Threat vectors: Enhancing the architecture of financial crime risk assessment
Most firms can describe their customers. Fewer can describe their risks. Almost none can clearly articulate how criminals would actually exploit their business.
This uncomfortable truth underpins many recent FCA observations: firms produce BWRAs out of obligation, not insight, and rarely reflect on how criminals would actually exploit their business.
As we have stated previously, firms often treat the BWRA as a bureaucratic checklist, reviewing risk factors rather than examining opportunity, behaviour, and exposure. Adding more risk factors or categories doesn't solve the problem; the industry needs better architecture. That's where threat vectors come in.
What threat vectors are, and aren’t
Threat vectors are the structural points of exploitation within a business: the places where criminals interact with processes, people, and systems. In our enhanced methodology, we use three vectors:
Relationship: How external parties connect to the institution: onboarding, identification, ownership structures, intermediaries, access routes.
Activity: How value flows through the institution: transactions, account usage, trade flows, product functionality.
Facilitator: How insiders (employees, agents, introducers, brokers, service providers) can enable, assist, or collude.
These are not customer types, products, or channels, nor are they traditional risk factors. They are attack surfaces, each describing the high-level route by which a criminal could target the business and which process would be exploited.
Risk factors describe characteristics. Threat vectors describe behaviour. That distinction is foundational.
The limits of risk-factor-only thinking
The regulatory regime assumes that considering the “right” set of customer, product, geography, transaction and delivery channel factors will reveal risks. The FCA’s review shows the opposite: firms list, score, and justify factors, yet still fail to understand the risks.
Why?
Because risk factors are descriptive, not explanatory. They indicate where risk might exist, but not how a process could be abused, who would abuse it, what the actor would do, which weaknesses enable the behaviour, or how controls respond in practice. Put simply: risk factors are inputs. They are not the crime.
Examples: The value of threat vectors
1. Criminal uses a corporate structure to obscure identity: A Relationship-vector risk, often misclassified as a ‘customer type’.
2. Criminal uses a cash-intensive business to commingle proceeds: An Activity-vector risk, typically treated as a product or sector risk.
3. Staff member colludes with customer to circumvent controls: A Facilitator-vector risk, rarely visible in BWRAs.
Without threat vectors, these risks appear abstract and difficult to score. With threat vectors, they become structured and comparable.
Anchoring risk events and sharpening inherent risk
Moving from risk factors to risk events is foundational. But risk events need structure: a way to group, classify, and compare them. Threat vectors provide this by answering one question: where in the business would this risk manifest?
This approach transforms the BWRA in four key ways:
1. Clarity of exposure: Vectors allow the business profile to express exposure in a targeted way; complex structures weight the Relationship vector, high-value flows the Activity vector, reliance on introducers the Facilitator vector.
2. Better weighting of risk factors: Risk factors now map through the vector, avoiding over-weighting tangential factors and under-weighting those that drive actual abuse.
3. Sharper control evaluation: Controls mitigate vectors and their corresponding risk events, not just risk factors. For example, KYC prevents Relationship-vector risks; transaction monitoring detects Activity-vector risks; staff screening and segregation of duties mitigate Facilitator-vector risks.
4. Improved cross-domain integration: Fraud, ML, TF, PF, sanctions, and bribery risks can all be expressed through the same vector framework, facilitating consolidation, removing duplication and highlighting overlaps.
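To make the structure concrete, here is an added illustration (not part of the article, and not a tool from the authors) that models a small risk register using the three vectors described above. It groups risk events by vector, surfaces vectors that more than one domain exploits (point 4), and lists the control types each exploited vector still lacks (point 3). All events and controls are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# The three vectors and four control types named in the methodology.
VECTORS = ("Relationship", "Activity", "Facilitator")
CONTROL_TYPES = ("preventive", "detective", "corrective", "directive")

@dataclass(frozen=True)
class RiskEvent:
    description: str
    domain: str   # ML, TF, fraud, sanctions, bribery, ...
    vector: str   # one of VECTORS

@dataclass(frozen=True)
class Control:
    name: str
    vector: str   # the vector this control mitigates
    kind: str     # one of CONTROL_TYPES

# Constructed sample register; the first, third and fourth events mirror the article's examples.
EVENTS = [
    RiskEvent("Corporate structure used to obscure identity", "ML", "Relationship"),
    RiskEvent("Sanctioned party hidden behind a nominee shareholder", "sanctions", "Relationship"),
    RiskEvent("Cash-intensive business commingles proceeds", "ML", "Activity"),
    RiskEvent("Staff member colludes with customer to circumvent controls", "ML", "Facilitator"),
    RiskEvent("Introducer submits fabricated KYC on a client's behalf", "fraud", "Facilitator"),
]
CONTROLS = [
    Control("KYC and beneficial-ownership verification", "Relationship", "preventive"),
    Control("Transaction monitoring", "Activity", "detective"),
    Control("Staff screening", "Facilitator", "preventive"),
]

def events_by_vector(events):
    """Group risk events by vector; every vector is present, rejecting unknown ones."""
    grouped = {v: [] for v in VECTORS}
    for e in events:
        if e.vector not in grouped:
            raise ValueError(f"unknown vector {e.vector!r}")
        grouped[e.vector].append(e)
    return grouped

def shared_vectors(events):
    """Vectors exploited by more than one domain: the overlaps a per-domain BWRA misses."""
    domains = defaultdict(set)
    for e in events:
        domains[e.vector].add(e.domain)
    return {v: sorted(d) for v, d in domains.items() if len(d) > 1}

def control_gaps(events, controls):
    """For each vector with risk events, the control types it has no control of."""
    covered = defaultdict(set)
    for c in controls:
        covered[c.vector].add(c.kind)
    return {v: [k for k in CONTROL_TYPES if k not in covered[v]]
            for v, evs in events_by_vector(events).items() if evs}
```

Running `control_gaps(EVENTS, CONTROLS)` shows, for instance, that the Activity vector has a detective control but nothing preventive, corrective or directive, which is the kind of per-vector finding the text argues a factor-only BWRA cannot produce.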
What changes when firms adopt threat vectors?
Firms that adopt threat vectors see improvements in four areas that matter to MLROs and regulators:
1. The BWRA becomes specific, not generic: Threat vectors force firms to consider “how we could be targeted”, not just “what the guidance says”.
2. Controls become functional, not listed: Firms can evaluate preventive, detective, corrective, and directive controls per vector, leading to better remediation and stronger regulatory narratives.
3. Senior management finally sees what matters: Threat vectors turn diffuse risk language into actionable structure for decision-making on investment, resourcing, monitoring, governance, and appetite.
4. Multi-domain assessments become possible: Different risk events can exploit the same vector, a connection missed by traditional approaches.
Conclusion: Threat vectors as the grammar of financial crime
Risk factors alone cannot explain behaviours. Processes alone cannot explain opportunities. Controls alone cannot explain effectiveness. Threat vectors supply the missing structure (the grammar) that links actors, acts, processes, weaknesses, and controls. If the goal of a BWRA is to understand how the business could be targeted, a threat-vector-based approach is not just an enhancement; it is essential.