AML guidance for enhanced due diligence
INSIGHT ARTICLE |
U.S. regulators give banks latitude to create customized anti-money-laundering programs, but trouble can lurk in the gray areas.
Requiring all banks to adopt the same program would be unrealistic, especially for mid-size or smaller banks. But the lack of specific guidance can result in some banks taking an incomplete approach to enhanced due diligence (EDD). Some institutions will collect information at the account opening, but will neglect to monitor against the information collected or periodically refresh the information on file. Neglecting to take these additional steps can create additional BSA/AML risk, particularly in those instances where the customers are high-risk entity types, such as money service businesses, non-bank financial institutions, customers with privately owned ATMs, and other types of entities considered to be high risk per the BSA examination manual.
“A lot of times institutions will gather information, but that will be all they do,” said Othel Rife, manager, Risk Advisory Services at RSM.
A two-step framework for creating an effective AML program specific to a bank’s business is found in the government’s “Bank Secrecy Act/Anti-money-laundering Examination Manual.”
The first step is to perform a risk assessment that identifies the bank’s vulnerabilities to money laundering and terrorism financing. As part of this process the bank evaluates its products, services, customers, entities, types of transactions and geographic locations. No single indicator determines the risk profile. The manual states, “The assessment of risk factors is bank-specific,” and every institution should take a customized approach to assessing its BSA/AML risks.
“There are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format,” the manual states.
The manual advises that banks reassess their BSA/AML risk profiles “at least every 12 to 18 months,” even if nothing in their business has changed.
The second step involves a granular analysis of specific customers to help management lay a foundation for ongoing monitoring and risk mitigation. The risk analysis should include:
- Purpose of the account
- Actual or anticipated activity in the account
- Nature of the customer’s business/occupation
- Customer’s location
- Types of products and services used by the customer
While institutions may decide to accept higher levels of risk, they must adapt their policies, procedures and processes to address the risks accepted. The riskier the business, the more robust the AML program must be.
Once policies and procedures are in place to identify, research and report suspicious activities, ongoing monitoring can spotlight patterns of concern. For example:
- A business that anticipated $10,000 in weekly cash deposits when it opened its account has been routinely taking in $100,000 a week.
- A personal account has business-type transactions occurring within it
- A business that is making large routine payments to an unrelated individual or business
Ongoing scrutiny is particularly important in the case of customers that pose enough of a money-laundering or terrorist-financing risk to warrant enhanced due diligence. The bank must clearly understand the anticipated transactions of such clients and use this information in its suspicious-activity monitoring of these customers.
The FFIEC’s BSA/AML Examination Manual states, “Customers that pose higher money-laundering or terrorist-financing risks present increased exposure to banks; due diligence policies, procedures and processes should be enhanced as a result.”
According to the manual, EDD could include:
- Purpose of account
- Source of funds
- Beneficial owners
- Types of business/occupation
- Financial statements
- Banking references
- Where business is organized
- Proximity to the financial institution
- Primary trade area
- Description of business and anticipated activities
- Explanation for changes in account activity
Many institutions are gathering such information. “Where we see issues is what is done with this information going forward and whether or not the information is periodically updated,” Rife said.
In addition to keeping EDD customer information current, institutions must create a risk-based monitoring procedure.
The manual contains a wide-ranging list of the types of customers that may require enhanced due diligence and risk-mitigating controls, including:
- Foreign banks, currency exchanges and money transmitters
- Casinos, stockbrokers and dealers in precious metals or jewels
- Senior foreign political figures, their families and their associates
- Nonresident aliens
- Foreign corporations, shell companies and offshore entities in higher-risk geographic locations
- Foreign deposit brokers
- Cash-intensive businesses such as convenience stores, restaurants, liquor stores, privately owned ATMs, vending machine operators and parking garages
- NGOs and charities
- Attorneys, accountants, doctors and real estate brokers
- Money service businesses and non-bank financial institutions