Methodology for Automated Updates to the Financial Crime Risk Assessment

Introduction

Cable’s Automated Testing tests the effectiveness of a firm’s controls and its adherence to relevant regulatory requirements. Cable ingests a firm’s customer and transaction data, processes it through an analytics engine, and tests for any failures of controls.

Cable’s Financial Crime Risk Assessment is based on regulatory guidance, industry experience, and user feedback. It’s designed to be responsive to information provided by users in a questionnaire about their firm’s risk exposures, and it provides automatically calculated, dynamically updated suggested inherent and residual risk ratings on a risk category, risk area, and business-wide level. The Financial Crime Risk Assessment methodology can be found here.

Updating the Risk Assessment based on Automated Testing

When used with Automated Testing across financial crime controls, Cable’s Risk Assessment automatically updates based on the actual efficacy of controls, eliminating manual work and providing real-time insights to drive business priorities.

As described in the Risk Assessment Methodology, residual risk ratings for each risk category are a function of inherent risk rating and overall control efficacy, which is the product of control adequacy and control effectiveness. Control adequacy should be manually input based on a firm’s assessment of how well designed a given control is, relative to the risk it is designed to mitigate. Control effectiveness measures how consistently a control works, as a percentage of when the control was designed to apply. Since Cable can test 100% of customer and transaction data, Cable can automatically update the control effectiveness percentage for relevant controls.

Methodology

Cable’s Risk Assessment suggests potential common controls for each risk category. Where the control effectiveness can be automatically calculated based on Automated Testing, a plug icon appears next to the control effectiveness score. Automated Testing happens across the following areas of the financial crime framework: CDD, IDV, EDD, KYB, PEP, Sanction, Risk Assessment, TM and SARs. This means that Cable can automatically update the control effectiveness percentage for relevant controls in these areas.

Multiple tests in a control area

Most control areas have more than one test making up that control, and so Cable calculates an aggregated score across the control area.

For example, if a firm selects “CDD” as a control, there are likely to be three tests included in that control area:

• All customers have provided names
• All customers have provided addresses
• All customers have provided valid dates of birth

Cable will calculate a percentage of effectiveness for each of the tests under CDD by taking the population that met the criteria and dividing it by the total population that should have met the criteria. For example:

• All customers have provided names (100 customers provided names/100 customers should have provided names = 100% effective)
• All customers have provided addresses (100 customers provided addresses/100 customers should have provided addresses = 100% effective)
• 95 customers have provided valid dates of birth (95 customers provided valid dates of birth/100 customers should have provided = 95% effective)

Cable averages the effectiveness across all the tests in the CDD control area, which in this example would be 98%. In the Risk Assessment, anywhere that the CDD control is applied to a Risk, the effectiveness score would automatically update to 98%. This would then feed into the residual risk calculation, which also updates automatically.

Population

The effectiveness calculation of a single test will look at whatever the relevant population is for the test. Therefore, different tests may apply to different populations, such as beneficial owners, cardholders, companies, transactions, etc. Alternatively, if a test only applies to a specific population such as high risk customers, the effectiveness calculation would also only apply to the specific population.

Timespan

Cable updates the effectiveness calculation from whatever date a firm began using Automated Testing. This means the effectiveness percentage provides the full picture of a firm’s control effectiveness and not simply a snapshot in time. This does mean a control won’t immediately return to 100% effectiveness as soon as it’s fixed, but instead the effectiveness percentage will increase as more subjects are added and the control continues to work effectively.