Q&A from Elements of Customer Risk – Products and Services
October 15, 2020
Here are the questions and answers from attendees at both of our recent webinars on Elements of Customer Risk - Products & Services.
Q: There were a number of questions that came in around risk scoring. Someone was asking you to clarify or reiterate what automated risk scoring meant.
A: That just means that you have a model. Your risk score model is built into your AML system, or, if your system is designed this way, into its customer due diligence module. The things that are risk factors, the point values you have assigned to those, and the weighting that you have assigned to those are all automatically built in. As the data about that customer comes in, the system can automatically calculate the risk score based on those parameters. So it is just doing something automatically that you could do manually, theoretically. But there should always be judgment, especially for customers that come out as high risk. Compliance should be taking a closer look at those customers that an automatic system scores as high risk just to make sure that everything was input correctly.
Q: How do you engage management and review their customer risk scoring?
A: You should have an overall assessment of your customer risk from an institution wide perspective - a sort of a summary of everything that you have determined, based on your individual customer risk scores.
Then the board should be made aware of it so that they know about the assessment. How risky are our customers, and how does this fit in with the risk appetite that the institution holds? As far as details of the model, senior management does not usually want to know that, but you should be able to present it to them if they want to know.
Therefore, that is where the documentation comes in about how your model works.
Q: This probably varies by institution, but how many criteria or what maximum would you recommend to avoid complexity?
A: It is unique to each institution. For example, for a community bank where 90 per cent of its customers are local members of the community with personal and household accounts, having hundreds of risk factors may not make sense.
Instead, you really target the risk factors that could come into play with your customer base, or a subset of customers. What a number of financial institutions are doing is coming up with what they believe to be a good, complete set of potential risk factors, and then they decide from each line of business, which of those risk factors from that pool or collection that they have come up with apply to this line of business.
So, the answer is, it really depends on your situation and what the nature of your customer base is as to how many risk factors you would include.
Q: Would you recommend adding rules to the model?
A: The model is based on your institution, and there could be rules, but we are talking about the customer risk score model as opposed to transaction activity and whether that is risky or not, because there will be rules incorporated into your transaction monitoring system. Those will help to decide what is suspicious or not, other than out of pattern.
Some high-risk countries would be an example of one of those things, but from the customer risk-scoring model perspective, you could potentially have some rules built in just based on what that particular risk element is.
If it makes sense, you certainly could incorporate rules.
Q: Maybe the technology also would be a factor of what you can and cannot do?
A: If you do want to incorporate various rules, such as if/then kinds of rules, then your technology will do that for you.
Q: So if a customer is structuring legitimate funds should their risk score be increased?
A: Yes. Because just the act of structuring, in the US, is a felony. It is separate from the money laundering laws. There is another law that says it is illegal to do this.
So a bank could consider whether it may be legitimate funds, but perhaps they are trying to evade taxes or some other reason that they are trying to structure their deposits this way because they do not want it to be reported.
Maybe they are underreporting their income at the end of the year, so they know that cash transaction reports go to the IRS.
You should be filing a SAR if you believe that structuring is going on whether or not it is dirty money or legitimate money.
Q: Would you agree that it may be hard to be able to tell if it is legitimate or illegitimate?
A: Yes. It is probably better to cover yourself, because it depends on how you perceive structuring. Suppose it is blatant, where they come in earlier in the day and deposit a certain amount under $10,000 in cash, and then they come in at the end of the day and deposit another amount. There could be a legitimate reason for that if they are a cash-based business that comes in the morning and then deposits the end-of-day cash receipts because they do not want cash sitting around in their business.
It really depends on the nature of the business and what they are doing, are they cash based? Is there a standard pattern to what they are doing because it could be a business decision, rather than structuring.
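The same-day split described above (two cash deposits, each under the $10,000 reporting threshold, that together exceed it) can be caught by aggregating cash deposits per customer per business day, which is also how the currency transaction reporting threshold itself is applied. The Python below is an added example, not code from the webinar or from any monitoring product. The multi-day heuristic, its $9,000 "just under" band, five-day window and count of three, and the sample deposits are all assumptions constructed for illustration. It only raises items for review; as the answer notes, whether a pattern is structuring or a cash-based business's routine is an analyst's call.

```python
"""Structuring detection over cash deposits (added example, not the
webinar's or any vendor's logic).  Two checks: (1) same-day aggregation,
where no single deposit reaches the $10,000 threshold but the day's total
exceeds it; (2) a multi-day heuristic for repeated just-under deposits.
The $10,000 figure is the one quoted in the answer; everything else is an
illustrative assumption."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 10_000   # quoted figure: cash over this amount in a day is reportable
NEAR_THRESHOLD = 9_000   # assumption: start of the "just under" band
WINDOW_DAYS = 5          # assumption: look-back window for repeated near-threshold deposits
NEAR_COUNT = 3           # assumption: how many near-threshold deposits in the window to alert


@dataclass(frozen=True)
class CashDeposit:
    customer: str
    day: date
    amount: int


# Constructed sample data, not real transactions.
SAMPLE_DEPOSITS = [
    # morning + end-of-day split, together over the threshold
    CashDeposit("ACME-CAFE", date(2020, 3, 2), 6_500),
    CashDeposit("ACME-CAFE", date(2020, 3, 2), 4_200),
    # one large deposit: reportable, but not structuring
    CashDeposit("GROCER", date(2020, 3, 2), 12_000),
    # two small deposits well under the threshold: nothing to flag
    CashDeposit("TENANT", date(2020, 3, 2), 3_000),
    CashDeposit("TENANT", date(2020, 3, 2), 2_000),
    # just-under deposits spread over consecutive days
    CashDeposit("J-SMITH", date(2020, 3, 2), 9_800),
    CashDeposit("J-SMITH", date(2020, 3, 3), 9_500),
    CashDeposit("J-SMITH", date(2020, 3, 4), 9_900),
]


def daily_aggregate_alerts(deposits):
    """Flag customer-days where every deposit is under the threshold but the
    day's cash total exceeds it.  A single over-threshold deposit is not
    flagged here: that is a reporting event, not evasion of one."""
    per_day = defaultdict(list)
    for d in deposits:
        per_day[(d.customer, d.day)].append(d.amount)
    alerts = []
    for (customer, day), amounts in sorted(per_day.items()):
        if len(amounts) > 1 and max(amounts) < CTR_THRESHOLD and sum(amounts) > CTR_THRESHOLD:
            alerts.append({"customer": customer, "day": day,
                           "deposits": sorted(amounts), "total": sum(amounts)})
    return alerts


def near_threshold_alerts(deposits, window_days=WINDOW_DAYS, min_count=NEAR_COUNT):
    """Flag customers with at least min_count deposits in the just-under band
    inside any window of window_days calendar days (spreading over days)."""
    days_by_customer = defaultdict(list)
    for d in deposits:
        if NEAR_THRESHOLD <= d.amount < CTR_THRESHOLD:
            days_by_customer[d.customer].append(d.day)
    alerts = []
    for customer, days in days_by_customer.items():
        days.sort()
        for i in range(len(days)):
            j = i
            while j < len(days) and (days[j] - days[i]).days < window_days:
                j += 1
            if j - i >= min_count:
                alerts.append({"customer": customer, "from": days[i],
                               "to": days[j - 1], "count": j - i})
                break  # one review item per customer is enough
    return alerts


if __name__ == "__main__":
    for a in daily_aggregate_alerts(SAMPLE_DEPOSITS):
        print("same-day split for review:", a)
    for a in near_threshold_alerts(SAMPLE_DEPOSITS):
        print("repeated near-threshold deposits for review:", a)
```

Both functions return review items rather than decisions; the analyst still has to look at the nature of the business and its usual pattern before concluding that the activity is structuring.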
Q: For your commercial clients, do you also include in the risk their customers, and the products and services they offer?
A: That can be a risk element. Yes. So that is something that we call know your customer's customer. And that can get pretty challenging, But I think it starts with the nature of your customer’s business in general, and what types of customers they may be dealing with.
What also can come into play is that geographic risk element. So if they are doing business in countries that have higher money laundering risks, that makes them higher risk. I think it is a bit of overkill to try to risk assess your customers' customers unless you have got a broad idea of what types of customer they serve.
Q: How can we structure customer risk scores in a multi-currency economy? This person's bank is located in a high-risk country, with multiple currencies making it nearly impossible to give a more holistic model of scoring.
A: I would not consider currency to have any bearing on a customer's risk score. Because we are talking about characteristics, we are talking about activities, and products, and so forth. And so it does not really matter what currency they are doing it in now.
The question could be thinking about how specifically do you designate a foreign transaction if they are dealing in multiple currencies?
If they are doing transactions among different currencies, it all comes back to that pattern of activity. Is this normal and expected for the type of business? Come back to that.
The types of behaviors and activities that a customer does could potentially be related to different currencies if they are normally transacting in one currency, and all of a sudden, they start transacting in another currency.
That could be a red flag. You would want to find out why they are doing that. There may be a legitimate reason, or maybe not.
Q: Someone is asking your opinion about how soon the high-risk customer can be lowered if there is no suspicious activity present, and risk factors are indicating customer is no longer that higher risk?
A: Examiners typically recommend after one year. That is something that is based on the institution's perception of risk. So if they are very risk averse, then you would want to wait longer, maybe three years.
If you were less risk averse, I would say a year is a minimum amount of time.
How much risk do you want to assume? Because there is that risk that if you lower their risk score after year one and year two, they start doing something more suspicious and you may have missed something because you were not monitoring them as closely.
So I think it is completely a judgement call and a risk perception call. If you disagree with the one-year, I do not think any regulator would have a problem with any institution taking longer than a year. I think regulators are saying a year is the minimum that you should wait before you lower somebody's risk score.
So, if you believe that a longer risk or longer time is needed, then document and justify it and proceed.
When you are getting ready to lower a customer's risk score, you should be going back and doing some more due diligence to make sure that you have all the factors right, based on what the real nature of that customer is, and the type of activity that they plan to do. This is especially true for a commercial customer.
So look back again at what their ownership structure is, who they are paying, what the nature of their business and lines of business is, their payment patterns, and all that.
Q: How often should you update your customer rating rescoring model?
A: Well, it only really needs to be updated if something changes. Due diligence becomes more important, though.
The bigger that customer is, especially commercial customers, they tend to be, in general, less risky. And their risk is much more tied to behavior. For a commercial customer, it is good to do a review of the due diligence on their customer, to make sure that you have everything up to date.
It is typically prompted by compliance, but done by someone on the sales side that has the customer relationship. And they can go back and say, how is business going? What are you doing differently? What do you project for the coming year? Any change in ownership? All those kinds of questions, and then you can update any of the risk factors that may not have been present, and that may or may not change the customer's score.
The overall model should be reviewed periodically - at least once a year just to make sure that everything is documented and everything is operating the way you expect it to be. Especially if it is built into your AML system, because you want to make sure that everything is coded, and programmed the way you intended it to be.
Q: Are offshore jurisdictions considered as high country risk score?
A: It is not just one factor in a vacuum. But it can definitely be something that can be a higher risk factor.
Q: Do off the shelf customer rescoring models allow the institution to customize it based on their own needs?
A: You really should be using a tool that allows you to customize, because every institution is going to be different. Many applications that I have seen will often include standard risk elements. But definitely, if you have one of those solutions where you cannot modify anything, you should at least be very clearly aware of what that model is, and how it is coming up with a risk score. What risk elements is it looking into or using?
Q: There is the question about how some risk models come up with numbers based on all these factors and weightings.
A: You would need to bucket those ranges of numeric scores, and at my institution, we had four buckets: low, medium, medium-high, and high. That way, because there are going to be slight nuances in how these points and scores are calculated and how different things are weighted, you just understand it better. We can relate much better as humans to the word high versus a number, if you actually do not know what that number represents.
You should have documented how those risk scores are calculated, how those point values are calculated. And then why you decided that for example, a score of 75 to 100 or higher is a high risk, versus 25 or lower as low risk. You need to document the rationale behind that.
Q: How do you assign percentages, or weighting, to different risk factors?
A: That really depends on your unique situation. You want to weight certain risk elements, if you think they are more significant, or more important than others are.
I did not use a weighting system in my risk scoring models. Because I found that I could just provide that extra weight, by giving more points to the risk factors that I thought were more significant.
Look at these categories of risk: the customer demographics, their product services, activities, and behavior patterns, and then geographic risk.
If the nature of your customer base is that, it is very unlikely that you would ever have any geographic risk, based on the nature of your customers, and then perhaps you give a higher risk factor to that, because, if that were to happen, it would be a big red flag for you.
So weighting to me just means what is the biggest deal for you in terms of risk, or particular risk element, or category of risk.
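The mechanics described in the automated risk scoring answer, the bucketing answer and the weighting answer above fit in a few dozen lines. The Python below is an added example, not the presenter's model or any vendor's. It takes a documented pool of risk factors with point values, applies optional per-category weights (all 1.0 reproduces the unweighted, points-only approach the presenter used), buckets the numeric score into low, medium, medium-high and high, and flags every high-risk result for a compliance review. The 25-or-lower and 75-or-higher cut-offs are the figures quoted above; the factor names, point values, the 50-point medium-high cut-off, the weights and the sample customers are assumptions made up for illustration.

```python
"""Customer risk-scoring model in the shape the webinar describes (added
example, not the presenter's or any vendor's model).  Factor names, point
values, category weights, the 50-point cut-off and the sample customers are
illustrative assumptions; 25-or-lower = low and 75-or-higher = high are the
quoted figures."""

from dataclasses import dataclass, field

# Documented factor pool: factor -> (risk category, points).  Illustrative.
RISK_FACTORS = {
    "pep": ("customer", 40),
    "cash_intensive_business": ("customer", 25),
    "non_face_to_face_onboarding": ("customer", 10),
    "wire_transfers": ("product", 15),
    "correspondent_account": ("product", 40),
    "high_risk_jurisdiction": ("geographic", 50),
    "sar_filed": ("behavior", 30),
}

# Per-category weights.  All 1.0 means significance is expressed purely
# through point values, which is the presenter's unweighted approach.
DEFAULT_WEIGHTS = {"customer": 1.0, "product": 1.0, "geographic": 1.0, "behavior": 1.0}


@dataclass
class RiskResult:
    score: float
    bucket: str
    needs_manual_review: bool
    # factor -> weighted points, so each score can be explained and documented
    contributions: dict = field(default_factory=dict)


def bucket_for(score: float) -> str:
    """Map a numeric score to the four documented buckets."""
    if score >= 75:
        return "high"
    if score >= 50:          # assumed cut-off for medium-high
        return "medium-high"
    if score > 25:
        return "medium"
    return "low"             # 25 or lower


def score_customer(present_factors, factors=RISK_FACTORS, weights=DEFAULT_WEIGHTS) -> RiskResult:
    """Compute the automated score for the factors present on one customer.

    Unknown factor names are rejected rather than silently ignored: a typo in
    the data feed would otherwise quietly lower a customer's score, which is
    exactly the input error the answer says compliance should catch."""
    unknown = set(present_factors) - factors.keys()
    if unknown:
        raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
    contributions = {}
    for name in sorted(set(present_factors)):
        category, points = factors[name]
        contributions[name] = points * weights.get(category, 1.0)
    score = sum(contributions.values())
    bucket = bucket_for(score)
    # Anything the model scores high goes to compliance for a human look.
    return RiskResult(score, bucket, bucket == "high", contributions)


def explain(result: RiskResult) -> str:
    """One-line audit string: score, bucket, review flag and every contributing factor."""
    parts = ", ".join(f"{k}={v:g}" for k, v in result.contributions.items())
    return f"score={result.score:g} bucket={result.bucket} review={result.needs_manual_review} [{parts}]"


if __name__ == "__main__":
    # Constructed sample customers.
    print(explain(score_customer({"cash_intensive_business", "wire_transfers"})))
    print(explain(score_customer({"pep", "high_risk_jurisdiction"})))
    # A bank that rarely sees geographic risk could weight that category up
    # instead of re-pointing the factor, as the weighting answer suggests.
    heavy_geo = dict(DEFAULT_WEIGHTS, geographic=2.0)
    print(explain(score_customer({"non_face_to_face_onboarding", "high_risk_jurisdiction"}, weights=heavy_geo)))
```

The `contributions` map is what makes the score defensible to an examiner: the same table, with the rationale for each point value and for the bucket cut-offs, is the model documentation the later answers call for.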
Q: How do you document this rationale?
A: Really, just in a write-up, an official document. One thing that I had within my compliance department was that every decision we made was written up in a formal document. And documents would lay out specific things, especially in terms of, if we had chosen to say a particular regulatory requirement was vague. Then we would write a decision document to say, this is how we are interpreting this with respect to how it affects us as a financial institution, and why we decided to do X, Y, or Z.
But with a model, you want to have a document that provides the details of that model. What does it comprise? Why did you choose each one of these particular risk factors?
And so therefore, we are giving it this point score, and so it is just really explaining how you came up with this. I know many people ask about how to do that if their AML system uses a risk model that has been developed by the developer of that product, and so then if you do not have documentation, you need to go to that vendor and say, we want detailed documentation of your model. And proving the validity of models has become a huge issue, as more and more things are automated.
That is something that you need to get from your vendor if you do not have it.
Q: Now, how often would you recommend to people review their model? And also, how frequently would you test the model?
A: This depends on how often things change in your institution. If your institution is one where the customer base is fluctuating frequently, or your institution is constantly adding new products and services or new markets, then looking at that on an annual basis is probably pretty important.
If you have established the validity of the model to begin with, and at your institution things pretty much just plug along with the same products and services and the same customer base, which can certainly happen, then maybe you look at it every two years.
But one recommendation I would have is, that if you add a significant new product line or a brand new customer base, you should make sure that you review your model to make sure that it is going to appropriately include that new stuff that has been added.
Q: How frequently should a bank conduct an EDD based on risk?
A: Enhanced due diligence is really based on the nature of each customer. It is really just digging deeper. Let's say you have a question for a business client such as, do you do foreign exports or imports? If they say no, then, OK, fine. If they say yes, then that is a trigger to do more enhanced due diligence in terms of what countries they deal with, what the volume of payments is that you are going to be expecting or making, and what the pattern of activity is. Is it seasonal, or is it going to be steady? All those kinds of questions will then help to establish what is normal and expected for that customer with their export or import activity.
So it is really triggered by either factors in the nature of the customer itself or suspicious activity also can drive a need for enhanced due diligence.
It is just really drilling down, or digging down to get a better answer, or more information.
Q: I think your answer sort of touched on a point that we discussed in today's webinar, which can be a source of tension between compliance and the customer teams. After doing due diligence or investigations you may find that this particular individual or entity is very high risk, and they should close the account. You may not get agreement from other teams within your organization that that is the right approach. What does compliance do at this point?
A: That is the age-old dilemma that is never going to go away because the sales side of the house thinks every customer is golden, and they are making money for the institution. So, why would we ever want to make them go away?
What needs to happen up front, is that compliance should be able to push through, at the highest levels, a set of criteria that the bank will apply to whether they make a decision to terminate a customer relationship. Some banks have a three strikes and you are out kind of thing.
So three SARs filed, you are gone. That is much more common when you have a depository account relationship because then you can just say, OK, sorry, customer, here is your money.
But when you are, as in my institution, in a long-term lending relationship, calling a loan based on suspicious activity that compliance identifies is probably a contract violation, because that is not a legitimate reason for a loan contract to be terminated. Usually nonpayment is the primary reason why a loan contract is terminated.
So then what has to happen is compliance needs to continue its work if the account is not going to be closed. You just need to continue monitoring those high-risk customers and continue to file SARs.
As you see activity, continue to inform management, especially at the highest level, up to the board of directors, on a regular basis. You should be reporting your SAR activity and letting them know about the activities of customer X.
I always thought that we should keep SARs as confidential as possible. So members of the board of directors did not need to know the actual customer names of clients we were filing SARs on, so keep that anonymous. But keep referring to the same client as, you know, customer X every time you do a board report showing SAR activity.
Sometimes reputational risks are what might tip the management side of the house over to being willing to terminate the relationship.
Q: Could you please define "anonymity" as you need to do know your customer (KYC) at onboarding of new clients and you have their specimen signature on file?
A: It relates to online account opening where you are not sitting face-to-face across the desk with someone. That is a form of anonymity, more so in terms of the level or types of transactions that they can conduct.
Anonymity is something that is almost inherent in so many of our products and services today with online mobile banking. We are not coming into a branch where you know the teller, or the teller sees the same customers all the time as we used to do in the old days. We knew who our customers were.
Now, there is nothing face-to-face so you do not know who is actually making this deposit. You do not know who is doing this transaction and that could be from a money-laundering perspective or fraud.
Q: How should an FI update its customer risk scoring along with other activities such as fraud?
A: We actually had our fraud and AML people work together, even though some people were specializing in fraud monitoring and the others were in AML monitoring.
An out-of-pattern transaction might be flagged by the fraud monitoring system that was not flagged by the AML system. So our fraud analyst and our AML analyst could work together.
If a customer had actual identity theft or account takeover activity, I do not think that makes them higher risk from a money laundering perspective.
It obviously does make them a higher risk from a fraud risk perspective and so within the fraud-monitoring tool there should be a way to set up controls on that account.
Q: Did you say an FI may not exit a relationship with a company with suspicious activities due to its size and volume of business? If so, it begs the question as to why have a risk rating if there is no action based on the results or ratings.
A: That is a huge challenge. In the example I provided we could not prove the activities were money laundering. It had all the hallmarks of a textbook case, but it is that classic case of the sales side of the house and the income-generating side of the house versus the client side of the house.
We could show the sales side that there were unusual things happening. But being a lender, these are long-term contracts and they do have the ability to call the loan.
They make hundreds of thousands of dollars for the bank every year. They pay their bills on time. They pay their interest. They purchase additional products and services. Unless law enforcement came and told us that these people were doing something illegal, there was no way they would do anything about that account.
Of course, law enforcement will never tell you what they are doing. Typically, they do not want you to close the account because they want to see if suspicious activity continues. If you close the account, you are just tipping off the customer and then they go somewhere else.
Q: Do you foresee AML requirements increasing for payment networks?
A: I would hope so, to be honest. It seems like right now the emphasis on cyber currency, Bitcoin and so forth, is getting the most attention because it can truly be anonymous and outside of all the banking regulations and controls.
But I am not sure what is going to happen. It is as if the product development is going faster and the regulatory environment is a slow process.
Q: What is the biggest risk associated to correspondent accounts? And how do you mitigate it?
A: That could be the subject for a whole webinar. In the United States, we have some specific USA Patriot Act sections around requirements for banks that have foreign correspondent accounts and relationships.
They are a higher risk for a number of reasons because essentially one bank is carrying out the financial transactions of another bank's customers. When you have a foreign bank involved, a U.S. bank is giving access to the U.S. financial system to a foreign bank’s customers. There are many risks associated with it.
So U.S. banks move funds between each other on behalf of their customers through the Federal Reserve, but if a bank does not have access to the Fed, like a foreign bank, they need a U.S. bank to run their transactions.
For a U.S. institution, a foreign correspondent bank account is especially risky because they create this relationship where a U.S. financial institution is giving foreign bank customers direct access to the financial system, and the American bank has zero information on these customers.
You cannot really detect suspicious activity because you do not know what is normal and expected and the amount of money that can flow through correspondent accounts can be huge.
Q: What leverage does a bank have to update know your customer (KYC) documents from a commercial loan customer?
A: We simply ask for them. Typically, if a customer does not have some reason to hide something, they will be willing to do so.
If somebody refuses to provide this, you suggest they take their business to another bank, but remind them that the other institution is going to ask them the exact same questions.
Sometimes we would phrase it in terms that made it more palatable for the customer. We would say we want to make sure that we have current information about you and your activities so that we can make sure that no fraudulent activity occurs on your account.
We asked for anticipated and normal activity pattern information under the guise of protecting the customer against fraud, which is true. It also helps from the money laundering perspective as well.
Q: How would you describe the risk level of a financial advisor?
A: If you are a financial advisor, you can only be responsible for something that you have knowledge of. So, if you have the knowledge of what your customer is doing and you see suspicious patterns there, then you would have a responsibility to report those patterns of behavior.
The same thing if you are seeing the KYC information at onboarding and there are things that are left off or things that do not make sense.
Q: Is an account with a SAR automatically high risk?
A: I would say that is a matter of perspective. So sometimes you have one SAR and then what I would do is say OK, a SAR has been filed for something like one bizarre transaction, which makes them a high risk.
Then, over time, that transaction never happens again, so it may very well not have been something truly suspicious. It may have been an anomaly. It may have been something that was actually legitimate, but you could not determine that, so you filed a SAR.
If it never happens again and nothing else ever happens, then that risk score can be brought back down to wherever they were before on your risk appetite -- maybe keep them medium-high at this point or medium, but it is all about what they are doing.
It is up to your institution and your risk perspective. If you feel more comfortable saying we filed this SAR, they are going to be high for the rest of their relationship, then go with that.
Q: You said that an average person could structure transactions to avoid the IRS finding out about the sale of his boat for $12,000. This is something we still need to report as structuring, right?
A: Yes. I was just giving that example of a person who is structuring, but he may not be a criminal so to speak. Ordinary people have many misconceptions about cash transaction reporting.
They just think they are protecting themselves from Big Brother or whatever. Therefore, the trick is to try to identify whether they are doing it on a regular basis and for what reasons.
There is also the possibility where this could be a funnel account or this person is acting as a money mule kind of a thing.
Q: Should you stop a transaction if there is a risk of money laundering?
A: No. In the money laundering case, you do not want to stop a transaction with the risk of money laundering.
For fraud, you absolutely stop it. If this is a fraud against your client, you absolutely want to stop the transaction, but for money laundering, you want to let that go through because it is suspicious.
There is nothing in the regulations that say you have to close an account. However, it is up to every bank to decide what to do. Your responsibility as a bank is to report suspicious activity.
Q: How would you risk rate these types of services: bill pay, ACH and debit card activity?
A: You have to think like a money launderer. Think about how I could use these activities. Obviously, ACH risks would be in the layering or the integration phase, so it could be used for that purpose.
Q: What is your opinion around money laundering risks and brokerage accounts? What would you think should qualify as an unusual activity or a potential money laundering risks?
A: I guess that depends on individual brokerage accounts as they can have many different features. Typically, it is used to hold money that has not been invested already.
There are some specific behaviors and activities that can involve say churning -- buying and selling stocks rapidly and putting money into the brokerage account and then taking it out. It is sort of the same thing as a checking account, but it is usually harder to do that than it would be for a checking account.
Therefore, it depends on the features.
Q: So are you thinking like the velocity of transactions would be a factor?
A: Yes. Usually you cannot deposit cash, and there is no actual currency, into a brokerage account. You have to move it from somewhere else, or you are writing a check and sending it to be put into an account, so usually it does not have those cash placement risks.
It is more of a layering issue, the layering (phase two) risk of money moving in and out of it. Is it being used for what it would normally be intended for, or does it appear to be being used for something it was not intended for?
Q: There have been questions around changing behaviors and fraud around COVID-19. Could you provide some advice on areas that compliance teams should look into in terms of behaviors?
A: We have two things going on here. We have got potential fraud committed against the bank's customer and we have the proceeds of fraud being laundered potentially through the bank.
The recommendation I would have from the fraud side of the house is to make sure that your fraud monitoring tools are looking for patterns of unusual or different behavior. Also, make sure that you follow up with your customer when you start to see things that look unusual.
If customers are paying for something they are being coerced and/or fooled into, such as making a big donation or whatever, that is when you want to confirm with your customer that they have actually initiated this transaction.
On the money laundering side, look for unusual patterns in existing accounts or in new accounts, where you would be seeing money coming in and then immediately going out. Someone who is laundering the proceeds of fraud is going to put it into the financial system through depositing it into an account. Then they are moving it out immediately.
It fits all those same standard patterns or well-known patterns for money laundering. Red flags are going to be here, just possibly in greater volume.
Q: Many of the cash intensive businesses are not deemed essential services under COVID-19 and they are closed. What do you think about monitoring their deposits because if they are closed they should not be having money coming in?
A: That is a very good point. Therefore, if you can tweak your systems, there may be a flag on all business accounts for large cash deposits. For cash based businesses that are still open, they are going to continue to have activity and potentially more activity.
Businesses like grocery stores and convenience stores are open and are typically cash-based. Therefore, you may even see kind of a spike in those types of businesses. It is worth a look.
Q: One more person said the risk scoring should not only consider the behavior of one financial institution, but what about focusing on a country? How could this be implemented?
A: There are all kinds of risk factors of a particular country that can give it a higher propensity to facilitate money laundering. So look at all institutions in that country.