White Paper

Concepts in Customer Due Diligence: Meeting the Challenge of Regulatory Expectations

Knowledge is power and protection. Design a due diligence program that supports business growth.

February 2010

Written by: Debra Geister, Director, AML & Compliance Solutions, LexisNexis® Risk Solutions Financial Services

Customer due diligence (CDD) is one of the best defenses a financial institution can maintain against the dangers of money laundering and other financial crimes. Sometimes referred to as “knowing your customer,” customer due diligence encompasses other aspects of an Anti-Money Laundering (AML) program, such as customer identification and Enhanced Due Diligence (EDD). Moreover, customer due diligence is integral to suspicious activity reporting requirements because the data collected during the CDD process is carried over into the report.

The primary best practices on customer due diligence can be found in several documents published by international organizations. One is the Financial Action Task Force “40+9 Recommendations,” created by the Financial Action Task Force on Money Laundering (FATF), an inter-governmental body whose purpose is the development of international standards and the promotion of policies aimed at combating money laundering and terrorist financing. Another main contributor to customer due diligence standards is the Basel Committee on Banking Supervision, a committee under the Bank for International Settlements, which published its guidance “Customer Due Diligence for Banks” in 2001. Additionally, the Wolfsberg Group, an association of 12 global banks that publishes best practices for anti-money laundering, has outlined several sets of AML principles on topics such as correspondent and private banking and the risk-based approach.

Many jurisdictions’ laws and regulations are based on the practices outlined in these documents, as are the concepts detailed below.

Concept 1: A risk-based approach

It is important to keep in mind that CDD begins at account opening, and that determining the level of AML risk a new customer poses to your institution should be a fundamental part of this process. The first step in efficient CDD is getting as much information as possible at the beginning of your institution’s relationship with the customer. Having a senior-management-approved customer identification program (CIP) that includes thorough information-gathering and verification procedures is essential for ensuring that you have enough data to assign an accurate level of risk to your new customer. Not having enough information, or having inaccuracies in the information you do collect, is likely to create a “domino effect” that may lead to your institution being used to launder funds, followed by a regulatory or criminal penalty.

In addition to having a risk-based approach, regulators expect your institution’s written CIP to have processes for verifying customer data. This can be done through either documentary or nondocumentary methods. The first requires the collection of a driver’s license, passport or other government-issued identification. The latter includes speaking to the customer and consulting consumer credit-reporting agencies, the Internet, other financial institutions and publicly available databases. Documentary methods alone are not enough today to cover the entire spectrum of risk; you should also use nondocumentary methods that are consistent with your institution’s policies. If the identity of your customer cannot be verified, your CIP should also include policies that detail when an account should not be opened, when it should be closed and when a suspicious activity report should be filed.

Government watch lists have become an integral part of the fight against terrorist financing and money laundering. In addition to U.S. Office of Foreign Assets Control (OFAC) lists, the United Nations, the European Union, the Bank of England and other organizations issue separate lists. Periodic scrubs of your customer database against politically exposed persons (PEP) lists should also be a vital part of your program. Your CIP should document which lists your customers are compared against. This can be done either manually or through the use of software, depending on your institution’s needs; some institutions do both, preferring to manually compare those customers that have a higher risk rating.

Finally, all of the information collected at account opening should be kept for five years after the account is closed. These records should include copies of IDs, an explanation of any nondocumentary methods that were used and the outcome of any verification discrepancies that occurred during the CIP process.

Case study

A cease and desist order issued in 2006 to a Nevada bank by the U.S. Federal Deposit Insurance Corporation (FDIC) clearly illustrates the link between good risk-based account opening procedures, customer due diligence and suspicious activity monitoring. The bank was cited for serious deficiencies in its Bank Secrecy Act (BSA) compliance that were found in its affiliated trust company during an examination. According to the enforcement action, the bank had to review its CDD procedures to make sure that the information gathered when an account was opened was sufficient to ensure proper monitoring for suspect behavior. The FDIC also ordered the bank to include in its written CDD program procedures for assessing the risk of its customers and for ensuring that the transaction monitoring software it chose had the ability to perform according to that assessment. Additionally, the written program had to be approved by the bank’s board of directors.

Regulatory expectations

A sound customer identification program should have procedures intended to give your institution as much information as necessary to make an accurate evaluation of who a customer is and what to expect from them. It should be risk-based and approved by management. All related records should be kept organized and accessible, and above all else the program should convey that your institution understands the connection between customer identification and the ability to efficiently monitor for suspicious activity. If a regulator is examining your CIP, it is likely that they will request the following records:

• A copy of the CIP that covers all products, services and regulatory requirements
• A copy of board minutes approving the CIP (or BSA program that includes CIP)
• A copy of audit procedures for CIP and any audit reports
• A copy of the CIP training program (or BSA training program that includes CIP)
• List of accounts opened with an application for a tax identification number (TIN)
• List of accounts opened where verification is incomplete or exceptions were made
• List of accounts identified as high-risk by the institution
• Names of any institutions relied on for CIP, whether they are required to maintain an AML program and are regulated by a U.S. agency; copies of contracts; the CIP procedures used and certifications made
• Names of third-party agents or service providers that perform CIP; copies of contracts, CIP procedures used by the third party, and policies/procedures for ensuring adequate third-party performance

Meeting the challenge

Many institutions find it difficult to risk rate a customer at account opening, and in some cases the risk you associate with a new customer will change after transactions are made. However, it is necessary to have a clear picture of the type of activity to expect from the customer in order to properly monitor the account later. The largest challenge around this type of requirement is making sure that policy is clearly identified and turned into a process; some of these processes can be very manual and time consuming. Transactional information that is important to know includes the source of funds, the frequency of anticipated transactions, the dollar volume and whether foreign or domestic wire transfers are expected.

Some institutions have implemented an up-front questionnaire that they give to a potential customer in order to better meet the customer’s needs and to better advise them on products and services. This is a great way to make the customer feel more comfortable, conduct your customer identification and at the same time gather some marketing and sales intelligence. On the other hand, it can also feel invasive to the customer and add manual steps and time to the process.

Once you obtain that information you can begin to quantify the risk associated with that customer. Characteristics such as where a customer resides or what type of business the customer is in are instrumental in gauging how much of a possible threat that person or company poses. For instance, Figure A, taken from the 2006 BSA/AML Examination Manual, shows how a non-resident customer or a small business is at a higher risk level than a resident consumer account. The graph also portrays how the risk rating affects the amount of due diligence that must be performed on the account.

The challenges of this type of risk ranking are also very obvious. In addition to the manual processes, many of the factors used to determine what constitutes risk are subjective. Without very clear and granular definitions and directions, staff will be left to make their own judgment calls. Using a model like this, an institution can write policies that detail when escalation to enhanced due diligence is required. Again, clearly defining those escalation points and minimizing the amount of subjectivity is key to a successful process.

The chart is perhaps oversimplified, however, as it is difficult to keep track of all the information collected from new customers, especially in larger institutions or those with several different components such as the Nevada bank mentioned above. One way that this overwhelming amount of data can be better organized and managed is through an automated CDD solution.

Figure A: Courtesy of 2006 BSA/AML Examination Manual

Concept 2: Enhanced due diligence

Enhanced Due Diligence is a process that has come under greater scrutiny with the passing of the regulations set out by USA PATRIOT Act Section 312 and the implementation of the Third EU Money Laundering Directive into Member States’ domestic legislation. Both mandate an increased level of monitoring for customers who are considered high-risk. The EU Third Directive calls for EDD in the case of non-face-to-face customers, correspondent banking relationships and politically exposed persons, whereas Section 312 focuses on foreign correspondent bank accounts and foreign private bank accounts, particularly if they might be linked to a PEP.

A PEP is a person who is or has been in an influential political position, as well as family members or close associates of that person. This definition blurs when institutions try to interpret how long after retiring from office a PEP is still a PEP, or whether domestic PEPs should also be considered PEPs. Typically institutions err on the side of caution; however, it is crucial that you clearly state your PEP policies in your written procedures and get them approved by upper management.

Regardless, regulators and examiners have come to expect EDD on all customers that are considered to pose a higher risk. For example, the “2006 Federal Financial Institutions Examination Council’s BSA/AML Examination Manual,” published in the U.S., states that these customers and their transactions should be reviewed more closely at account opening and more frequently during their relationship with the institution. It also lists other examples of risky customers, including:

• Foreign financial institutions, including banks and money services businesses (MSBs)
• Non-bank financial institutions, such as casinos, MSBs, securities dealers, pawnbrokers, auto dealers, boat dealers, jewelers and travel agencies
• Non-resident alien accounts, particularly if they are from a high-risk jurisdiction
• Foreign corporations, particularly offshore corporations
• Businesses that are cash intensive, including bars and restaurants, privately owned ATMs, parking garages, laundromats and car washes
• Foreign and domestic charities or non-governmental organizations
• Professional service providers, such as real estate agents, insurance agents, mortgage brokers, lawyers and accountants

Case study

Another cease and desist order, issued by the FDIC in 2007, specifically instructs a South Florida bank to determine through an assessment the appropriate levels of enhanced due diligence for customers deemed to be of higher risk. The bank had failed to hire appropriate staff and implement effective systems to properly monitor high-risk accounts, according to the regulatory action. The regulator further details what enhanced due diligence procedures should entail, including processes for confirming the identity and business activity of the customer, understanding the expected transaction activity and ensuring the identification of the customer for the purpose of reporting suspicious activity.

Regulatory expectations

When an examiner comes to your institution, they will require assurance that your EDD procedures include steps for obtaining the correct information on high-risk customers. Your written CDD program should also include specific details describing the decision-making process for deciding whether an account is subject to EDD. If the customer warrants EDD, the purpose of the account, source of wealth, beneficial ownership, bank references and explanations for changes in account activity should all be included in their profile. Customer types to which regulators pay special attention include foreign correspondent accounts, PEPs, corporate vehicles and non-bank financial institutions.

Meeting the challenge

Each of the four customer types listed above requires specific EDD measures. For the first, the foreign correspondent account, financial institutions should identify the owners of the foreign bank, conduct enhanced scrutiny of the account and find out whether the foreign correspondent bank provides correspondent accounts to other foreign banks. This is above and beyond the normal requirements for correspondent accounts, which include checking for certification.

PEPs should also be scrutinized. Steps that should be taken, particularly in the realm of private banking, to conduct EDD on a potential PEP include seeking information from the account holder, identifying the country of residence, obtaining employment or source of funds information, checking references, collecting data on immediate family members and close associates and determining the purpose of the account. Institutions should check the account holder’s name against public sources of information. Many institutions rely on vendor databases for this purpose, such as LexisNexis®.

Additional high-risk customers that have been in the spotlight lately are corporate vehicles or business entities, which include international business corporations and limited liability companies. The articles of incorporation should be collected upon account opening, as well as clear documentation of expected account activity that can later be used as a basis for transaction monitoring. Efforts should be made to identify the beneficial owner of these companies. Your institution’s CDD program should also contain guidance on what steps should be taken if beneficial ownership information is not available or cannot be verified.

Lastly, EDD on non-bank financial institutions should include obtaining the information necessary to ensure an accurate risk assessment of the business. Questions that should be asked include:

• What types of products and services does it offer?
• Where is the institution located and what markets does it serve?
• What type of activity is anticipated on the account?
• What is the purpose of the account?
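As an added illustration that is not part of the white paper or any LexisNexis product, the following Python shows how the subjective risk factors of Concept 1 and the EDD triggers of Concept 2 can be pinned down into one documented, repeatable escalation rule: it encodes the customer types the paper lists as higher risk, forces EDD for the customer types regulators single out, and reports which EDD profile fields are still missing from the record. The factor weights, tier thresholds and the mandatory-EDD set are assumptions standing in for values a board-approved written program would define.

```python
"""Deterministic customer risk rating with documented escalation to EDD.

Added illustration, not from the white paper or any vendor product. Factor
names come from the customer types the paper lists as higher risk; weights,
tier thresholds and the mandatory-EDD set are assumptions.
"""
from dataclasses import dataclass, field

# Higher-risk characteristics named in the paper, with assumed weights.
RISK_FACTORS = {
    "non_resident": 2,
    "high_risk_jurisdiction": 3,
    "small_business": 1,
    "foreign_financial_institution": 3,
    "non_bank_financial_institution": 2,
    "foreign_corporation": 2,
    "cash_intensive_business": 2,
    "charity_or_ngo": 1,
    "professional_service_provider": 1,
    "non_face_to_face": 1,
    "foreign_correspondent_account": 4,
    "pep": 4,
}

# Customer types regulators single out: EDD applies whatever the score (assumed).
EDD_MANDATORY = {"pep", "foreign_correspondent_account"}

# Assumed tier boundaries: score <= LOW_MAX is low, <= MODERATE_MAX is moderate.
LOW_MAX, MODERATE_MAX = 1, 4

# Profile fields the paper says an EDD customer's record must contain.
EDD_PROFILE_FIELDS = ("account_purpose", "source_of_wealth",
                      "beneficial_owners", "bank_references")


@dataclass
class Rating:
    score: int
    tier: str
    edd_required: bool
    triggered: list = field(default_factory=list)  # audit trail of factors applied
    missing_edd_fields: list = field(default_factory=list)


def rate_customer(factors, profile=None):
    """Score a customer, assign a tier and decide whether EDD is required.

    `factors` is the set of RISK_FACTORS keys that apply to the customer;
    unknown keys are rejected so staff cannot introduce undefined, ad hoc
    factors. `profile` is the CDD record gathered at account opening.
    """
    factors = set(factors)
    unknown = factors - set(RISK_FACTORS)
    if unknown:
        raise ValueError(f"undefined risk factors: {sorted(unknown)}")
    score = sum(RISK_FACTORS[f] for f in factors)
    if score <= LOW_MAX:
        tier = "low"
    elif score <= MODERATE_MAX:
        tier = "moderate"
    else:
        tier = "high"
    edd_required = tier == "high" or bool(factors & EDD_MANDATORY)
    missing = []
    if edd_required:
        missing = [k for k in EDD_PROFILE_FIELDS if not (profile or {}).get(k)]
    # Highest-weight factors first so reviewers see the main drivers at a glance.
    triggered = sorted(factors, key=lambda f: (-RISK_FACTORS[f], f))
    return Rating(score, tier, edd_required, triggered, missing)
```

The returned `triggered` list is the written justification an examiner can follow from the customer's record to the tier assigned, which is the point the paper makes about minimizing subjectivity.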
Concept 3: Using technology

With all the requirements today for identifying customers, conducting due diligence and enhanced due diligence and monitoring transactions, it would be nearly impossible to comply without the assistance of a high-tech system designed specifically for that purpose. Major financial institutions are extremely complex entities with vast numbers of branches in numerous cities and states. Under the law, in order to “know their customers” banks and others must monitor countless transactions, often made with little or no face-to-face contact. To do so without an equally complex and yet flexible computer system would be impractical. However, when choosing these systems you must also perform due diligence, this time on your vendor.

Case study

A bank in Missouri received a cease and desist order from the FDIC in 2006 that specifically addressed the need to have proper procedures in place to manage technological solutions. The action stated that the bank was in violation for operating with an inadequate BSA and OFAC program, as well as a faulty information technology program. The enforcement action ordered the institution to perform a technology risk assessment and to develop vendor management policies. The FDIC also required the bank to create an IT committee that would meet monthly with the board of directors. Items that the committee was mandated to address include methods for the identification, development, acquisition and maintenance of IT solutions; the development of IT policies and procedures; the testing of solutions; and the rectifying of negative technology-related audit or examination results.

Regulatory expectations

Guidance published by the FDIC in 2004, “Computer Software Due Diligence Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance,” marked the first time a U.S. regulatory agency weighed in on the reliance by financial institutions and businesses on software technology to guard against money laundering. The guidance suggested that financial institutions include a “regulatory requirement clause” in their licensing agreements with software providers that would require vendors to maintain applications that comply with pertinent regulations. The FDIC also recommended two steps that should be taken when evaluating software: buyers should validate the process by which the product has been developed, and evaluate the quality and functionality of the product.

Meeting the challenge

If you do choose to use a vendor to aid your institution in performing its customer due diligence duties, you must make sure that you are not wasting money. Even more so, you must be positive that the CDD technology does not put your institution at regulatory risk. One way of performing due diligence on your vendor is to ask around before you buy; people to ask include colleagues at other institutions or even your regulator. Although a regulator cannot endorse a specific product, they do possess industry knowledge of CDD technology and may be able to discuss general options with you.

Items that should be collected from the vendor include:

• Proof of liability insurance
• At least three references
• Financial statements that demonstrate financial viability
• Proof of sufficient qualified staff to perform services

Additionally, in order to be effective, a customer due diligence solution must be easily customizable, have flexible risk-scoring capabilities, manage sanctions lists, and have a user-friendly workflow process and integrated research tools. Though this step seems rudimentary, ensure that your institution’s definition of CDD is in sync with, and commensurate to, that of the vendor or provider. If your vendor’s approach to due diligence does not reflect your written BSA program, you run the risk of negative regulatory scrutiny.

Return on information = return on investment

An ever-increasing percentage of an institution’s budget goes toward AML compliance and customer due diligence. However, instead of being seen as a drain on your institution’s assets, a good due diligence program with a technological component can actually increase your profits. The information collected during the customer identification process and the customer and enhanced due diligence procedures can be used for targeted marketing and sales, in order to up-sell and cross-sell to existing clients. In this way, CDD products can turn your return on information into a return on investment.

In addition, making an initial investment in a reliable CDD product may save your institution from incurring much larger regulatory and reputational costs in the future. Besides the potential revenue drain caused by civil money penalties in the millions, such as those incurred by ABN Amro, Riggs and AmSouth, an institution can also lose millions daily from damage done to its reputation. For instance, a publicly announced cease and desist order such as those detailed here can cause investors and customers to lose trust in an institution, leading to funding withdrawals and business loss. Also, the cost of the corrective actions mandated in these enforcement actions can far outweigh the price of proactive compliance. A good example of this is the “lookback,” which has recently been a favored demand by regulators in cease and desist orders. These transactional reviews, done by independent consulting firms, can be a huge drain on a financial institution’s budget. When all of these factors are analyzed for cost effectiveness, it is clear that an investment in thorough customer due diligence compliance is far less expensive than the alternative.

The concepts laid out here will assist you and your institution in this venture, which will result in regulatory approval and even increased profits. Regulatory expectations can be challenging but are not impossible to meet. The implementation cost, in both time and money, of adequately assessing risk, properly conducting enhanced due diligence and choosing the appropriate CDD solution is well worth it. In the end, these steps may ultimately save your institution’s reputation and millions of dollars in lost revenue.

For more information: Call 866.858.7246 or visit lexisnexis.com/risk/financial-services

About LexisNexis® Risk Solutions

LexisNexis Risk Solutions (www.lexisnexis.com/risk) is a leader in providing essential information that helps customers across all industries and government predict, assess and manage risk. Combining cutting-edge technology, unique data and advanced scoring analytics, we provide products and services that address evolving client needs in the risk sector while upholding the highest standards of security and privacy. LexisNexis Risk Solutions is part of Reed Elsevier, a leading publisher and information provider that serves customers in more than 100 countries with more than 30,000 employees worldwide. Our financial services solutions assist organizations with preventing financial crime, achieving regulatory compliance, mitigating business risk, improving operational efficiencies and enhancing profitability.

LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. Other products and services may be trademarks or registered trademarks of their respective companies. Copyright © 2011 LexisNexis. All rights reserved. NXR01321-1 1211