Why customer risk ratings are imperative for financial institutions

A recent webinar led by Alessa by Tier 1 Financial Solutions examined the objectives and fundamentals of customer risk scoring as well as a logical way to categorise types of risks.

The webinar was headed by Laurie Kelly, who discussed her experience with calculating customer risk ratings, models and things that every financial institution should consider. She also reviewed various risk factors to consider when assessing customer risk from a demographic/profile and relationships perspective.

Alessa said, “Customer risk rating is an integral part of the customer due diligence process, yet it can be a difficult tool to implement. The risk tolerance of the organization, what products are used, what data is available, and the weighting of each risk factor are just some of the variables that need to be considered to determine whether the overall aggregate score is considered high-, medium- or low- risk.”

There were some questions and answers from the event which covered a number of key aspects of the webinar and responses to it. One of the initial questions posed to Kelly asked how compliance officers can explain the scoring process.

She responded, “That can be a challenge, as more and more regulators are interested in model validation. Not being able to validate the model is a big problem. Keep pressing your vendor because it should not be a secret. They like to keep secret how they come up with their risk scoring, but they should be able to provide you with basic algorithms and what types of inputs they’re using, and how they’re weighting them. To me, that is unacceptable, so I would go back to the vendor and have the conversation with them. I know we have moved to more of a white box approach, where people can actually set the parameters, and then meet them according to their risk appetite. Go back to your vendor and have that honest conversation with them.”

A key issue in the financial world currently is the rise of money laundering. As a big risk for companies and customers alike, Kelly was asked some of the best learning tools to train frontline staff about money laundering.

She cited that according to the BSA (Building Societies Association), banks should be training all of their staff to some degree on a broad understanding of the AML program and money laundering, “Educate them on the three basic phases of the money laundering process. Then you provide them with, in my opinion, the best training tools, which are real-life examples or potential real-life examples so that they can see why this is a risk. And some people may never accept that. They will always have a positive view of their customer. Others may come to understand that this is why we ask these questions. Having regular periodic training is important.”

Kelly was also quizzed of what should be done to help teach IT departments on the topic of customer risk scoring and how much they need to influence the risk environment.

She said, “At my bank, with assistance from consultants, we put together a computer-based training module that was an overview of understanding money laundering and risks and the money laundering process and understanding what compliance does and why. Then we required every single employee to take that training.” Kelly mentioned that it would be updated a little bit every year, however it was an annual training topic.

What sort of due diligence would be done at a high level of a charity? Kelly answered, “I would look at who are the individuals who exert financial decision and are making control decisions. On our US beneficial ownership form, we have that. We have the owners and then we they require identifying one person with significant decision-making authority.

“Therefore, where it is a charity, there’s not going to be that same ownership sort of component, but you can look and see who the controlling interests are and see if they do have multiple levels of entity control. As well there could be another charity that sits on top of that, the client and charity. It is just a matter of making sure that you understand how this entity is formed and who is holding the purse strings and making the decisions.”

Kelly was then asked for FIs than offer a single product that is low risk, can an FI document not be required to have a customer risk profile at onboarding?

She answered, “Depending on the actual type of financial institution, if they are subject to the anti-money laundering regulations of the Bank Secrecy Act, then I believe they should individually risk rate their customers, even though they only offer one product. It all comes back to those institutions. What is their regulatory environment? And what is their regulatory requirement? And what is their perception of risk?  With an online loan, you have that anonymity factor. How much does use the product you are offering facilitate money laundering? So could someone get a loan and then say repay it back a week later? How much does that product facilitate money laundering? I personally would feel like you would want to do a risk assessment of your individual customer.”

Other questions

Is an ever more digitalised world, data is becoming key. Kelly was asked what are some of the steps that are being taken by organisations to resolve data problems in the short term, given the cost and time it takes to fix systems and the data.

Kelly remarked, “I guess primarily look at what your inputs are first of all, and the basic data entry controls around those inputs. How are you capturing the data in the first place? Are you educating the people who are doing the data entry as to what the right answers are, what data they are supposed to be putting in there? Education is key. If it is an online data entry type of process, are there validations occurring to make sure the data they are putting in there makes sense?

“Education and then periodic scrubbing of data is an unfortunate fact of life that we used to go through at my institution a couple times a year. We would do big data dumps out of the database of our customer base and start looking for anomalies and things that hadn’t been completed, like foreign customer addresses and so forth. You can identify the big anomalies and then just go through that clean-up process.

“You have to establish controls up front to make sure that the data that is going in is clean. It is the old garbage-in, garbage-out philosophy. Make it as clear and simple as possible for people to input data and input the right data, have validation controls within the system that make sure they’re not putting in the wrong data and then doing a scrubbing once a year if possible are really the best ways.”

What tools may a financial institution use to detect hidden connections? Kelly said, “Once the beneficial ownership rules took effect and we started collecting that information from new customers, we actually input it into our system. We created a new field within our customer database for beneficial owner names and data and then we could incorporate that into our transaction monitoring system.”

In the case of a client not being able to provide reasonable details of anticipated activity, would this be a red flag to watch out for? Kelly provided a balanced answer to this, stating, “If it is a brand-new business for example, and they have just opened their business and they are not too sure about what they are going to be doing that is a reasonable explanation.

“But they still should have something like a business plan or projections, a pro forma income statement or things like that. They should have some idea of what they are going to be doing through the accounts. So, if they absolutely insist that they have no idea then I would say that is a red flag.”

Should the customer risk-rating model be weighted according to the amount of risk it poses to said institution? To this, Kelly is in full agreement, “Absolutely. This is all based on your institution’s risk perspective. You may consider geographic risk, for example, to be more important than products and services and customer demographics. So perhaps you calculate it and then create a sub score for each one of those three categories. Then you apply a weighting factor to the geographic risk elements to make them more important.”

How often should risk profiles be reviewed and updated? Kelly mentioned that this can be chiefly from the perspective of your own institution, “I would say whenever something changes with that customer – whenever a major change occurs – you should be able to have some kind of a triggering mechanism.

“For an individual client, let us say their address changes, you may want to do a review at that time. If there are patterns of activity change, that is also a trigger that something has changed with them and it is time to go back and look at what is going on.

“With a business client, if their anticipated activity is writing cheques on their account and they get deposits and all of a sudden, they start doing foreign wire transfers, that is a flag that you need to go back and look at. You can speak to the client as maybe they are now doing some import or export business. It can often be a completely legitimate explanation, but something has changed. If nothing has changed with a client, I would say do the review on an annual basis.”

How does a company undertake a quality insurance process for risk ratings? How can you assess if the system is doing what it needs to do? For this, Kelly suggests that what she does is tests the model, “You can create some test customers with various risk factors and then see what their score comes out to be.

“You can also take what you know to be an existing client that is high risk and validate that the system is actually rating them that way. Look at their actual behavior and their demographics and products and services and so forth. What is the risk score you come up with and does that reflect what you think it should be?

“Testing is critical and it is not going to necessarily catch everything. You can do a wide range of test cases of all different types of clients that are representative of your different risk ratings and seeing that the system is actually rating them that way, and then you can be confident that it is doing what it is supposed to be doing. In addition, you should document your testing as well.”

What could be a good risk-based approach for updated customer information? Kelly answered, “One would be make sure that you have good front-end data controls that someone can’t enter, for example, a country code in the state field, or in an address or they can’t leave something blank. So making sure that in on your front end you have some good controls around data entry.

“A second one, which is a big effort, but it is an important effort to do periodically, is doing a data scrub to look for anomalies.  Then go back and have those anomalies fixed. Find the underlying root cause of that anomaly and try to find some controls in order to correct it.”

What is the best approach for the review of an organisation’s overall risk assessment program and how comprehensive should this be? How should it be documented?

Kelly said, “You want to clearly document your entire risk assessment process, such as the risk factors you are using, how the data entry occurs and why you chose those factors. I think that part is especially important to document your rationale, especially when someone else is going to be looking at this from the outside, such as a regulator. Also, it helps you think through as you are documenting it exactly why you are doing something a particular way.

“When you going through an examination, they will ask you how you came up with these risk factors and the rationale behind them and being able to have that documented is golden. That wins you many points with regulators as well as just making it a better program overall for everyone.”

Read the full post here.

Copyright © 2022 FinTech Global

The webinar was headed by Laurie Kelly, who discussed her experience with calculating customer risk ratings, models and things that every financial institution should consider. She also reviewed various risk factors to consider when assessing customer risk from a demographic/profile and relationships perspective.

Alessa said, “Customer risk rating is an integral part of the customer due diligence process, yet it can be a difficult tool to implement. The risk tolerance of the organization, what products are used, what data is available, and the weighting of each risk factor are just some of the variables that need to be considered to determine whether the overall aggregate score is considered high-, medium- or low- risk.”

There were some questions and answers from the event which covered a number of key aspects of the webinar and responses to it. One of the initial questions posed to Kelly asked how compliance officers can explain the scoring process.

She responded, “That can be a challenge, as more and more regulators are interested in model validation. Not being able to validate the model is a big problem. Keep pressing your vendor because it should not be a secret. They like to keep secret how they come up with their risk scoring, but they should be able to provide you with basic algorithms and what types of inputs they’re using, and how they’re weighting them. To me, that is unacceptable, so I would go back to the vendor and have the conversation with them. I know we have moved to more of a white box approach, where people can actually set the parameters, and then meet them according to their risk appetite. Go back to your vendor and have that honest conversation with them.”

A key issue in the financial world currently is the rise of money laundering. As a big risk for companies and customers alike, Kelly was asked some of the best learning tools to train frontline staff about money laundering.

She cited that according to the BSA (Building Societies Association), banks should be training all of their staff to some degree on a broad understanding of the AML program and money laundering, “Educate them on the three basic phases of the money laundering process. Then you provide them with, in my opinion, the best training tools, which are real-life examples or potential real-life examples so that they can see why this is a risk. And some people may never accept that. They will always have a positive view of their customer. Others may come to understand that this is why we ask these questions. Having regular periodic training is important.”

Kelly was also quizzed of what should be done to help teach IT departments on the topic of customer risk scoring and how much they need to influence the risk environment.

She said, “At my bank, with assistance from consultants, we put together a computer-based training module that was an overview of understanding money laundering and risks and the money laundering process and understanding what compliance does and why. Then we required every single employee to take that training.” Kelly mentioned that it would be updated a little bit every year, however it was an annual training topic.

What sort of due diligence would be done at a high level of a charity? Kelly answered, “I would look at who are the individuals who exert financial decision and are making control decisions. On our US beneficial ownership form, we have that. We have the owners and then we they require identifying one person with significant decision-making authority.

“Therefore, where it is a charity, there’s not going to be that same ownership sort of component, but you can look and see who the controlling interests are and see if they do have multiple levels of entity control. As well there could be another charity that sits on top of that, the client and charity. It is just a matter of making sure that you understand how this entity is formed and who is holding the purse strings and making the decisions.”

Kelly was then asked for FIs than offer a single product that is low risk, can an FI document not be required to have a customer risk profile at onboarding?

She answered, “Depending on the actual type of financial institution, if they are subject to the anti-money laundering regulations of the Bank Secrecy Act, then I believe they should individually risk rate their customers, even though they only offer one product. It all comes back to those institutions. What is their regulatory environment? And what is their regulatory requirement? And what is their perception of risk?  With an online loan, you have that anonymity factor. How much does use the product you are offering facilitate money laundering? So could someone get a loan and then say repay it back a week later? How much does that product facilitate money laundering? I personally would feel like you would want to do a risk assessment of your individual customer.”

Other questions

Is an ever more digitalised world, data is becoming key. Kelly was asked what are some of the steps that are being taken by organisations to resolve data problems in the short term, given the cost and time it takes to fix systems and the data.

Kelly remarked, “I guess primarily look at what your inputs are first of all, and the basic data entry controls around those inputs. How are you capturing the data in the first place? Are you educating the people who are doing the data entry as to what the right answers are, what data they are supposed to be putting in there? Education is key. If it is an online data entry type of process, are there validations occurring to make sure the data they are putting in there makes sense?

“Education and then periodic scrubbing of data is an unfortunate fact of life that we used to go through at my institution a couple times a year. We would do big data dumps out of the database of our customer base and start looking for anomalies and things that hadn’t been completed, like foreign customer addresses and so forth. You can identify the big anomalies and then just go through that clean-up process.

“You have to establish controls up front to make sure that the data that is going in is clean. It is the old garbage-in, garbage-out philosophy. Make it as clear and simple as possible for people to input data and input the right data, have validation controls within the system that make sure they’re not putting in the wrong data and then doing a scrubbing once a year if possible are really the best ways.”

What tools may a financial institution use to detect hidden connections? Kelly said, “Once the beneficial ownership rules took effect and we started collecting that information from new customers, we actually input it into our system. We created a new field within our customer database for beneficial owner names and data and then we could incorporate that into our transaction monitoring system.”

In the case of a client not being able to provide reasonable details of anticipated activity, would this be a red flag to watch out for? Kelly provided a balanced answer to this, stating, “If it is a brand-new business for example, and they have just opened their business and they are not too sure about what they are going to be doing that is a reasonable explanation.

“But they still should have something like a business plan or projections, a pro forma income statement or things like that. They should have some idea of what they are going to be doing through the accounts. So, if they absolutely insist that they have no idea then I would say that is a red flag.”

Should the customer risk-rating model be weighted according to the amount of risk it poses to said institution? To this, Kelly is in full agreement, “Absolutely. This is all based on your institution’s risk perspective. You may consider geographic risk, for example, to be more important than products and services and customer demographics. So perhaps you calculate it and then create a sub score for each one of those three categories. Then you apply a weighting factor to the geographic risk elements to make them more important.”

How often should risk profiles be reviewed and updated? Kelly mentioned that this can be chiefly from the perspective of your own institution, “I would say whenever something changes with that customer – whenever a major change occurs – you should be able to have some kind of a triggering mechanism.

“For an individual client, let us say their address changes, you may want to do a review at that time. If there are patterns of activity change, that is also a trigger that something has changed with them and it is time to go back and look at what is going on.

“With a business client, if their anticipated activity is writing cheques on their account and they get deposits and all of a sudden, they start doing foreign wire transfers, that is a flag that you need to go back and look at. You can speak to the client as maybe they are now doing some import or export business. It can often be a completely legitimate explanation, but something has changed. If nothing has changed with a client, I would say do the review on an annual basis.”

How does a company undertake a quality insurance process for risk ratings? How can you assess if the system is doing what it needs to do? For this, Kelly suggests that what she does is tests the model, “You can create some test customers with various risk factors and then see what their score comes out to be.

“You can also take what you know to be an existing client that is high risk and validate that the system is actually rating them that way. Look at their actual behavior and their demographics and products and services and so forth. What is the risk score you come up with and does that reflect what you think it should be?

“Testing is critical and it is not going to necessarily catch everything. You can do a wide range of test cases of all different types of clients that are representative of your different risk ratings and seeing that the system is actually rating them that way, and then you can be confident that it is doing what it is supposed to be doing. In addition, you should document your testing as well.”

What could be a good risk-based approach for updated customer information? Kelly answered, “One would be make sure that you have good front-end data controls that someone can’t enter, for example, a country code in the state field, or in an address or they can’t leave something blank. So making sure that in on your front end you have some good controls around data entry.

“A second one, which is a big effort, but it is an important effort to do periodically, is doing a data scrub to look for anomalies.  Then go back and have those anomalies fixed. Find the underlying root cause of that anomaly and try to find some controls in order to correct it.”

What is the best approach for the review of an organisation’s overall risk assessment program and how comprehensive should this be? How should it be documented?

Kelly said, “You want to clearly document your entire risk assessment process, such as the risk factors you are using, how the data entry occurs and why you chose those factors. I think that part is especially important to document your rationale, especially when someone else is going to be looking at this from the outside, such as a regulator. Also, it helps you think through as you are documenting it exactly why you are doing something a particular way.

“When you going through an examination, they will ask you how you came up with these risk factors and the rationale behind them and being able to have that documented is golden. That wins you many points with regulators as well as just making it a better program overall for everyone.”

Read the full post here.

Copyright © 2022 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.