Amber Management to Safeguard Compliance Risk

One of the biggest inefficiencies for compliance teams across the globe is delivering effective and efficient “Amber Management” processes. “Amber management” is a NorthRow coined term we use to describe an ambiguous result once you have onboarded a client. The result does not definitely answer whether you can safely do business with a customer or not and instead requires further due diligence. Often, only a small amount of KYC compliance costs come from implementing data and technology, and the vast majority of the cost is incurred through “amber management”. In this blog we discuss how you can improve your amber management processes, helping to reduce costs and business risk.

Posted on November 16, 2020
Written by Vanessa Richards

amber management

Protect Your Regulated Business with Amber Management to Safeguard Compliance Risk

KYC monitoring and remediation

KYC Monitoring and Remediation has become the ‘bete noire’ of many a Compliance team. This is particularly the case with larger, more established financial institutions, who most often suffer from the burden of multiple legacy systems, that may not talk to their KYC onboarding platform. Such stand-alone systems were undoubtedly viewed as the best option at the inset (a fairly economical ‘quick fix’ if you like), but the progressive needs of regulators in the AML arena, means that one-off onboarding is by no means satisfactory, instead, onboarding needs to be an ongoing and ‘joined-up’ exercise. Knowing Your Customer means knowing them at the outset and all through their journey with you.

The Financial Conduct Authority’s, (FCA), rules state that, “Firms must have in place policies and procedures in relation to customer due diligence and monitoring,” but they don’t specify how this should take place and in what form. They also don’t specify that there will be a need for periodic reviews, but there is an unspoken expectation that there will be.

In response to this expectation of a need to deliver periodic reviews – and in the absence of any set guidelines from the regulatory bodies – financial institutions, in a consultation with industry peers, have taken a Risk Based Approach. The agreed way forward outlines a standard of periodic reviews every 1, 2 or 3 years, depending on the identified risk: 1 year for high risk; 2 years for medium risk; and 3 years for low risk. But, to engage in these reviews, firms must have started the process by flagging customers with the appropriate risk marker in the first place. 

The FCA, says “Central to meeting your AML obligations is a risk assessment of your firm’s business, as it will help you develop effective and proportionate prevention procedures.” And it goes on to say “As the risks change over time, your risk assessment will need to be kept up-to-date………You will also need to keep monitoring the procedures…”

Strengthen your Risk Based Approach to KYC/CDD

In light of the FCA rules and additional statements it should be recognised that once onboarded, (ideally using the most up-to-date biometric facial recognition, documentation verification and authentication software), the customer should be continually monitored to avoid regulatory censure. The best digital monitoring systems will provide you with alerts only on those clients who materially affect you, enabling you to investigate any queries quickly (rather than being bogged down by red herrings) and remediate your records appropriately. By taking this Risk Based Approach, priorities can be identified with relevant resource allocated effectively.

The RAG (Red, Amber, Green) system we use at NorthRow acts as an adjunct to the risk-based approach, by identifying records that should be dropped from your books and/or reported to the appropriate regulatory/law enforcement authorities, i.e. Red records and those that require further investigation, Ambers, and those that are good to transact with, Green.

GREEN = No risk as it meets risk appetite

RED = Do not transact as it does not meet the business risk appetite with them

AMBER =There is an element of risk which should be investigated further

The strategy for dealing with Red records should be clearly laid out and swiftly performed together with the Greens. But, if anything, greater attention needs to be given to the Amber records, as these will either move into Red or Green depending on the outcome of your investigations. 

Amber Investigations

Amber investigations need to be thorough and cover a range of issues: where there is a substantive change, there needs to be a reassessment of the risk rating for that client; records should be checked against national and international PEPs and Sanctions lists; the customer’s basic information, as originally submitted, needs to be re-checked to ensure it is still valid, or if any corrections need to be made, which may or may not require a review of their risk status; the client’s transactions should be compared against forecast and anticipated levels/types; and lastly, re-check for any potentially suspicious activities that may not have been detected by your real-time monitoring platform.

By doing all of this, you will show that you are doing everything within your power to verify a client’s status and flag up any issues, remediating as you go along, which should set you in good stead if you’re unfortunate enough to sustain a breach.              

The Risk Based Approach is not just sanctioned by the FCA and FATF, but actively encouraged as it is regarded as best practice. Indeed, FATF regards the use of RBA as a prerequisite for the effective implementation of their standards.

Traditionally MLRO’s and Compliance Officers should report on any records that have suspicious activity or missing information that require remediation and/or investigation, i.e. Amber records, but in practice we know this is not the easiest of tasks to deliver.

Amber Management In Summary

Regulated businesses have always found it difficult to recognise, monitor and report on the number of Ambers. By using the NorthRow Amber approach, with the deployment of their highly configurable Risk Based Regulatory Rules Engine, businesses are able to identify the AMBERS that cause the pain points within the compliance function. We call it ‘Amber Management’ as we recognise that these are the records that can cost the business, in both financial penalties, as well as reputational damage. It is the Ambers that create friction and act as a drain on operational efficiencies.

NorthRow believes that using the RAG system is the best way of successfully implementing and sustaining an RBA, and that managing the Amber records is the key to delivering the most effective result. NorthRow has the capability and experience to guide you through your AMBER MANAGEMENT process, with a digital-first approach and using a powerful single-API to interrogate databases both national and international, alongside software delivering the most up-to-date authentication programs.