White Paper
Concepts in Customer Due Diligence:
Meeting the Challenge of Regulatory Expectations
Knowledge is power and protection. Design a due
diligence program that supports business growth.
February 2010
Written by:
Debra Geister, Director,
AML & Compliance Solutions
LexisNexis®
Risk Solutions
Financial Services
Customer due diligence (CDD) is one of the best defenses a financial institution can maintain to guard against
the dangers of money laundering and other financial crimes. Sometimes referred to as “knowing your customer,”
customer due diligence encompasses other aspects of an Anti-Money Laundering (AML) program, such as customer
identification and Enhanced Due Diligence (EDD). Moreover, the need for customer due diligence is integral to
suspicious activity reporting requirements because the data collected during the CDD process gets transferred to
the report.
The primary best practices on customer due diligence can be found in several documents published by international
organizations. One such source is the Financial Action Task Force “40+9 Recommendations,” a document created by the
Financial Action Task Force on Money Laundering (FATF), an inter-governmental body whose purpose is the development of
international standards and the promotion of policies aimed at combating money laundering and terrorist financing.
Another main contributor to customer due diligence standards is the Basel Committee on Banking Supervision, which
is a committee under the Bank for International Settlements. The committee published their guidance “Customer
Due Diligence for Banks” in 2001.
Additionally, there are several sets of AML principles on topics such as correspondent and private banking, and the
risk-based approach, outlined by the Wolfsberg Group, an association of 12 global banks who publish best
practices for anti-money laundering.
Many jurisdictions’ laws and regulations are based on the practices outlined in these documents, as are the
concepts detailed below.
Concept 1: A risk-based approach
It is important to keep in mind that CDD begins at account opening and that the process of determining the level of
AML risk that your new customer poses to your institution should also be a fundamental part of this process.
The first step in efficient CDD is getting as much information as possible at the beginning of your institution’s
relationship with the customer. Having a senior-management-approved customer identification program (CIP) that
includes thorough information gathering and verification procedures is essential for assuring that you have enough
data to assign an accurate level of risk to your new customer. Not having enough information, or having inaccuracies in
the information that you do collect, is likely to create a “domino effect” that may lead to your institution being used to
launder funds and to a subsequent regulatory or criminal penalty.
In addition to having a risk-based approach, regulators expect your institution’s written CIP to have processes for
verifying customer data. This can be done both through physical documents or nondocumentary methods. The first
method requires the collection of a driver’s license, passport or other government-issued identification. Methods
for the latter include speaking to the customer, consumer credit-reporting agencies, the Internet, other financial
institutions and publicly available databases.
Documentary methods today are not enough to cover the entire spectrum of risk. You should also review nondocumentary methods that are consistent with your institution’s policies. If the identity of your customer cannot be
verified, your CIP should also include policies that detail when an account should not be opened, when it should be
closed and when a suspicious activity report should be filed.
Government watch lists have become an integral part of the fight against terrorist financing and money laundering.
In addition to U.S. Office of Foreign Assets Control (OFAC) lists, the United Nations, the European Union, the Bank of
England and other organizations issue separate lists. Periodic scrubs of your customer database against politically
exposed persons (PEP) lists should also be a vital part of your program.
Your CIP should document which lists your customers are compared against. This can be done either manually or
through the use of software, depending on your institution’s needs. Some institutions do both, preferring to manually
compare those customers that have a higher risk rating.
Finally, all of the information collected at account opening should be kept for five years after the account is closed.
These records should include copies of IDs, an explanation of any nondocumentary methods that were used and the
outcome of any verification discrepancies that may have occurred during the CIP process.
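The list scrub described above is, in practice, a name-matching problem: the same person appears on a list as “GARCIA-LOPEZ, José María” and on an account application as “Jose Maria Garcia-Lopez”, and an exact string comparison misses it. The following Python sketch is an added illustration, not code from the white paper or from LexisNexis, of the two points the passage makes: normalize before comparing, and retain a record of which lists were checked and what was found. The list names, entries, honorific set and the 0.90 review threshold are constructed assumptions; a real program screens the OFAC SDN list, UN and EU lists and a vendor PEP list, and records their names and versions in the CIP file. Near matches are sent to a human (“review”) rather than auto-cleared, mirroring the manual comparison the text describes for higher-risk customers.

```python
import re
import unicodedata
from dataclasses import dataclass, asdict
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed sample lists, keyed by list name and version so the retained
# record shows exactly what a customer was compared against.
WATCH_LISTS: Dict[str, List[str]] = {
    "SAMPLE-SANCTIONS-2010-02": ["Jose Maria Garcia-Lopez", "Acme Trading Ltd."],
    "SAMPLE-PEP-2010-02": ["Dr. Ana Rodriguez Santos"],
}

# Constructed threshold: a similarity at or above this is routed to manual review.
REVIEW_THRESHOLD = 0.90

# Tokens dropped during normalization because lists and applications use them
# inconsistently (assumed set; extend from the institution's own data).
HONORIFICS = frozenset({"dr", "mr", "mrs", "ms"})


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop honorifics, sort tokens.

    "GARCIA-LOPEZ, José María" and "Jose Maria Garcia-Lopez" both become
    "garcia jose lopez maria", so word order and accents no longer hide a match.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.casefold())
    tokens = [t for t in cleaned.split() if t not in HONORIFICS]
    return " ".join(sorted(tokens))


@dataclass(frozen=True)
class ScreeningHit:
    customer: str
    list_name: str
    entry: str
    score: float        # 1.0 for an exact normalized match, else similarity ratio
    disposition: str    # "match" or "review"


def screen(customer_name: str,
           lists: Dict[str, List[str]] = WATCH_LISTS,
           review_threshold: float = REVIEW_THRESHOLD) -> List[ScreeningHit]:
    """Compare one customer name against every list; return all hits."""
    norm = normalize(customer_name)
    hits: List[ScreeningHit] = []
    for list_name, entries in lists.items():
        for entry in entries:
            entry_norm = normalize(entry)
            if norm == entry_norm:
                hits.append(ScreeningHit(customer_name, list_name, entry, 1.0, "match"))
                continue
            # Near misses (typos, transliteration variants) go to a person.
            ratio = SequenceMatcher(None, norm, entry_norm).ratio()
            if ratio >= review_threshold:
                hits.append(ScreeningHit(customer_name, list_name, entry,
                                         round(ratio, 3), "review"))
    return hits


def screening_record(customer_name: str,
                     lists: Dict[str, List[str]] = WATCH_LISTS) -> dict:
    """Build the record kept on file: which lists were checked, and the outcome.

    A clean result still names the lists, because the CIP must show the
    comparison took place, not only the discrepancies it produced.
    """
    return {
        "customer": customer_name,
        "lists_checked": sorted(lists),
        "hits": [asdict(h) for h in screen(customer_name, lists)],
    }


if __name__ == "__main__":
    for name in ("GARCIA-LOPEZ, José María", "Anna Rodriguez Santos", "Maria Fernandez"):
        print(screening_record(name))
```

The sorted-token normalization is deliberately simple; it will not catch a transposed surname spelled differently or an alias, which is why the passage pairs automated scrubs with periodic manual comparison and why the record of what was checked matters as much as the hits.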
Case study
A cease and desist order issued in 2006 to a Nevada bank by the U.S. Federal Deposit Insurance Corporation
(FDIC) clearly illustrates the link between good risk-based account opening procedures, customer due diligence
and suspicious activity monitoring. The bank was cited for having serious deficiencies in its Bank Secrecy Act (BSA)
compliance that were found in its affiliated trust company during an examination. According to the enforcement
action, the bank had to review its CDD procedures to make sure that the information gathered when an account was
opened was sufficient to ensure proper monitoring for suspect behavior.
The FDIC also ordered the bank to include in its written CDD program procedures for assessing the risk of its
customers and for ensuring that the transaction monitoring software it chose had the ability to perform
according to that assessment. Additionally, the written program had to be approved by the board of directors
of the bank.
Regulatory expectations
A sound customer identification program should have procedures intended to give your institution as much
information necessary in order to make an accurate evaluation of who a customer is and what to expect from them. It
should be risk-based and approved by management. All related records should be kept organized and accessible; and
above all else should convey that your institution understands the connection between customer identification and
the ability to efficiently monitor for suspicious activity.
If a regulator is examining your CIP program, it is likely that they will request the following records:
• A copy of the CIP that covers all products, services and regulatory requirements
• A copy of board minutes approving the CIP (or BSA program that includes CIP)
• A copy of audit procedures for CIP and any audit reports
• A copy of the CIP training program (or BSA training program that includes CIP)
• List of accounts opened with an application for a tax identification number (TIN)
• List of accounts opened where verification is incomplete or exceptions were made
• List of accounts identified as high-risk by the institution
• Names of any institutions relied on for CIP, whether they are required to maintain an AML program and are regulated by
a U.S. agency; copies of contracts; the CIP procedures used and certifications made
• Names of third-party agents or service providers that perform CIP; copies of contracts, CIP procedures used by the
third party, and policies/procedures for ensuring adequate third-party performance
Meeting the challenge
Many institutions find it difficult to risk-rate a customer at account opening. And in some cases, the risk that you
associate with a new customer will change after transactions are made. However, it is necessary to have a clear
picture of the type of activity to expect from the customer in order to properly monitor the account later. The largest
challenge around this type of requirement is making sure that policy is clearly identified and moved into a process.
However, some of these processes can be very manual and time consuming.
Transactional information that is important to know includes the source of funds, the frequency of anticipated
transactions, the dollar volume, and whether foreign or domestic wire transfers are expected.
Some institutions have implemented an up-front questionnaire that they give to a potential customer in order to
better meet their needs and to better advise them on products and services. This is a great way to make the
customer feel more comfortable, conduct your customer identification and at the same time gather some marketing
and sales intelligence. On the other hand, it can also feel invasive to the customer and add manual
steps and time to the process.
Once you obtain that information you can begin to quantify the risk associated with that customer. Characteristics
such as where a customer resides or what type of business that customer is in are instrumental in gauging how much
of a possible threat that person or company poses. For instance, Figure A, taken from the 2006 BSA/AML Examination
Manual, shows how a non-resident customer or a small business is at a higher risk level than a resident
consumer account. The graph also portrays how the risk rating affects the amount of due diligence that is necessary
to perform on the account. The challenges of this type of risk ranking are also very obvious. In addition to the manual
processes, many of the factors used to determine what constitutes risk are subjective. Without very clear and
granular definitions and directions, staff will be left to make their own judgment calls.
Using a model like this, an institution can pen policies that detail when escalation to enhanced due diligence is
required. Again, clearly defining those escalation points and minimizing the amount of subjectivity is key to a
successful process.
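One way to take the subjectivity out of the rating described above is to write the policy as tables the program reads, so that a customer's tier and the EDD escalation point follow from recorded rules rather than a judgment call. The Python sketch below is an added example, not code from the white paper, from LexisNexis or from the FFIEC manual: the factor weights, the tier floors and the rule that the “high” tier triggers EDD are constructed assumptions chosen only to reproduce the ordering the passage cites (non-resident and small-business customers rate above a resident consumer). It also handles the “not enough information” case from earlier in the paper by refusing to rate a profile whose values the policy does not define, and it keeps the reasons for every point so the rating can be retained with the account file.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, illustrative weights. An institution's real weights belong in its
# written, board-approved CDD policy; these are not taken from any regulator's
# manual.
RESIDENCY_WEIGHTS = {"resident": 0, "non_resident": 30}
CUSTOMER_TYPE_WEIGHTS = {
    "consumer": 0,
    "small_business": 20,
    "non_bank_financial_institution": 40,   # MSBs, casinos, dealers, pawnbrokers
    "foreign_financial_institution": 50,
}
PEP_WEIGHT = 50
FOREIGN_WIRE_WEIGHT = 10
HIGH_RISK_JURISDICTION_WEIGHT = 20

# Escalation points written down once. Lower bound of each tier, highest first,
# so staff apply a rule instead of forming an opinion. Constructed values.
TIER_FLOORS: List[Tuple[int, str]] = [(50, "high"), (25, "medium"), (0, "low")]
EDD_TIER = "high"   # the policy's escalation point to enhanced due diligence


@dataclass(frozen=True)
class CustomerProfile:
    residency: str              # key of RESIDENCY_WEIGHTS
    customer_type: str          # key of CUSTOMER_TYPE_WEIGHTS
    pep: bool = False
    expects_foreign_wires: bool = False
    high_risk_jurisdiction: bool = False


@dataclass(frozen=True)
class RiskAssessment:
    score: int
    tier: str
    requires_edd: bool
    reasons: Tuple[str, ...]    # kept with the file: why each point was added


def assess(profile: CustomerProfile) -> RiskAssessment:
    """Rate a customer at account opening against the written policy tables.

    Fails closed: a value the policy does not define raises instead of being
    silently rated low, because an unrated customer cannot be monitored correctly.
    """
    if profile.residency not in RESIDENCY_WEIGHTS:
        raise ValueError(f"residency not covered by policy: {profile.residency!r}")
    if profile.customer_type not in CUSTOMER_TYPE_WEIGHTS:
        raise ValueError(f"customer type not covered by policy: {profile.customer_type!r}")

    score = 0
    reasons: List[str] = []

    def add(points: int, why: str) -> None:
        nonlocal score
        if points:
            score += points
            reasons.append(f"+{points} {why}")

    add(RESIDENCY_WEIGHTS[profile.residency], f"residency={profile.residency}")
    add(CUSTOMER_TYPE_WEIGHTS[profile.customer_type], f"type={profile.customer_type}")
    add(PEP_WEIGHT if profile.pep else 0, "politically exposed person")
    add(FOREIGN_WIRE_WEIGHT if profile.expects_foreign_wires else 0, "expects foreign wires")
    add(HIGH_RISK_JURISDICTION_WEIGHT if profile.high_risk_jurisdiction else 0,
        "high-risk jurisdiction")

    # First floor the score reaches, scanning from the highest tier down.
    tier = next(name for floor, name in TIER_FLOORS if score >= floor)
    return RiskAssessment(score, tier, tier == EDD_TIER, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample profiles reproducing the ordering the paper cites.
    for p in (CustomerProfile("resident", "consumer"),
              CustomerProfile("non_resident", "consumer"),
              CustomerProfile("non_resident", "small_business"),
              CustomerProfile("resident", "consumer", pep=True)):
        print(p, "->", assess(p))
```

Because the weights and floors are plain data, changing the escalation point is a policy change reviewed and approved like any other, and the `reasons` tuple gives an examiner the exact factors behind a rating without reconstructing a staff member's reasoning.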
The chart is perhaps oversimplified, however, as it is difficult to keep track of all the information collected from new
customers, especially in larger institutions or those with several different components such as the Nevada bank
mentioned above. One way that this overwhelming amount of data can be better organized and managed is through
an automated CDD solution.
Figure A: Courtesy of 2006 BSA/AML Examination Manual
Concept 2: Enhanced due diligence
Enhanced Due Diligence is a process that has come under greater scrutiny with the passing of the regulations
set out by the USA PATRIOT Act Section 312 and the implementation of the Third EU Money Laundering Directive
into Member States’ domestic legislation. Both mandate an increased level of monitoring for customers who are
considered high-risk.
The EU Third Directive calls for EDD in the case of non face-to-face customers, correspondent banking relationships
and politically exposed persons; whereas Section 312 focuses on foreign correspondent bank accounts and foreign
private bank accounts, particularly if they might be linked to a PEP.
A PEP is a person who is or has been in an influential political position, as well as family members or close associates
of that person. This definition blurs, however, when institutions try to interpret how long after leaving office a
PEP remains a PEP, or whether domestic PEPs should also be considered PEPs. Typically institutions err on the side of caution;
however, it is crucial that you clearly state your PEP policies in your written procedures and get them approved by
upper management.
Regardless, regulators and examiners have come to expect EDD on all customers that are considered as posing a
higher risk. For example, the “2006 Federal Financial Institutions Examination Council’s BSA/AML Examination
Manual,” published in the U.S., states that these customers and their transactions should be reviewed more closely at
account opening and more frequently during their relationship with the institution. It also lists other
examples of risky customers, including:
• Foreign financial institutions, including banks and money services businesses (MSBs)
• Non-bank financial institutions, such as casinos, MSBs, securities dealers, pawnbrokers, auto dealers, boat dealers,
jewelers and travel agencies
• Non-resident alien accounts, particularly if they are from a high-risk jurisdiction
• Foreign corporations, particularly offshore corporations
• Businesses that are cash intensive, including bars and restaurants, privately owned ATMs, parking garages,
laundromats and car washes
• Foreign and domestic charities or non-governmental organizations
• Professional service providers, such as real estate agents, insurance agents, mortgage brokers, lawyers
and accountants
Case study
Another cease and desist order, issued by the FDIC in 2007, specifically instructs a South Florida bank to determine
the appropriate levels of enhanced due diligence for customers deemed to be of higher risk through an assessment.
The bank had failed to hire appropriate staff and implement effective systems to properly monitor high-risk accounts,
according to the regulatory action.
The regulator further details what enhanced due diligence procedures should entail, including processes for
confirming the identity and business activity of the customer; understanding the expected transaction activity; and
ensuring the identification of the customer for the purpose of reporting suspicious activity.
Regulatory expectations
When an examiner comes to your institution, they will require assurance that your EDD procedures include steps for
obtaining the correct information on high-risk customers. Your written CDD program should also include specific
details describing the decision-making process for deciding whether an account is subject to EDD.
If the customer warrants EDD, the purpose of the account, source of wealth, beneficial ownership, bank references
and explanations for changes in account activity should all be included in their profiles.
Customer types to which regulators pay special attention include foreign correspondent accounts, PEPs, corporate
vehicles and non-bank financial institutions.
Meeting the challenge
Each of the four customer types listed above requires specific EDD measures. For the first example, the foreign
correspondent account, financial institutions should identify the owners of the foreign bank, conduct enhanced
scrutiny of the account and find out whether the foreign correspondent bank provides correspondent accounts to other
foreign banks. This is above and beyond the normal requirements for correspondent accounts, which include
checking for certification.
PEPs should also be scrutinized; steps that should be taken particularly in the realm of private banking to conduct
EDD on a potential PEP include seeking information from the account holder, identifying the country of residence,
obtaining employment or source of funds information, checking references, collecting data on immediate family
members and close associates and determining the purpose of the account. Institutions should check the account
holder’s name against public sources of information. Many institutions rely on vendor databases for this purpose,
such as LexisNexis®.
Additional high-risk customers that have been in the spotlight lately are corporate vehicles or business entities. These
businesses include international business corporations and limited liability companies. The articles of incorporation
should be collected upon account opening, as well as clear documentation of expected account activity that can
later be used as a basis for transaction monitoring. Efforts should be made to identify the beneficial owner of these
companies. Your institution’s CDD program should also contain guidance on what steps should be taken if beneficial
ownership information is not available or cannot be verified.
Lastly, EDD on non-bank financial institutions should include obtaining the information necessary to ensure an
accurate risk assessment of the business.
Questions that should be asked include:
• What types of products and services does it offer?
• Where is the institution located and what markets does it serve?
• What type of activity is anticipated on the account?
• What is the purpose of the account?
Concept 3: Using technology
With all the requirements today for identifying customers, conducting due diligence and enhanced due diligence
and monitoring transactions, it would be nearly impossible to comply without the assistance of a high-tech system
designed specifically for that purpose. Major financial institutions are extremely complex entities with vast branches
in numerous cities and states. Under the law, in order to “know their customers” banks and others must monitor
countless transactions, often made with little or no face-to-face contact. To do so without an equally complex and yet
flexible computer system would be impractical.
However, when choosing these systems you must also perform due diligence, but this time on your vendor.
Case study
A bank in Missouri received a cease and desist order from the FDIC in 2006 that specifically addressed the need to
have proper procedures in place to manage technological solutions. The action listed that the bank was in violation
for operating with an inadequate BSA and OFAC program, as well as a faulty information technology program. The
enforcement action ordered the institution to perform a technology risk assessment, as well as develop vendor
management policies.
The FDIC also required the bank to create an IT committee that would meet monthly with the board of directors.
Items that the committee was mandated to address include methods for the identification, development, acquisition
and maintenance of IT solutions; the development of IT policies and procedures; the testing of solutions; and the
rectifying of negative technology-related audit or examination results.
Regulatory expectations
Guidance published by the FDIC in 2004, “Computer Software Due Diligence Guidance on Developing an Effective
Computer Software Evaluation Program to Assure Quality and Regulatory Compliance,” marked the first time a U.S.
regulatory agency weighed in on the reliance by financial institutions and businesses on software technology to guard
against money laundering.
The guidance suggested that financial institutions include a “regulatory requirement clause” in their licensing
agreements with software providers that would require vendors to maintain applications that comply with
pertinent regulations.
The FDIC also recommended two steps that should be taken when evaluating software: Buyers should validate the
process by which the product has been developed; and evaluate the quality and functionality of the product.
Meeting the challenge
If you do choose to use a vendor to aid your institution in performing its customer due diligence duties, you must
make sure that you are not wasting money. But even more so, you must be positive that the CDD technology does not
put your institution at regulatory risk.
One way of performing due diligence on your vendor is to ask around before you buy; people to ask include colleagues
at other institutions or even your regulator. Although a regulator cannot endorse a specific product, they do possess
industry knowledge of CDD technology and may be able to discuss general options with you.
Items that should be collected from the vendor include:
• Proof of liability insurance
• At least three references
• Financial statement that ensures financial viability
• Proof of sufficient qualified staff to perform services
Additionally, in order to be effective, a customer due diligence solution must be easily customizable, have flexible
risk-scoring capabilities, manage sanctions lists, have a user-friendly workflow process and offer integrated research tools.
Though this step seems rudimentary, ensure that your institution’s definition of CDD is in sync and commensurate
with the vendor or provider. If your vendor’s approach to due diligence does not reflect your written BSA program, you
run the risk of negative regulatory scrutiny.
Return on information = return on investment
An ever-increasing percentage of an institution’s budget goes towards AML compliance and customer due diligence.
However, instead of being seen as a drain on your institution’s assets, a good due diligence program with a
technological component can actually increase your profits.
The information collected during the customer identification process and the customer and enhanced due diligence
procedures can be used for targeted marketing and sales, in order to up-sell and cross-sell to already existing clients.
In this way, CDD products can turn your return on information into a return on investment.
In addition, making an initial investment in a reliable CDD product may save your institution from incurring much larger
regulatory and reputational costs in the future. Besides the potential revenue drain caused by civil money
penalties in the millions, such as those incurred by ABN Amro, Riggs and AmSouth, an institution can also lose millions
daily from damage done to its reputation. For instance, a publicly announced cease and desist order such as those
detailed here can cause investors and customers to lose trust in an institution leading to funding withdrawals and
business loss.
Also, the cost of the corrective actions that are mandated in these enforcement actions can far outweigh the price
of proactive compliance. A good example of this is the “lookback,” which has recently been a favored demand by
regulators in cease and desist orders. These transactional reviews, done by independent consulting firms, can be a
huge drain on a financial institution’s budget.
When all of these factors are analyzed for cost-effectiveness, it is clear that an investment in thorough customer
due diligence compliance is far less expensive than the alternative. The concepts laid out here will assist you and
your institution in this venture, which will result in regulatory approval and even increased profits. Regulatory
expectations can be challenging but are not impossible to meet. The implementation cost, both in time and money, of
adequately assessing risk, properly conducting enhanced due diligence and choosing the appropriate CDD solution
is well worth it. In the end, these steps may ultimately save your institution’s reputation and millions of dollars in
lost revenue.
For more information:
Call 866.858.7246 or visit
lexisnexis.com/risk/financial-services
About LexisNexis® Risk Solutions
LexisNexis Risk Solutions (www.lexisnexis.com/risk) is a leader in providing essential information that helps
customers across all industries and government predict, assess and manage risk. Combining cutting-edge
technology, unique data and advanced scoring analytics, we provide products and services that address evolving
client needs in the risk sector while upholding the highest standards of security and privacy. LexisNexis Risk
Solutions is part of Reed Elsevier, a leading publisher and information provider that serves customers in more
than 100 countries with more than 30,000 employees worldwide.
Our financial services solutions assist organizations with preventing financial crime, achieving regulatory
compliance, mitigating business risk, improving operational efficiencies and enhancing profitability.
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Other products and services may be trademarks or
registered trademarks of their respective companies. Copyright © 2011 LexisNexis. All rights reserved. NXR01321-1 1211