reuters' office in Hong Kong.

He said one solution was for banks to fall back on what they had learned to date, because before a client was taken on by a financial institution, the risks they might pose were more speculative than actual.

"We need to review our experience because when an account is opened, we do not know, unless we have fantastic intelligence, that the account is actually going to be used for fraud. Yet, clearly we all have experiences of accounts that are opened which are subsequently used for the receipt of funds from fraud. So, for all of us…the way banks handle this [needs to be] by a process of 'reverse engineering'. With the experience we have gained over a period of time, we review the activities on accounts that have included financial crime and then look for all the common factors," Pemberton said.

Such factors may include, for instance, opening accounts for people or entities for whom hardly any information exists in the public domain.

"Look at open source media to see if there is little or no information about a person or entity. Find accounts opened by a person from the mainland [China] from a certain particular location on the mainland, say, two-way permit holders, or if there is no logical nexus to Hong Kong. So, [we are] looking for common factors that would indicate that this is a risk. That is how I think banks nowadays would try to risk-assess going forward, primarily from the experience that they have gained," Pemberton said.

Practical Challenges

Yet, while reverse engineering AML and KYC protocols and procedures in an environment where risk is hard to gauge and identifying common factors that may constitute red flags may sound workable in theory, it may not be so in practice.

"It has to be a pretty dynamic process. As far as I know, right now, it is rather linear across the banks," said Hue Dang, the Asia-Pacific head of the Association of Certified Anti-Money Laundering Specialists (ACAMS).

Dang asked Pemberton whether the feedback or learning loop of information at most regional institutions was adequate to deal with the type of evolving, experience-based risk assessments he advocated.

Pemberton, a former Royal Hong Kong Police Force inspector, said all banks were set up differently, with different intelligence teams and functions. Reflecting on his own institution's approach, he said the first step was to conduct data analytics and come up with a list of potential red flags, which were then considered by his business colleagues. The presence of risk factors did not necessarily mean that potential business would be turned away, because the totality of the circumstances needed to be considered, he said.

"It does not mean we will not open an account if several of the red flags are ticked off, but what it might mean is that we monitor such accounts. So, the business [side] monitors those accounts going forward for a period of time, depending on our own experience," he said.

For example, Pemberton said, when Standard Chartered monitored accounts opened in the first half of 2016 versus those opened in the second half, when it came to those that might have been used for fraudulent purposes, they were used much more quickly in the second half of the year.

"That gives an indicator of how long we should monitor the accounts for," he said.


Ajay Shamdasani is a senior staff writer with Thomson Reuters Regulatory Intelligence in Hong Kong. He covers regulatory developments in Hong Kong, India and South Korea. He also writes about money laundering, fraud, corruption, data privacy and cybercrime.