Risk Assessment Methodology

Version 1.2 - April 2024

Financial crime risk assessments are essential to assess a firm’s risk of financial crime exposure and to meet regulatory requirements for an effective, risk-based compliance program.

Cable’s Risk Assessment is based on regulatory guidance, industry experience, and user feedback. It’s designed to be responsive to information provided by users in a questionnaire about their firm’s risk exposures, and it provides automatically calculated, dynamically updated suggested inherent and residual risk ratings on a risk category, risk area, and business-wide level.

This document details the structure of Cable’s Risk Assessment and the methodologies used for each risk rating calculation. A key feature of Cable’s Risk Assessment to keep in mind is that users are always able to manually adjust any automatically calculated risk ratings as needed to reflect their own assessment of risk.

Risks

Cable’s Risk Assessment is organised by 10 high-level risk areas that firms should consider in financial crime risk assessments, according to regulatory guidance or expectations (e.g., from the Wolfsberg Group, FATF, JMLSG Guidance, FFIEC, or national risk assessments) and industry practice.

The 10 risk areas are as follows: Regulatory Risk, Operational Risk, Geographic Risk, Size and Nature of Business Risk, Processes and Systems Risk, Product/Services Risk, Delivery Channel Risk, Customer Risk, Transaction Risk, and Typology Risk.

Each of these risk areas is subdivided into further specific risk categories. For each risk category, based on information provided by users in their questionnaire responses, Cable’s Risk Assessment enables firms to assess their inherent risk, the strength of their relevant controls, and their residual risk.

  • Inherent risk is a measure of a firm’s exposure to a risk without any controls mitigating the risk.
  • Residual risk is a measure of the risk remaining after mitigating controls are applied to the inherent risk, and is dependent on inherent risk and the overall efficacy of controls.

Cable’s Risk Assessment automatically identifies relevant risk categories for firms, but users have full flexibility to add custom risk categories to any risk area or disable suggested risk categories. The following sections of this document give in-depth detail about Cable’s risk rating calculation methodologies for determining inherent and residual risk ratings, as well as the particular risk rating methodologies used for each of the 10 risk areas and associated risk categories.

Controls

To calculate residual risk, firms’ controls applicable to a particular risk category need to be assessed for both control adequacy and effectiveness.

  • Control adequacy is a measure of whether controls are properly designed to fully mitigate the risk.
  • Control effectiveness is a measure of whether controls, however designed, are operating effectively and as expected.

Users provide their own assessments of control adequacy and effectiveness for each risk category. Future planned developments to Cable’s Risk Assessment will enable firms to see automatically calculated control ratings if they conduct ongoing controls monitoring and assurance using Cable’s Automated Assurance product. Based on control adequacy and effectiveness, Cable’s Risk Assessment then calculates overall control efficacy for each risk category, as well as the effect on the residual risk rating.

Cable’s Risk Assessment suggests potential common controls for each risk category (see Appendix B). However, users also have full flexibility to add custom controls to any risk category.

Aggregate Risk Ratings

Once inherent and residual risk ratings and overall control efficacy for each risk category have been determined, Cable’s Risk Assessment automatically aggregates these risk ratings into an overall risk score for each high-level risk area. Subsequently, a business-wide risk score is determined by Cable’s Risk Assessment based on the risk scores for the risk areas.

Risk Assessment Administration

Risk assessments are foundational for firms’ compliance programs. Cable’s Risk Assessment enables firms to document and obtain senior management or other stakeholder approval for the risk assessment. Cable’s Risk Assessment also gives firms’ compliance teams a workflow to collaborate and track actions to address gaps or weaknesses identified in the risk assessment.

Risk Rating Key

Rating - Description
1 - Lowest risk
2 - Low risk
3 - Medium risk
4 - High risk
5 - Highest risk

Risk Category Risk Rating

Inherent risk calculation

  • Binary: Any exposure to the risk category means the firm faces the full risk associated with the risk category. Therefore, if the firm has any exposure to the risk, the firm’s inherent risk rating is equal to the initial risk score of the risk category. In certain cases, Cable automatically deems firms to have exposure to a risk category, based on regulatory guidance as to the prevalence of the risk, and the risk category is displayed by default.
  • Quantitative exposure: The firm’s inherent risk depends on its amount of exposure to the risk category, which can be assessed through quantitative metrics (e.g., % of customers or transactions). Based on the firm’s responses about its percent exposure amount to the risk category, an inherent risk rating is assigned as follows, with the maximum value capped at the initial risk score of the risk category:
    • 1 - None
    • 2 - < 1%
    • 3 - 1-5%
    • 4 - 6-10%
    • 5 - > 10%
  • Qualitative exposure: The firm’s inherent risk depends on its exposure to certain risk factors associated with a risk category, which can be assessed through qualitative characteristics or thresholds. Based on the firm’s responses about its exposure to relevant risk factors, an inherent risk rating is assigned based on the presence or absence of these risk factors.

Overall control efficacy calculation

  • Overall control efficacy for each risk category is the product of control adequacy and control effectiveness, expressed as a percentage.

    • Control adequacy is a measure of whether controls are properly designed to fully mitigate the risk, expressed as a percentage.
    • Control effectiveness is a measure of whether controls, however designed, are operating effectively and as expected, expressed as a percentage.
  • Overall Control Efficacy = Overall Control Adequacy * Overall Control Effectiveness

    • Overall Control Adequacy = simple average of the Control Adequacy for all active controls for the risk category
    • Overall Control Effectiveness = simple average of the Control Effectiveness for all active controls for the risk category

Residual risk calculation

  • Residual risk ratings for each risk category are a function of the previously calculated inherent risk rating and overall control efficacy.
  • Standard residual risk rating calculation methodology:
    • 1 - 96-100% overall control efficacy
    • 2 - 91-95% overall control efficacy
    • 3 - 86-90% overall control efficacy
    • 4 - 81-85% overall control efficacy
    • 5 - 80% or less overall control efficacy
    • Maximum residual risk rating is capped at the inherent risk rating.

Risk Area Risk Rating

  • Maximum risk rating: Inherent and residual risk ratings equal the highest risk ratings for any risk category in the risk area.
  • Evenly weighted: Inherent and residual risk ratings are simple averages of the risk ratings for each risk category in the risk area.
  • Weighted by exposure: Inherent and residual risk ratings are weighted averages of the risk ratings for each risk category in the risk area, with weighting corresponding to the firm’s exposure to each risk category.
  • Manually weighted: Inherent and residual risk ratings are weighted averages of the risk ratings for each risk category in the risk area, with weighting manually assigned by Cable for each risk category.

Business-wide Risk Rating

  • Manually weighted: Inherent and residual risk ratings are weighted averages of the risk ratings for each risk area, with weighting manually assigned by Cable for each risk area as follows, based on regulatory guidance and industry practice (e.g., the Wolfsberg Group, JMLSG Guidance, and the FFIEC):
    • 15% - key risk areas to account for in risk assessments as commonly identified in regulatory guidance (Geographic Risk, Product/Services Risk, Customer Risk, Transaction Risk)
    • 10% - other significant risk areas identified in regulatory guidance or industry practice (Delivery Channel Risk, Regulatory Risk)
    • 5% - additional risk areas to account for in risk-based approach based on regulatory guidance or industry practice (Operational Risk, Size and Nature of Business Risk, Processes and Systems Risk, Typology Risk)

Other Calculation Methodologies

Cable’s mathematical calculations are rounded and stored to 6 decimal places of precision (e.g., 0.123456). For ease of use, the Risk Assessment user interface only displays rounded integers.
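The calculation chain described above, from quantitative inherent risk through control efficacy and residual risk to the business-wide rating, is sketched below as an added example; it is not Cable’s own code. Function names are hypothetical, values that fall between the published integer bands (e.g., 5.5% exposure or 95.5% efficacy) are assumed to belong to the adjacent band shown in the comments, and a risk category with no active controls is assumed to have 0% efficacy. Qualitative exposure and exposure-weighted aggregation are omitted because the document gives no formula for them.

```python
from statistics import mean

PRECISION = 6  # the document: values are rounded and stored to 6 decimal places

# Business-wide weights in percent, as listed in the document (sum to 100).
AREA_WEIGHTS = {
    "Geographic Risk": 15, "Product/Services Risk": 15,
    "Customer Risk": 15, "Transaction Risk": 15,
    "Delivery Channel Risk": 10, "Regulatory Risk": 10,
    "Operational Risk": 5, "Size and Nature of Business Risk": 5,
    "Processes and Systems Risk": 5, "Typology Risk": 5,
}


def inherent_quantitative(exposure_pct, initial_score):
    """Map percent exposure to a 1-5 band, capped at the category's initial risk score."""
    if not 0 <= exposure_pct <= 100:
        raise ValueError("exposure_pct must be between 0 and 100")
    if exposure_pct == 0:
        band = 1            # None
    elif exposure_pct < 1:
        band = 2            # < 1%
    elif exposure_pct <= 5:
        band = 3            # 1-5%
    elif exposure_pct <= 10:
        band = 4            # 6-10% (assumption: values between 5 and 6 land here)
    else:
        band = 5            # > 10%
    return min(band, initial_score)


def control_efficacy(controls):
    """controls: (adequacy, effectiveness) fractions in [0, 1], one pair per active control.

    Efficacy is the simple average of adequacy times the simple average of effectiveness.
    """
    if not controls:
        return 0.0          # assumption: no active controls means no mitigation
    for adequacy, effectiveness in controls:
        if not (0 <= adequacy <= 1 and 0 <= effectiveness <= 1):
            raise ValueError("control ratings must be fractions between 0 and 1")
    overall_adequacy = mean(a for a, _ in controls)
    overall_effectiveness = mean(e for _, e in controls)
    return round(overall_adequacy * overall_effectiveness, PRECISION)


def residual_rating(inherent, efficacy):
    """Standard residual methodology: band by efficacy, capped at the inherent rating."""
    if efficacy > 0.95:
        band = 1            # 96-100%
    elif efficacy > 0.90:
        band = 2            # 91-95%
    elif efficacy > 0.85:
        band = 3            # 86-90%
    elif efficacy > 0.80:
        band = 4            # 81-85%
    else:
        band = 5            # 80% or less
    return min(band, inherent)


def area_rating(category_ratings, method):
    """Aggregate category ratings with the 'maximum' or 'even' (simple average) method."""
    if not category_ratings:
        raise ValueError("a risk area needs at least one active risk category")
    if method == "maximum":
        return float(max(category_ratings))
    if method == "even":
        return round(mean(category_ratings), PRECISION)
    raise ValueError(f"unsupported method: {method}")


def business_wide(area_ratings):
    """Weighted average of the 10 risk area ratings using the document's default weights."""
    missing = set(AREA_WEIGHTS) - set(area_ratings)
    if missing:
        raise ValueError(f"missing risk areas: {sorted(missing)}")
    total = sum(AREA_WEIGHTS[area] * area_ratings[area] for area in AREA_WEIGHTS)
    return round(total / 100, PRECISION)


if __name__ == "__main__":
    # Constructed sample: 25% exposure to a category with initial score 5,
    # mitigated by two controls rated (adequacy, effectiveness).
    inherent = inherent_quantitative(25, 5)
    efficacy = control_efficacy([(1.0, 0.95), (0.9, 0.9)])
    print(inherent, efficacy, residual_rating(inherent, efficacy))
```

The residual cap means that a category with a low inherent rating cannot be pushed above that rating by weak controls.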

Methodologies Used by Risk Area

Regulatory Risk

Risk Categories with Initial Risk Score

  • Regulated activity - 5, binary exposure
  • Registration/Licence Requirement - 5, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 10%, other significant risk area identified in regulatory guidance or industry practice

Operational Risk

Risk Categories with Initial Risk Score

  • No designated AML compliance officer with sufficient expertise/experience - 5, binary exposure
  • No Board-level compliance committee - 5, binary exposure
  • Inadequate governance and management oversight - 5, binary exposure
  • Inadequate policies, procedures, and controls - 5, risk displayed by default
  • Inadequate company-wide training - 5, binary exposure
  • Inadequate independent testing and oversight - 5, binary exposure
  • Inadequate compliance staffing and resources - 5, binary exposure
  • Reliance on third party firm for CDD measures - 5, binary exposure
  • Recent enforcement actions or supervisory matters - 5, binary exposure
  • Remediation projects or initiatives related to AML compliance matters - 5, binary exposure
  • Recent AML compliance employee turnover - 1-5, depending on qualitative exposure
    • Factors: AML compliance employee turnover rate; Key personnel turnover
  • Recent/planned acquisitions - 1-5, depending on qualitative exposure
    • Factors: Target is regulated financial institution; Target maintains AML compliance program; Weaknesses or deficiencies in target AML compliance program; Target financial crime risk assessment
  • Recent internal audit or other material findings - 1-5, depending on qualitative exposure
    • Factors: Regulatory breaches; Control failures; High risk findings

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional risk areas to account for in risk-based approach based on regulatory guidance or industry practice

Geographic Risk

Risk Categories with Initial Risk Score

  • Own Bank/FI Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Customer Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Transactions Geographic Risk - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings

Inherent Risk Rating Calculation Methodology

  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key risk area to account for in risk assessment as commonly identified in regulatory guidance

Size and Nature of Business Risk

Risk Categories with Initial Risk Score

  • Multiple geographies - 1-5, depending on qualitative exposure
    • Factors: Number of geographies
  • Expected geographic expansion - 1-5, depending on qualitative exposure
    • Factors: Number of geographies; Country risk ratings
  • Multiple subsidiaries, branches or agent networks - 1-5, depending on qualitative exposure
    • Factors: Number of subsidiaries, branches or agent networks
  • Client base stability - 1-5, depending on qualitative exposure
    • Factors: Annual change in customer base
  • Number of customers - 1-5, depending on qualitative exposure
    • Factors: Total number of customers
  • Expected customer growth - 1-5, depending on qualitative exposure
    • Factors: Expected customer growth per month
  • High estimated annual revenue - 1-5, depending on qualitative exposure
    • Factors: Estimated annual revenue
  • High expected annual revenue growth - 1-5, depending on qualitative exposure
    • Factors: Estimated annual revenue growth
  • Nature of business risk, binary exposure
    • Asset Management - 3
    • Brokerage - 4
    • Wholesale/Commercial Banking - 4
    • International Correspondent Banking - 5
    • Credit & Other Card Banking - 3
    • Investment Banking - 3
    • Retail banking - 4
    • Private Banking/Wealth Management - 5
    • Money service business - 4
    • Payment services/e-money services - 3
    • Capital markets/wholesale markets - 4
    • Trade finance - 4
    • Investment firms/managers - 3
    • Investment funds - 3
    • Crowdfunding platform - 3
    • Currency exchange services - 4
    • Corporate finance - 3
    • BaaS Platform/Provider - 4
    • Virtual asset service provider - 4

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional risk area to account for in risk-based approach based on regulatory guidance or industry practice

Processes and Systems Risk

Risk Categories with Initial Risk Score

  • Limitations, issues, or gaps involving complex technologies (e.g. AI/ML) - 1-5, depending on qualitative exposure
    • Factors: AI/ML experts explaining or maintaining tools; Duration of use; AI/ML models designed or validated using real customer data
  • Limitations, issues, or gaps due to recent/planned introduction of new technologies - 1-5, depending on qualitative exposure
    • Factors: Integration with legacy systems; Technical experts explaining new technology; Technical experts maintaining new technology
  • Limitations, issues or gaps in integration of IT systems - 1-5, depending on qualitative exposure
    • Factors: Identified data integrity gaps in AML/sanctions compliance systems; Experts overseeing data management between IT and AML/sanctions compliance systems; End-to-end data mapping for AML/sanctions compliance program
  • Reliance on third party service providers - 1-5, depending on qualitative exposure
    • Factors: Third party service providers used for AML/sanctions compliance measures

Inherent Risk Rating Calculation Methodology

  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional risk areas to account for in risk-based approach based on regulatory guidance or industry practice

Product/Services Risk

Risk Categories with Initial Risk Score

  • Private Banking/Wealth Management - 1-5, depending on quantitative exposure
  • International Correspondent Banking, binary exposure
    • International Wire Transfers - 5
    • Pouch Services - 5
    • Banknotes - 5
    • Pass-through/Payable-through accounts - 5
    • Nested or downstream correspondent clearing - 5
    • Bank draft services - 5
    • Other correspondent banking - 5
  • Special Use/Concentration/Omnibus Accounts - 1-5, depending on quantitative exposure
  • Brokered Deposits - 1-5, depending on quantitative exposure
  • Safe Deposit Services - 1-5, depending on quantitative exposure
  • Precious Metals (Delivery) Services - 1-5, depending on quantitative exposure
  • Unlimited Cards - 1-5, depending on quantitative exposure
  • Alternative Investment/Structured Products - 1-4, depending on quantitative exposure
  • Trade/Export Finance - 1-4, depending on quantitative exposure
  • Pooled client accounts - 1-4, depending on quantitative exposure
  • Bearer shares - 1-4, depending on quantitative exposure
  • Fiduciary deposits - 1-4, depending on quantitative exposure
  • Prepaid access/stored value cards - 1-4, depending on quantitative exposure
  • Remote Deposit Capture - 1-4, depending on quantitative exposure
  • Cash letter - 1-4, depending on quantitative exposure
  • Monetary instruments - 1-4, depending on quantitative exposure
  • Mobile phone payments - 1-4, depending on quantitative exposure
  • Internet-based payments - 1-4, depending on quantitative exposure
  • Bulk cash delivery - 1-4, depending on quantitative exposure
  • Foreign exchange - 1-4, depending on quantitative exposure
  • Commercial letters of credit or bills for collection - 1-4, depending on quantitative exposure
  • Virtual assets (e.g., cryptocurrencies) - 1-3, depending on quantitative exposure
  • Insurance - 1-3, depending on quantitative exposure
  • Investment account - 1-3, depending on quantitative exposure
  • Credit cards - 1-3, depending on quantitative exposure
  • Expense management - 1-3, depending on quantitative exposure
  • Lending - 1-3, depending on quantitative exposure
  • Savings accounts - 1-3, depending on quantitative exposure
  • Current accounts - 1-3, depending on quantitative exposure
  • May be used by or on behalf of unknown or unidentified third parties - 5, risk displayed by default
  • Recent/planned introduction of new products or services - 5, binary exposure
  • Cash-intensive - 4, binary exposure
  • High or unlimited thresholds for transaction value, transaction frequency or account balance - 4, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key risk area to account for in risk assessment as commonly identified in regulatory guidance

Delivery Channel Risk

Risk Categories with Initial Risk Score

  • Face-to-face account origination - 1, binary exposure
  • Mix of face-to-face and non-face-to-face account origination - 3, binary exposure
  • Non-face-to-face account origination - 5, binary exposure
  • Unsolicited account origination (including walk-ins) - 4, binary exposure
  • Customer introduced from third parties or other parts of the same financial group, but firm cannot be satisfied it knows its customer and the level of risk of the business relationship - 5, binary exposure
  • Face-to-face account servicing - 1, binary exposure
  • Mix of face-to-face and non-face-to-face account servicing - 3, binary exposure
  • Only non-face-to-face account servicing, and customer is known through reliable form of non-face-to-face CDD - 3, binary exposure
  • Only non-face-to-face account servicing via intermediary/agent - 3, binary exposure
  • Only non-face-to-face account servicing, and customer is not known - 5, binary exposure

Inherent Risk Rating Calculation Methodology

  • Binary

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Maximum risk rating

Default Risk Area Weighting for Business-Wide Risk Rating

  • 10%, other significant risk area identified in regulatory guidance or industry practice

Customer Risk

Risk Categories with Initial Risk Score

  • Subject to or target of government sanctions or other economic restrictive measures - 5, binary exposure
  • High Net Worth Individuals - 1-5, depending on quantitative exposure
  • Politically Exposed Persons (PEPs) - 1-5, depending on quantitative exposure
  • Nonresidents/foreign individuals - 1-3, depending on quantitative exposure
  • Retail - 1, binary exposure
  • UK companies and partnerships - 1-4, depending on quantitative exposure
  • Shell companies - 1-4, depending on quantitative exposure
  • Complex ownership and control structures (e.g., offshore trusts, private investment companies or offshore vehicles) - 1-4, depending on quantitative exposure
  • Publicly held companies on recognised stock exchange with adequate ownership transparency information requirements - 1, binary exposure
  • Publicly held companies not listed on recognised stock exchange - 1-3, depending on quantitative exposure
  • Privately held operating companies - 1, binary exposure
  • Privately held non-operating companies - 1-3, depending on quantitative exposure
  • Privately held companies with bearer shares or nominee shareholders - 1-5, depending on quantitative exposure
  • Government entities - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings
  • Banks, non-bank financial institutions or regulated firms listed on recognised stock exchange and located in jurisdiction with effective AML/CTF regime and supervised for compliance with local AML/CTF obligations - 1-2, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms not listed on recognised stock exchange but located in jurisdiction with effective AML/CTF regime and supervised for compliance with local AML/CTF obligations - 1-3, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms not listed on recognised stock exchange and not located in jurisdiction with effective AML/CTF regime - 1-5, depending on quantitative exposure
  • Banks, non-bank financial institutions or regulated firms subject to supervisory action for failure to comply with AML/CTF obligations or wider conduct requirements in past 5 years - 1-5, depending on quantitative exposure
  • Money services businesses - 1-4, depending on quantitative exposure
  • Intermediaries/commission agents - 1-4, depending on quantitative exposure
  • Real estate/letting agents - 1-4, depending on quantitative exposure
  • High value goods dealers - 1-4, depending on quantitative exposure
  • Art market participants - 1-4, depending on quantitative exposure
  • Precious metals & stones dealers - 1-4, depending on quantitative exposure
  • Gatekeepers/professional service providers (e.g., accountants, lawyers, trust and company service providers) - 1-4, depending on quantitative exposure
  • Arms dealers - 1-4, depending on quantitative exposure
  • Private military firms - 1-4, depending on quantitative exposure
  • Virtual asset service providers - 1-4, depending on quantitative exposure
  • Construction industry - 1-4, depending on quantitative exposure
  • Pharmaceuticals and healthcare industry - 1-4, depending on quantitative exposure
  • Defence industry - 1-4, depending on quantitative exposure
  • Extractive industries - 1-4, depending on quantitative exposure
  • Public procurement - 1-4, depending on quantitative exposure
  • Cash-intensive businesses - 1-4, depending on quantitative exposure
  • Independent ATM owners/operators - 1-4, depending on quantitative exposure
  • Investment advisers not subject to effective AML/CTF compliance regime or supervised for AML/CTF compliance - 1-4, depending on quantitative exposure
  • Casinos (including Internet gambling) - 1-3, depending on quantitative exposure
  • Charities and non-profit organisations - 1-3, depending on quantitative exposure
  • Payment services/e-money services/third party payment processors - 1-3, depending on quantitative exposure
  • Crowdfunding platforms - 1-3, depending on quantitative exposure
  • Customer has provided false or stolen identification documentation or information - 5, risk displayed by default
  • Customer or beneficial owner has been previously subject of a SAR - 1-4, depending on quantitative exposure
  • Customer or beneficial owner has adverse media reports or other relevant information sources - 1-4, depending on quantitative exposure
  • Customer or beneficial owner has been subject to administrative or criminal proceedings or law enforcement sanctions in relation to proceeds-generating crimes, or allegations of terrorism or terrorist financing - 4, risk displayed by default
  • Customer cannot reasonably be expected to produce detailed evidence of identity and may be financially excluded - 1-4, depending on quantitative exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key risk area to account for in risk assessment as commonly identified in regulatory guidance

Transaction Risk

Risk Categories with Initial Risk Score

  • Significant or unusual cash/cash-like - 1-5, depending on quantitative exposure
  • Pass-through/payable-through transactions - 1-5, depending on quantitative exposure
  • Nested or downstream accounts - 1-5, depending on quantitative exposure
  • Rapid in/out (high velocity turnover) - 5, risk displayed by default
  • Smurfing - 5, risk displayed by default
  • Structured transactions - 5, risk displayed by default
  • Suddenly active - 5, risk displayed by default
  • International funds transfers - 1-4, depending on qualitative exposure
  • Related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory and other items related to protected species, and other items of archaeological, historical, cultural and religious significance, or of rare scientific value - 1-4, depending on quantitative exposure
  • Transactions initiated by noncustomers - 1-5, depending on quantitative exposure
  • Transactions to noncustomer beneficiaries with no specific account to deposit funds into (i.e., payable upon proper identification transactions) - 1-5, depending on quantitative exposure
  • Bank transfers - 1-3, depending on quantitative exposure
  • Third-party payments - 1-3, depending on quantitative exposure
  • High-value real estate transactions - 1-4, depending on quantitative exposure
  • Mirror trades - 1-4, depending on quantitative exposure
  • Low-priced securities transactions - 1-4, depending on quantitative exposure
  • Securities transaction cleared/settled through an unregulated entity - 1-4, depending on quantitative exposure
  • Transactions to or from illegal/high-risk sources - 1-5, depending on quantitative exposure
  • Transactions missing originator or beneficiary, customer or transactional information - 4, risk displayed by default
  • Overpayments where not normally foreseen - 1-4, depending on quantitative exposure
  • High value transactions - 4, risk displayed by default
  • High aggregate volume or frequency of transactions - 1-5, depending on quantitative exposure
  • Transactions that are complex or unusually large, part of an unusual or unexpected pattern, or having no apparent economic or legal purpose - 4, risk displayed by default
  • Increasing number of SARs - 1-5, depending on qualitative exposure
    • Factors: Estimated annual percentage increase in SAR filings
  • Increasing number of TM alerts - 1-5, depending on qualitative exposure
    • Factors: Estimated annual percentage increase in transaction monitoring alerts
  • Increasing number of CTRs - 1-5, depending on qualitative exposure
    • Factors: Estimated annual percentage increase in CTR filings
  • Transactions involving high-risk virtual assets - 1-4, depending on quantitative exposure
  • Virtual asset and fiat currency exchange - 1-4, depending on quantitative exposure
  • Transfer of virtual assets between virtual asset exchanges - 1-4, depending on quantitative exposure
  • Peer-to-peer virtual asset transfers - 1-4, depending on quantitative exposure

Inherent Risk Rating Calculation Methodology

  • Binary
  • Quantitative exposure
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Weighted by exposure

Default Risk Area Weighting for Business-Wide Risk Rating

  • 15%, key risk area to account for in risk assessment as commonly identified in regulatory guidance

Typology Risk

Risk Categories with Initial Risk Score

  • Money Laundering - 1-5, depending on qualitative exposure
    • Factors: Nature of business risk
  • Terrorist Financing - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Charities and non-profit organisation customers; Retail banking; Money services business
  • Bribery/Corruption - 1-5, depending on qualitative exposure
    • Factors: PEPs; Country risk ratings; Government entity customers
  • Sanctions - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings
  • Cybercrime - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Virtual asset products; Internet-based payments
  • Account Takeover Fraud - 1-5, depending on qualitative exposure
    • Factors: Non-face-to-face account servicing; Accounts that can hold balance
  • Authorised Push Payment Fraud - 1-5, depending on qualitative exposure
    • Factors: Bank transfers
  • Unauthorised Card Fraud - 1-5, depending on qualitative exposure
    • Factors: Card products
  • First-party Fraud - 5, risk displayed by default
  • Second-party Fraud - 5, risk displayed by default
  • Third-party Fraud - 1-5, depending on qualitative exposure
    • Factors: Non-face-to-face account servicing
  • Transnational Criminal Organisation Activity - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Cash-intensive products; Virtual asset products; Money services business
  • Drug Trafficking Organisation Activity - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Cash-intensive products; Virtual asset products; Money services business
  • Human Trafficking and Human Smuggling - 1-5, depending on qualitative exposure
    • Factors: Country risk ratings; Cash-intensive products
  • Proliferation Financing - 1-5, depending on qualitative exposure
    • Factors: Sanctioned customers; Country risk ratings; Virtual asset products; Money services business

Inherent Risk Rating Calculation Methodology

  • Binary
  • Qualitative exposure

Residual Risk Rating Calculation Methodology

  • Standard residual risk rating calculation

Risk Area Risk Rating Methodology

  • Evenly weighted

Default Risk Area Weighting for Business-Wide Risk Rating

  • 5%, additional risk area to account for in risk-based approach based on regulatory guidance or industry practice

Appendix A - Cable Country Risk Ratings

Risk Rating Key

Rating - Description
5 - Highest risk: activity potentially restricted
4 - High risk: listed jurisdiction for AML deficiencies; subject to multiple sanctions programs; regulatory guidance identifying heightened concerns
3 - Medium risk: some higher AML/sanctions/corruption concerns
2 - Low risk: some moderate corruption concerns
1 - Lowest risk: no significant concerns identified

Country Risk Ratings

Country - Rating
Democratic People’s Republic of Korea (North Korea) - 5
Iran - 5
Syria - 5
Cuba - 5
Ukraine Sanctioned Regions (Luhansk, Donetsk, Crimea) - 5
Russia - 5
Barbados - 4
Burkina Faso - 4
Cambodia - 4
Cayman Islands - 4
Haiti - 4
Jamaica - 4
Jordan - 4
Mali - 4
Morocco - 4
Myanmar (Burma) - 4
Nicaragua - 4
Pakistan - 4
Panama - 4
Philippines - 4
Senegal - 4
South Sudan - 4
Uganda - 4
Yemen - 4
Albania - 4
Turkey (Türkiye) - 4
United Arab Emirates - 4
Gibraltar - 4
Afghanistan - 4
Trinidad and Tobago - 4
Vanuatu - 4
Zimbabwe - 4
Belarus - 4
Bosnia and Herzegovina - 4
Central African Republic - 4
Democratic Republic of the Congo - 4
Iraq - 4
Lebanon - 4
Somalia - 4
Sudan - 4
Venezuela - 4
China - 4
Hong Kong SAR, China - 4
Libya - 4
Ukraine - 4
Burundi - 3
Armenia - 3
Azerbaijan - 3
Croatia - 3
Ethiopia - 3
Guinea - 3
Guinea-Bissau - 3
Kosovo - 3
Montenegro - 3
North Macedonia - 3
Serbia - 3
Tunisia - 3
Slovenia - 3
Mozambique - 3
Madagascar - 3
Mauritania - 3
Solomon Islands - 3
Sri Lanka - 3
Cabo Verde (Cape Verde) - 3
Bahamas - 3
Bhutan - 3
Tanzania - 3
Palau - 3
Thailand - 3
Kyrgyzstan - 3
Mongolia - 3
Zambia - 3
Tajikistan - 3
Macao SAR, China - 3
Bangladesh - 3
Malawi - 3
Fiji - 3
Honduras - 3
Malaysia - 3
Malta - 3
Turks and Caicos Islands - 3
Mauritius - 3
Samoa - 3
Seychelles - 3
Saint Lucia - 3
Egypt - 3
Guatemala - 3
Saudi Arabia - 3
Mexico - 3
Hungary - 3
Equatorial Guinea - 3
Turkmenistan - 3
Chad - 3
Comoros - 3
Congo - 3
Eritrea - 3
Nigeria - 3
Cameroon - 2
Uzbekistan - 2
Angola - 2
Liberia - 2
Dominican Republic - 2
Bolivia - 2
Djibouti - 2
Kenya - 2
Laos - 2
Paraguay - 2
Togo - 2
Gabon - 2
Niger - 2
Papua New Guinea - 2
Eswatini - 2
Algeria - 2
Nepal - 2
El Salvador - 2
Sierra Leone - 2
Moldova - 2
Peru - 2
Cote d’Ivoire - 2
Ecuador - 2
Gambia - 2
Kazakhstan - 2
Indonesia - 2
Argentina - 2
Brazil - 2
Lesotho - 2
Colombia - 2
Guyana - 2
Suriname - 2
Vietnam - 2
India - 2
Maldives - 2
Timor-Leste - 2
Bahrain - 2
Benin - 2
Bulgaria - 2
Ghana - 2
Kuwait - 2
South Africa - 2
Romania - 2
Sao Tome and Principe - 2
Greece - 2
Namibia - 2
Slovakia - 1
Oman - 1
Cyprus - 1
Grenada - 1
Rwanda - 1
Czechia - 1
Botswana - 1
Georgia - 1
Dominica - 1
Italy - 1
Poland - 1
Costa Rica - 1
Latvia - 1
Israel - 1
Saint Vincent and the Grenadines - 1
Spain - 1
Lithuania - 1
South Korea - 1
Portugal - 1
Qatar - 1
United States of America - 1
Chile - 1
Taiwan - 1
France - 1
Japan - 1
Uruguay - 1
Belgium - 1
Australia - 1
Canada - 1
Ireland - 1
Austria - 1
Iceland - 1
Estonia - 1
United Kingdom - 1
Germany - 1
Luxembourg - 1
Netherlands - 1
Switzerland - 1
Singapore - 1
Sweden - 1
Norway - 1
New Zealand - 1
Denmark - 1
Finland - 1
Antigua and Barbuda - 1
Bermuda - 1
San Marino - 1
Cook Islands - 1
Andorra - 1
Brunei - 1
Kiribati - 1
Liechtenstein - 1
Marshall Islands - 1
Micronesia - 1
Monaco - 1
Nauru - 1
Saint Kitts and Nevis - 1
Tonga - 1
Tuvalu - 1

Appendix B - Potential Common Controls

  • AML Corporate Governance
  • Management Oversight and Accountability
  • Designated AML Compliance Officer/Unit
  • Management Information/Reporting
  • Previous Other Risk Assessments
  • Policies and Procedures
  • KYC
  • CDD
  • EDD
  • Intermediary/agent due diligence
  • Identity Verification
  • Sanctions Screening
  • PEP Screening
  • Adverse Media Screening
  • Detection and SAR filing
  • Ongoing Monitoring
  • Recordkeeping and Retention
  • Training
  • Independent Testing and Oversight
  • Licence obtained/registration completed and up-to-date
  • Blockchain analysis

Revision Log

Mar 21, 2023 - Jonathan Wong
Add explanation for risk area weighting; add risk calculation methodology type for each risk; add crypto-related transaction risks; add Blockchain analysis to Appendix B;

Apr 25, 2024 - Jonathan Wong
Add calculation rounding details

For any questions or comments about Cable’s Risk Assessment, or to learn more about Cable, please visit our website at cable.tech or email customers@cable.tech.