Account Opening Process as Basis For Risk-Based AML Monitoring
By Micah Hallock
With the regulations and exam procedures to support the USA Patriot Act being finalized, there have been questions raised about whether bankers can be expected to detect terrorist financing.
The unofficial response has been that banks should only concern themselves with identifying the suspicious activities and report them. Making the determination that a transaction or transactions is supporting terrorist activity is up to law enforcement. This is helpful, but it still seems to mean bankers are expected to detect suspicious activity at a more granular level or from a different perspective than has been required up to now.
A robust risk-based monitoring program is going to have to look at several different pieces of information and how they are, or are not, interrelated. How well these pieces of information fit together coherently can help determine whether or not a transaction or transactions are high risk.
Any risk-based monitoring program is going to have several interrelated components. This article will lay out what four critical components of a risk-based account opening program for individual customers could look like and how these can interact with risk-based monitoring of transactions. The four components are:
• Customer ID and Demographics
Generally, this is information that either should or could be captured at account opening. These four components would interact or combine to produce the risk rating you assign your customer to utilize in your risk-based monitoring program. To see how the interaction takes place, this article will look at each component in more detail with some examples of situations that, in most cases, would require follow up.
Customer ID and Demographics
This component includes the Customer Identification Program required information and some additional information you probably want to capture if you aren’t doing so already.
Forms of ID – The jointly-issued CIP exam procedures encourage banks to obtain more than one form of ID to “ensure it has a reasonable belief that it knows the customer’s true identity.” At issue is how recently the form of ID was obtained. If it was very recently obtained, you want to take note of that and compare the address on the ID to the address the customer has reported. You should inquire, in a friendly manner, what the reasons for different addresses might be.
Date of Birth – Taken on its own, the date of birth doesn’t necessarily impact your risk-based profile, other than dealing with minors. However, it may become more important when you are validating other facts you have gathered about your customer. Obviously you cannot jump to any conclusions; however, it is fair to ask follow-up questions.
Address – Ideally the address given should correspond to the address on the two forms of ID. If not, then additional documentation is required to confirm their given address. You will also want to note if the address given is generally considered outside of your bank’s marketing area.
Capturing some explanation as to why an out-of-area customer is using your institution will help determine the risk rating assigned to them and may provide good marketing information for you as well. Another piece of information to capture is how long a customer has been at an address. At least two years at the current address is a standard threshold in personal credit. If they have been at the current address less than two years, you may want to capture the customer’s previous address.
Occupation – When you capture a customer’s occupation there are two things to be on the lookout for: whether or not they work in a designated “high risk” industry, and whether or not their occupation fits the rest of their demographic profile. The types of questions you would want you or your sales representatives asking themselves are along the lines of, “Is this person the typical age of a student? Does the school they claim they are attending or the job they claim, have the type of reputation that will draw out-of-state or out-of-country students?” Again, anything is possible and it is not against the law for someone to be a foreign born, middle-aged student; but follow up inquiries should be made.
Source of Funds
The source of funds information is not necessarily something that has been captured at account openings. For a personal or individual account, source of funds usually means source of income, which you would expect to be a steady cash stream or cash flow. However, for some individuals it means a source of wealth or a fixed amount, which may be a steady cash stream, a lump sum or a lump sum that generates a steady cash stream. When you capture this kind of data it is important to be sensitive to the fact that most people regard their financial situation as personal. However, it is fair to ask how a customer will be funding an account. If it is through their paycheck, most likely you can at least inform them of direct deposit. This is also true if the source of funds is Social Security or other benefits programs.
The next step is to compare the answer given for source of funds versus the answer given for occupation. If the potential customer reveals some source of wealth like securities, you should ask about the source of those securities. Again, keep in mind the sensitivity that potential customers may have to this issue.
BANK PRODUCTS/PURPOSE OF ACCOUNT
Obviously, the account opening process is where you will capture what type of accounts a customer wants to open. Clearly, transactional accounts carry more risk for money laundering than savings accounts. The money laundering risk in credit accounts depends on factors that are part of the credit decision, such as source of repayment, and will be treated separately.
Deposit accounts – To make the risk-based approach more effective, you need to start to compare the demographic information you have collected to the given source of funding and the type of account(s) opened. Does all of the information make sense or tell a coherent story? It should and, in many cases will, make sense. Most of the time you will get the typical personal account: families with incomes will open transactional accounts and maybe a savings account or two; or an individual or group with a small business they have established. Some accounts however, may require further questioning on your part to understand what is actually going on.
Credit accounts – The process of capturing credit information, retail or wholesale, and the credit decision is usually a separate process from the transaction account opening process. Obviously the demographic information is essentially the same. A key item of information that is captured in the credit process that should be included in a risk-based AML profile is the source of repayment.
In a typical credit situation, if a loan is being paid as agreed but the information provided by the client doesn’t show where this cash flow is coming from, it may not have been considered an issue. For AML monitoring, a loan that is paying as agreed without a documented source of cash-flow is an issue, and a credit analyst or an account relationship manager should follow up.
FLOW OF FUNDS
This information or measurement is the traditional metric for AML monitoring and is still very important. When looking for drug money laundering, volume in and of itself used to be a reliable indicator. Huge sums traveling through an account was one way to spot this traditional laundering and it still is.
To spot suspicious terrorist financing is, as mentioned before, much more difficult and not necessarily going to involve large volumes of funds flowing through an account. It is inconsistencies between a given profile combined with an unusual flow of funds or an abrupt change in the flow of funds in and out of an account that would be an indicator of suspicious activity. Inconsistencies can be loosely defined as things that don’t necessarily add up, such as a student who wires funds (not necessarily large amounts) out of the country; or a customer whose account experiences a measurable spike in activity after months of dormancy. These things may have reasonable explanations, which you should inquire of the customer and get.
By capturing and analyzing these four, interrelated data points, your institution can start to put together a real risk-based profile. There is no denying that it will take more time for your sales representatives to look at accounts at this level, and their time is precious. The alternatives are to try to put together this information after the fact, based on remote monitoring within your BSA department. The latter alternative is much harder and can end up being even more expensive in terms of time and money.
Micah “Mike” Hallock is a manager in the Corporate Governance Services practice area of Cohn Consulting Group, a division of J.H. Cohn LLP. He has extensive experience in business risk, primarily in the financial services industry. He can be reached at email@example.com.