Maximising the potential of the CRA from design to implementation

The ability to effectively assess the risk that a customer presents from a money laundering and terrorist financing perspective is a central element of Customer Due Diligence obligations. However, firms often fall into the trap of treating customer risk assessment (CRA) as merely a regulatory requirement, and can find themselves with a CRA which is:

  • Misaligned to the firm’s current risk appetite

  • Overly simplistic, involving assessment of generic risk factors with a lack of documented rationale (a theme highlighted by the FCA)

  • Poorly implemented, resulting in sub-optimal data to evaluate risk, incorrect results, and an unnecessarily negative customer and colleague experience

A clear and effective CRA, which is aligned to the outputs of the business-wide risk assessment, should be a positive force in the execution and maintenance of the financial crime control framework as a whole, by enabling accurate tailoring of processes and controls according to the risk that a customer presents.

Whether you are creating a new CRA Model from scratch, amending what is already in place or validating your current approach, the following questions will support you to maximise the effectiveness of your CRA.

Designing a CRA Model which is accurate, proportionate and practical


Questions and key observations

Is there clarity and consensus on how the CRA will be executed in the context of the customer lifecycle and the organisation’s control framework?

The following key points should be agreed prior to implementation:

  • Timing of the CRA as the customer relationship evolves, and the split of automated and manual steps

  • The systems and processes required to enable effective and timely execution of the CRA, and whether change is required to deliver against the new or updated design

  • Process mapping to show the consequences of each potential CRA outcome, including related processes such as customer outreach and enhanced due diligence, and how these may look different depending on the primary driver of the risk rating

Has the business been consulted on what may constitute a Prohibited, High, Medium or Low-Risk customer?

  • It can be tempting to dive straight into detailed definition of the CRA Model among a confined audience of financial crime professionals, particularly where there is time pressure at play. However, discussion of example customer personas with wider business stakeholders can help to highlight points of differing opinion on risk appetite, by translating theoretical scenarios into real-life customer cases

  • This exercise can help to better understand characteristics which would be considered unusual, highlight areas of ambiguity surrounding specific risk factors and sub-risk factors, and define more precise high-risk indicators. Ideally, clarity should be reached and reflected in the firm’s risk appetite statement, policies, standards and procedural guidance before changes are made to the live CRA

Where an existing CRA is in place, have learnings from historic cases been incorporated into the design of a revised Model?

  • Engagement with front line staff and operational financial crime colleagues is useful to identify areas where the CRA has been perceived to drive unnecessary referrals and bloated risk ratings, or has failed to rate customers appropriately where they present genuinely increased risk

  • Reviewing cases of increased customer risk, as well as the actual materialisation of risk, may help to illuminate features about customers which could have been identified using the CRA earlier in the customer relationship

  • Whilst not all risk is possible to codify into a CRA and accurately predict, reviewing outputs such as trends in SAR disclosures may be useful here

Does your organisation have the ability to accurately test the potential impact of a new or updated CRA Model?

  • Use of real customer data to determine the distribution of risk ratings in the context of a given change to the CRA enables assessment of the impact of these changes, such as the volume of referrals at onboarding and periodic reviews. It also supports understanding of the effect on other controls such as transaction monitoring, as customer risk rating should influence scenarios and thresholds

  • Where a new CRA introduces data attributes not currently held for existing customers, proxy data points or external information should be used to predict the impact of such a change. Where this is not possible, agreement should be reached on the degree to which blank data will impact a customer’s risk score and rating, until the point that data gaps are addressed

Are the underlying reference data lists which drive customer risk ratings comprehensive, up-to-date and reflective of the firm’s current risk appetite?

  • Most CRAs rely at least in part on lists of data attributes, with corresponding risk ratings at attribute level. For example, countries, industries, entity types and product types

  • It is important that the risk ratings associated with these granular attributes are up to date and reflective of external threats and trends, as the combination of these will determine a customer’s overall risk rating

Implementation


Questions and key observations

Are systems and processes to capture, store and update data specified in your CRA Model fit-for-purpose?

The following key points should be agreed prior to implementation:

  • What may be considered trivial updates to customer journeys to add or amend key data fields, or to incorporate external data sources, can require significant technical development which should be factored into delivery timelines

  • For example, while the concept of an industry list or list of business activities is simple, the level of detail of such lists can vary significantly. Where lists within application journeys mirror standard classifications such as SICs, it is important to ensure that there is sufficient specificity in the industries a customer or colleague can select from to enable an accurate understanding of the risk. Where options are not specific enough, the outputs of the CRA may be flawed

  • In particular, emerging business activities which are of increased risk, such as vape shops, may not feature in fields within application journeys which were implemented some time ago. The technical effort to update such journeys and underlying data flows should be incorporated into the delivery plan

  • The accuracy of risk ratings generated from the CRA is heavily reliant on data quality. It is imperative that systems and processes are in place to enable the refresh of relevant customer data attributes throughout the customer relationship, over and above basic touch points such as new product applications. External sources should be explored, where these can provide data of sufficient quality. As customers become increasingly digitally enabled, periodic and targeted data refresh via web and app journeys has become a powerful tool in maintaining customer due diligence information, which should automatically feed into the ongoing CRA solution to re-assess the customer’s risk rating

Where customers are required to provide data utilised by the CRA, are requirements as clear and frictionless as possible?

  • Language used to pose CRA related questions to customers should be kept as simple and human readable as possible to reduce the likelihood of incorrect data entry

  • Engagement with digital teams and user experience experts is critical to ensure information is captured in as smooth a manner as possible, with the fewest questions. External data sources and background behavioural data should be leveraged as much as possible; however, in some cases the most reliable source of information will be the customer’s input

  • User testing can help to identify pain points in customer journeys, such as confusion around how the user is expected to respond, or technical niggles. Many customers may not be familiar with language that is used in risk and compliance circles, or may not be confident speakers of the language in question, which can lead to erroneous data entry

  • Consideration should be given as to whether every data input is truly mandatory, e.g. could a personal customer’s industry be inferred from their occupation, without the need to ask both questions?

  • Clumsily implemented CRA related customer journey steps can lead to customer drop-out, dissatisfaction or the population of incorrect data, driving poor quality risk ratings

Are mechanisms in place to measure the performance of the CRA, and amend as required?

  • The ability to analyse large amounts of CRA related data attributes is useful to understand what is driving the distribution of risk ratings

  • Often, analysis can identify data attributes which appear to be over- or under-represented, which may point to issues with the way in which data is being captured or assessed

  • Analysis of the ultimate outcome of cases generated from the automated CRA from an operational perspective (e.g. downgrades) can be helpful in identifying improvements to future iterations of the CRA, to better identify truly high-risk customers

  • While continuous analysis and refinement of the CRA is important, wholesale changes may come with considerable technical impacts, as well as process and procedural uplift. Such changes should be carefully planned and communicated to impacted colleagues, with full assessment of the change, including on the customer, carried out in advance

Investing the time and effort to develop a CRA Model which is accurate, up-to-date and implemented with efficiency in mind can pay dividends in terms of understanding the true risk of your customer book, being able to clearly explain how risk ratings are generated, and minimising customer and colleague frustration.

For more information on CRA related topics, please reach out to us at contact@malverde.co.uk.
