Expect the unexpected: the NVB Baselines on ETPs

In our previous blog post, we introduced the recent standards issued by NVB, that emphasize the importance of a risk-based approach to fight money laundering and terrorist financing. In this blog we will dive deeper into one of the most relevant standards for modelling, namely the one on Expected Transaction Profile (ETP) examining it from both a compliance and modelling perspective. ETP is an approach in which banks identify a customer’s expected transaction behaviour and monitor their transactions for deviations from those expected patterns. Let us explore the significance of ETP and its impact on strengthening Anti-money laundering and Countering the Financing of Terrorism (AML/CFT) controls.

Understanding ETP

ETP serves as a valuable concept in detecting and addressing potential financial crime risks. To create an ETP, banks first need to establish a baseline of expected behaviour for each customer. Note that this does not need to be specific for each individual client but can be determined for a ‘peer group’ a group of clients with common characteristics. It is interesting to see how the NVB Baselines are specific, in listing various peer grouping characteristics that may be used. For example, for Natural Persons the Baseline gives as example to use variables such as Age group, Residency, Type of products, Length of client relationship, etc. to determine the client peer groups. Once peer groups are established, the ETP itself can be established. Also in this case, the Baseline is specific because it mentions concrete examples that can be used as components of ETP (see Figure 1). Let us consider an example. The easiest way to set-up a peer group for Natural Persons is to use ‘age groups’ only. Then, for each age group we define the percentage of transactions related to cash. Once this ETP is defined, we could define thresholds based on our risk appetite, and monitor if indeed the clients within each peer group have cash usage in line with the expectations based on their age group. If not, i.e., if the thresholds implied by our risk appetite our breached, additional investigation by analysts can take place.

Relevancy of using ETP

Why is the use of ETP relevant? First, because the AML Directive explicitly mentions in Article 13 that CDD measures should comprise of

“conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile”

More importantly, effective use of ETP can lead to a more risk-based and more efficient approach to AML and CTF. If peer groups are defined with sufficiently homogeneous groups, material deviations from the ETP of that group are useful signals, because with each signal, one of the following should be true:

1. Either the client profile is no longer up to date: it is valuable to detect this, because the client profile can be updated, and the client will move to a different peer group. This will improve effectiveness of future monitoring; or
2. The client profile is up to date but indeed a deviating transaction has taken place. Also in this case, it is worthwhile to investigate the signal. Based on the outcome, either the thresholds can be adjusted, or, in case of a confirmed unusual transaction, it can be reported to the FIU.

Without ETP, for example, many false positives may be generated for clients that regularly transfer money to EC High-risk countries because they have relatives in those countries that they want to support. With ETP, a separate peer group could be set-up for those clients, and the behaviour can be classified as ‘expected’ instead of ‘unexpected.’ Although in this case the client profile needs to include some information on these relatives, in fact using ETP in this case can prevent unnecessary requests and disproportionate measures imposed on these (potentially Low risk) clients.

Key insights from the NVB Baseline

The interaction between ETP and rule-based TM is not clearly described in the baseline. The ‘model landscape overview’ provided on page 4 is somewhat ambiguous. For example, item 3 on page 4 mentions anomaly detection based on groups. However, this seems similar from anomaly detection used to determine deviations from the ETP. Also, item 2b on that same page mentions client groups to fine-tune automated TM scenarios, which in itself is not a detection method. Therefore, we propose the following extended interpretation of Figure 1 of the NVB Baseline:

Here, we simply distinguish between:

1. Detection based on identifying deviations from the ETP
2. Additional detection

In principle, you try to include all relevant information in the ETP to facilitate efficient monitoring. However, specific scenarios are unusual for all clients (e.g., smurfing) or may be so specific (e.g., misuse of Covid government support measures) that you want specific business rules outside the ETP context. Similarly, certain models such as network analytics are not directly related to ETP and can therefore be classified under additional detection.

Challenges to expect

Although the NVB Baseline considers ETP a means instead of a goal, the Baseline clearly stresses the importance of making ETP part of the Financial Economic Crime model landscape. Also, in RiskQuest’s view, ETP is a valuable concept and by integrating ETP into the Financial Economic Crime model landscape, institutions can enhance their ability to address potential risks effectively. Of course, there are many unanswered questions: Is it possible to define peer groups that are sufficiently homogeneous? Is it possible to define ETPs that are sufficient to cover all relevant SIRA scenarios? Is it possible to calibrate thresholds to ensure only valuable deviations are investigated? Therefore, the NVB Baseline should not be seen as the document that concludes on the best ETP approach, but in fact guides us the way forward: we first need to know what to expect, before we know what is unexpected.