It is clear that private investment companies (PICs) are one of the most scrutinized financial planning vehicles on the anti-money laundering risk scale. They are defined in the U.S. FFIEC BSA/AML Examination Manual, along with all variations of the business entities spectrum. The manual defines them, describes their risks and provides adequate risk mitigation practices. It is all very straightforward, and with strong internal policies and procedures and a strict risk-based approach, companies should be able to keep PICs under control. Of course, that is provided that people actually know where they are in your institution. That is the bigger challenge.
In my experience, PICs do not hover around portfolios waving a red flag. Although they are concentrated primarily in private banking, the truth is that PICs and their variations may lurk anywhere. Without warning, they can creep up on your worst-case scenario when you least expect it—during a challenging exam, or even worse, as part of an investigation.
You may be tempted to discard this concept as an institution's lack of effective controls and weak risk assessments. Before you do so, consider the population of existing accounts opened long before rigorous PIC procedures were implemented in your institution, or the portfolios that have been inherited from merger to merger, migrated from one line of business to another, or realigned from one officer to another. That is just one factor to consider in the quest for PICs coming under the radar.
There might be a number of causes contributing to the mystery. Let us explore some of the more probable factors:
Assumptions — The number one reason for missing PICs is assuming that they are only used by private banking clients. The fact that your organization has a business model that offers offshore planning does not guarantee that PICs are not being used by clients outside of your defined business model and all its controls.
Existing Accounts — As previously mentioned, the population of existing accounts from all lines of businesses represents the biggest exposure. In a world of mergers, business realignments, personnel changes, and lately, numerous rescued takeovers of distressed institutions, it is practically impossible to maintain a hold over every account in your portfolios.
Existing Relationships — This is a more subtle, but critical cause of the unseen PICs. There may be solid, well-known relationships with your institution that have evolved over the years into complex relationships serviced by several lines of businesses, but where the main point of contact with the client remains with the officer who initiated the relationship. These situations can blur boundaries and weaken controls. For example, consider a commercial relationship with personal accounts for the business owners and their families. Private banking may service the personal accounts, and the investment products may come from the brokerage department.
However, when a new "entity" account is needed, the PIC may be part of the commercial portfolio and treated as another business account, not necessarily one that follows the appropriate controls. It is true that effective account opening procedures involve the commercial officer identifying the nature of the new entity, but that is when the factor of awareness comes into play.
Awareness — International private bankers know what PICs are. They understand their risks, and that they must comply with strict procedures. However, the same may not be true for the rest of the officers in your institution, even private bankers dealing with American clients. The rest of the employee base may have very limited knowledge of PICs from annual AML training. However, this usually involves little actual exposure to recognizing PICs when a new account is opened, or to identify lingering PICs in their existing portfolios. As a result, even new account procedures may be wrongly bypassed, and controls designed to address PICs may be missed.
Technology — We live in a world of technology where systems rule. Anything and everything that you ever wanted to know about your institution's accounts is at your fingertips. Right? Wrong! Systems have improved tremendously, and they are the best tool to improve controls ranging from account opening to monitoring. However, the reality is that for most institutions, even the largest ones, systems remain a challenge. Systems identifiers used to flag PICs may not exist, and adding a field to capture this information may be a major endeavor. Furthermore, even if you can add the field, it must be populated. That does not include the many different systems used for different products and lines of business, and the systems that are still not fully integrated years after a merger.
This is a sobering picture of a lost battle, but it does not have to be. For every aforementioned cause, there is a remedial approach. It may take time, and you must become creative with the resources you have, but it can be addressed. The result will impact the existing accounts, and help to establish more refined procedures for new accounts, strengthen training, and improve the resolution of any abnormal activity by gaining a better understanding of the nature of the accounts. Overall, the risk mitigation of exposure to PICs would be more comprehensive.
To assess the likelihood of unidentified PICs, consider running a targeted compliance review. Start by adopting a discovery approach. Ask your technology resources to run reports using fields that are part of the company's existing database, such as ones that may shed some light on possible leads. For example, request a report of business accounts sorted by country using the address field. If you want to be more specific, run a report using the same field, but filter the search for designated high-risk offshore jurisdictions such as the ones designated by FATF, but do not forget states such as Delaware. Then go to the business unit and ask questions.
Review accounts that may be located in jurisdictions used for offshore structures. Identify whether the entities are actually PICs, and if so, ensure they are correctly classified and the appropriate controls applied. Interview the officers responsible for the accounts. Assess their knowledge and awareness of PICs.
In addition, be very careful with the vocabulary used to refer to PICs. Whatever name is used, it is still a PIC. These few steps will give you a good idea whether you have a problem. It may also prompt a more structured effort to scrub portfolios for PICs.
Provided that you have the time and resources, address the one factor that will ensure short- and long-term success before you embark on this exercise. Educate your officers and service teams and go back to basics. Teach them not only the definition of a PIC, but why it is so critical to know where they are and apply the right controls. Give employees real-life scenarios. Call PICs by all the titles you can imagine so that nobody overlooks an entity because it is not holding a sign advertising that it is a PIC.
It will never be perfect or foolproof, but implementing these suggestions will create a much better scenario. Of course, once you find your hidden PICs, you have to do something with them, but that is another issue.
The following is the timeless question of risk assessment:
Are you more accountable for the risk you know or is it better not to know?
In my opinion, it is better to know and follow a realistic risk-based approach to mitigate the risk. Believe me, the sleepless nights of not knowing are much worse.
