Q&A from Elements of Customer Risk – Products and Services

Here are the questions and answers from our attendees at our both recent webinars on Elements of Customer Risk – Products & Services.


Q: Could you please define “anonymity” as you need to do know your customer (KYC) at onboarding of new clients and you have their specimen signature on file?

A: It relates to online account opening where you are not sitting face-to-face across the desk with someone. That is a form of anonymity, more so in terms of the level or types of transactions that they can conduct.

Anonymity is something that is almost inherent in so many of our products and services today with online mobile banking. We are not coming into a branch where you know the teller, or the teller sees the same customers all the time as we used to do in the old days. We knew who our customers were.

Now, there is nothing face-to-face so you do not know who is actually making this deposit. You do not know who is doing this transaction and that could be from a money-laundering perspective or fraud.


Q: How should an FI update its customer risk scoring along with other activities such as fraud?

A: We actually had our fraud and AML people work together, even though some people were specializing in fraud monitoring and the others were in AML monitoring.

An outer pattern transaction might be flagged by the fraud monitoring system that was not flagged by the AML system. So, our fraud analyst and our AML analyst could work together.

If a customer had actual identity theft or account takeover activity, I do not think that makes them higher risk from a money laundering perspective.

It obviously does make them a higher risk from a fraud risk perspective and so within the fraud-monitoring tool there should be a way to set up controls on that account.


Q: Did you say an FI may not exit a relationship with a company with suspicious activities due to its size and volume of business? If so, it begs the question as to why have a risk rating if there is no action based on the results or ratings.

A: That is a huge challenge. In the example I provided we could not prove the activities were money laundering. It had all the hallmarks of a textbook case, but it is that classic case of the sales side of the house and the income-generating side of the house versus the client side of the house.

We could show the sales side that there were unusual things happening. But being a lender, these are long-term contracts and they do have the ability to call the loan.

They make hundreds of thousands of dollars for the bank every year. They pay their bills on time. They pay their interest. They purchase additional products and services. Unless law enforcement came and told us that these people were doing something illegal, there was no way they would do anything about that account.

Of course, law enforcement will never tell you what they are doing. Typically, they do not want you to close the account because they want to see if suspicious activity continues. If you close the account, you are just tipping off the customer and then they go somewhere else.


Q: Do you foresee AML requirements increasing for payment networks?

A: I would hope so, to be honest. It seems like right now the emphasis on cyber currency, Bitcoin and so forth, is getting the most attention because it can truly be anonymous and outside of all the banking regulations and controls.

But I am not sure what is going to happen. It is as if the product development is going faster and the regulatory environment is a slow process.


Q: What is the biggest risk associated to correspondent accounts? And how do you mitigate it?

A: That could be the subject for a whole webinar. In the United States, we have some specific USA Patriot Act sections around requirements for banks that have foreign correspondent accounts and relationships.

They are a higher risk for a number of reasons because essentially one bank is carrying out the financial transactions of another bank’s customers. When you have a foreign bank involved, a U.S. bank is giving access to the U.S. financial system to a foreign bank’s customers. There are many risks associated with it.

So U.S. banks move funds between each other on behalf of their customers through the Federal Reserve, but if a bank does not have access to the FED, like a foreign bank, they need a U.S. bank to run their transactions.

For a U.S. institution, a foreign correspondent bank account is especially risky because they create this relationship where a U.S. financial institution is giving foreign bank customers direct access to the financial system, and the American bank has zero information on these customers.

You cannot really detect suspicious activity because you do not know what is normal and expected and the amount of money that can flow through correspondent accounts can be huge.


Q: What leverage does a bank have to update know your customer (KYC) documents from a commercial loan customer?

A: We simply ask for them. Typically, if a customer does not have some reason to hide something, they will be willing to do so.

If somebody refuses to provide this, you suggest their business to another bank, but remind them that another institution is going to ask you the exact same questions.

Sometimes we would phrase and in terms that made it more palatable for the customer. We would say we want to make sure that we have current information about you and your activities so that we can make sure that no fraudulent activity occurs on your account.

We asked for anticipated- and normal-activity pattern information under the guise of protecting you against fraud – which is true. It also helps from the money laundering perspective as well.


Q: How would you describe the risk level of a financial advisor?

A: If you are a financial advisor, you can only be responsible for something that you have knowledge of. So, if you have the knowledge of what your customer is doing and you see suspicious patterns there, then you would have a responsibility to report those patterns of behavior.

The same thing if you are seeing the KYC information at onboarding and there are things that are left off or things that do not make sense.


Q: Is an account with a SAR automatically high risk?

A: I would say that is a matter of perspective. So sometimes you have one SAR and then what I would do is say OK, a SAR has been filed for something like one bizarre transaction, which makes them a high risk.

Then, over time, that transaction never happens again, so it may very well not have been something truly suspicious. It may have been an anomaly. It may have been something that was actually legitimate, but you could not determine that, so you filed a SAR.

If it never happens again and nothing else ever happens, then that risk score can be brought back down to wherever they were before on your risk appetite — maybe keep them medium-high at this point or medium, but it is all about what they are doing.

It is up to your institution and your risk perspective. If you feel more comfortable saying we filed this SAR, they are going to be high for the rest of their relationship, then go with that.


Q: You said that an average person could structure transactions to avoid the IRS finding out about the sale of his boat for $12,000. This is something we still need to report as structuring, right?

A: Yes. I was just giving that example of a person who is structuring, but he may not be a criminal so to speak. Ordinary people have many misconceptions about cash transaction reporting.

They just think they are protecting themselves from Big Brother or whatever. Therefore, the trick is to try to identify whether they are doing it on a regular basis and for what reasons.

There is also the possibility where this could be a funnel account or this person is acting as a money mule kind of a thing.


Q: Should you stop a transaction if there is a risk of money laundering?

A: No. In the money laundering case, you do not want to stop a transaction with the risk of money laundering.

For fraud, you absolutely stop it. If this is a fraud against your client, you absolutely want to stop the transaction, but money laundering; you want to let that go through because it is suspicious.

There is nothing in the regulations that say you have to close an account. However, it is up to every bank to decide what to do. Your responsibility as a bank is to report suspicious activity.


Q: How would you risk rate these types of services: bill pay, ACH and debit card activity?

A: You have to think like a money launderer. Think about how I could use these activities. Obviously, ACH risks would be in the integration, the layering or the integration phase, so it could be used for that purpose.


Q: What is your opinion around money laundering risks and brokerage accounts? What would you think should qualify as an unusual activity or a potential money laundering risks?

A: I guess that depends on individual brokerage accounts as they can have many different features. Typically, it is used to hold money that has not been invested already.

There are some specific behaviors and activities that can involve say churning — buying and selling stocks rapidly and putting money into the brokerage account and then taking it out. It is sort of the same thing as a checking account, but it is usually harder to do that than it would be for a checking account.
Therefore, it depends on the features.


Q: So are you thinking like the velocity of transactions would be a factor?

A: Yes. Usually you cannot deposit cash and there is no actual currency into a brokerage account. You have to move it from somewhere else or you are writing a check and sending it to be put into an account, so usually it does not have those cash placement risks.

It is more of a layering issue — the layering two-phase risk of money moving in and out of it. Is it being used for what it would normally be intended for or does it appear to be being used for something that was not intended for?


Q: There have been questions around changing behaviors and fraud around COVID-19 Could you provide some advice on areas that compliance teams should look into in terms of behaviors?

A: We have two things going on here. We have got potential fraud committed against the bank’s customer and we have the proceeds of fraud being laundered potentially through the bank.

The recommendation I would have from the fraud side of the house is to make sure that your fraud monitoring tools are looking for patterns of unusual or different behavior. Also, make sure that you follow up with your customer when you start to see things that look unusual.

If customers are paying for something that they are being coerced and/or fooled into making a big donation or whatever, that’s when you want to confirm with your customer that they have actually initiated this transaction.

On the money laundering side, look for unusual patterns in existing accounts or in new accounts, where you would be seeing money coming in and then immediately going out. Someone who is laundering the proceeds of fraud is going to put it into the financial system through depositing it into an account. Then they are moving it out immediately.

It fits all those same standard patterns or well-known patterns for money laundering. Red flags are going to be here, just possibly in greater volume.


Q: Many of the cash-based and intensive businesses are not deemed essential services under COVID-19 and they are closed. What do you think about monitoring their deposits because if they are closed they should not be having money coming in?

A: That is a very good point. Therefore, if you can tweak your systems, there may be a flag on all business accounts for large cash deposits. For cash based businesses that are still open, they are going to continue to have activity and potentially more activity.

Businesses like grocery stores and convenience stores are open and are typically cash-based. Therefore, you may even see kind of a spike in those types of businesses. It is worth a look.


Q: One more person said the risk scoring should not only consider the behavior of one financial institution. But what about focusing on a country. How could this be implemented?

A: There is all kinds of risk factors of a particular country that can make it at a higher propensity to facilitate money laundering. So look at all institutions in that country.



Elements of Customer Risk: Products & Services, Activity Patterns and Behaviors

In this webinar we explore how a customer’s anticipated transaction activity, products and services can impact their risk score. We delve into various patterns of higher risk and red flag customer transactions and behaviors, and how these and other factors impact an evolving risk score over the life of the customer relationship.


Elements of Customer Risk: Profiles and Relationships

Customer risk rating is an integral part of the customer due diligence process, yet it can be a difficult tool to implement. The risk tolerance of the organization, what products are used, what data is available and the weighting of each risk factor are just some of the variables that need to be considered to determine whether the overall aggregate score is considered high-, medium- or low- risk.

In Part 1 of this webinar series, Laurie Kelly, CAMS will discuss her experience with calculating risk ratings and things that every financial institution should consider. Attendees will learn about the objectives and fundamentals of customer risk scoring, as well as a logical way to categorize types of risks.

She will then review various risk factors to consider when assessing customer risk from a demographic/profile and relationships perspective.

Finally, Laurie will explore separately individual and business/commercial customers risk factors but with a greater focus on business customers, which have more nuanced and complex risk considerations.


Q&A Elements of Customer Risk: Profile and Relationships

Here are the questions and answers from our attendees at our recent webinars on Elements of Customer Risk: Profile and Relationships.

Q: In the FFIEC ‘Customer Due Diligence’, it states “An understanding based on “categories of customers” means that for certain lower-risk customers, the bank’s understanding of the nature and purpose of a customer relationship can be developed by inherent or self-evident information such as the type of customer, the type of account opened, or the service or product offered.

The question is, in general for an FI that offers a single product (i.e. on-line loans), which is inherently low-risk – can an FI document that as such, and not be ‘required’ to have a customer risk profile (customer risk rating) at on-boarding?

A: Depending on the actual type of financial institution, if they are subject to the anti-money laundering regulations of the Bank Secrecy Act (BSA), then I believe they should individually risk rate their customers, even though they only offer one product.

That is my opinion, but again, it all comes back to those institutions again. What is their regulatory environment? And what is their regulatory requirement? And what is their perception of risk?  With an online loan, you have that anonymity factor. How much does use the product you are offering facilitate money laundering?  So could someone get a loan and then say repay it back a week later? How much does that product facilitate money laundering? I personally would feel like you would want to do a risk assessment of your individual customer.

So at a minimum, hopefully you are doing the CIP aspect where your OFAC screening your customer and obtaining identification on them.


Q:  At our institution, we struggle with the long-held view that the online account opening process exposes the bank to additional risk, considering that is now an accepted channel to open accounts. You would have to give everyone points for this channel, which means very little since everyone would have those same points. What is your view?

A: I will give you an example from my institution on a service. Wire transfers in general are considered a higher money laundering risk, but at my institution, our primary product was a revolving line of credit.

For many years, the only way that our customers could advance money from that line or repay it was through wire transfer. So everybody used wire transfers. Therefore, we did not consider every customer slightly higher risk just because they used wire transfers.

It is the same thing here. If the majority of your accounts are being opened online, then you are correct that you would not necessarily add to your risk score on every single customer.

So you need to just look at how you are mitigating what procedures you have. Also, what data collection efforts and so forth are helping to mitigate that anonymity risk from online?


Q: Your risk assessment is only as good as the quality of data that feeds into it. Most FIs have a challenge with getting cleaner data to feed into the risk assessment. So in your experience, what are some steps taken by organizations to resolve data problems in the short term, given the cost and time it takes to fix systems and the data?

A: I guess primarily look at what your inputs are first of all, and the basic data entry controls around those inputs.

How are you capturing the data in the first place? And are you educating the people who are doing the data entry as to what the right answers are, what data they are supposed to be putting in there? Education is key. If it is an online data entry type of process, are there validations occurring to make sure the data they are putting in there makes sense?

Education and then periodic scrubbing of data is an unfortunate fact of life that we used to go through at my institution a couple times a year. We would do big data dumps out of the database of our customer base and start looking for anomalies and things that hadn’t been completed, like foreign customer addresses and so forth. You can identify the big anomalies and then just go through that cleanup process.

At my institution, we often involved the relationship managers in that process to review their customers’ AML data and underlying data on an annual basis.

You have to establish controls up front to make sure that the data that is going in is clean. It is the old garbage-in, garbage-out philosophy. Make it as clear and simple as possible for people to input data and input the right data, have validation controls within the system that make sure they’re not putting in the wrong data and then doing a scrubbing once a year if possible are really the best ways.


Q: How far in terms of family relationship should a person be linked to a Politically Exposed Person (PEP) and be considered a PEP? So, for example, the nephew of a mayor, the grandchild of a senator? The second part of this question is how long should a PEP be still be considered a PEP after leaving office?

A: Obviously, the person themselves would definitely be considered a PEP, but those family relationships fall under your institution’s perception of risk.

If you have many PEPs as customers, you may even want to go further down in that relationship to the accounts of children. It also depends on where you can you get that data. So how detailed is the PEP list that you have purchased from the AML vendor?

It can depend whether they step away when they have retired from their political position. That depends on the individual as well.

You can look at look back to that infamous case of Augusto Pinochet as he was a dictator in Chile, but he was also continuing to do business at Riggs Bank. So technically, he was no longer in his position, but he still had these connections and ties. So I think that is a matter for an individual-by-individual basis. It is up to that institution to decide and it may vary from jurisdiction to jurisdiction.


Q:  What do you see examiners require, or expect, when it comes to refreshing CDD for existing customers?

A: That really depends on the examiners obviously depends on the regulatory agency and on the individual examiners who are examining your institution. In general, I think they look for something consistent.

As long as you have documented what your update process is, and your rationale behind it, that usually tends to satisfy examiners. I’ve found that over the years that they are less likely to question you or write you up, if you can hand them something that says here is our customer due diligence update process, here’s what we’re doing and here’s why we decided to do it this way.

It is a totally a risk-based approach and every institution is going to perceive risk differently.


Q: Someone asked a question about cryptocurrencies and their money laundering risk, which is a big topic in itself. We have actually done a number of webinars on virtual currencies with an expert who works very intimately with this area.

A: Here is a link to a white paper: What FIs Need to Know About Cryptos. And here are links to webinars we have done: A Regulatory Understanding of Virtual Asset Types and Their Risks and What FIs Need to know about Cryptos


Q: What tools might a financial institution use to detect hidden connections?

A: Once the beneficial ownership rules took effect and we started collecting that information from new customers, we actually input it into our system. We created a new field within our customer database for beneficial owner names and data and then we could incorporate that into our transaction monitoring system.


Q:  How can you be sure of beneficial ownership? 

A: Well, you cannot unfortunately. That is the flaw in how the CDD rule has been designed. I am speaking purely from a U.S. perspective here because corporate formation is controlled at the state level not the federal level. Each state can set its own rules for what information it collects when an entity is domiciled there, when an entity is formed and so we have no national database of beneficial owners.

On a state-by-state basis, they may or may not be collecting that information. In most cases, they are not collecting it. They may collect the direct owner of a company that is being formed, but in many cases, it is another company and they do not go any further than that.

So the whole premise of the CDD Rule and collecting beneficial ownership data was that the institution is supposed to collect the data from the customer and then obtain and validate the identification or the identity of that person. You can do that through a driver’s license or passport, but there is nothing to say that the person really is the ultimate beneficial owner of this structure of companies.


Q: How can you risk grade your customers when they are in the hundreds of thousands?

A: I do not think you have a choice. You can adopt a type of standardized risk scoring method.


Q: How often do you feel account holder should be revisited outside of OFAC searches?

A: Sanctions screening is be ongoing, but from a customer due diligence perspective, a lot of that depends on the type of account.

Obviously, smaller accounts are not going to be vetted as often, but say a larger business, especially business customer accounts, will often times have a relationship manager assigned to them.

In my institution, the relationship manager was a key player in all of this because they needed to be on top of what was going on with their customers, such as instances of mergers and acquisitions. We had changes in business models and all those types of things that relationship managers would be very aware of.


Q:  Do you think that 25 percent ownership threshold for KYC/CDD purposes is enough?

A: Well, the 25 percent threshold is the suggested threshold for beneficial ownership. So in other words, a beneficial owner, according to FinCEN guidelines, is someone who owns 25 percent or more of a legal entity either directly or indirectly.

That is a guideline. Institutions commonly may go lower than that, especially with certain types of accounts. They may say for this type of account, we are going to say we want to identify beneficial owners at 15 percent. So, as far as 25 percent threshold, that is really where my understanding of the guidance comes in.

So then, what you are starting to see in law enforcement is beneficial owners who are only 24 percent or 24.5 percent because they are trying to avoid that threshold.


Q: How should anticipated transactions be documented? 

A: Everything should be documented obviously, so you would want to ask your customer and this depends on the different product. But, volume is important and the level of cash activity is important to document. How much, how often do they anticipate this?

Also, wire transfer activity that is incoming or outgoing, domestic or foreign and how much, how often, from where to where, all that kind of information should be collected and documented.


Q: If a potential client cannot provide reasonable details of anticipated activity, would that be a red flag?

A: If it is a brand-new business for example, and they have just opened their business and they are not too sure about what they are going to be doing that is a reasonable explanation.

But they still should have something like a business plan or projections, a pro forma income statement or things like that. They should have some idea of what they are going to be doing through the accounts. So, if they absolutely insist that they have no idea then I would say that is a red flag.


Q: What do Delaware, Wyoming and Nevada do differently that makes it easier to maintain anonymity in forming corporations? 

A: In the U.S., the laws governing the formation of corporations are controlled by each state government. In other words, there is no federal law for overall company formations.

These states are small and so they rely significantly on the fees that they charge for forming a corporation. Delaware and Wyoming especially promote that they are not going to collect any information.

In these three states, it is easier to form a corporation than to get a driver’s license or a library card. You can do it in about five or 10 minutes online with a credit card to pay the fee. So those are some of the reasons why these have become money laundering havens.


Q: How should adverse media be examined when considering risk factors?

A: You can document that as a risk factor. It depends on the type of client that you have to because in the United States, the vast majority of our legal entities have 25 or fewer employees. So the media coverage tends to be on the big companies that everybody knows.

What I found in my experience was that I had very few clients that would ever have any kind of media attention. So it is not as cut and dry and it may even indicate that you do not even want to open an account for that client if there is a serious level of adverse media.


Q: Can you provide examples of good automated risk rating classification systems? How did you do the risk rating within your organization? 

A: Within my organization, we chose our risk factors. We established a scoring methodology for each risk factor and it was cumulative. In other words, the higher your score the higher your risk rating. So, if a customer had very few risk factors, they would have a lower risk rating.

Remember we are not considering any factor in a vacuum. It is just the fact that someone that has many accounts and uses a lot of products and services has much more interactions in much more activity and has a lot more invested in the bank. It is not all encompassing as saying well, this customer has many accounts and they have been with us a long time. Therefore, we are just going to call them low-risk. That is not the case.


Q: Is it recommended that the customer risk-rating model be weighted according to the amount of risk that it poses to the institution?

A: Absolutely. This is all based on your institution’s risk perspective. You may consider geographic risk, for example, to be more important than products and services and customer demographics. So perhaps you calculate it and then create a sub score for each one of those three categories. Then you apply a weighting factor to the geographic risk elements to make them more important.


Q: How frequently should risk profiles be reviewed and updated?

A:  We get that question a lot. This is also from the perspective of your institution. I would say whenever something changes with that customer – whenever a major change occurs – you should be able to have some kind of a triggering mechanism.

For an individual client, let us say their address changes, you may want to do a review at that time. If there are patterns of activity change, that is also a trigger that something has changed with them and it is time to go back and look at what is going on.

With a business client, if their anticipated activity is writing cheques on their account and they get deposits and all of a sudden, they start doing foreign wire transfers, that is a flag that you need to go back and look at. You can speak to the client as maybe they are now doing some import or export business. It can often be a completely legitimate explanation, but something has changed.

If nothing has changed with a client, I would say do the review on an annual basis.


Q: What is the quality assurance process for these risk ratings? How do you assess if the system is doing what it needs to do?

A: What we used to do is test the model. You can create some test customers with various risk factors and then see what their score comes out to be.

You can also take what you know to be an existing client that is high risk and validate that the system is actually rating them that way. Look at their actual behavior and their demographics and products and services and so forth. What is the risk score you come up with and does that reflect what you think it should be?

Testing is critical and it is not going to necessarily catch everything. You can do a wide range of test cases of all different types of clients that are representative of your different risk ratings, and seeing that the system is actually rating them that way, and then you can be confident that it is doing what it is supposed to be doing. In addition, you should document your testing as well.


Q: What is your recommendation for a risk-based approach for updating customer information? 

A: That is a challenge for any institution and actually any business. There are a couple very high-level recommendations.

One would be make sure that you have good front-end data controls that someone can’t enter, for example, a country code in the state field, or in an address or they can’t leave something blank. So making sure that in on your front end you have some good controls around data entry.

A second one, which is a big effort, but it is an important effort to do periodically, is doing a data scrub to look for anomalies.  Then go back and have those anomalies fixed. Find the underlying root cause of that anomaly and try to find some controls in order to correct it.


Q: What is the best approach for the review of an institution’s overall risk assessment program and how comprehensive should this be? And how should it be documented? 

A: Well, you want to clearly document your entire risk assessment process, such as the risk factors you are using, how the data entry occurs and why you chose those factors. I think that part is especially important to document your rationale, especially when someone else is going to be looking at this from the outside, such as a regulator. Also, it helps you think through as you are documenting it exactly why you are doing something a particular way.

When you going through an examination, they will ask you how you came up with these risk factors and the rationale behind them and being able to have that documented is golden. That wins you many points with regulators as well as just making it a better program overall for everyone.


Q: Is the FI responsible to obtain missing information that is used for risk rating the customer prior to the CDD rule?

A: You are not required to go back and collect beneficial ownership information on your existing legal entity customers in the U.S. However, my strong recommendation is that if something changes where you need to go back and review the due diligence on that customer, such as opening a new account, then absolutely collect the beneficial ownership information at that time.



About Anu Sood

Anu Sood (LinkedIn | Twitter) is the Director Marketing at CaseWare RCM and is responsible for the company’s global marketing strategy. She has over 20 years of experience in product development, product management, product marketing, corporate communications, demand generation, content marketing and strategic marketing in high-tech industries.


Product Manager


We are the good guys. Every year billions of dollars are laundered internationally, supporting drug trafficking, smuggling, fraud, extortion and corruption, enabling organized crime to continue their criminal activities. CaseWare RCM (www.caseware.com/alessa), a division of CaseWare International Inc., is one of the fastest-growing companies creating advanced and comprehensive solutions (Alessa) to combat theft, money laundering, bribery and many other forms of financial crime.


About the Role:

The Product Manager is a key role in the product team focusing on creating fresh solutions to help our clients fight financial crime and maintain compliance.

You will lead the charge in innovating and growing Alessa’s AI-driven analytics and enhanced investigative and compliance capabilities.

You will also always be in touch with customers to thoroughly understand their needs, define the product vision, gather and prioritize product requirements, and partner with engineering, design, sales, marketing and operations to ensure revenue and customer satisfaction goals are met.

The role requires considerable knowledge of suspicious activity monitoring, investigations in a financial institution setting and reporting to regulators, but if you get excited about creating beautifully simple solutions to complex problems, then CaseWare RCM is the perfect place for your creative energies.



  • Communicate, enroll and create excitement and commitment for the product roadmap and vision both internally and externally
  • Identify new growth opportunities, backed by business cases, for AML suspicious activities monitoring capabilities within the Alessa platform.
  • Acts as the voice of the customer and become obsessed with making compliance officers’ lives simpler
  • Prioritize analytics opportunities using continuous market research and competitive analysis
  • Understand and define clients’ pain points and develop solution artifacts and use cases for the Engineering teams
  • Work closely across sales, marketing and engineering (both internally and with partners) to help establish the strategy and execution
  • Support sales activities as a product expert required to drive new client acquisition and retain client base
  • Be an evangelist with a relentless sense of curiosity in demonstrating and validating product capabilities
  • Collaborate with customers, team members, and outside influencers to drive innovation



  • Bachelor’s degree or equivalent
  • At least 2 years’ experience as a Product Owner/Manager translating business requirements and analysis into consumer facing digital products
  • 3-5 years of AML suspicious activities and transaction analytics and investigation in relevant industries
  • Experience in Agile product management and/or pragmatic product marketing
  • Quantitative and business analysis skills; Strong project management and time management skills
  • Interpersonal skills with keen ability to explain complex concepts across the organization and to large audiences
  • Experience as a public speaker or influencer would be an asset

Product Support Analyst


We are the good guys. Every year billions of dollars are laundered internationally, supporting drug trafficking, smuggling, fraud, extortion and corruption, enabling organized crime to continue their criminal activities. CaseWare RCM (www.caseware.com/alessa), a division of CaseWare International Inc., is one of the fastest-growing companies creating advanced and comprehensive solutions (Alessa) to combat theft, money laundering, bribery and many other forms of financial crime.


About the Role:

CaseWare RCM is looking for a passionate and driven Product Support Analyst that is obsessed with customers having an awesome experience.

You bring a wealth of technical and business acumen to the business and your hands-on approach and analytical skills are second to none. With a broad and deep understanding of various areas within the infrastructure and applications realm, you thrive in a fast-paced and dynamic environment.

As a member of the Technical Operations Group, you will identify risks and opportunities and proactively manage them as required. If you are interested in bringing your excellent technical expertise and shining personality to CaseWare RCM, we want to hear from you!


What you will be doing:

  • Provide beginning-to-end resolution to reported issues for Alessa solutions
  • Work with clients on technical issues such as dashboard visualization, workflows, case management and other product features
  • Work closely with technical writer to drive customer education
  • Provide methodical guidance to customers, distribution partners, and colleagues as required
  • Interact with CaseWare Agile teams in reporting and documentation of defects and enhancement requests
  • Work directly with our development team and participate in the development/enhancement of Alessa solutions and projects. This may include needs analysis, documentation, script development, testing, and installation/implementation tasks
  • Work and act in accordance with our core values
  • Communicate effectively, both verbal and written



  • Ability to explain complicated technical issues in a easy to understand way for end users
  • Experience in customer education
  • Working knowledge of networking in corporate environments
  • Excellent troubleshooting and issue resolutions skills
  • Experience with electronically licensed software
  • Understanding of database platforms, data analysis and retrieval
  • Excellent communication skills – written and verbal
  • Strong sense of ownership, urgency, and drive
  • Ability to multi-task and work with little or no supervision
  • Ability to work under pressure
  • Good time management and priority handling
  • Fluency in Spanish or other languages would be an asset
  • Minimum 3 years of proven working experience in support positions and/or customer service
  • Excellent customer service skills
  • Experience working in an Agile environment and demonstrated expertise in communication for the success of all agile teams
  • Ability to interface on a technical level with both management and development teams
  • Good understanding of cloud computing, AI, ML, computer software, web services, micro services, and other technologies


Preferred Requirements:

  • Minimum 3 years of proven working experience in support positions and/or customer service
  • Excellent customer service skills
  • Experience working in an Agile environment and demonstrated expertise in communication for the success of all agile teams
  • Ability to interface on a technical level with both management and development teams
  • Good understanding of cloud computing, AI, ML, computer software, web services, micro services, and other technologies


Technical Writer


We are the good guys. Every year billions of dollars are laundered internationally, supporting drug trafficking, smuggling, fraud, extortion and corruption, enabling organized crime to continue their criminal activities. CaseWare RCM (www.caseware.com/alessa), a division of CaseWare International Inc. , is one of the fastest-growing companies creating advanced and comprehensive solutions (Alessa) to combat theft, money laundering, bribery and many other forms of financial crime.


About the Role:

CaseWare RCM is looking for a creative and passionate Technical Writer who wants to break the mold of content that nobody uses. You want to be different, daring and create content that resonates with its audience.

We would love for you to be curious and obsessed about learning how things work, and then channel that knowledge to create reference content, tutorials and guides. You will work closely with all our teams and customers to identify ways to improve our technical content and its delivery.


What you will be doing:

  • First order of business is to move the organization away from producing content for the sake of producing content.
  • Catalog what is available, organize and understand what is already created.
  • Interact with stakeholders and customers to understand what they really want and identify the gaps.
  • Bridge the gaps in innovative ways while taking risks to exceed expectations.
  • Design new ways for content to be delivered and how it interacts with the audience.
  • You will at a minimum create and maintain documentation covering:
  • Participate in our Agile processes
  • Apply industry best practices for information management and localization through the use of authoring tools and source control
  • Review user interface and participate in user experience and design sessions
  • Develop and maintain a strong understanding of subject matter, use cases, and scenarios
  • Assist in process optimization
  • Participate in the creation of educational content
  • Consistently presenting product information in an engaging manner while providing relevant industry examples and use cases while ensuring the quality, accuracy, and time to deliver.
  • Communicate effectively, both verbal and written
  • User manuals, guides, tutorials, etc.
  • APIs
  • Deployments (Cloud, Hybrid and On-Premises)



  • Expert in style guidelines for user interface and ability to enhance the overall user experience by providing clear and succinct instructions for the products
  • Ability to present product information in an innovative manner without sacrificing quality, accuracy, and time to deliver
  • Champion of current industry best practices with respect to information architecture and management tools while also up-to-date on current industry trends
  • Strong attention to detail and organizational skills
  • Team oriented, and thrives in highly collaborative situations
  • Strong sense of ownership, urgency, and drive
  • Passion for delivering projects and communications on time with the highest quality
  • Minimum 3 years of proven working experience in technical writing of software documentation, including building from scratch and implementing documentations for APIs
  • Excellent communication skills, both written and verbal
  • Experience working in an Agile environment and demonstrated expertise in communication for the success of all agile teams
  • Ability to interface on a technical level with both management and development teams
  • Experiencing partnering with Developers and technical cross-functional teams to translate technical concepts for all audiences
  • Experience producing high-quality internal and external documentation that meets applicable standards and is appropriate for its intended audience
  • Demonstrated experience working with tools like MadCap Flare and/or other authoring tools and standard MS Office tools (e.g. PowerPoint, Visio, Word, Excel, etc.) to produce visually appealing and concise documents and diagrams for the intended audiences
  • Good understanding of Cloud computing, AI, ML, web services, micro services, and other technologies


Preferred Requirements:

  • Minimum 3 years of proven working experience in technical writing of software documentation, including building from scratch and implementing documentations for APIs
  • Excellent communication skills, both written and verbal
  • Experience working in an Agile environment and demonstrated expertise in communication for the success of all agile teams
  • Ability to interface on a technical level with both management and development teams
  • Experiencing partnering with Developers and technical cross-functional teams to translate technical concepts for all audiences
  • Experience producing high-quality internal and external documentation that meets applicable standards and is appropriate for its intended audience
  • Demonstrated experience working with tools like MadCap Flare and/or other authoring tools and standard MS Office tools (e.g. PowerPoint, Visio, Word, Excel, etc.) to produce visually appealing and concise documents and diagrams for the intended audiences
  • Good understanding of Cloud computing, AI, ML, web services, micro services, and other technologies


Beneficial Ownership: Update on U.S., Canada, and EU Rules

Legislation and regulations around beneficial ownership information is changing across various jurisdictions: Private registry? Public registry? Access? Information collected? Obligations? Privacy? – there are many issues and aspects to consider.

In this webinar, James Cohen, Executive Director at Transparency International (TI) Canada, will provide an overview of current corporate transparency regulations across various jurisdictions and the status of their implementation. He will pay special attention to the progress that has been made in Canada – both at a provincial and federal level. Finally, James will outline the framework that TI Canada has set forth for a made-in-Canada registry and the reasons for their position.


Q&A from Beneficial Ownership Rules: Global and Canada Perspective

James Cohen, executive director of Transparency International Canada hosted a webinar with CaseWare RCM’s Alessa recently to discuss the state of beneficial ownership requirements globally and in Canada.

Here are the questions and answers from our attendees:


Q: What is that Transparency International Canada is asking for?

A: We want to see a centralized, publicly accessible registry of beneficial ownership within Canada where all jurisdictions can feed their information. We would also like to see beneficial ownership disclosure in real estate transactions. We want to see verification of that information. Any registry would need strong enforcement and sanctions within it. We also want to see strong sanctions that criminals don’t see is just the cost of doing business.


Q: Why a public registry? Why does it need to be accessible?

A:  We believe it is a deterrent effect and an example of this is Scottish limited Partnerships within the UK that up to 2015 were not required to disclose ultimate beneficial ownership.  They were being used by a number of entities coming from known secrecy jurisdictions such as Cyprus or Malta. But the second they became public, there was an 80% drop off in registry of Scottish limited Partnerships.


Q: One of the questions that came in was as a publicly traded company regulated by number of organizations.

A: I would say yes for board members of publicly traded companies. This is often a public information. And the idea is that this is to distinguish between individuals. This is why we would call for unique identifier numbers so that people on a registry can be more easily identified with less and less of their information being known.


Q: How do you feel about public registries having confidential information available to relevant authorities, i.e. kidnapping and other safety concerns in vulnerable countries?

A: In a country like Canada, there is a low expectation of privacy under the Charter of Rights for the information that we are asking be disclosed. We believe in following the example set by the U.K. that on a case-by-case basis people can apply for their information to be withheld for safety reasons. We’d note that in the UK with thousands of companies, only a few hundred applied for exemption and only about three actually got an exemption. There has not been a spike of kidnappings in the UK. For a publicly traded company, much of this information has been disclosed already.  Why should information not be disclosed just because you are in a private company?


Q: This is a Canadian question. How does the beneficial ownership requirements impact credit issuers who issue credit cards for a commercial business?

A: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) has updates on credit cards. There are a number of law firms who have been posting reviews of the PCMLTFA. I would encourage you to look through their posts to get the credit card information updates. There is also a lot of information on the FINTRAC guidance website.  And I also know that there are updates coming on cryptocurrencies.


Q: Where can we find out more on beneficial ownership?

A: For Canada, the definition of beneficial owner is listed on Finance Canada’s website and with FINTRAC. So at least for Canada you can find it on the government’s website and that would be your working definition for regulation compliance.


Q: Do you think that having the definition on the website would be the same for almost every regulator?

A: I would search for beneficial ownership at each regulator. I would start there as that explains what is the percentage ownership. For Canada, there is a 25% threshold.


Q: Coming back to the corruption index, someone asks if the 2019 results are available as it would be interesting to see where Russia landed?

A: Everything is available for the CPI, which you can find at transparency.org. It is a composite index that comes from a number of different sources. So sometimes there can be a lag if issues were implemented in 2019, they might be reflected in the 2020 index that would come out next year.


Q: Will the Land Owner Transparency Act (LOTA) in B.C. expose money laundering or proceeds of crime?

A: It’s not in implementation yet. We’re still waiting for it to go online. However, there’s some initial numbers showing that price of housing prices have cooled in Vancouver.

I believe its reports on anonymous ownership have gone down and that not just because of LOTA coming in but also because of taxes on foreign ownership. There are reports of criminals moving to Ontario casinos to conduct the exact same operations.


Q: Do you foresee properties being repossessed possibly by the government if washing is confirmed?

A:  Yes, if the cases can be made as potentially money laundering, we could see asset seizure there.


Q: Are there third party vendors that collect and provide beneficial ownership information in Canada?

A: There are some third party vendors that investigate information to confirm it. There is no one who holds on to beneficial ownership information, but there are companies that will review it and verify it if possible.


Note: Some of the questions that were sent in were not answered as they were very specific to some financial industries or specific job-related tasks.

For more information on Transparency International Canada, visit the TI Canada website to learn more about the organization and their campaign to push for a national beneficial ownership registry and ways to shine a light on “snow washing.”  For those of you who want to support Transparency International Canada, you can also become a member or donor.

CaseWare RCM’s Alessa website features a number of articles, videos and best practices surrounding beneficial ownership, including our white paper on complying with the FinCEN final rule – stay tuned for more updates!


Edeka: Using Alessa for Tax Compliance

About Edeka

Edeka is one of the largest food companies in Germany with more than 11,000 supermarkets in its retail food chain. In 2018, the Edeka Group, which includes EDEKA Südwest, had total annual sales of EUR 53.6 billion.



For large corporations, the implementation of a tax compliance system is particularly important for ongoing compliance and audits. Some of the challenges include:

  • Tracking thousands of items with different tax rules, depending on country of origin and item types
  • Knowing what tax rates to apply and reporting correctly
  • Creating an auditable process

“It is a challenge to establish a tax compliance culture in a company and to actively manage and monitor compliance and implementation of tax obligations across all areas of the company,” explains Florian Faißt, head of taxes at Edeka Südwest.

In addition to enhancing compliance to taxation rules, Edeka Südwest needed to comply with Germany’s GoBD directive, which governs management and storage of electronic data. These directives and a number of internal issues gave the company reasons to review their previous compliance culture and internal control systems.



The company’s financial administrators decided to use the Alessa by CaseWare RCM to help them improve their compliance to tax regulations, conform to the GoBD directive, enforce internal controls and prevent fraud.

“When searching for a solution for mass data analysis and implementation of automatic controls, we focused on the amount of data to be processed, the process automation capabilities and what would be acceptable for the financial administration department. It was also crucial for us that the solution be implemented by Audicon and Alessa met all these requirements,”says Faißt.

In partnership with Audicon, Edeka Südwest implemented a company-wide compliance and risk management system using Alessa. They developed and implemented testing procedures in the solution to ensure that the correct sales tax was applied for every invoice. These are checked each day with the push of a button.

Edeka Südwest also decided to implement additional standard controls including:

  • Automatic online confirmation of the validity of VAT IDs (sales tax identification number) of foreign customers. The query is carried out daily online and is documented in the system with a timestamp
  • Search for insurance bills where the input tax has been deducted. The goal is to reduce the unauthorized deduction of input taxes
  • Use of potentially incorrect tax codes (comparison of tax codes with business partner country)
  • Identify mismatches in payment terms of suppliers. The aim is to standardize payment terms.
  • Flag invoices for which no cash discount has been deducted
  • Identify invoices that were paid twice
  • Comply with the Money Laundering Act (EU Directive 2018/843) by identify customers who pay invoices with more than EUR 10,000 in cash
  • Identify cases where several invoices from the same payee are posted again using an anonymous accounts payable account
  • Comply with segregation of duties policies by identifying users who are both allowed to change vendor master data and to post invoices. The goal is a clean and documented controlled segregation of duties and to avoid instances of fraud.

Depending on relevance and need, these automatic tests are scheduled to run daily, weekly, quarterly or annually.



Alessa made it possible to process large amounts of data automatically with high speed and low system load. The ability to automatically check every invoice has not only increased the company’s compliance to internal controls, it has also has reduced the chances of errors and fraud.

“In the past, these tests were largely manual and random, but now they are completely automatic with Alessa,” says Faißt. “The time they saved is now used to carry out other analysis.”

With Alessa, responsibilities can be clearly organized and the integrated workflow and escalation management ensures that the appropriate responses are set in motion for any issue that needs further investigation.

Finally, Alessa’s ability to adapt to the company’s own processes and across all departments allows Edeka Südwest to keep an eye on risk points. Without this tool, compliance officers would not be able to conclusively demonstrate to management and regulators that compliance is a top priority for the company.

“This is an advantage over competing solutions, because standardized solutions do not have the flexibility to address the complexities of our processes and therefore do not deliver satisfactory results,” said Faißt.


Audicon as a strong partner

“The decisive factor for our cooperation with Audicon was that we got to know Audicon GmbH as a powerful partner with a lot of project experience. It was also important for us that Audicon worked with financial authorities and auditors and the resulting knowledge and experience, which can also be transferred and applied well to Edeka Südwest,”said Faißt.