Not All High Risk Customers Are Created Equal
October 30, 2020
High-risk customers are typically put into one big box that has the same approach, management, and reporting. However, not all high-risk customers present an equal amount of risk to the institution. If customers are unregulated or function under less regulations, it often presents a higher degree of risk to the institution banking them. This is called the transference of risk.
In this webinar, we review the various types of higher risk customers, what makes them high risk, and methods for effective management.
Topics covered during the webinar include:
- Regulated vs. Unregulated Industries
- Common high-risk customer types
- Transference of risk
- Common threats and vulnerabilities of high-risk customers
- What an effective high-risk customer review looks like
- How a high-risk customer review can change the overall management of the customer
Here are the answers from Sarah Beth Felix CAMS, M.F.S., Founder/President at Palmera Consulting to some of the questions that were asked during the session.
Q: How do you verify the risk of intangible businesses such as marketing, media, affiliate and marketing companies?
A: I start by trying to verify that the revenue is legitimate. I always start with open-source research. If I Google that marketing company and I can’t find anything on them, that’s always a good sign to me that they probably can’t justify as much revenue as I see coming in. Because if I can’t find it, then how are other people going to find them in order to engage with them and pay them for their advice?
When you see any business that has any type of revenue, whether or not it’s a service or a product, if you can’t find them in the first one or two pages of Google, you will want to dig into how do their customers find them. That is where I would start.
Q: What about the customers that serve riskier businesses, such as attorneys specializing in real estate transactions?
A: There are no AML regulations in the U.S. for attorneys, real estate or closing agents or title agents. If you go to the EU, Australia, etc., they’re fully prescriptive.
So if you are dealing with this group of customers, you have to deal with two different threats. You have to deal with an attorney that knows exactly how to get around the rules because they know the law, and that’s one of the inherent threats with lawyers. And then you’re also dealing with the anonymity and the kind of blind spot that comes when dealing with real estate where money is flowing back and forth.
Really, the only thing that I urge my clients to do is to do as much research as they can on the wires that are coming in and out. Go to the county tax assessor site, look at taxable value of the house at that address and compare it to the amounts being sent on the wires. If it is hundreds of thousands of dollars less, that’s a red flag.
Now, that doesn’t necessarily mean that they’re doing something illegal, but that’s something that you can’t resolve. If you’re seeing that they’re also depositing cash, that should be something that should go into that riskier bucket.
If you know that that title agent is in a GTO (a geographical targeting order) that came out from FinCEN, that should automatically go in the riskier bucket. So there are different flags that when used together gives you that feeling of, “I think they’re okay for now, but I’m gonna keep an eye on them”.
Q: Are you able to elaborate on how to effectively obtain information via 314(b)? As you’re stating some banks don’t want to share this.
A: In my experience, U.S. institutions aren’t going to respond if you are using a 314(b) to ask about fraud or money laundering. Instead ask specific questions or say you’re performing an EDD (Enhanced Due Diligence) review on this customer.
If you see that a customer is writing large dollar checks from their account, ask if they can provide the source of funds and either the names or the industries on any details on inbound money to the account from which they’re writing checks from.
If you’re reaching out to a big credit card company, I would ask what are the merchant codes of where their payments are going out to. I had one time where we had to investigate large payments to a large credit card company. We wanted to know what the client was spending their money on where they were paying hundreds of thousands of dollars every quarter out to their credit card.
You have to be specific with exactly what you’re looking for. If you just state, “Hey, can you give me all the transactional information on this customer,” they aren’t gonna respond.
Q: What kind of key documentation is essential to maintain for high-risk customers?
A: It depends. If you’ve done a 314(b) request, or if you’ve asked the customer to provide their bank statements from their other relationship, you obviously want to keep all that information in the high-risk customer file.
I always keep an export of the activity from the anti-money laundering system. I think they are more accurate and I find statements to be useless. There are so many high-risk, cash, wire, cash exchanges, foreign currency orders that never flow through to the statement.
I would also keep any snippets from your open-source investigations – your Google search results and Google Earth drive by views. If you’re looking at revenues for a convenience store, record the busy times for a store, I would record these kind of snippets of information.
Q: The risk acceptance form (RAF), is this submitted to an institution? If so, what institution? Or is it an internal form?
A: It is an internal form and it should be submitted when the anti-money laundering officer does not have true authority.
A quick litmus test to see if you have actual authority, or if you have the illusion of authority – How many times do you have to ask for something, right? Do you have to ask for one new person? Do you have to ask for something really minor or immaterial multiple times? Do you have to hire an external consultant in order to prove the request that you asked? These are all signs you have the illusion of authority. So that’s going to trickle over to how you manage your high-risk customers.
So if you have board or executive management saying, “We need to open up our servicing of title companies,” and you say, “I can’t, unless you give me people” and they decide not to give you people and they go forward, that’s a perfect time for the RAF.
The RAF is where you clearly state the risks, the threats that are posed, the things that you’ve asked for, and then you send it to your boss. If you don’t feel comfortable sending it to your boss, then I would keep it as a memo to file.
That’s really your best defense against any risks, threats or issues that will come out of them going forward, especially when you’ve clearly stated that you don’t have the right amount of people or the right system to manage the risks.
Q: What would you do if management doesn’t wanna sign the risk acceptance form?
A: If they don’t want to sign it, to me that tells you everything you need to know about the institution that you’re in. Do you want to be working for an institution that is not willing to listen to your clear supported issues, and also not willing to go on record that they’re not willing to listen to you? To me that’s a risky situation.
I know it’s a lot easier to say you need to change jobs than it is to actually do it, especially if you really love this area. But I think that’s something that you need to consider if they’re not willing to sign it, and they state that, whether it’s verbally or via email, they will completely ignore the form that you sent.
I always had a file folder on my desktop that I would put anything in there that would help me later. And when people said, “Hey, why didn’t you tell us about this risk?” I would say, “Hey, I sent this email on x date and I never heard back.” Or if my boss told me on x date that they were not gonna sign it, I would just write the facts in a memo and save it.
If they don’t sign it, it doesn’t diminish the value of what you were able to document.
Q: Are high-risk customers required to have separate transaction monitoring rules or enhanced transaction monitoring?
A: No, I wouldn’t say there’s a regulatory requirement. I mean, there’s no regulatory requirement to screen for sanctions either. You know to not do business with anyone on the OFAC list in the U.S.. But there’s no regulatory requirement that says you have to screen for OFAC. It’s the same type of thing here.
There is nothing that says that you have to have separate rules for monitoring of high-risk customers or scenarios. I think if you have a bucket of high-risk customers that are being subjected to your general monitoring rules, you will be missing customers that you should be looking at that are not those high-risk customers.
Let’s say you have a group of convenience stores, and they’re all cash-intensive, I would take them out of your normal monitoring rules that you have for cash. If you leave them and your general monitoring for businesses for cash activity, is every three days, weekly, monthly and quarterly, I guarantee you that you’ve adjusted your parameters and your threshold for the average cash dollar amount is inflated by your cash-intensive businesses that are convenience stores.
So for me, I want know what I don’t know. So the best way to close that gap of what you don’t know is to take those high flyers, those high cash-intensive businesses that are falsely inflating what your cash view is, extract those from your normal cash rules, and have your own cash rules for that activity.
As far as an effectiveness requirement, yes. I would say there should be clear guidance about how monitoring should be tailored for the risks associated with the customers and their activity.
Q: After quitting a position, how long is the person considered a PEP?
A: There’s no magic answer to that. The perfect example of that would be a client of mine that is in a higher risk industry, they’re money remitters, and one of the beneficial owners on it is a former high-up federal employee.
They have been out of that position for years but that doesn’t necessarily mean that the threats go away. You don’t want to make a blanket statement like “All politicians, if they have been out of the position for more than two years, they’re therefore not risky to our institution.”
You want to look into what their position is in the company, what their position was with the government. Do they still have influence? Are they a lobbyist now, right? Are they still able to influence policy decision just based off of their name?
Those are all things that I would take into account. I strongly urge institutions to not ever make blanket statements, because you always need to be open to the threats that they still pose, even though they may not still be in office.
Other things to consider include, Do they have a spouse, a son, a daughter that are they now in the government? Is there still some type of influence there? Were they at such a high level in the government that regardless of how many years that they’ve been out that they’re still able to have a say on policy decisions, on contractual arrangements, etc.
There’s no secret answer but those are the things that I would account for if someone is no longer active in office.