Our Compliance Help email service has been inundated with questions on compliance with beneficial ownership as part of the customer due diligence rule. While the focus on beneficial ownership is not unfounded, I am a bit concerned that many financial institutions may be overlooking something more basic but very crucial in BSA management—the new codified expectation of customer due diligence and how it intertwines with your suspicious activity surveillance system.
The final rule requires that covered financial institutions include in their anti-money laundering programs customer due diligence procedures, including understanding the nature and purpose of customer relationships and conducting ongoing monitoring. “Understanding” this information is required to develop a customer risk and activity profile that should be used to risk rate accounts and then to actively conduct the required ongoing risk-based monitoring of relationships to identify and report suspicious activities. For those customers determined to be high risk, ongoing monitoring should be documented in accordance with your institution’s high-risk monitoring policy.
Customer due diligence (CDD) is not a new concept. In fact, the 2014 Federal Financial Institutions Examination Council BSA/AML Examination Manual states the following:
The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.
So what does this mean to you, and what can you do to build a robust customer due diligence program? At account opening, are you gaining an understanding of the customer’s nature of business and expected transaction patterns? Gaining a knowledge of expected transaction levels is easier than you may think. Most businesses follow a routine pattern throughout a given time period and are aware of and able to articulate what their expected transaction levels will be. Simply put, you should be inquiring about expected transaction levels.
The next step is to develop a risk-based monitoring system that examines all types of transactions throughout your financial institution. The regulation does not require an automated surveillance monitoring system, but I must admit they can make it easier to implement a robust due diligence program. The regulation does, however, require your surveillance program to be thorough and strong. You must understand the risks your institution faces by completing a risk assessment that considers products offered, customer base, location, size, as well as all the other factors discussed in Appendix J of the FFIEC BSA/AML Examination Manual. Once the risks are understood, management should craft a surveillance program that is tailored to the risks.
In general, you should be looking at reports that cover the following areas:
- Cash activity
- ACH activity
- International ACH activity
- Wire transfers
- Balance fluctuation reports
- Cash-secured loans
- Loan disbursements
- Purchases of monetary instruments
- Other electronic transactions
Keep in mind that obtaining expected transaction levels at account opening is useless unless you can communicate the information to those who are implementing the surveillance program. Furthermore, transaction levels and patterns may change as the account holders’ business changes or matures, and your monitoring should provide for maintaining and updating the information. And then, your surveillance system must be dynamic and be able to adapt to changing transaction patterns.
The other part of a robust surveillance system includes looking over a period of time for smaller transactions that may be part of a placement or layering scheme. This may mean, in a manual environment, building reports to track activity over a period of weeks or months.
Remember, the first two stages of money laundering are where you have the greatest chance of detecting the activity.
Placement. The first and most vulnerable stage of laundering money is placement. The goal is to introduce the unlawful proceeds into the financial system without attracting the attention of financial institutions or law enforcement. Placement techniques include structuring currency deposits in amounts to evade reporting requirements or commingling currency deposits of legal and illegal enterprises.
Layering. The second stage of the money laundering process is layering, which involves moving funds around the financial system, often in a complex series of transactions to create confusion and complicate the paper trail.
Looking at the transaction or transactions is one thing; now you have to develop an understanding of whether the transaction or transactions make sense for the nature or type of business. A lot of patterns may look very strange and appear to be structuring, but may be completely legitimate when you understand the nature of the business and the expected transaction patterns. That is why CDD is, in essence, the bridge between account opening and your surveillance system, and while it is not a new concept, it will become part of the regulation on May 11, 2018.