Q&A Elements of Customer Risk: Profile and Relationships
September 30, 2020
Here are the questions and answers from our attendees at our recent webinars on Elements of Customer Risk: Profile and Relationships.
Q: I do not see vendors wanting to show how the risk matrix is built inside automated AML/BSA systems. How does a Compliance Officer explain the scoring process?
A: That can be a challenge because more and more regulators are interested in model validation. Not being able to validate the model is a big problem. Keep pressing your vendor because it should not be a secret. They like to keep secret how they come up with their risk scoring, but they should be able to provide you with basic algorithms and what types of inputs they're using, and how they're weighting them. To me, that is unacceptable, so I would go back to the vendor and have the conversation with them. I know we have moved to more of a white box approach, where people can actually set the parameters, and then meet them according to their risk appetite. Go back to your vendor and have that honest conversation with them.
Q: When referring to ownership org chart, would this be a corporate resolution?
A: More and more, we want to see this in order to validate the information they have provided as beneficial ownership. So if they say we have no beneficial owners, we can say show us an organization chart of who owns what. And especially if they say we are owned by another legal entity, then you definitely want to see it - keep taking this up higher and higher to see if there are any individuals at the top because there usually are.
Q: What if intermediary is a special purpose vehicle (SPV) - then what do you do for customer due diligence purposes? What if your customer or your legal entity customer is owned by an SPV?
A: You want to just continue to look at that ownership. Keep peeling back the layers of ownership. So who controls or owns the SPV? And if that is another legal entity, then who owns or controls that legal entity? You just keep going, peeling back the layers. You would treat it just like you would any other type of legal entity.
Q: If an existing customer applies for a second checking account, does the FI have to run through the customer intake process again even though they are an existing customer?
A: You are required, according to the FinCEN CDD rule, to obtain beneficial ownership or update beneficial ownership information when a customer opens a new account, even if they are an existing customer. At my bank, we developed a process to have the customer review and provide us with an attestation that nothing had changed, or they would provide us with a new form if something had changed.
So you do need to update that information, and when a customer opens a new account, you also need to look at the timing of it. For example, we had a customer open a business checking account and then about a month later, they decided to open a separate payroll account. As it was such a short period of time between the first and the second account opening, we decided that we did not really need to go back and get all new information because we had just opened this account for them four weeks ago.
We established our own time period threshold as to whether we would go back and review our customer due diligence information to see if anything has really changed. It typically involves a conversation with the customer, and then you can decide as a bank what time period you feel comfortable with in requiring a new beneficial ownership certification form.
Q: A business transacts foreign exchange, which is high risk. In doing a risk scoring form, should we lower the high risk score by mitigants, such as dealing only with banks, those who have a regulator in a relevant country, or where customer relationship is more than five years?
A: We don't take any risk factors in a vacuum. If you have a history with that client and all those things are listed as mitigating factors in terms of who their client base is and they are regulated, and if their activity is backing up that lower risk, then I would say you could lower that risk score because of what you're seeing.
Q: Have any US states made NIS firms illegal?
A: No, they have not. They are alive and well.
Q: What is a good approach for obtaining shareholder information for a company that tells you that a large percentage of shareholders are made of multiple investors?
A: I actually saw this in a number of business clients we had, where ultimately there were multiple layers of LLCs, but ultimately at the top of the chart was a hedge fund. Hedge funds do not like to disclose who their investors are. We would get a statement to that effect saying that this hedge fund is comprised of 20 individuals, and none of them holds a greater than 25 per cent interest overall.
The main question to ask is: does any single individual own whatever threshold you have set? Ask that question and just have them attest to that, because there is no way that you can validate it unless you ask, unless they are publicly traded, in which case you can see some shareholder data on the SEC website and in their quarterly filings.
Q: What would you do when you onboard clients who want to open joint accounts, but there is no blood relation?
A: I would just ask the question or ask more questions because of that increased risk of human trafficking and elder abuse. This is where a face-to-face interview with the potential clients is important. There could be a couple, who are living together, but not married. There could be many cases, but just having a conversation really helps.
Q: Would you require or request an updated business org chart throughout the life of the account?
A: Yes, it typically depends on how your CDD policies are established, but periodically, you should be going back and looking at the CDD information you have on that customer. It really depends on the nature of that business.
Many of my customers were in the agribusiness sector. They were closely held companies so typically there were family relations. And the ultimate ownership seemed to change constantly because family members would die, and then it would go to a living trust, and new family members would come in, others would leave, and there was a lot of churn in that beneficial ownership. But in other situations, that may never happen. Therefore, it really depends on the nature of the clients.
The relationship manager for that account should be keeping an eye on it to identify when a big change happens. Another trigger for that would be anytime you have an acquisition or merger because then things are going to change, obviously.
They may change the title on the account. They may open new accounts, close others, because of a merger of some kind. Those things are good opportunities to get that new organization chart.
Q: When a customer provides an org chart only up to a certain level and provides an attestation that no one owns more than 10 per cent, is that sufficient, or should they ask the customer to provide the org chart up to the ultimate owner level?
A: That can be a bank's risk decision based on how comfortable you feel with doing that. We would never let that happen. I would say you need to show me. If they say there are 50 people that all own it, then I would probably take that attestation. First, I would ask the question how many people are involved at the top and then go from there. I would press for more information and just decide how far you are willing to push it.
That becomes the customer relationship type of issue, whether or not you just accept that attestation or not.
Q: What are some of the best learning tools to train frontline staff about money laundering? How do you gain that knowledge and then also share that knowledge or train the other people on your staff on the type of questions they should be asking?
A: According to the BSA, you should be training all of your bank staff to some degree on sort of a broad understanding of the AML program and money laundering. So educate them on the three basic phases of the money laundering process. Then you provide them with, in my opinion, the best training tools, which are real-life examples or potential real-life examples so that they can see why this is a risk. And some people may never accept that. They will always have a positive view of their customer. Others may come to understand that this is why we ask these questions.
Having regular periodic training is important.
Q: What is the best quality of risk profiling model and how many variables make a risk-scoring model?
A: It is going to be unique to your institution. What may be complex for one institution might be simple for another. I think the things that come into play are the size of the institution, the size of the customer base, and how diverse your customer base is.
Q: Have you heard anything about the U.S. moving towards beneficial ownership registration system?
A: I would imagine that there is going to continue to be huge pushback on this in the U.S. because several states make a lot of money from corporate formations. Delaware's corporate fees, for example, are one of its primary sources of revenue.
They continue to promote this level of anonymity, as a way to draw formations to their states. A change would mean they would face the burden of having to collect information that they never have before.
I can just envision that will be a huge fight.
Q: The IT department and management do not understand the depth of the risk environment. They do not always know what the compliance team or compliance person is asking. What should they do to help teach them, and how much do they need to influence the risk environment?
A: At my bank, with assistance from consultants, we put together a computer-based training module that was an overview of understanding money laundering and risks and the money laundering process and understanding what compliance does and why.
Then we required every single employee to take that training.
We would update a little bit every year, but it was an annual training. In addition, every person from the mailroom, all the way up to the CEO had to take this training. All of our IT people had to take it as well.
We had a small team of IT staff who were dedicated to supporting individual applications. We had a team of people who supported our AML applications. We would work closely with them so they actually understood what this application is doing and why. It was a twofold way of training. We had the broad-based training that everyone had to take.
Those working in IT who were supporting us in compliance specifically really had to understand the application and why we were using it and what those risks were.
Q: What can be given up if you adopt a simplified due diligence process?
A: Obviously, you would be designing your customer due diligence process based on your institution's perceptions of risk, and, therefore, if you are simplifying that process, you are probably selecting the risk factors that you consider most significant based on your customer demographics.
Q: Some organizations might take a simplified due diligence process if they are already an existing customer. Is that correct?
A: Yes. If you are opening a new account for an existing customer, then it provides an opportunity to review the customer information that you have, and potentially update it to make sure that nothing has changed, so that you have current information.
However, not nearly the lengthy process happens when it is a brand new customer with a brand new account.
Q: A question came in from Bahrain saying that they have a platform database that is a commercial registration portal, run by the government. So basically, you can enter the business registration number, and you get the information you need, according to this comment.
A: For beneficial ownership information, different jurisdictions have different resources for accessing information. In the U.S., corporate formation is controlled at the state level, not the federal level.
Different states have different levels of data, and in my experience, they all have some type of an online portal where you can search for the existence of a business, but very few of them have any kind of information about who actually owns that business.
We typically would check for the good standing of a business entity, through the Secretary of State, which is the typical government office of each state that controls corporate formation or keeps track of them.
Companies are required to file very brief reports each year and pay a fee to maintain their registration in that state.
A very initial step in our due diligence process is always to make sure that that entity is in good standing. However, it is almost impossible to verify beneficial ownership.
Q: So if your organization is small, is the organization chart really needed?
A: Not necessarily, if you use your own judgment. If it is a partnership and you can validate, based on the formation agreement or formation document, who those partners are, then you do not really need an organization chart. Similarly, say, a single-member LLC, which is pretty much the same thing as a sole proprietorship, only with the corporate veil protecting them.
Therefore, you do not necessarily need one if it is very simple.
Q: One person said they think the organization chart is a good asset for KYC; however, they wanted to know what regulatory platform you would recommend or have used to ask for that kind of information and maybe record it?
A: It typically needs to come directly from the customer. In the U.S., I am not aware of any particular regulatory source for this information. There is some detail when publicly traded companies file their quarterly and annual reports with the Securities and Exchange Commission.
If the customer is a publicly traded company, you do not need to obtain beneficial ownership certifications because that information is available. For smaller or more closely held entities or non-traded entities, I am not aware of any.
Q: What sort of due diligence would you do at a high level on a charity?
A: I would look at who the individuals are who exert financial decision-making and are making control decisions. On our U.S. beneficial ownership form, we have that. We have the owners, and then they require identifying one person with significant decision-making authority.
Therefore, where it is a charity, there is not going to be that same ownership sort of component, but you can look and see who the controlling interests are and see if they do have multiple levels of entity control. As well, there could be another charity that sits on top of the client charity.
It is just a matter of making sure that you understand how this entity is formed and who is holding the purse strings and making the decisions.
Q: Is this where you are looking at trends? Are you looking at the transactions more closely? Who is sending and receiving them?
A: And even more so, where the money is going here. Consider terrorist financing - there have been cases over the years where charities have been established and people have been donating to these charities thinking that they are for their stated purpose. In fact, the money is being funneled back to a terrorist organization.
Q: What type of document should we ask for government accounts to complete our CIP?
A: For CIP, or customer identification, on any kind of legal entity, you are looking for some sort of formation document, or other legal document that shows that this entity exists.
Q: What is your experience for money laundering cases via individuals or organizations in offshore jurisdictions? Is it more tax evasion, or less of money laundering?
A: Well, they are actually one and the same because technically the definition of money laundering is the use of proceeds obtained through an illegal activity. Tax evasion is an illegal activity.
That is what would be the precursor activity, and therefore the use or the movement or holding of those funds then constitutes money laundering. Sometimes we forget about that definition of it, and we think of it more as the process that we're familiar with: placement, layering, integration, all that. But, as far as offshore goes, I think tax evasion is a prominent driver there.
I have seen offshore entities use the layering process as well. Wire transfers would come from one offshore entity through another offshore entity in a different jurisdiction then to the client.
Q: Are there any automatic triggers to go from transaction monitoring solution to CDD solution and vice versa?
A: Hopefully those two systems can talk to one another and interact, so that the CDD solution can calculate the risk score of that client.
Say they would file a SAR, then that should send a pre-determined trigger to the CDD system that says we'll make this customer high risk automatically because once a SAR has been filed, they should be considered high risk.
If the CDD solution has identified an entity as high risk, the transaction monitoring solution should follow a certain profile for high-risk entities and vice versa.
If the transaction monitoring system detects high-risk activity, that should feed back into the system to reflect on the customer risk score.
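The two-way triggers described in this answer, as an added illustration that is not part of the webinar or any vendor product: a SAR filing forces the CDD rating to high, the CDD rating selects the transaction monitoring profile, and each monitoring alert feeds points back into the risk score. The event names, thresholds, score bands and point values are constructed for the example.

```python
"""Two-way triggers between a transaction monitoring (TM) system and a CDD
risk-scoring system. Added example; all thresholds and point values are
constructed, not regulatory figures."""
from dataclasses import dataclass

# Constructed monitoring profiles keyed by CDD rating: a higher rating lowers
# the amounts at which TM raises an alert.
MONITORING_PROFILES = {
    "low": {"cash": 10000, "wire": 50000},
    "medium": {"cash": 5000, "wire": 25000},
    "high": {"cash": 2000, "wire": 10000},
}
SCORE_BANDS = [(0, "low"), (10, "medium"), (20, "high")]  # constructed
SAR_FLOOR = 20          # any SAR lifts the score at least into the high band
ALERT_POINTS = 5        # points fed back to CDD per TM alert


@dataclass
class CustomerRecord:
    customer_id: str
    risk_score: int
    sar_filed: bool = False

    @property
    def rating(self):
        if self.sar_filed:            # SAR overrides the score bands
            return "high"
        label = SCORE_BANDS[0][1]
        for threshold, band in SCORE_BANDS:
            if self.risk_score >= threshold:
                label = band
        return label


class CDDSystem:
    def __init__(self):
        self.records = {}

    def add(self, customer_id, risk_score):
        self.records[customer_id] = CustomerRecord(customer_id, risk_score)

    def rating(self, customer_id):
        return self.records[customer_id].rating

    def on_sar_filed(self, customer_id):
        """Trigger from case management: SAR filed -> customer is high risk."""
        rec = self.records[customer_id]
        rec.sar_filed = True
        rec.risk_score = max(rec.risk_score, SAR_FLOOR)

    def on_tm_alert(self, customer_id, points=ALERT_POINTS):
        """Trigger from TM: detected high-risk activity raises the score."""
        self.records[customer_id].risk_score += points

    def profile_for(self, customer_id):
        return MONITORING_PROFILES[self.rating(customer_id)]


class TransactionMonitor:
    def __init__(self, cdd):
        self.cdd = cdd

    def screen(self, customer_id, txn_type, amount):
        """Return an alert dict when the amount meets the threshold of the
        customer's current profile, and feed the alert back to CDD."""
        threshold = self.cdd.profile_for(customer_id)[txn_type]
        if amount < threshold:
            return None
        self.cdd.on_tm_alert(customer_id)
        return {"customer": customer_id, "type": txn_type,
                "amount": amount, "threshold": threshold}


def run_scenario():
    """Constructed walk-through returning the states a reviewer would check."""
    cdd = CDDSystem()
    tm = TransactionMonitor(cdd)
    cdd.add("C100", risk_score=4)                      # starts low
    steps = {}
    steps["start"] = cdd.rating("C100")
    steps["small_cash"] = tm.screen("C100", "cash", 6000)      # below low-band threshold
    steps["wire1"] = tm.screen("C100", "wire", 60000)          # alert, score 9
    steps["wire2"] = tm.screen("C100", "wire", 60000)          # alert, score 14 -> medium
    steps["after_wires"] = cdd.rating("C100")
    steps["cash_again"] = tm.screen("C100", "cash", 6000)      # now alerts at 5000, score 19
    cdd.on_sar_filed("C100")                                   # forced high, score 20
    steps["after_sar"] = cdd.rating("C100")
    steps["small_cash_high"] = tm.screen("C100", "cash", 2500) # alerts at 2000, score 25
    steps["final_score"] = cdd.records["C100"].risk_score
    return steps


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```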
Q: In the FFIEC 'Customer Due Diligence', it states: "An understanding based on 'categories of customers' means that for certain lower-risk customers, the bank's understanding of the nature and purpose of a customer relationship can be developed by inherent or self-evident information such as the type of customer, the type of account opened, or the service or product offered."
The question is, in general for an FI that offers a single product (i.e. online loans), which is inherently low-risk, can an FI document that as such, and not be 'required' to have a customer risk profile (customer risk rating) at onboarding?
A: Depending on the actual type of financial institution, if they are subject to the anti-money laundering regulations of the Bank Secrecy Act (BSA), then I believe they should individually risk rate their customers, even though they only offer one product.
That is my opinion, but again, it all comes back to those institutions again. What is their regulatory environment? And what is their regulatory requirement? And what is their perception of risk? With an online loan, you have that anonymity factor. How much does use of the product you are offering facilitate money laundering? So could someone get a loan and then, say, repay it a week later? How much does that product facilitate money laundering? I personally would feel like you would want to do a risk assessment of your individual customer.
So at a minimum, hopefully you are doing the CIP aspect where you are OFAC screening your customer and obtaining identification on them.
Q: At our institution, we struggle with the long-held view that the online account opening process exposes the bank to additional risk, considering that is now an accepted channel to open accounts. You would have to give everyone points for this channel, which means very little since everyone would have those same points. What is your view?
A: I will give you an example from my institution on a service. Wire transfers in general are considered a higher money laundering risk, but at my institution, our primary product was a revolving line of credit.
For many years, the only way that our customers could advance money from that line or repay it was through wire transfer. So everybody used wire transfers. Therefore, we did not consider every customer slightly higher risk just because they used wire transfers.
It is the same thing here. If the majority of your accounts are being opened online, then you are correct that you would not necessarily add to your risk score on every single customer.
So you need to just look at how you are mitigating what procedures you have. Also, what data collection efforts and so forth are helping to mitigate that anonymity risk from online?
Q: Your risk assessment is only as good as the quality of data that feeds into it. Most FIs have a challenge with getting cleaner data to feed into the risk assessment. So in your experience, what are some steps taken by organizations to resolve data problems in the short term, given the cost and time it takes to fix systems and the data?
A: I guess primarily look at what your inputs are first of all, and the basic data entry controls around those inputs.
How are you capturing the data in the first place? And are you educating the people who are doing the data entry as to what the right answers are, what data they are supposed to be putting in there? Education is key. If it is an online data entry type of process, are there validations occurring to make sure the data they are putting in there makes sense?
Education and then periodic scrubbing of data is an unfortunate fact of life that we used to go through at my institution a couple times a year. We would do big data dumps out of the database of our customer base and start looking for anomalies and things that hadn't been completed, like foreign customer addresses and so forth. You can identify the big anomalies and then just go through that cleanup process.
At my institution, we often involved the relationship managers in that process to review their customers’ AML data and underlying data on an annual basis.
You have to establish controls up front to make sure that the data that is going in is clean. It is the old garbage-in, garbage-out philosophy. Make it as clear and simple as possible for people to input data and input the right data, have validation controls within the system that make sure they're not putting in the wrong data and then doing a scrubbing once a year if possible are really the best ways.
Q: How far in terms of family relationship should a person be linked to a Politically Exposed Person (PEP) and be considered a PEP? So, for example, the nephew of a mayor, the grandchild of a senator? The second part of this question is how long should a PEP still be considered a PEP after leaving office?
A: Obviously, the person themselves would definitely be considered a PEP, but those family relationships fall under your institution's perception of risk.
If you have many PEPs as customers, you may even want to go further down in that relationship to the accounts of children. It also depends on where you can get that data. So how detailed is the PEP list that you have purchased from the AML vendor?
It can depend on whether they step away when they have retired from their political position. That depends on the individual as well.
You can look back to that infamous case of Augusto Pinochet: he was a dictator in Chile, but he was also continuing to do business at Riggs Bank. So technically, he was no longer in his position, but he still had these connections and ties. So I think that is a matter for an individual-by-individual basis. It is up to that institution to decide and it may vary from jurisdiction to jurisdiction.
Q: What do you see examiners require, or expect, when it comes to refreshing CDD for existing customers?
A: That really depends on the examiners; obviously it depends on the regulatory agency and on the individual examiners who are examining your institution. In general, I think they look for something consistent.
As long as you have documented what your update process is, and your rationale behind it, that usually tends to satisfy examiners. I've found over the years that they are less likely to question you or write you up if you can hand them something that says here is our customer due diligence update process, here's what we're doing and here's why we decided to do it this way.
It is totally a risk-based approach and every institution is going to perceive risk differently.
Q: Someone asked a question about cryptocurrencies and their money laundering risk, which is a big topic in itself. We have actually done a number of webinars on virtual currencies with an expert who works very intimately with this area.
A: Here is a link to a white paper: What FIs Need to Know About Cryptos. And here are links to webinars we have done: A Regulatory Understanding of Virtual Asset Types and Their Risks and What FIs Need to know about Cryptos
Q: What tools might a financial institution use to detect hidden connections?
A: Once the beneficial ownership rules took effect and we started collecting that information from new customers, we actually input it into our system. We created a new field within our customer database for beneficial owner names and data and then we could incorporate that into our transaction monitoring system.
Q: How can you be sure of beneficial ownership?
A: Well, you cannot unfortunately. That is the flaw in how the CDD rule has been designed. I am speaking purely from a U.S. perspective here because corporate formation is controlled at the state level not the federal level. Each state can set its own rules for what information it collects when an entity is domiciled there, when an entity is formed and so we have no national database of beneficial owners.
On a state-by-state basis, they may or may not be collecting that information. In most cases, they are not collecting it. They may collect the direct owner of a company that is being formed, but in many cases, it is another company and they do not go any further than that.
So the whole premise of the CDD Rule and collecting beneficial ownership data was that the institution is supposed to collect the data from the customer and then obtain and validate the identification or the identity of that person. You can do that through a driver's license or passport, but there is nothing to say that the person really is the ultimate beneficial owner of this structure of companies.
Q: How can you risk grade your customers when they are in the hundreds of thousands?
A: I do not think you have a choice. You can adopt a type of standardized risk scoring method.
Q: How often do you feel account holder should be revisited outside of OFAC searches?
A: Sanctions screening should be ongoing, but from a customer due diligence perspective, a lot of that depends on the type of account.
Obviously, smaller accounts are not going to be vetted as often, but say a larger business, especially business customer accounts, will oftentimes have a relationship manager assigned to them.
In my institution, the relationship manager was a key player in all of this because they needed to be on top of what was going on with their customers, such as instances of mergers and acquisitions. We had changes in business models and all those types of things that relationship managers would be very aware of.
Q: Do you think that 25 percent ownership threshold for KYC/CDD purposes is enough?
A: Well, the 25 percent threshold is the suggested threshold for beneficial ownership. So in other words, a beneficial owner, according to FinCEN guidelines, is someone who owns 25 percent or more of a legal entity either directly or indirectly.
That is a guideline. Institutions commonly may go lower than that, especially with certain types of accounts. They may say for this type of account, we are going to say we want to identify beneficial owners at 15 percent. So, as far as 25 percent threshold, that is really where my understanding of the guidance comes in.
So then, what you are starting to see in law enforcement is beneficial owners who are only 24 percent or 24.5 percent because they are trying to avoid that threshold.
Q: How should anticipated transactions be documented?
A: Everything should be documented obviously, so you would want to ask your customer and this depends on the different product. But, volume is important and the level of cash activity is important to document. How much, how often do they anticipate this?
Also, wire transfer activity that is incoming or outgoing, domestic or foreign and how much, how often, from where to where, all that kind of information should be collected and documented.
Q: If a potential client cannot provide reasonable details of anticipated activity, would that be a red flag?
A: If it is a brand-new business for example, and they have just opened their business and they are not too sure about what they are going to be doing that is a reasonable explanation.
But they still should have something like a business plan or projections, a pro forma income statement or things like that. They should have some idea of what they are going to be doing through the accounts. So, if they absolutely insist that they have no idea then I would say that is a red flag.
Q: What do Delaware, Wyoming and Nevada do differently that makes it easier to maintain anonymity in forming corporations?
A: In the U.S., the laws governing the formation of corporations are controlled by each state government. In other words, there is no federal law for overall company formations.
These states are small and so they rely significantly on the fees that they charge for forming a corporation. Delaware and Wyoming especially promote that they are not going to collect any information.
In these three states, it is easier to form a corporation than to get a driver's license or a library card. You can do it in about five or 10 minutes online with a credit card to pay the fee. So those are some of the reasons why these have become money laundering havens.
Q: How should adverse media be examined when considering risk factors?
A: You can document that as a risk factor. It depends on the type of client that you have, too, because in the United States, the vast majority of our legal entities have 25 or fewer employees. So the media coverage tends to be on the big companies that everybody knows.
What I found in my experience was that I had very few clients that would ever have any kind of media attention. So it is not as cut and dried, and it may even indicate that you do not even want to open an account for that client if there is a serious level of adverse media.
Q: Can you provide examples of good automated risk rating classification systems? How did you do the risk rating within your organization?
A: Within my organization, we chose our risk factors. We established a scoring methodology for each risk factor and it was cumulative. In other words, the higher your score the higher your risk rating. So, if a customer had very few risk factors, they would have a lower risk rating.
Remember, we are not considering any factor in a vacuum. It is just the fact that someone that has many accounts and uses a lot of products and services has many more interactions and much more activity and has a lot more invested in the bank. It is not as all-encompassing as saying, well, this customer has many accounts and they have been with us a long time, therefore we are just going to call them low-risk. That is not the case.
Q: Is it recommended that the customer risk-rating model be weighted according to the amount of risk that it poses to the institution?
A: Absolutely. This is all based on your institution’s risk perspective. You may consider geographic risk, for example, to be more important than products and services and customer demographics. So perhaps you calculate it and then create a sub score for each one of those three categories. Then you apply a weighting factor to the geographic risk elements to make them more important.
Q: How frequently should risk profiles be reviewed and updated?
A: We get that question a lot. This is also from the perspective of your institution. I would say whenever something changes with that customer - whenever a major change occurs - you should be able to have some kind of a triggering mechanism.
For an individual client, let us say their address changes, you may want to do a review at that time. If there are patterns of activity change, that is also a trigger that something has changed with them and it is time to go back and look at what is going on.
With a business client, if their anticipated activity is writing cheques on their account and they get deposits and all of a sudden they start doing foreign wire transfers, that is a flag that you need to go back and look at. You can speak to the client; maybe they are now doing some import or export business. It can often be a completely legitimate explanation, but something has changed.
If nothing has changed with a client, I would say do the review on an annual basis.
Q: What is the quality assurance process for these risk ratings? How do you assess if the system is doing what it needs to do?
A: What we used to do is test the model. You can create some test customers with various risk factors and then see what their score comes out to be.
You can also take what you know to be an existing client that is high risk and validate that the system is actually rating them that way. Look at their actual behavior and their demographics and products and services and so forth. What is the risk score you come up with and does that reflect what you think it should be?
Testing is critical, and it is not necessarily going to catch everything. You can do a wide range of test cases of all different types of clients that are representative of your different risk ratings, and see that the system is actually rating them that way, and then you can be confident that it is doing what it is supposed to be doing. You should also document your testing.
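A minimal version of the cumulative, weighted scoring and the test-customer validation described in the answers above, added here as an example; it is not the speaker's or CaseWare's system. Factor names, points, category weights, rating thresholds and the test customers are all constructed for illustration.

```python
from dataclasses import dataclass
# Constructed weights: geographic risk counts double, as in the answer on weighting.
CATEGORY_WEIGHTS = {"geography": 2.0, "products_services": 1.0, "demographics": 1.0}
# Constructed points per risk factor; a real institution defines its own factors.
FACTOR_POINTS = {
    "geography": {"high_risk_country": 5, "foreign_address": 2},
    "products_services": {"foreign_wires": 3, "cash_intensive": 3, "many_accounts": 1},
    "demographics": {"layered_ownership": 3, "adverse_media": 4},
}
THRESHOLDS = [(12, "high"), (5, "medium"), (0, "low")]  # constructed score floors

@dataclass
class Customer:
    name: str
    factors: dict  # category -> list of risk factor names present

def sub_scores(customer):
    """Cumulative points per category: more factors present, higher sub-score."""
    scores = {}
    for category, table in FACTOR_POINTS.items():
        present = customer.factors.get(category, [])
        unknown = [f for f in present if f not in table]
        if unknown:  # a mistyped factor must fail loudly, not silently score zero
            raise ValueError(f"{customer.name}: unknown {category} factor(s) {unknown}")
        scores[category] = sum(table[f] for f in present)
    return scores

def risk_score(customer):
    """Weighted sum of the category sub-scores."""
    return sum(CATEGORY_WEIGHTS[c] * s for c, s in sub_scores(customer).items())

def risk_rating(score):
    """Map a score to a rating: the higher the score, the higher the rating."""
    return next(label for floor, label in THRESHOLDS if score >= floor)

def validate_model(test_cases):
    """Score test customers with known expected ratings; return (passed, failures)."""
    failures = []
    for customer, expected in test_cases:
        score = risk_score(customer)
        actual = risk_rating(score)
        if actual != expected:
            failures.append((customer.name, expected, actual, score))
    return len(test_cases) - len(failures), failures
# Constructed test customers, one per rating band, with the rating each should get.
TEST_CASES = [
    (Customer("retail, one product", {"products_services": ["many_accounts"]}), "low"),
    (Customer("importer", {"geography": ["high_risk_country"], "products_services": ["foreign_wires"]}), "high"),
    (Customer("layered entity", {"demographics": ["layered_ownership"], "products_services": ["cash_intensive"]}), "medium"),
]
```

Keeping the returned failures list (name, expected, actual, score) for each run is the documented test record the answer asks for; a non-empty list means either the model or the expected rating needs a second look.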
Q: What is your recommendation for a risk-based approach for updating customer information?
A: That is a challenge for any institution and actually any business. There are a couple of very high-level recommendations.
One would be to make sure that you have good front-end data controls so that someone can't enter, for example, a country code in the state field or in an address, or leave something blank. So make sure that on your front end you have some good controls around data entry.
A second one, which is a big effort, but it is an important effort to do periodically, is doing a data scrub to look for anomalies. Then go back and have those anomalies fixed. Find the underlying root cause of that anomaly and try to find some controls in order to correct it.
Q: What is the best approach for the review of an institution’s overall risk assessment program and how comprehensive should this be? And how should it be documented?
A: Well, you want to clearly document your entire risk assessment process, such as the risk factors you are using, how the data entry occurs and why you chose those factors. I think that part is especially important to document your rationale, especially when someone else is going to be looking at this from the outside, such as a regulator. Also, it helps you think through as you are documenting it exactly why you are doing something a particular way.
When you are going through an examination, they will ask you how you came up with these risk factors and the rationale behind them, and being able to have that documented is golden. That wins you many points with regulators as well as just making it a better program overall for everyone.
Q: Is the FI responsible for obtaining missing information that is used for risk rating the customer prior to the CDD rule?
A: You are not required to go back and collect beneficial ownership information on your existing legal entity customers in the U.S. However, my strong recommendation is that if something changes where you need to go back and review the due diligence on that customer, such as opening a new account, then absolutely collect the beneficial ownership information at that time.
About Anu Sood
Anu Sood (LinkedIn | Twitter) is the Director of Marketing at CaseWare RCM and is responsible for the company’s global marketing strategy. She has over 20 years of experience in product development, product management, product marketing, corporate communications, demand generation, content marketing and strategic marketing in high-tech industries.