• Peter McWilliam, William Sachs, and Nancy Gregory
  • Published: 18 May 2021

Scrutiny of the overall “quality” of customer due diligence (CDD) and enhanced due diligence (EDD) is increasing from examiners and auditors alike. 

CDD begins with knowing your customer. Once all the information is obtained, it is used to risk score each customer from a Bank Secrecy Act (BSA) perspective (e.g., rating the vulnerability of the entity to being used as a conduit for money laundering, terrorist financing, or other illicit activity). Risk scoring is often included as part of the BSA monitoring system and considers a variety of factors, such as industry type, length of the relationship, geography (foreign or domestic), products and services used, and customer type (e.g., PEPs, MSBs, PSPs, etc.).

There may be dominant risk factors that override the calculated risk score and place the customer immediately into the “high risk” category. Examples of this could be:

  • Customers for whom SARs have been filed
  • Foreign corporations
  • Accounts that have shown unusual activity and for which alerts have been generated
  • Customers for whom criminal subpoenas have been received, and reviews of which have shown evidence of suspicious activity

We have noted that examiners and auditors have been placing greater emphasis on the BSA monitoring system being optimized not just for suspicious activity monitoring but also for customer risk scoring. Many monitoring systems include onboarding software utilized for customer risk scoring. We have noted instances where examiners have cited concerns relative to customer risk scoring accuracy. These concerns include whether the number of high-risk customers and the customer risk rating methodology are appropriate, and the level of detail (or lack thereof) in the resulting EDD reviews.

Once a customer is rated high risk, appropriate and comprehensive EDD must be applied. The EDD must be sufficiently documented, and all accounts that the customer owns or is a signer on, including loan relationships, should be analyzed. The EDD is often performed using a document or form. The information documented should include all active accounts, current balances, open or closed dates, and a detailed business or occupation description. Sources may include the business’ webpage, a secretary of state search, the credit approval summary, or other documentation. The source of revenue for a business and the source of income or wealth for an individual should be documented.

Next, determine if the NAICS code is appropriate. Include the names of beneficial owners (equity and control), as well as principals, partners, officers, and directors, and perform negative news searches on them. Are any individuals PEPs, NRAs, or foreign individuals? If so, document the country of citizenship and consider whether it is a high-risk jurisdiction. If applicable, include previous SAR filings and any alerts or cases during the scope of the review.

The scope of the review period should be documented, and there should not be any lapse in time between reviews (e.g., if the review is performed every twelve months, the scope of the review should cover twelve months). A transactional review of activity is performed, and debits and credits are reviewed to understand the flow of funds. Consider whether the flow of funds is consistent with the expected activity and/or expected transactions given what is known about the industry. You may need to conduct research and negative news inquiries on the customer’s counterparties.
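The two mechanical pieces of the process described above, the risk score with dominant-factor overrides and the no-lapse check on the review scope, as an added example (not code from the post or from Capco). Factor names, weights and the score thresholds are assumptions made for illustration; the dominant factors are the four the post lists.

```python
import calendar
from datetime import date, timedelta

# Assumed additive weights for the factor categories the post names.
FACTOR_WEIGHTS = {
    "high_risk_industry": 3,      # industry type (e.g. MSB, MRB, TPPP)
    "new_relationship": 1,        # length of relationship
    "foreign_geography": 2,       # geography
    "high_risk_products": 2,      # products and services used
    "pep_msb_psp_customer": 3,    # customer type
}
# Dominant factors from the post: any one forces "high" regardless of score.
DOMINANT_FACTORS = {
    "sar_filed", "foreign_corporation",
    "unusual_activity_alert", "criminal_subpoena_with_suspicion",
}
HIGH_THRESHOLD, MODERATE_THRESHOLD = 6, 3  # assumed score cut-offs


def score_customer(factors):
    """Return (additive_score, rating, override_reason_or_None)."""
    score = sum(FACTOR_WEIGHTS.get(f, 0) for f in factors)
    dominant = sorted(DOMINANT_FACTORS & set(factors))
    if dominant:                      # override wins even when the score is low
        return score, "high", dominant[0]
    if score >= HIGH_THRESHOLD:
        return score, "high", None
    if score >= MODERATE_THRESHOLD:
        return score, "moderate", None
    return score, "low", None


def add_months(d, n):
    """Calendar-safe month addition (clamps the day to the month length)."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def check_review_scope(prev_end, start, end, period_months=12):
    """Findings for an EDD review scope (ISO date strings): a gap or overlap
    against the previous review, or a scope shorter than the review cycle."""
    prev_end, start, end = map(date.fromisoformat, (prev_end, start, end))
    findings = []
    gap_days = (start - (prev_end + timedelta(days=1))).days
    if gap_days > 0:
        findings.append(f"lapse of {gap_days} days since previous review")
    elif gap_days < 0:
        findings.append(f"overlaps previous review by {-gap_days} days")
    if end < add_months(start, period_months) - timedelta(days=1):
        findings.append(f"scope shorter than {period_months}-month cycle")
    return findings
```

An empty list from `check_review_scope` means the new scope starts the day after the previous review ended and covers the full cycle.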

Explain any significant spikes in activity relative to anticipated/expected activity or to the previous review’s activity. You may have to reach out to the relationship officer, branch manager, and/or branch for an explanation. State whether the actual activity is reasonable when compared to anticipated/expected activity, and always provide an explanation to justify the conclusion. The level of additional due diligence may change based on the type of customer, such as a marijuana-related business, money services business, politically exposed person, non-governmental organization, non-bank financial institution, or third-party payment processor, among others.

The written conclusion requires a certain level of finesse and should be precise and consistent. How so, you may ask? We all have varying writing styles. Nonetheless, analysts should be taught to follow a consistent approach. Finally, include a statement indicating whether the activity is unusual/suspicious or not, a summary of the recommendation (maintaining the current risk profile or any other recommendation), and the rationale.

Additionally, examiners expect that EDD reviews are also performed on the bank’s moderate-risk customers, and their format and content should mirror those for high-risk customers.

Low-risk customer EDD reviews should be performed only if the customer is a subject of an alert that raises the risk profile. The thought behind this is that a bank’s monitoring is an ongoing process through its automated transaction software.

We at Capco are financial crimes experts, consisting of previous BSA officers and regulators and are prepared to assist your financial institution with EDD reviews, training your BSA analysts, as well as providing a myriad of other support services. 

We hope this information is helpful and encourage you to stay tuned for Capco RISC Services Financial Crime Insights Edition 2!