Q&A Elements of Customer Risk: Profile and Relationships
March 12, 2020
Here are the questions and answers from our attendees at our recent webinars on Elements of Customer Risk: Profile and Relationships.
Q: In the FFIEC ‘Customer Due Diligence’, it states “An understanding based on ‘categories of customers’ means that for certain lower-risk customers, the bank’s understanding of the nature and purpose of a customer relationship can be developed by inherent or self-evident information such as the type of customer, the type of account opened, or the service or product offered.”
The question is, in general for an FI that offers a single product (i.e. on-line loans), which is inherently low-risk – can an FI document that as such, and not be ‘required’ to have a customer risk profile (customer risk rating) at on-boarding?
A: Depending on the actual type of financial institution, if they are subject to the anti-money laundering regulations of the Bank Secrecy Act (BSA), then I believe they should individually risk rate their customers, even though they only offer one product.
That is my opinion, but again, it all comes back to those institutions. What is their regulatory environment? And what is their regulatory requirement? And what is their perception of risk? With an online loan, you have that anonymity factor. How much does use of the product you are offering facilitate money laundering? So could someone get a loan and then, say, repay it back a week later? How much does that product facilitate money laundering? I personally would feel like you would want to do a risk assessment of your individual customer.
So at a minimum, hopefully you are doing the CIP aspect where you are OFAC screening your customer and obtaining identification on them.
Q: At our institution, we struggle with the long-held view that the online account opening process exposes the bank to additional risk, considering that is now an accepted channel to open accounts. You would have to give everyone points for this channel, which means very little since everyone would have those same points. What is your view?
A: I will give you an example from my institution on a service. Wire transfers in general are considered a higher money laundering risk, but at my institution, our primary product was a revolving line of credit.
For many years, the only way that our customers could advance money from that line or repay it was through wire transfer. So everybody used wire transfers. Therefore, we did not consider every customer slightly higher risk just because they used wire transfers.
It is the same thing here. If the majority of your accounts are being opened online, then you are correct that you would not necessarily add to your risk score on every single customer.
So you need to just look at how you are mitigating what procedures you have. Also, what data collection efforts and so forth are helping to mitigate that anonymity risk from online?
Q: Your risk assessment is only as good as the quality of data that feeds into it. Most FIs have a challenge with getting cleaner data to feed into the risk assessment. So in your experience, what are some steps taken by organizations to resolve data problems in the short term, given the cost and time it takes to fix systems and the data?
A: I guess primarily look at what your inputs are first of all, and the basic data entry controls around those inputs.
How are you capturing the data in the first place? And are you educating the people who are doing the data entry as to what the right answers are, what data they are supposed to be putting in there? Education is key. If it is an online data entry type of process, are there validations occurring to make sure the data they are putting in there makes sense?
Education and then periodic scrubbing of data is an unfortunate fact of life that we used to go through at my institution a couple times a year. We would do big data dumps out of the database of our customer base and start looking for anomalies and things that hadn’t been completed, like foreign customer addresses and so forth. You can identify the big anomalies and then just go through that cleanup process.
At my institution, we often involved the relationship managers in that process to review their customers’ AML data and underlying data on an annual basis.
You have to establish controls up front to make sure that the data that is going in is clean. It is the old garbage-in, garbage-out philosophy. Make it as clear and simple as possible for people to input data and input the right data, have validation controls within the system that make sure they’re not putting in the wrong data and then doing a scrubbing once a year if possible are really the best ways.
Q: How far in terms of family relationship should a person be linked to a Politically Exposed Person (PEP) and be considered a PEP? So, for example, the nephew of a mayor, the grandchild of a senator? The second part of this question is how long should a PEP still be considered a PEP after leaving office?
A: Obviously, the person themselves would definitely be considered a PEP, but those family relationships fall under your institution’s perception of risk.
If you have many PEPs as customers, you may even want to go further down in that relationship to the accounts of children. It also depends on where you can get that data. So how detailed is the PEP list that you have purchased from the AML vendor?
It can depend whether they step away when they have retired from their political position. That depends on the individual as well.
You can look back to that infamous case of Augusto Pinochet as he was a dictator in Chile, but he was also continuing to do business at Riggs Bank. So technically, he was no longer in his position, but he still had these connections and ties. So I think that is a matter for an individual-by-individual basis. It is up to that institution to decide and it may vary from jurisdiction to jurisdiction.
Q: What do you see examiners require, or expect, when it comes to refreshing CDD for existing customers?
A: That really depends on the examiners; obviously it depends on the regulatory agency and on the individual examiners who are examining your institution. In general, I think they look for something consistent.
As long as you have documented what your update process is, and your rationale behind it, that usually tends to satisfy examiners. I’ve found over the years that they are less likely to question you or write you up if you can hand them something that says here is our customer due diligence update process, here’s what we’re doing and here’s why we decided to do it this way.
It is totally a risk-based approach and every institution is going to perceive risk differently.
Q: Someone asked a question about cryptocurrencies and their money laundering risk, which is a big topic in itself. We have actually done a number of webinars on virtual currencies with an expert who works very intimately with this area.
A: Here is a link to a white paper: What FIs Need to Know About Cryptos. And here are links to webinars we have done: A Regulatory Understanding of Virtual Asset Types and Their Risks and What FIs Need to know about Cryptos
Q: What tools might a financial institution use to detect hidden connections?
A: Once the beneficial ownership rules took effect and we started collecting that information from new customers, we actually input it into our system. We created a new field within our customer database for beneficial owner names and data and then we could incorporate that into our transaction monitoring system.
Q: How can you be sure of beneficial ownership?
A: Well, you cannot unfortunately. That is the flaw in how the CDD rule has been designed. I am speaking purely from a U.S. perspective here because corporate formation is controlled at the state level not the federal level. Each state can set its own rules for what information it collects when an entity is domiciled there, when an entity is formed and so we have no national database of beneficial owners.
On a state-by-state basis, they may or may not be collecting that information. In most cases, they are not collecting it. They may collect the direct owner of a company that is being formed, but in many cases, it is another company and they do not go any further than that.
So the whole premise of the CDD Rule and collecting beneficial ownership data was that the institution is supposed to collect the data from the customer and then obtain and validate the identification or the identity of that person. You can do that through a driver’s license or passport, but there is nothing to say that the person really is the ultimate beneficial owner of this structure of companies.
Q: How can you risk grade your customers when they are in the hundreds of thousands?
A: I do not think you have a choice. You can adopt a type of standardized risk scoring method.
Q: How often do you feel account holders should be revisited outside of OFAC searches?
A: Sanctions screening should be ongoing, but from a customer due diligence perspective, a lot of that depends on the type of account.
Obviously, smaller accounts are not going to be vetted as often, but say a larger business, especially business customer accounts, will oftentimes have a relationship manager assigned to them.
In my institution, the relationship manager was a key player in all of this because they needed to be on top of what was going on with their customers, such as instances of mergers and acquisitions. We had changes in business models and all those types of things that relationship managers would be very aware of.
Q: Do you think that 25 percent ownership threshold for KYC/CDD purposes is enough?
A: Well, the 25 percent threshold is the suggested threshold for beneficial ownership. So in other words, a beneficial owner, according to FinCEN guidelines, is someone who owns 25 percent or more of a legal entity either directly or indirectly.
That is a guideline. Institutions commonly may go lower than that, especially with certain types of accounts. They may say for this type of account, we are going to say we want to identify beneficial owners at 15 percent. So, as far as the 25 percent threshold, that is really where my understanding of the guidance comes in.
So then, what you are starting to see in law enforcement is beneficial owners who are only 24 percent or 24.5 percent because they are trying to avoid that threshold.
Q: How should anticipated transactions be documented?
A: Everything should be documented obviously, so you would want to ask your customer and this depends on the different product. But, volume is important and the level of cash activity is important to document. How much, how often do they anticipate this?
Also, wire transfer activity that is incoming or outgoing, domestic or foreign and how much, how often, from where to where, all that kind of information should be collected and documented.
Q: If a potential client cannot provide reasonable details of anticipated activity, would that be a red flag?
A: If it is a brand-new business, for example, and they have just opened their business and they are not too sure about what they are going to be doing, that is a reasonable explanation.
But they still should have something like a business plan or projections, a pro forma income statement or things like that. They should have some idea of what they are going to be doing through the accounts. So, if they absolutely insist that they have no idea then I would say that is a red flag.
Q: What do Delaware, Wyoming and Nevada do differently that makes it easier to maintain anonymity in forming corporations?
A: In the U.S., the laws governing the formation of corporations are controlled by each state government. In other words, there is no federal law for overall company formations.
These states are small and so they rely significantly on the fees that they charge for forming a corporation. Delaware and Wyoming especially promote that they are not going to collect any information.
In these three states, it is easier to form a corporation than to get a driver’s license or a library card. You can do it in about five or 10 minutes online with a credit card to pay the fee. So those are some of the reasons why these have become money laundering havens.
Q: How should adverse media be examined when considering risk factors?
A: You can document that as a risk factor. It depends on the type of client that you have, too, because in the United States, the vast majority of our legal entities have 25 or fewer employees. So the media coverage tends to be on the big companies that everybody knows.
What I found in my experience was that I had very few clients that would ever have any kind of media attention. So it is not as cut and dry and it may even indicate that you do not even want to open an account for that client if there is a serious level of adverse media.
Q: Can you provide examples of good automated risk rating classification systems? How did you do the risk rating within your organization?
A: Within my organization, we chose our risk factors. We established a scoring methodology for each risk factor and it was cumulative. In other words, the higher your score the higher your risk rating. So, if a customer had very few risk factors, they would have a lower risk rating.
Remember we are not considering any factor in a vacuum. It is just the fact that someone that has many accounts and uses a lot of products and services has many more interactions and much more activity and has a lot more invested in the bank. It is not as all-encompassing as saying, well, this customer has many accounts and they have been with us a long time. Therefore, we are just going to call them low-risk. That is not the case.
Q: Is it recommended that the customer risk-rating model be weighted according to the amount of risk that it poses to the institution?
A: Absolutely. This is all based on your institution’s risk perspective. You may consider geographic risk, for example, to be more important than products and services and customer demographics. So perhaps you calculate it and then create a sub score for each one of those three categories. Then you apply a weighting factor to the geographic risk elements to make them more important.
Q: How frequently should risk profiles be reviewed and updated?
A: We get that question a lot. This is also from the perspective of your institution. I would say whenever something changes with that customer – whenever a major change occurs – you should be able to have some kind of a triggering mechanism.
For an individual client, let us say their address changes, you may want to do a review at that time. If there are patterns of activity change, that is also a trigger that something has changed with them and it is time to go back and look at what is going on.
With a business client, if their anticipated activity is writing cheques on their account and they get deposits and all of a sudden, they start doing foreign wire transfers, that is a flag that you need to go back and look at. You can speak to the client as maybe they are now doing some import or export business. It can often be a completely legitimate explanation, but something has changed.
If nothing has changed with a client, I would say do the review on an annual basis.
Q: What is the quality assurance process for these risk ratings? How do you assess if the system is doing what it needs to do?
A: What we used to do is test the model. You can create some test customers with various risk factors and then see what their score comes out to be.
You can also take what you know to be an existing client that is high risk and validate that the system is actually rating them that way. Look at their actual behavior and their demographics and products and services and so forth. What is the risk score you come up with and does that reflect what you think it should be?
Testing is critical and it is not going to necessarily catch everything. You can do a wide range of test cases of all different types of clients that are representative of your different risk ratings, and see that the system is actually rating them that way, and then you can be confident that it is doing what it is supposed to be doing. In addition, you should document your testing as well.
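The cumulative, weighted scoring model described in the earlier answer on risk rating (factor points rolled up into geographic, products-and-services and customer sub-scores, with a weighting factor on geography) and the model test described just above, as an added example that is not code from the webinar or from CaseWare RCM. The factor names, point values, category weights, band thresholds and test customers are all constructed assumptions.

```python
"""Weighted, cumulative customer risk-rating model with a model-validation step.

Added example; factor names, points, weights, band thresholds and the test
customers are constructed assumptions, not an institution's real model.
"""
from dataclasses import dataclass

# Points per risk factor, grouped into the three categories named in the answer.
# Scoring is cumulative: every factor present on a customer adds its points.
FACTOR_POINTS = {
    "geographic": {"high_risk_country": 30, "foreign_address": 15},
    "products_services": {"foreign_wires": 20, "cash_intensive": 15, "online_channel": 5},
    "customer": {"pep": 40, "adverse_media": 25, "no_anticipated_activity": 20},
}
# Assumed weighting: the institution treats geographic risk as 1.5x the others.
CATEGORY_WEIGHTS = {"geographic": 1.5, "products_services": 1.0, "customer": 1.0}
# Assumed rating bands: lower bound of each band on the weighted total, highest first.
BANDS = [(70, "high"), (35, "medium"), (0, "low")]


@dataclass(frozen=True)
class Customer:
    name: str
    factors: frozenset  # names of the risk factors present for this customer


def sub_scores(customer):
    """Cumulative sub-score per category; unknown factor names are rejected
    so a typo in the data feed cannot silently score as zero."""
    known = {f for cat in FACTOR_POINTS.values() for f in cat}
    unknown = customer.factors - known
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    return {cat: sum(pts for f, pts in factors.items() if f in customer.factors)
            for cat, factors in FACTOR_POINTS.items()}


def weighted_score(customer):
    """Apply the category weights to the sub-scores and sum to one score."""
    return sum(CATEGORY_WEIGHTS[cat] * s for cat, s in sub_scores(customer).items())


def risk_rating(customer):
    score = weighted_score(customer)
    return next(band for floor, band in BANDS if score >= floor)


def validate_model(expected):
    """Model test: rate each test customer and return (name, got, wanted) for
    every rating that disagrees with the analyst's expectation. Empty = pass."""
    return [(c.name, risk_rating(c), want) for c, want in expected if risk_rating(c) != want]


# Constructed test customers, one per rating band.
TEST_CASES = [
    (Customer("retail_online", frozenset({"online_channel"})), "low"),
    (Customer("importer", frozenset({"foreign_wires", "cash_intensive", "foreign_address"})), "medium"),
    (Customer("pep_offshore", frozenset({"pep", "high_risk_country"})), "high"),
]

if __name__ == "__main__":
    for cust, _ in TEST_CASES:
        print(cust.name, sub_scores(cust), weighted_score(cust), risk_rating(cust))
    print("mismatches:", validate_model(TEST_CASES))
```

Keeping the expected ratings beside the test customers, and the mismatch list from `validate_model`, gives the documented testing record the answer asks for.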
Q: What is your recommendation for a risk-based approach for updating customer information?
A: That is a challenge for any institution and actually any business. There are a couple very high-level recommendations.
One would be to make sure that you have good front-end data controls so that someone can’t enter, for example, a country code in the state field or in an address, or can’t leave something blank. So making sure that on your front end you have some good controls around data entry.
A second one, which is a big effort, but it is an important effort to do periodically, is doing a data scrub to look for anomalies. Then go back and have those anomalies fixed. Find the underlying root cause of that anomaly and try to find some controls in order to correct it.
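The two recommendations above (front-end data-entry controls such as rejecting a country code in the state field or a blank required field, and a periodic data scrub that tallies anomalies so the root cause can be found), as an added example that is not code from the webinar or from CaseWare RCM. The field names, the abbreviated code lists and the sample records are constructed.

```python
"""Front-end data-entry controls plus a periodic data scrub for anomalies.

Added example; field names, the abbreviated reference lists and the sample
customer records are constructed, not an institution's real data.
"""
from collections import Counter

# Constructed subsets; a real control would load the full US state table and
# the full ISO 3166 country table. Note 'CA' and 'DE' are valid in both lists.
US_STATES = {"CA", "DE", "NV", "NY", "TX", "WY"}
COUNTRY_CODES = {"US", "CA", "GB", "MX", "DE"}
REQUIRED = ("customer_id", "name", "country", "city")


def validate_record(rec):
    """Front-end control: return a list of (field, problem) tuples; an empty
    list means the record passes. Checks: no blank required fields, a known
    country code, and for US addresses a state code that is a real US state
    rather than a country code typed into the wrong field."""
    problems = [(f, "blank") for f in REQUIRED if not str(rec.get(f, "")).strip()]
    country = str(rec.get("country", "")).strip().upper()
    if country and country not in COUNTRY_CODES:
        problems.append(("country", f"unknown country code {country!r}"))
    state = str(rec.get("state", "")).strip().upper()
    if country == "US":  # state is only validated for domestic addresses
        if not state:
            problems.append(("state", "blank for US address"))
        elif state not in US_STATES:
            why = ("country code entered in state field" if state in COUNTRY_CODES
                   else f"unknown state code {state!r}")
            problems.append(("state", why))
    return problems


def scrub(records):
    """Periodic scrub: run a customer-base extract through the controls and
    tally anomalies by (field, problem) so the root cause can be chased."""
    anomalies = [(rec.get("customer_id", "?"), field, problem)
                 for rec in records for field, problem in validate_record(rec)]
    root_causes = Counter((field, problem) for _, field, problem in anomalies)
    return anomalies, root_causes


# Constructed sample extract from a customer database.
SAMPLE = [
    {"customer_id": "C001", "name": "Alder Imports LLC", "country": "US", "state": "DE", "city": "Wilmington"},
    {"customer_id": "C002", "name": "Birch Trading", "country": "US", "state": "GB", "city": "Austin"},
    {"customer_id": "C003", "name": "", "country": "US", "state": "NY", "city": "Buffalo"},
    {"customer_id": "C004", "name": "Cedar SA de CV", "country": "MX", "state": "", "city": ""},
    {"customer_id": "C005", "name": "Dune Holdings", "country": "XX", "state": "", "city": ""},
]

if __name__ == "__main__":
    found, causes = scrub(SAMPLE)
    for row in found:
        print(row)
    print("root causes:", causes.most_common())
```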
Q: What is the best approach for the review of an institution’s overall risk assessment program and how comprehensive should this be? And how should it be documented?
A: Well, you want to clearly document your entire risk assessment process, such as the risk factors you are using, how the data entry occurs and why you chose those factors. I think that part is especially important to document your rationale, especially when someone else is going to be looking at this from the outside, such as a regulator. Also, it helps you think through as you are documenting it exactly why you are doing something a particular way.
When you are going through an examination, they will ask you how you came up with these risk factors and the rationale behind them, and being able to have that documented is golden. That wins you many points with regulators as well as just making it a better program overall for everyone.
Q: Is the FI responsible to obtain missing information that is used for risk rating the customer prior to the CDD rule?
A: You are not required to go back and collect beneficial ownership information on your existing legal entity customers in the U.S. However, my strong recommendation is that if something changes where you need to go back and review the due diligence on that customer, such as opening a new account, then absolutely collect the beneficial ownership information at that time.
About Anu Sood
Anu Sood (LinkedIn | Twitter) is the Director Marketing at CaseWare RCM and is responsible for the company’s global marketing strategy. She has over 20 years of experience in product development, product management, product marketing, corporate communications, demand generation, content marketing and strategic marketing in high-tech industries.