Risk-based approach and threat analysis

 

The basis for setting up an adequate security system to combat money laundering, terrorism financing and fraudulent activities at the expense of the institution is to conduct a threat analysis. This is designed to prevent damaging events that occurred in the past from happening again and to uncover and monitor potential areas of risk. The aim of the threat analysis is to record, identify, categorise and weight the institution-specific risks. But this alone does not protect a financial services provider against money laundering offences or fraud. Every identified risk must be assigned institution-specific measures appropriate to the risk. These measures eliminate the risk or reduce it to an acceptable residual risk. The risk-based approach obliges financial services providers to continually adjust the threat analysis so that they can counteract new developments in white-collar crime.

 

Risk assessment with SironRAS

With SironRAS, TONBELLER offers a comprehensive solution for practical and legally compliant creation and updating of the institution-specific threat analysis. The workflow stored in the system guarantees that all risks relating to money laundering, terrorism financing and fraud at the expense of the institution are identified, described and assessed. The recording of this individual risk situation is database-driven and thus audit-proof.


SironRAS allows the mapping of any institutional and product structures and customer groups to which the respective risks can be attached. Based on this “risk matrix”, concrete recommendations for measures to combat any threat can be stored in the system and their implementation monitored.


For ongoing checking of measures (with IT research scenarios), an interface to the research systems SironAML and SironFD is available. This interface continually supplies data from the ongoing money-laundering and fraud checks. Based on this data, the effectiveness of research scenarios can be determined and the threat analysis refined with up-to-date data.
 

Defined templates for potential risks

A comprehensive database with predefined risk descriptions, links to the relevant legal texts and stored IT research typologies acts as a valuable guide when recording the institution-specific risk situation and its prevention strategy. The expertise stored in the database leads to shorter implementation times when compiling the threat analysis. Financial services providers thus meet the standard imposed by the Financial Services Authority for provision of a threat analysis and are able to relieve their specialist departments through the use of predefined expertise.

 

SironRAS at a glance

  • Integrated workflow for recording, identifying, categorising and weighting institution-specific risks
  • System-based inventory of the organisational, customer and product structure as the basis for recording the institution-specific threat situation, as required by the Financial Services Authority
  • Comprehensive database with predefined potential money-laundering and fraud risks (including description, legal texts and possible research scenarios) supports central description and assessment of the institution-specific risks (for each organisational unit, customer group and product)
  • Creation of measures for risk prevention and minimisation, including implementation date for rollout of the measure and responsibilities
  • Internal control system for automatic monitoring of action-plan implementation and for sustained risk control in the financial institution
  • Definition and automated creation of target-group-specific threat analyses (e.g. department-specific threat analysis, threat analysis for a specific product or sales channel, …)
  • Interface between SironRAS and research systems SironAML and SironFD for testing the effectiveness of monitoring measures and for ongoing refinement of the threat analysis with up-to-date data
  • Permanent logging of all entries in the system for mapping the history of the threat analysis
  • Fulfilment of the duty to preserve records through audit-proof documentation of all actions, activities and decisions