The term “contextual risk” is quickly becoming a buzzword in our industry as technology advancements and data expansion continues. And while those items are important for efficiency when it comes to developing a contextual risk baseline for customers, it is important in this process not to lose the critical element of the human touch.
In 2015, I presented to a group of community bankers the idea of contextual risk, titled “Contextual Awareness of High-Risk Customers.” While this training has been refined over the years, it still holds true that without proper contextual information about the customer, any action—alert dispositions, investigations, high-risk customer reviews and suspicious activity report (SAR) decisions—would be deficient and possibly wrong.
Even though the regulation requiring know your customer (KYC) or customer due diligence (CDD)/enhanced due diligence efforts was not implemented until 2005, the Basel Committee on Banking Supervision has stressed the importance of KYC since the 1997 and 1999 Core Principles Methodology reports. After the September 11 attacks, the Financial Action Task Force (FATF) incorporated the Basel Committee’s KYC standards into their recommendations. The CDD pillar in the U.S. was required starting in mid-2018. Other countries have been on a similar path. However, the majority of our sister nations required CDD efforts as a matter of law for years prior to the U.S. requiring it.
Since its first publication in 2005, the Federal Financial Institutions Examination Council’s (FFIEC) Exam Manual has an underlying theme of KYC. The chapter headings alone imply the importance of this as the customer risk increases, more steps need to be taken to mitigate the risk. As quoted in the 2014 Exam Manual, “Upon identification of unusual activity, assigned personnel should review CDD and other pertinent information to determine whether the activity is suspicious.”1 This section is buried in the suspicious activity reporting chapter but speaks volumes to the “spirit” of the requirement. The phrase “personnel should review CDD…to determine whether the activity is suspicious”2 supports the theme of using contextual awareness of high-risk customers. In simpler terms, high-risk reviews set the context (or lens) by which you view the customer. In addition, the FATF discussed the importance of CDD and enhanced CDD measures and stated, “an absence of sufficient information due to too little CDD could make monitoring meaningless.”3 This 2011 quote from the FATF makes it crystal clear.
So, while we have many articles, training and tools for KYC and CDD efforts, there seems to be a fair amount of time spent on the “letter of the law” compliance rather than working toward satisfying the “spirit of the law.” The spirit of the law, when talking about contextual customer risk, is where the important items reside. If we are busy complying with checkmark requirements, then we can miss the thousands of data points that go into creating a contextual baseline. This contextual baseline can be as simple as industry information or as complex as a well-written high-risk customer review.
When an institution fulfills the letter of the law, which in our case is the FFIEC Exam Manual or other regulatory publications, but not the spirit of the law, it does not satisfy the intentions of those who wrote it. Most institutions that experience penalties related to AML failures are typically deficient in satisfying the spirit of the law. Take a look at the last few consent orders that were made public. These failures were not for the letter of the law items like wrong dates of birth or late CIP documents. The failures were for not detecting and reporting suspicious activity or for failing to manage the contextual risk of a customer. This is not to say that an institution should only focus on the spirit of the law. They must comply with the letter of the law as well. But fulfilling the spirit of the law hedges against AML program failures. The overarching requirement for AML professionals is to find suspicious activity and report it in a manner that is useful for law enforcement. In AML compliance, fulfillment of both letter and spirit of the law is required.
A common example of banks meeting the letter but not the spirit of the law is when a team will write up high-risk reviews that—on the surface—appear to be sufficient. They meet the weight test (big file) or they address the business, rough out some of the transactional activity and provide a brief description of the already stated activity. Their efforts show a simple restatement of facts about the business. They miss the forest for the trees and do not address the “rightness” of the activity as it relates to the customer. This is complying with the letter of the law—perform high-risk reviews. But the spirit of the law wants us to perform the reviews for a reason—and that reason is to give an accurate context by which we must view the customer.
Risk in Context
A great example of utilizing a contextual baseline of a customer is found in the real-life example outlined below:
An individual customer is receiving various wires from businesses and individuals. The average wire dollar amount is $7,000, and the customer triggered a wire velocity alert. Upon reviewing the customer’s activity in the account, it is noted that they receive payroll automated clearing house (ACH) deposits from the state. The flagged wires are from businesses and individuals that do not apparently have any relationship with the customer and range from $3,500 to $10,000 in amounts. There is no last name commonality, no businesses that are owned by the customer, etc. The money appears to move to other bank accounts owned by the customer, including an investment account. The alert is dispositioned as not suspicious due to the lower dollar amounts of the wires and the fact that these wires are not taken out in cash or sent overseas.
However, an important contextual baseline of the customer is missing. This context provides the lens through which the activity should be viewed. This customer works for the state and their position at the state allows them to approve or deny permits for commercial development and community planning. Once an analyst knows this contextual data point, it changes the rest of the transactional information. The businesses and individuals can now be researched to determine if they are applying for permits or attempting to develop properties throughout the state. This information is easy to find when using specific search terms. The historical alerts on this customer were dispositioned as not suspicious for over 18 months. But one additional piece of information—critical context—changed how the analyst viewed the activity and prompted the filing of a well-written and actionable SAR that addressed possible corruption and bribery.
Higher Risk Customers
There is a global push toward effectiveness, and for U.S.-based financial institutions (FIs), there is a looming operational requirement for ingesting the Financial Crimes Enforcement Network’s national priorities.4 There are many opinions regarding the usefulness of the priorities and whether they will help institutions focus their monitoring efforts. Regardless of those various opinions, the underlying activity noted in the national priorities aligns with the global focus put forth by the FATF, Wolfsberg and the Egmont Group. How an institution will operationalize the priorities is really where we need to be focused.
Most institutions jump right to the risk-assessing aspect and forget that threats and vulnerabilities assessments are key predecessors of any risk assessment
When tying in contextual risk and the national priorities, it is vital that institutions have proper baseline data of the customer prior to attempting to figure out if a noted priority or sub-underlying activity is a threat to your institution. Most institutions jump right to the risk-assessing aspect and forget that threats and vulnerabilities assessments are key predecessors of any risk assessment. For an institution to properly see its threats and vulnerabilities, it must have baseline contextual information about the customer. For example, before community institutions look at one of the priorities like proliferation financing and determine it is not applicable to its risk, that institution must look at how that threat would operationally be applicable. Proliferation financing is carried out by a variety of businesses that manufacture large weapons, computer chips used in weapons, small metal fitting manufacturers, shipping companies, trade brokers, etc. Many smaller institutions would write this “risk” off as not applicable, yet most institutions likely have some threat exposure based on the various industries noted above. This is where contextual risk is a key component of operationalizing the priorities. If an institution has not reconciled, or perhaps not collected, the key contextual information of its customers, like an industry or a North American Industry Classification System (NAICS) code, then an institution will not be able to accurately and effectively assess the threat landscape regarding proliferation financing.
While industry codes are not the end-all solution for proper contextual risk, it is a vital component of any KYC program. It is surprising that KYC and customer identification programs would not classify an industry as just as important as a physical address. Without knowing the industry of the business, how can an analyst see the activity clearly?
Industry codes and NAICS have issues like not being updated to include cannabis businesses, the wide variety of financial technology companies or virtual currency companies, and some other nuanced booming industries. However, most automated monitoring systems will allow an institution to add an industry value and risk associated with that industry to accommodate for lax industry coding.
Contextual information about a customer (business or individual) is not only critical for a financial crime investigation but is also highly applicable when it comes to sanctions. Over the last several years, sanctions have become more nuanced, leaving the traditionally very linear restrictions in the dust. Now, there are requirements to cast a wide net that require full investigations on a customer to determine whether they or their activity is on the restricted sanctions list. Sanctions typically name the known individuals, businesses and activities that are restricted. There have been many updates and changes to sanctions, especially in recent months, that now require an FI to know—and have in a searchable format—certain contextual information about the customer. For example, Executive Order 14024,5 issued by President Biden in April 2021, addressed a broad restriction against Russian industries. This order explicitly restricts activity associated with the technology sector or the defense and related material sectors. Operationally, there are very few sanctions screening systems that will cross-reference an industry code of the customer (contextual data) and screen other key data points like the destination of the wire or the bank’s country. Institutions must rely on their critical contextual data, like the industry or NAICS code, to determine which of their clients may be in violation of the sanctions restriction and the institution could unknowingly be facilitating payments of a restricted industry for that client. Casting a wide net and only looking at all outgoing or incoming wires to/from Russia (address field of originator/beneficiary) could be an overwhelming amount of data to review. Having that critical context of the customer and cross-referencing that information with the country’s risk is one way to enhance efficiency.
The idea around contextual risk is not limited to just industry or NAICS information or political standing. Contextual risk can also be incorporated, for sophisticated monitoring systems, by integrating open-source information through application programming interface connections to large data consolidators like Google, Apple, etc. At a previous ACAMS conference, I shared an idea that would help provide contextual risk for more efficient and effective monitoring of private ATM owners. Using Google’s data regarding ATM locations, hours of activity (traffic) and average time spent at the location, they could build a contextual risk score for institutions to use when banking various businesses that may have a private ATM onsite. As data lakes grow and grow, expect contextual data points and usability to expand likewise.
For now, institutions should ensure that the minimum contextual risk information is collected and correct. And as technology improves, hopefully, contextual risk will take front-and-center importance in both regulatory requirements and third-party monitoring system priorities.
Sarah Beth Felix, CAMS, M.F.S., CEO and founder, Palmera Consulting, co-founder and chief AML officer, Acceleron Bank (in formation), firstname.lastname@example.org,
- “Assessing Compliance with BSA Regulatory Requirements,” Federal Financial Institutions Examination Council, https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/04
- “Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual),” Federal Financial Institutions Examination Council, 2014, p. 64.
- “Anti-money laundering and terrorist financing measures and Financial Inclusion,” Financial Action Task Force, June 2011, p. 7, https://www.fatf-gafi.org/media/fatf/content/images/AML%20CFT%20measures%20and%20financial%20inclusion.pdf
- “Anti-Money Laundering and Countering the Financing of Terrorism National Priorities,” Financial Crimes Enforcement Network, June 30, 2021, https://www.fincen.gov/sites/default/files/shared/AML_CFT%20Priorities%20(June%2030%2C%202021).pdf
- “Executive Order 14024 of April 15, 2021: Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation,” U.S. Department of the Treasury, April 19, 2021, https://home.treasury.gov/system/files/126/14024.pdf