Risk tolerance for money laundering and terrorist financing or ML/TF is usually set as zero tolerance by the entities because any incident related to ML/TF may destroy the organization’s image and result in financial and reputational losses.
ML/TF risk tolerance is the acceptable variation in expected ML/TF risk incidents. It describes the range of acceptable outcomes for achieving a business objective within the risk appetite. It also provides an approach for measuring whether risks to achieving strategic and business objectives are acceptable or unacceptable.
Understanding the tolerance for variation in performance enables management to enhance the entity’s value. For instance, the right boundary of acceptable variation should generally not exceed where the risk profile intersects risk appetite. But where the right boundary is below risk appetite, management can shift its targets and remain within its overall risk appetite. The maximum point where the performance target could be set is where the right tolerance boundary intersects with risk appetite.
Understanding Risk Tolerance with the Perspective of AML/CTF
Unlike risk appetite, which is broad, tolerance is tactical and focused. That is, it should be expressed in measurable units (preferably in the same units as the business objectives), be applied to all business objectives, and be implemented throughout the entity. In setting tolerance, the organization considers the relative importance of each business objective and strategy.
For instance, for those objectives viewed as highly important to achieving the entity’s strategy, or where a strategy is highly important to the entity’s mission and vision, the organization may wish to set a lower tolerance range. Tolerance focuses on objectives and performance, not specific risks.
Operating within defined tolerance gives management greater confidence that the entity remains within its risk appetite and provides a higher degree of comfort that it will achieve its business objectives.
Performance measures related to a business objective help confirm that actual performance is within an established tolerance. Performance measures can be either quantitative or qualitative. Tolerance also considers both exceeding and trailing variation, sometimes referred to as positive or negative variation. Note that exceeding and trailing variation is not always set at equal distances from the target.
The amount of exceeding and trailing variation depends on several factors. An established organization, for example, with a great deal of experience, may move exceeding and trailing variation closer to the target as it gains experience managing a lower variation level. The entity’s risk appetite is another factor: an entity with a lower risk appetite may prefer less performance variation than an entity with a greater risk appetite.
Organizations should also understand the relationship between cost and tolerance to deal effectively with associated risks. Typically, the narrower the tolerance, the greater the resources required to operate within that level of performance.
The risk that may impact the achievement of strategy and business objectives must be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
The board approves and reviews risk appetite and tolerance statements depending on the business’s nature, size, complexity, current financial condition, and the bank’s strategic direction. The risk appetite and tolerance statement should capture the past and future aspects as part of their risk management and capital assessments.
The organizations may express ML/TF risk appetite, tolerance level, and possible impact through “Compliance Risk Control Self-Assessment” remedial action plans and Key Risk Indicators or KRI thresholds. Moreover, with the change of business, customers, and overall regulatory compliance environment, the board should regularly review the appropriateness of threshold for specific ML/TF risks and overall risk tolerance.
Final Thoughts
Risk tolerance is an important concept in the field of anti-money laundering (AML) and countering the financing of terrorism (CTF). AML/CTF measures are designed to prevent the use of the financial system for illicit purposes, such as money laundering and terrorist financing.
Risk tolerance refers to an organization’s willingness to accept and manage risks associated with AML/CTF. This is based on factors such as the organization’s risk appetite, its legal and regulatory obligations, and its business model. In general, organizations with a higher risk tolerance are willing to take on more risk in pursuit of their business goals, while those with a lower risk tolerance are more cautious and may be more conservative in their approach.
Risk tolerance is an important concept in AML/CTF, but it needs to be balanced against the need for compliance. Organizations need to adopt a risk-based approach to AML/CTF, so that they can manage risks effectively while also pursuing their business goals.