In early 2017, Protiviti published a white paper titled Remediate Risk, Not Files: Breaking the KYC Remediation Cycle. Primarily authored by my colleague Matt Taylor, the paper proffered that one of the main reasons financial institutions have found themselves caught in an endless cycle of Know Your Customer (KYC) remediation is that their remediation efforts are focused on papering the file and not truly assessing the risk. Two recent issuances, one an update to the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence (CDD) FAQs and the other a publication by The Wolfsberg Group (Wolfsberg) titled “FAQs on Source of Wealth and Source of Funds,” reinforce the importance of developing and implementing risk-based KYC standards.
The FinCEN update focuses on answering questions about information that should be gathered at account opening, requirements for risk rating customers, and KYC file refresh. Specifically, the questions are:
Q1: Is it a requirement under the CDD Rule that covered financial institutions:
- collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis;
- conduct media searches or screening for news articles on all customers or other related parties, such as beneficial owners, either at account opening or on an ongoing or periodic basis; or
- collect information that identifies underlying transacting parties when a financial institution offers correspondent banking or omnibus accounts to other financial institutions (i.e., a customer’s customer)?
Q2: Is it a requirement under the CDD Rule that covered financial institutions:
- use a specific method or categorization to risk-rate customers; or
- automatically categorize as “high risk” products and customer types that are identified in government publications as having characteristics that could potentially expose the institution to risks?
Q3: Is it a requirement under the CDD Rule that financial institutions update customer information on a specific schedule?
The answer to all three questions is: There is no requirement, it depends on the risk. To some institutions, FinCEN’s responses to these questions may provide welcome flexibility for how they manage each of these phases of KYC. To others that may prefer more prescriptive guidance, the responses introduce added uncertainty. Whichever the reaction, however, financial institutions have the undeniable responsibility to identify risk accurately and fully. While AML risk assessment methodologies have advanced significantly from the early days when geography was the major, if not only, determinant of risk, many institutions still struggle with developing sustainable risk assessment processes that appropriately balance quantitative and qualitative considerations and are dynamic enough to address rapidly evolving innovation and changing world events.
The Wolfsberg Group publication focuses on the relevance of source of wealth (SoW) and source of funds (SoF) checks to the assessment of customer risk. Among the key points included in the responses to the FAQs are the following:
- The due diligence process, when it includes SoW, involves the collection of relevant information and may include corroboration. This should not be seen as a documentary exercise, and consideration should be given to whether the customer’s SoW appears legitimate and the collected information is plausible (i.e., the information provided by the customer is reasonable) with regards to the customer’s overall wealth and other information that has been collected about the customer.
- SoF may relate closely to the purpose of the account and, in accordance with its risk-based approach, the financial institution should understand both the origin of initial deposits and, where other risk factors may be present, inquire about subsequent funding. SoF information may also be helpful for monitoring and reviewing of account activities.
Consistent with Protiviti’s whitepaper, the message here is that performing customer due diligence is not a documentary exercise and should be based on reasoned assessment of the risks. The Wolfsberg paper even goes on to suggest that in certain circumstances it may be necessary to use experts who understand the unique risks of certain markets/segments and any specific considerations that may apply.
The questions that AML Compliance Officers and their senior management should be asking as they consider these two publications are:
- Are we confident that we have the expertise in-house to assess all our AML risks? If not, what is our plan to address any gaps?
- Is our risk assessment methodology, and documentation of the results, reliable and defensible so that we can support our risk-based decisions?
- Is our risk assessment methodology applied accurately and consistently across the enterprise?
- Does our methodology or execution thereof result in excessive overrides or exceptions, suggesting either that the methodology is poorly designed or that some people may be gaming the system which, in turn, distorts the risk profile?
- Has our risk assessment methodology stood the test of time or are we frequently surprised to find we have taken on risks we did not anticipate?
- How are we enriching our risk assessment methodology and improving our execution? Are we keeping pace with competitors that are deploying advanced digital capabilities to assess and manage risk?
- If we do have gaps in data or process, what is our plan for addressing these efficiently and effectively?
Getting customer risk right upfront and recognizing promptly when the risk has changed are foundational to an effective AML compliance program.