Tolerated Risk

When applying a risk-based approach to money laundering, there has to be a tolerated level of risk and, therefore, a tolerated level of money laundering. There is an acknowledgement that not all money laundering will be identified and prevented, but all too often this is not reflected in our collective approach to AML. Some AML practitioners perceive that regulators have a zero-tolerance approach to money laundering. If this is true, it follows that these regulators are not applying a risk-based approach.

The present risk model used in the majority of regulated firms and banks is one of low, medium (standard) and high-risk clients, products, countries, transactions and more. Some firms/banks also include a risk level which is unacceptable. This is smart, as it clearly articulates that there are certain client types, businesses etc. with which the firm/bank will not undertake business. All of that said, just how successful and efficient is this current model? Put bluntly, huge sums of private and public money are spent on AML and overall we are not very good at it.

Don’t be offended by the statement above. It does not mean you are not working diligently and trying your best, but it does ask: what are we doing, why and how? Okay, this is a question of strategy and we will save it for another time. In the meantime, we want to challenge the current AML risk assessment, risk categorisation and application model. Core to all of this is the discipline of ‘know your client/customer/counterparty’ (KYC), which assumes everyone is a money launderer, hence we need to know them and then determine they are not money launderers.

KYC posits that we as AML practitioners do not know what or who we are looking for, so we look at everything and everyone, trying to find… Exactly, what is it we are trying to find? Why are we looking at everything, and how is it possible to look at everything? Where is the tolerance level of money laundering risk? Absent a tolerance, we cannot justify why we determine not to look at zero-risk customers, transactions etc.

Recently the AML guru that is Bob Mazur was interviewed by Stephen Platt on the KYC 360 platform, and he made reference to knowing what you are doing through the analogy of looking for a specific species of tree within a forest. The point he made was that, in such circumstances, the experts know what tree they are looking for; they know the leaf, and they look for that leaf and that tree. They do not look at every tree to make sure it is not one of the specific species they are looking for. They may even miss one or two of the specific species they are looking for, and they tolerate this.

This poses the question, do we, do you know what a money launderer looks like? If you don’t know, ask yourself why you don’t. Bob Mazur knows what they look like, he has met them and if you read his new book The Betrayal, you will develop an understanding of who he was dealing with, how they looked, how they dressed and most importantly, how they laundered money.

Back to tolerated risk. Here’s the reverse view of tolerance: far too many AML practitioners tolerate the failed status quo and also tolerate a KYC discipline which is stuck in a time warp and has not developed over time to better focus resources. By way of further confrontation, have you ever pondered what is more important, who a customer is or what a customer does? How does a customer’s activity impact your tolerance and risk management?

To conclude, there is a better way than low, medium, high and unacceptable. There is tolerated, managed and rejected, which is precisely how the passenger airline industry confronts the risks posed by passengers/customers.



The tolerated risk is the maximum 100ml of liquid a passenger can carry onto a plane within the 20cm x 20cm clear plastic bag each passenger is allowed to bring into the cabin of a plane. The managed risk is for medication and baby food which exceeds the 100ml limit and the rejected risk is all other liquids which exceed the 100ml limit or do not fit into the 20cm x 20cm bag.

There is a science behind this model, which determines that 100ml is a tolerated level of threat from sinister liquids. Of course, there are some of you who will almost immediately assert that two or more passengers could act together and therefore breach the limits, posing a threat. This too has been considered by the scientists and found to be a tolerated risk. You see, the airline industry never lost sight of why they are in business and how important passengers/customers are. The tolerated risk takes into account the day-to-day business of the airlines and airports.

So, what are your 100ml transactions and who are your 100ml customers? What can you, indeed should you, your firm/bank tolerate? KYC includes knowing who does not present a risk, who presents a tolerated risk and who is unacceptable. What do you think? Is this tolerable? Am I tolerable?