Jul 19, 2022

Simple Monitoring Strategies

Risk factors will always evolve, but uncomplicated, broad detection methods go a long way in preventing significant financial loss. This month, FinCEN released a joint agency message regarding the importance of taking a risk-based approach to customer relationships and due diligence. Even with FinCEN’s guidance on how businesses should tailor their risk programs, early-stage startups are still losing money when simple detection methods could help ease the pain. We’re going to cover three different types of activity monitoring that early-stage startups can implement quickly and can use as building blocks to develop more sophisticated methods in the future.

The first thing risk teams need to identify is what should be considered normal behavior for their customers and what level of risk their firm is willing to accept based on their customer and product mix. This is commonly referred to as “determining the firm’s risk appetite”, and it is completed before the monitoring strategies are implemented. Once a risk aversion level is established, the quickest way to protect the business is to implement hard limits on client behavior: limits on the number of transactions or the amount of money moved are the most common. An example of an activity limit for a cross-border remittance company would be to block end-users who try to conduct 50 ACH debits in under a minute. For startups offering retirement fund services, allowing their end-users to withdraw 100% of their net worth to an unrelated party with an international account may be beyond an acceptable risk tolerance. Where the limits are set is up to each firm and heavily dependent on the product and client mix, but implementing basic hard stop functionality is a great first step for risk mitigation. Another easy method is to monitor based on customer segmentation.

Segmentation is the practice of breaking down a customer base along one or more axes and assessing risk within the resulting customer segments. This helps risk teams categorize clients and monitor them by grouping. Breaking out customers by their tenure is a common segmentation strategy: newer clients get tighter monitoring limits and are treated as a higher risk until enough time has elapsed without risky incidents and an accurate baseline of activity can be established. Segmentation based on customer activity like transaction counts, product utilization, or remittance corridors is also common. Using these parameters helps management understand the persona of their top clients and how these clients use the company’s products. The 10 clients who move the most money on the platform could present higher money laundering exposure to a business than others. Remittance corridor risk can surprise even seasoned firms like MoneyGram, as they were recently penalized for not addressing a spike in money movement between locations in China and New York. A general idea of where risk originates will help risk teams at startups protect themselves from easily stoppable, large-dollar losses.

An especially important metric to use when segmenting a client base is the categorization of businesses by the industry they are in. The Standard Industrial Classification code, or “SIC code”, is a great tool to understand what industry your corporate customers operate in. For North American-based entities you could also use the North American Industry Classification System code (“NAICS code”). SIC/NAICS codes are collected during due diligence at the time of onboarding or during periodic know-your-customer reviews. These codes are used by compliance analysts to determine the specific industry a business operates in. Behavior that is normal for operators in one industry may be wildly abnormal for another, so knowing the industry helps inform the risk assessments made by officers. Many fintechs that were created in the last decade cater to specific subsets of customers or offer very specific financial products to their clients. Monitoring based on this classification system and gauging product fit for each segment may expose behavioral mismatches. If Sandbar’s business banking partner shows our SIC code for “software publishers” but observes us depositing $50,000 a month in cash, that should trigger an alert. It’s a simple setup, but a mismatch of NAICS codes versus product utilization, counterparty geography, or other simple metrics happens too often with no “alert” or follow-up. Missed alerts mean missed investigations, and worst of all, potential “Suspicious Activity” going unreported.
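The three methods above (a hard velocity limit, tenure-based segmentation, and an industry-code mismatch check) fit in one small rule pass. The following is an added example, not code from the original post or from Sandbar; all thresholds, customer names, expected-cash figures and transactions are assumed sample values.

```python
from collections import deque
from datetime import datetime, timedelta

# Every threshold here is an assumed sample value; each firm sets its own.
VELOCITY_LIMIT, VELOCITY_WINDOW = 50, timedelta(minutes=1)   # ACH debits per window
NEW_CUSTOMER = timedelta(days=90)                            # tenure segment boundary
AMOUNT_LIMIT = {"new": 2_000, "established": 10_000}         # per-debit cap, USD
# Expected monthly cash by NAICS code: software publishers, full-service restaurants.
EXPECTED_MONTHLY_CASH = {"511210": 1_000, "722511": 60_000}

def evaluate(txns, customers):
    """txns: time-ordered (customer, kind, amount, ts) tuples.
    customers: name -> (onboarded, naics). Returns unique (customer, rule) alerts."""
    alerts, window, cash = {}, {}, {}
    for name, kind, amount, ts in txns:
        onboarded, naics = customers[name]
        if kind == "ach_debit":
            # Hard limit: count debits inside a sliding one-minute window.
            w = window.setdefault(name, deque())
            w.append(ts)
            while ts - w[0] >= VELOCITY_WINDOW:
                w.popleft()
            if len(w) >= VELOCITY_LIMIT:
                alerts[(name, "velocity_block")] = True
            # Tenure segmentation: newer customers get the tighter cap.
            seg = "new" if ts - onboarded < NEW_CUSTOMER else "established"
            if amount > AMOUNT_LIMIT[seg]:
                alerts[(name, "amount_block")] = True
        elif kind == "cash_deposit":
            # Industry mismatch: monthly cash total vs. the NAICS-based expectation.
            key = (name, ts.year, ts.month)
            cash[key] = cash.get(key, 0) + amount
            if cash[key] > EXPECTED_MONTHLY_CASH.get(naics, float("inf")):
                alerts[(name, "industry_cash_mismatch")] = True
    return list(alerts)

def sample_run():
    """Constructed customers and transactions; not real data."""
    t0 = datetime(2022, 7, 1, 9, 0)
    old, recent = t0 - timedelta(days=400), t0 - timedelta(days=5)
    customers = {"acme_sw": (old, "511210"), "diner": (old, "722511"),
                 "newbie": (recent, "722511")}
    txns = [("newbie", "ach_debit", 10, t0 + timedelta(seconds=i)) for i in range(50)]
    txns += [("newbie", "ach_debit", 5_000, t0 + timedelta(hours=1)),
             ("diner", "ach_debit", 5_000, t0 + timedelta(hours=1)),
             ("diner", "cash_deposit", 50_000, t0 + timedelta(days=2)),
             ("acme_sw", "cash_deposit", 50_000, t0 + timedelta(days=2))]
    return evaluate(txns, customers)
```

The same $5,000 debit and $50,000 cash deposit pass for the established restaurant but alert for the five-day-old customer and the software publisher, which is the point of segmenting before setting limits.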

These are just a few examples of detection methods to get a risk team started when creating their monitoring program. There’s elegance and effectiveness in their simplicity, and it is unfortunate that the monitoring approaches described above are often overlooked in favor of fancier-sounding, more complex, more expensive, yet less effective methods. Startups focus on growing their business and serving their clients first. Applying the same scrappy MVP approach to risk management should be obvious: start with simple detection methods first, then build, enhance, and iterate as the business scales.
