Spotting High Risk Clients
The USA PATRIOT Act requires financial institutions to take a risk-based approach when designing their Customer Identification Program (CIP). As you know, this is easier said than done.
This article suggests a systematic approach to determining your exposure to risk as an essential element of a CIP. It approaches the challenge from a practical perspective and gives the reader hands-on tools for day-to-day operations.
- What are the required elements of a CIP
- How to translate risk-based approach into your daily job
- What are the required elements of a Customer Identification Program (CIP)?
Section 326 of the USA PATRIOT Act requires financial institutions to implement a risk-based CIP to identify and know their customers. While the CIP has to be an integral part of the institution's overall Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) program, a CIP needs the following minimum elements:
1) General Rule - establish, document, and maintain a written CIP, which must enable it to form a reasonable belief that it knows the true identity of the customer; CIP must be in writing and has to be approved by the board of directors or trustees; CIP must be part of its anti-money laundering program
2) Identity Verification Procedures - base CIP on the risks associated with business operations; document-based or other methods
2a) Information required - name, address (mailing and residence), date of birth, identification number (SSN, Tax-ID, EIN for US-persons) (Tax-ID, passport number and country of issuance, alien identification card number, or similar safeguard for non-US-persons)
2b) Verification - before account opening or within a reasonable period of time thereafter; must describe circumstances when to use non-documentary methods to verify identity, e.g. contacting the customer after the account is opened; comparing the information against fraud and bad check databases (negative verification); credit reports or similar (positive verification); checking references with other financial institutions; maintain procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of a customer
3) Recordkeeping - must maintain copy of the document that the bank relied on for five years after the account is closed
4) Comparison with Governmental lists - determine whether customer appears on any list of known or suspected terrorist organizations provided to the bank by any government agency; bank must follow all Federal directives issued in connection with such lists.
5) Customer Notice - customers must be given adequate notice of verification of identity
6) Comment - Treasury and the Agencies believe that all banks have access to a variety of resources, such as computer software packages, that enable them to check lists provided by the Federal government; Treasury and the Agencies believe the CIP provisions in the proposed rule will impose minimal costs on banks
- How to translate risk-based approach into your daily job?
According to the PATRIOT Act, the key to any CIP is to take a risk-based approach. This means any of the elements above have to factor in your institution's special risk, based on the clients it does business with. Consequently, a global player like Citibank has to have a more comprehensive CIP than a small community bank with mostly local business.
Thus, you first need to determine your bank's exposure to risk. This decides whether it is enough for you to just check the OFAC list or whether you have to do more. Keep in mind that failure to comply with the risk-based requirement might result in civil and criminal penalties. We recommend the following four-step process to systematically determine the risk of your institution.
a) Develop a risk grid
We suggest taking a systematic approach by determining different risk >
Risk Category 4. Extreme
- Type of Client: Politically Exposed Person (PEP); Black-Listed Individuals or Entities
- Nationality: Non-cooperative Country according to FATF (Cook Islands, Egypt, Guatemala, Indonesia, Myanmar, Nauru, Nigeria, Philippines, Ukraine, as of June 2003)
Risk Category 3. High
- Type of Client: Customer derives from a foreign country with which the bank does not have any experience; Employees
- Nationality: Country still being monitored by FATF (e.g. Hungary, St. Kitts & Nevis); Countries known for tax sheltering, corruption (see Transparency International corruption index), drug trafficking
- Special Relationships / Powers of Attorney: PoA to employees; Relatives of Employees
- Miscellaneous: Missing documentation for transaction monitoring
Risk Category 2. Medium
- Type of Client: Public Figures; Trusts, Family Office
- Nationality: Outside of Western Europe or North America
- Special Relationships / Powers of Attorney: Issuance or cancellation of PoA; Friends of employees
Risk Category 1. Normal
- Type of Client: Normal individuals; Institutional Clients
- Nationality: North America; Western Europe
- Special Relationships / Powers of Attorney: None
- Miscellaneous: None
b) Categorize your clients into risk >
The second step proposes to review your client relationships and categorize them according to the risk grid shown previously. Depending on the number of clients, this might be a comprehensive and time-consuming task, in which case the intelligent use of software is essential for efficiently mastering this challenge.
A number of vendors provide such software to help you, for example, identify clients who are black-listed, or clients who are PEPs (Politically Exposed Persons). Remember, section 326 requires all banks to screen for black-listed customers. This is easy to achieve, with or without third-party software. Section 312, on the other hand, requires banks with private banking clients to conduct enhanced due diligence if their client is a PEP. Thus, as a first step, financial institutions have to identify PEPs amongst their clients. This is much more difficult, yet equally important.
Currently, there is an aggressive new strategy to try to trace "dirty" money in the United States to its foreign roots. The NY Times published an article on August 22, 2003, reporting that "US officials now want foreign leaders' laundered assets". A multi-agency task force has been established to, firstly, identify politicians together with their close associates and, secondly, locate those financial institutions at which their assets are hidden. Thus, if you want to avoid bad press and potential penalties, you need to know whether you have PEPs in your database.
Naturally, it is insufficient to know that your client, Arnoldo Alemán, is the former president of Nicaragua. It will be more important to know that Alfredo Fernandez is his former assistant or that Jeronimo Gadea is his son-in-law. These are individuals he might use to hide his funds within your institution. Unfortunately, it is a very time-consuming task to research those close associates. For example, at WorldCompliance, we employ 10 researchers who are responsible for identifying PEPs and their close associates. You should genuinely think about whether you want this task to be performed by your compliance department. In any event, you do need a list of names, which allows you to regularly scan your client database and identify those clients that are PEPs or those that are on a Black List.
This will allow you to efficiently determine important criteria for the categorization of your clientele. This categorization is the key to a risk-based approach for your financial institution.
c) Review of CIP procedures
The third step suggests reviewing your CIP procedures and encourages you to reflect the risk-based approach in your guidelines and procedures. Obviously, you would want to treat clients who potentially pose a high risk to your organization differently than the "normal" customer. The following table gives you an idea about this. Please note that this table was designed as an example only and should not be used without further customization.
Risk Category 4. Extreme
- Special Treatment upon Account Opening: Account opening has to be approved by Senior Management; Any customization of customer relationship requires compliance approval
- Special Procedures upon Account Monitoring: Account has to be monitored by member of Senior Management
Risk Category 3. High
- Special Treatment upon Account Opening: Any customization of customer relationship has to be documented; Account has to be approved by Senior Management
- Special Procedures upon Account Monitoring: Quarterly Reports to Senior Management; Yearly approval by Senior Management
Risk Category 2. Medium
- Special Treatment upon Account Opening: Any customization of customer relationship has to be documented; Account has to be approved by supervisor
- Special Procedures upon Account Monitoring: Yearly report to Senior Management
Risk Category 1. Normal
- Special Treatment upon Account Opening: None, unless otherwise specified by General Terms
- Special Procedures upon Account Monitoring: None
d) Organizational implications
In the fourth step, you determine which >
Risk Category and Screening Frequency:
- 4. Extreme: Daily screening, at least weekly screening
- 3. High: Weekly screening
- 2. Medium: Quarterly screening
- 1. Normal: Semi-annually screening
Following the steps described above should allow you to master the task of designing a risk-based approach to achieve compliance with aspects of sections 326 and 312 of the USA PATRIOT Act. It gives you the option of performing many of the steps manually or integrating them into a more automated approach. As a result, you will enhance your compliance program and protect your reputation.
The author is president of WorldCompliance, a Miami-based firm, which is a proud sponsor of the BOL Anti-Money Laundering page. WorldCompliance offers a modular database to automatically or manually minimize your compliance risk and protect your reputation. The modules detect known or suspected terrorists, narcotic traffickers, money launderers, fraudsters, and other most wanted criminals, as well as Senior Political Figures and their close associates that are hiding in your client database. The modular structure of the database allows you to decide on the level of protection that you feel is necessary for your company. This enables you to build a cost-efficient compliance tool to protect your company. Please feel free to contact a representative at email@example.com
Dirk Mohrmann
First published on BankersOnline.com 09/8/03