Money laundering risk as with financial crime risks more broadly can be managed through the cycle of risk management activities shown here. The cycle is performed in a clockwise direction and it never ends. Rather, the activities are repeated to deliver ongoing risk management for enduring client relationships. Let's start with risk acceptance. It is efficient for risk owners to know what type of prospective clients are beyond the firm's risk appetite because this helps them to avoid wasting time and effort in trying to onboard prohibited customers. When the risk of a client is within the firm's appetite for taking on new clients, the risk owner can accept the risk of the prospect and begin the onboarding. Once a client has been determined to be of a broadly acceptable risk level, the next step in the process is onboarding. Onboarding is the firm's opportunity to perform initial customer due diligence or CDD on the customer collecting information about its owners, the business sector it operates in, the countries where they have major operations and the products and services of the financial services firm, which the customer intends to use. The intended purpose, expected usage, and major counterparties of the potential customer are details the firm will request to establish a blueprint for the customer's expected pattern of transactions. In addition, a record of the customer's standing information referred to a static data is created in the firm's systems during onboarding, after screening has taken place for sanctions, matches and negative news.

Next is the monitoring and surveillance step. After a client has been onboarded and they start doing business with the financial services firm, the firm must monitor the customer's transactions to see that they are in line with the purpose of the account and the anticipated account activity. However, this doesn't need to be carried out in real time. Monitoring can be carried out after the customer's transactions have settled. If any transactions appear unusual, they should be escalated to financial crime compliance for investigation. If a second opinion is needed, an employee may discuss potentially unusual transactions with their line manager or with the firm's money laundering reporting officer, but must not discuss them with colleagues or anyone else. The purpose of this restriction is to limit knowledge of potentially unusual transactions to the smallest possible number of people following the need to know principle. This in turn limits the risk of tipping off the customer. Let's now use an example scenario to illustrate the steps a firm takes after unusual activity has been detected and escalated. In this example, an existing commercial customer owns four souvenir shops in London. Our firm is a commercial bank and it expects some of the sales revenue that the customer will deposit into its current account to be cash since that's the nature of a small business serving tourists. Historically for this client, typical Cash deposits rarely exceeded 3000 pounds per week, and they're usually made only once per week. On Mondays transaction monitoring identified a sudden change in this pattern. Cash deposits are now seen every day of the week, and the weekly total now averages between 50,000 and 60,000 pounds, sometimes denominated in other currencies. The firm sought an explanation from the customer and learned that it recently acquired a license to operate a money changing business. The customer has installed a money exchange counter in each of its shops, and this new business has taken off immediately and spectacularly. So is the customer's explanation plausible and what should the firm do next? Yes, it's plausible. Furthermore, it can be corroborated by a copy of the customer's money changing license and site visits to the customer's shops. But let's recall that money service operators a cash intensive, high risk clients.

The firm must now ask itself if the additional financial crime risk presented by the customer can be mitigated. That's the next activity in the risk management cycle, and also if the customer is commercially worth retaining, given the increased time, effort, and cost of the enhanced due diligence that will be needed.

Risk mitigation techniques in this scenario could include stepping up transaction monitoring or restricting the products and services offered to the customer. For example, denying the customer a current account and offering only fixed deposits. This brings us to the last activity in the risk management cycle. If the financial crime risk of a customer cannot be mitigated and is now beyond the firm's risk appetite, it will be necessary to exit the customer relationship. Continuing with our scenario, the souvenir shop owners will not be happy if we decide to exit and tell them that they need to find another bank. An exit policy is helpful in making exit decisions consistently and is possible only after thorough consideration by the risk committee. An explanation must be given to the customer and depending upon the reasons for the exit, it may be possible for the customer to be given a grace period in which to find another financial services provider. Looking back at our scenario again, do the circumstances make it appropriate to offer the souvenir shop owners a grace period to this? The answer would most probably be yes, provided the bank has no reason to think dirty money has been deposited in the customer's current account. The grace period is a gesture of goodwill that is most likely reasonable in this scenario. If on the other hand, if the bank had been informed by the authorities that the customer's money changing business was a front for dirty money, they may also have received an order to stop providing any financial services to the customer, in which case no notice or grace period would be given.