As noted in my last post on this area, working out who to deal with in some countries is very difficult. Trying to use the do not deal lists in any form of modern banking practice is very tricky and error prone at best.
A truly risk-based system, though, is going to need to apply differing weights to the differing circumstances of each deal.
Operating on the principle that no deal should be banned unless explicitly forbidden by legislation (a truly risk based system must deal on this basis) a possible, if very simple, way to organise this would be to assign differing risk weights to each deal, with the countries involved being allocated percentages.
As the risk percentage increases then higher and higher approval levels should be sought (and the regulators kept informed).
Under this system, dealing with a counterparty that the bank has been dealing with for decades, and the bank well understands the business and there have been no recent changes to cash flow may attract only a nominal risk weight – say 1%. Dealing with a new counterparty in the US would be, say, 10% and a new counterparty in a known tax haven 50%. Dealing with, say, North Korea, would attract an automatic 70%, with any North Korean government enterprises attracting an additional 30%, placing them in the highest-risk category.
Combine this with percentages based on information on other aspects of the deal and you have a system.
Deals with a total risk weight of under (say) 20% would get the usual process, with between 20 and 50% needing the sign-off of the head of risk management, deals between 50% and 75% needing CFO sign-off (and AUSTRAC notification) and deals over 75% needing Risk, CFO, CEO sign-off and AUSTRAC notification.
This sort of system would be easy to automate – at the simplest level put into a spreadsheet or simple database and could be implemented in a few days. Provided it is done on as part of the initiation of every new deal with the counterparty and updated on a regular basis (say quarterly) this should allow you to claim compliance with the relevant parts of the AUSTRAC requirements.
This is obviously going to slow down the deal process, though. Getting this into your primary databases, along with some further KYC work, will be needed for business reasons.
It is not too late to get this done by 12 December, as required under the regulations. Better hurry, though – AUSTRAC is already sounding annoyed with the apparent lack of progress. You do not want to be the one they choose to make an example of.