Customer Due Diligence - 2/19/2007

Customer Due Diligence
A New BSA Requirement
Another added twist to the ongoing Bank Secrecy Act/Anti Money Laundering (BSA/AML) saga is the mandate for comprehensive customer due diligence (CDD) policy. This policy should define procedures and processes for obtaining customer information and assessing the value of this information in detecting, monitoring, and reporting suspicious activity.

The CDD mandate comes from our friends at the Federal Financial Institution Examining Council (FFIEC). They view the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a high risk for money laundering and terrorist financing, as a "cornerstone" of a strong BSA/AML compliance program.

The objective of CDD procedures should be to enable the credit union to predict with relative certainty the types of transactions in which a customer is likely to engage. These procedures should assist the institution in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer's identity and assessing the risks associated with that customer. Procedures should also include enhanced CDD for high-risk customers and ongoing due diligence of the customer base.

Effective CDD policies, procedures, and processes provide the critical framework that enables the credit union to comply with regulatory requirements and to report suspicious activity. CDD policies, procedures, and processes are, in the eye of the regulators, critical to the credit union because they can aid in:
Detecting and reporting unusual or suspicious transactions that potentially expose the credit union to financial loss, increased expenses, or reputational risk.
Avoiding criminal exposure from persons who use or attempt to use the credit union's products and services for illicit purposes.
Adhering to safe and sound banking practices.

BSA/AML policies, procedures, and processes should include CDD guidelines that:
Are commensurate with the credit union's BSA/AML risk profile,
paying particular attention to high-risk customers.
Contain a clear statement of management's overall expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer's risk rating or profile, as applicable.
Ensure that the credit union possesses sufficient customer information to implement an effective suspicious activity monitoring system.
Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.
Ensure the credit union maintains current customer information.

Management should have a thorough understanding of the money laundering or terrorist financing risks of the credit union's customer base. Under this approach, the credit union will obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer's occupation or business operations.

CDD procedures should include periodic monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).

Customers that pose high money laundering or terrorist financing risks present increased exposure to credit unions and due diligence policies, procedures, and processes should be enhanced as a result. Enhanced due diligence for high-risk customers is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the credit union's reputation, compliance, and transaction risks. High-risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their relationship with the credit union.

The credit union may determine that a customer poses a high risk because of the customer's business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving high-risk jurisdictions. If so, the credit union should consider obtaining, both at account opening and throughout the relationship, the following information on the customer:

Purpose of the account.
Source of funds and wealth.
Beneficial owners of the accounts, if applicable.
Customer's (or beneficial owner's) occupation or type of business.
Financial statements.
Banking references.
Domicile (where the business is incorporated).
Proximity of the customer's residence, place of employment, or place of business to the credit union.
Description of the customer's primary trade area and whether international transactions are expected to be routine.
Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
Explanations for changes in account activity.

What do you have to do? CDD, to me looks and smells an awful lot like profiling. The FFIEC is very careful to stay away from that kind of language, but when I read between the lines it sure feels like profiling. My interpretation of CDD is the government expects credit unions to evaluate each individual customer at the time an account is opened to determine if the customer presents a high money laundering risk.

A few weeks ago we sent you some information about producing an institution wide BSA/AML Risk Assessment. As you recall, that overall Risk Assessment was geared toward establishing the risk level for the institution on a "macro" level. In evaluating the risk as a whole, you had to consider such things as: 1) the types of products and services offered (checking accounts have higher risk than savings accounts, and business checking accounts have higher risk than consumer checking accounts, and so forth); 2) whether your institution is located in a high financial crime area (HIFCA) or high drug trafficking area (HIDTA); 3) whether you open accounts via the telephone and/or Internet (remote account opening raises risk); 4) is the credit union located near a major university that might attract a number of foreign students; 5) the number of branches; 6) the BSA/AML monitoring systems in place within the institution, and more. In general, this assessment tells you if your credit union is exposed to higher BSA/AML risk.

CDD procedures call for a risk assessment on an individual customer by customer basis, or a "micro" level assessment. When you open an account you need to identify if that account or customer relationship presents potentially higher risk. For example: If you open a regular share account for a documented US citizen who lives in the same town or city where your institution is situated, this member/account would have low risk. However, if you open a business checking account for a non US citizen who lives in Miami, and is in the import/export business in Columbia, there may possibly be some high risk associated with this relationship.

The CDD process requires you to flag this high risk account and monitor activity to this account more diligently that you would for the account with low risk.

As I see it, CDD is primarily targeting suspicious activity reporting. A few years ago one of our clients was criticized by an FDIC regulator because they had not filed any Suspicious Activity Reports (SAR) during the year. The FDIC examiner told that bank that based on their size; location and volume of business, there had to have been at least one transaction during the year that raised suspicion. Therefore, the bank was deficient in their AML procedures because they did not file any SARs.

I believe that most credit unions and banks are already monitoring customers for BSA/AML compliance in the currency transaction reporting, OFAC and FinCEN areas at a high risk level! Almost all of our clients have established very sound Customer Identification Policies (CIP). Extensive diligence is being used to properly establish and document the identities of all new customers. OFAC and FinCEN checks are, for the most part being performed for all new account relationships. Virtually all of our clients are screening their entire member base every month, in many instances more frequently, against the OFAC and FinCEN updated lists. In addition, our clients are monitoring all large currency transactions for all accounts on a daily basis. In my opinion, this level of monitoring constitutes at minimum, a moderate risk level of diligence, and may very well be of a high risk level.

Where many credit unions may stumble a bit is in the SAR process. You first need to be certain that your BSA/AML policies adequately address suspicious activity reporting. The following activities will be considered suspicious and require the filing of an SAR:
Structuring/money laundering (as defined in the Bank Secrecy Act)
Bribery or gratuity
Check fraud
Consumer lending fraud
Check kiting
Counterfeit checks
Counterfeit credit or debit cards
Other counterfeit instruments
Credit card fraud
Debit card fraud
Defalcation or embezzlement
False statements
Misuse of position or self-dealing
Mortgage loan fraud
Mysterious disappearance
Wire transfer fraud
Then you must implement adequate training so all staff members will understand how to recognize suspicious activity and when to prepare and file an SAR. Recently we had a client dismiss an employee for being involved in check kiting. No SAR was filed because the credit union did not understand their obligation. On the flip side we have a client where the tellers were preparing SARs by the box full. A kid would bring in their piggy bank full of coins and the tellers would prepare an SAR. Management was spending hours reviewing SARs, most of which were never filed. Again, the staff did not understand the process.

All accounts and activity have to be monitored for suspicious activity. The CDD regulations require that, for any account that has been accorded high AML risk status, the suspicious activity monitoring should be greater.

I think almost all of our clients are performing CDD to an adequate level for 99.9% of their account relationships. You may need to establish some enhanced CDD procedures within your BSA/AML policies to address customer relationships for business and commercial accounts, accounts of non US citizens, accounts to individuals who do not live in your immediate geographical area, accounts that you have identified as performing transactions with foreign countries, accounts for which you file numerous CTRs, any account for which you have previously filed an SAR, accounts who have been granted a CTR exemption, and, I would say, any accounts with known felons. You also need to address within your policies procedures for monitoring changes in customer risk. For example: when a particular customer opened their account they fit the low risk profile, but now you have learned they have run off to join Al Qaeda. A change in that customer's risk may be in order.

If you have any questions on this you can give us a call, or go to the Federal Financial Institution Examining Council Bank Secrecy Act/Anti-Money Laundering Infobase.