Until about two or three decades ago, customer profiling in financial institutions primarily meant gathering details around identification, address verification and occupation of retail customers. The details for entities included additional information around legal documents authorizing the entity to conduct its business, their financial statements, authorized signatories, and so on. Once recorded in the financial institution’s registers, these details were rarely reviewed, unless the customers initiated the changes themselves.
With the turn of this century, as regulators across the globe started formalizing know your customer (KYC) and anti-money laundering (AML) guidelines, the need to assess customer risk while onboarding new customers, conduct due diligence and monitor them throughout their lifecycle based on their risk level was recognized. Financial institutions then started defining risk models for their different customer categories (e.g., retail, corporate, banks, government bodies). Risk models of this generation relied on static parameters (e.g., risk models for retail customers used country of domicile, country of residence, source of wealth, industry from which a customer’s income is derived, length of relationship with the financial institution). Scores for each parameter were assigned based on the input value, and finally an aggregated score was determined. The customer was then assigned a risk rating of low, medium or high by matching the score with the score range for the risk levels.
This absolute risk-scoring model had a limitation as it failed to take into account the weights of each of the risk factors used in calculation. The weighted average risk-scoring model was thus born, factoring in the weights to be associated with each risk parameter, which varied with risk models of different customer categories. This risk model is the most widely used by banks and financial institutions today.
Moving from Static to Dynamic
Whether absolute or weighted, both customer risk models use static customer information that does not change frequently. The risk ratings of customers are reviewed at pre-defined frequencies, based on the risk levels assigned to such customers—the higher the risk, the more frequent the review and vice versa. Therefore, every customer remains in his or her risk bucket for a specified period of time, which could range from six months to three years, until the next review and change of risk level if so assessed.
With advancements in technology and the opening up of various banking channels, customer behavior has significantly changed in the past decade. From brick-based branch banking to click-based digital banking round the clock, transferring funds across geographies has become very easy and even instant in some cases. Such transformations have benefitted customers, but have also provided financial criminals additional ways to launder money. In such a dynamic setup, risk profiling of customers using static information at periodic intervals may mean exposing the financial institution to the threat of financial crimes. This is why customers need to be continuously risk scored based on their activity (financial and non-financial), using a combination of static and dynamic parameters, and monitored based on their updated risks at all times.
How Customer Risk Profiling Impacts AML Compliance
Financial institutions are increasingly using customer risk profiles for building risk-based AML compliance frameworks. Though their maturities may vary in this aspect, we are witnessing a global trend of financial institutions transforming their financial crimes compliance systems, processes and policies to risk-based programs. Customer risk profiling is now being integrated into the AML process flow, to strengthen oversight and create triggers for enhanced monitoring. Financial institutions now follow the rules below as a discipline:
- Periodic reviews of customer profiles are based on their risk levels (i.e., the higher the risk level, the more frequent the review)
- Controls are applied on customers and their activities based on their risk levels. Enhanced due diligence (EDD) is conducted on high-risk customers, and lower thresholds are applied on their transaction limits across various products for stringent monitoring
- Specific scenarios are designed to monitor financial and non-financial activities of high-risk customers, triggering alerts on deviations or breaching thresholds
- Alerts generated on suspicious transactions are risk-scored higher if the customer involved is a higher risk one. This results in prioritization of such alerts and greater due diligence for investigation
Using Machine Learning for Dynamic Customer Risk Profiling
From suspicious alert and fraud detection engines to network and linkage analysis of customers and transactions, machine learning has been transforming the way compliance is conducted in banks and financial institutions by digging into the massive amounts of data available with these organizations. Machine learning can also be leveraged to use the same customer, associated parties, account and transaction data to monitor the customer’s financial and non-financial activities continuously, and incorporate the analysis into the risk engine. An ecosystem can aid in machine learning-powered dynamic risk profiling of customers for a future-proof risk-based AML infrastructure as follows:
- Creating a dynamic risk-scoring engine for customer risk profiling. Such an engine should calculate an overall risk score, preferably daily, as a weighted average of both dynamic and static risk attributes. Dynamic risk attributes can include alerts generated on the customer (weights can be associated with scenarios triggering the alerts), alert likelihood of being suspicious, alert closed as false or reported to FIU, actual transaction behavior going beyond expected behavior, and so on.
- Leveraging machine learning algorithms for incorporating dynamic customer behavior data into the risk calculation engine. The machine learning models can analyze the transaction behavior and match it against the customer's and their peers' profiles to arrive at deviations, generate likelihood scoring of alerts being suspicious and similar results. These details can then form input for the dynamic risk engine to populate the daily customer risk scores and profiles.
- Designing an automated workflow for monitoring change of customer risk ratings. As the engine generates new risk scores for customers every day, any adverse change to risk ratings of customers should be subjected to manual approval and oversight. An automated workflow can help in triggering escalations for review and approval, when a customer risk profile moves from either low or medium to high.
- Triggering event-driven review for dynamic downgrade of customer risk rating. EDD needs to be triggered for all customers who move into the high-risk category through the dynamic risk profiling. This will ensure an updated review of high-risk customers at all times. A complete audit trail should also be maintained.
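The four steps above can be tied together in code. The following Python is an added example, not taken from the article or from any vendor's risk engine: it computes a daily weighted-average score over static and dynamic attributes, holds adverse rating changes for manual approval, flags EDD on a move to high, and records every decision in an audit trail. The attribute names, weights, score bands and the `RiskEngine` class are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed weights (assumptions). Each attribute is scored 0 (low) to 100 (high).
WEIGHTS = {
    "country_of_residence": 0.20, "source_of_wealth": 0.15, "industry": 0.15,  # static
    "alert_suspicion_likelihood": 0.25, "reported_to_fiu": 0.15, "behavior_deviation": 0.10,  # dynamic
}
BANDS = [(70, "high"), (40, "medium"), (0, "low")]  # constructed score ranges
ORDER = {"low": 0, "medium": 1, "high": 2}

def risk_score(attrs):
    """Weighted average of static and dynamic attribute scores."""
    missing = WEIGHTS.keys() - attrs.keys()
    if missing:  # refuse to score on partial data rather than default silently
        raise ValueError(f"missing attributes: {sorted(missing)}")
    return sum(w * attrs[k] for k, w in WEIGHTS.items()) / sum(WEIGHTS.values())

def rating(score):
    return next(label for floor, label in BANDS if score >= floor)

@dataclass
class RiskEngine:
    approved: dict = field(default_factory=dict)  # customer -> rating in force
    pending: dict = field(default_factory=dict)   # customer -> rating awaiting approval
    audit: list = field(default_factory=list)     # append-only trail of every decision

    def daily_run(self, day, customer, attrs):
        score = risk_score(attrs)
        new = rating(score)
        old = self.approved.setdefault(customer, new)  # first run records onboarding rating
        if new == old:
            action = "no_change"
        elif self.pending.get(customer) == new:
            action = "awaiting_approval"  # already escalated, do not re-raise daily
        elif ORDER[new] > ORDER[old]:  # adverse change: hold for manual approval
            self.pending[customer] = new
            action = "escalate_and_edd" if new == "high" else "escalate"
        else:
            self.approved[customer] = new  # assumption: improvements apply automatically
            action = "applied"
        self.audit.append((day, customer, round(score, 1), old, new, action))
        return action

    def approve(self, day, customer, reviewer):
        old, new = self.approved[customer], self.pending.pop(customer)
        self.approved[customer] = new
        self.audit.append((day, customer, None, old, new, f"approved:{reviewer}"))
        return new
```
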
Adoption of Dynamic Customer Risk Profiling
Financial crimes across the globe have steadily risen in the last two decades—not just in volume, but also in terms of complexity and sophistication. Even as regulations are becoming more stringent globally around AML and financial crimes compliance, both banks and criminals are trying to strengthen their systems and processes in an attempt to outsmart each other. Managing financial crimes risk continues to remain among the top priorities of financial institutions, with millions of dollars being set aside every year for upgrading systems and processes around prevention, detection, investigation and reporting of such crimes. Dynamic customer risk profiling promises to help realize benefits across this functional value chain. In order for this to happen, financial crime risk managers may look at integrating dynamic customer risk profiling in AML for the following functions:
- Dynamic review and KYC of customers, as opposed to periodic review, whenever there is a change in customer risk rating, as generated by the machine learning-based dynamic risk engine
- Alert generation and auto escalation when a customer risk category moves from low or medium to high during dynamic risk scoring
- Updating of customer profile based on change in risk rating. This would mean changes to customer limits and thresholds for various financial and non-financial activities. This process also needs to be automated, and manual review/approval needs to be incorporated.
- Refreshing customer data residing in other systems for the changed profiles in real time (e.g., data used for transaction monitoring scenario runs).
Risk profiling customers on a dynamic basis is becoming increasingly important, even as new data sources are being explored for gaining insights into customer behavior that can be used to assess their risk. Social media behavior is being seen as a storehouse of customer activity data, and social network analysis is already becoming a risk management buzzword. It is just a matter of time before social media data gets integrated into customer risk engines, and dynamic risk profiling becomes part of the routine AML landscape.