AML compliance departments are being pressed to identify higher risk geographies within the United States. If a financial institution solely bases its domestic high-risk strategy around regions designated as High Intensity Drug Trafficking Areas (HIDTAs) or High Intensity Financial Crimes Areas (HIFCAs), they may be creating operational inefficiencies and missing true AML risk. This paper provides guidance on developing an effective domestic high-risk identification program.
Determining High-Risk Geographies
The geographic location of a customer or a customer's transaction is an important component of a financial institution's risk assessment, customer due diligence and suspicious activity detection program. The 2010 FFIEC BSA/AML Examination Manual repeatedly cites transactions involving foreign locales or foreign customers as higher risk with an expectation for increased awareness from the financial institution. However, it is not just foreign counterparties that draw regulator attention, but also, transactions, banking offices, and customers in domestic higher-risk geographic locations.
For financial institutions within the United States, addressing and having documented procedures on domestic geographic risk may not even be on radar screens. These institutions may be criticized by regulators because the examination manual specifically points out domestic geographies located within HIDTA or HIFCA as higher risk.1 This leads to regulators and auditors increasingly posing the question: "How are you handling customers located within a HIDTA or HIFAC?"
The immediate answer may be, "We'll look into that," which is then followed by a panicked effort by the compliance staff to quickly implement a stop gap procedure to address the question. A few examples of potential remedies are:
- Increasing the risk rating score for all customers within these geographies by a number of arbitrarily defined "points." Thus, they could more easily exceed a defined risk rating point threshold and be deemed "high-risk."
- Developing targeted transaction monitoring scenarios to generate "alerts" more easily for these customers.
While the newly developed plans demonstrate the financial institution has responded, the operational implications can be burdensome and ineffective. Compliance staff is now spending their time researching and reviewing more customers than before, but realizing limited return. Often a "knee jerk" reaction to a regulatory question can lead to operational inefficiencies.
HIDTA and BSA/AML Risk
The question becomes: "How do we demonstrate we have evaluated domestic risk appropriately and deploy the appropriate risk mitigation?" To start, let's first examine the HIDTA designation and consider how it impacts BSA/AML risk. Per the White House's Office of National Drug Control Policy: "The High Intensity Drug Trafficking Areas (HIDTA) program, created by Congress with the Anti-Drug Abuse Act of 1988, provides assistance to federal, state, local and tribal law enforcement agencies operating in areas determined to be critical drug-trafficking regions of the United States."2
Intuitively, if an area is a "critical drug-trafficking region" it would seem there would be a higher likelihood of criminals attempting to deposit drug trafficking proceeds into financial institutions. However, the criteria and manner in which a domestic area is designated a HIDTA results in an inconsistent determination of geographic risk and ultimately, may not assist the financial institution in identifying and reporting suspicious activity.
This is not an attempt to be deliberately provocative or belittle the efforts of law enforcement agencies as they combat drug trafficking. If a financial institution were to use the HIDTA designation as an indicator of increased BSA/AML risk, a customer in Pickett, Tennessee (population 4,783)3 would be considered higher risk than an identical customer in a major metropolitan area like Minneapolis, Minnesota, or Pittsburgh, Pennsylvania.
How can this apparent inequity in risk classification exist? Simply put: the HIDTA designation is not based strictly on empirical criteria such as county population, aggregate drug arrest rates or drug arrests per capita, but rather, local law enforcement agencies petition for HIDTA status and, if accepted, receive additional federal resources.
Using the latest complete census population statistics available (2009), there are 41 counties within the United States with a population greater than one million.4 All but two of these counties (Hennepin, Minnesota, and Allegheny, Pennsylvania, being the exceptions) have the HIDTA designation. In fact, 60 percent of the entire U.S. population is within a HIDTA.5 For financial institutions located within metropolitan areas or across multiple states, there is a high likelihood that the majority of their customers may be in a HIDTA.
The aggregate drug arrest by state would seem to provide a useful benchmark for the pervasiveness of drugs and law enforcement response. Forty-six states within the U.S. have at least one HIDTA designated county.6 However, the four states without any (Idaho, Alaska, Minnesota and Delaware) HIDTA counties do not have the four lowest drug arrest rates. Using the FBI's 2009 Drug Arrest Rate Rankings, Delaware is ranked 11th highest in drug arrest rates, and Idaho (ranked 37th) has a higher drug arrest rate than Colorado, where 88 percent of the state population is within a HIDTA.7
Applying the HIDTA designation as an increased AML/BSA risk becomes even murkier when comparing counties' drug arrests within a state. Taking Virginia as an example, five of the top six most populous counties are HIDTAs, yet none of those are in the "top ten" counties by drug arrest rate within Virginia.8 Fairfax County, the largest county in the state with more than one million residents and a HIDTA, has one of the lowest drug arrests per capita within the state. Conversely, the five counties in Virginia with the highest drug arrest rates are not HIDTAs.
HIFCA and BSA/AML Risk
While there are fewer U.S. counties classified as a HIFCA, there are similar challenges when financial institutions consider applying additional risk weight to those customers. Currently, there are seven regional HIFCAs covering the United States and Puerto Rico. These HIFCAs have jurisdiction over specific geographies in California, the southwest border (Texas and Arizona), Chicago, New York (including New Jersey), Puerto Rico, and South Florida. HIFCAs were created in the 1999 National Money Laundering Strategy as a means of "concentrating law enforcement efforts at the federal, state and local levels in high intensity money laundering zones."9
This program description seems to provide a potentially helpful domestic geographic risk indicator for BSA violations to U.S. financial institutions. However, just because a county is located within the jurisdiction of a HIFCA should not automatically make those residents higher risk than a resident in a non-HIFCA. The HIFCA jurisdictions are regionally established and logistically it was less complicated to include a larger swath of land surrounding the target areas. For example, all counties in New York and New Jersey are included in the New York HIFCA. Since New Jersey has 21 counties and New York has 62, including all of them in the New York HIFCA's territory is easier than evaluating each individually and excluding those counties without high money laundering risk.
Impact and Challenges
A financial institution may find that the majority of their customer base is within a domestic "high-risk" location if they use the HIDTA and HIFCA designations. As the below chart displays, almost two thirds of the U.S. population (per 2009 census data) resides in either a HIFCA, HIDTA, or both:
|% of Total Population
|Both HIDTA and HIFCA
Financial institutions will struggle with getting meaningful benefit from increasing the risk "weight" from these classifications because the majority of their customers could be higher risk. How would a bank in Hawaii use the HIDTA designation to increase a customer's risk score when 99.99 percent of Hawaii's population is within a HIDTA? If everybody is "high-risk," then the distinction loses any value. Conversely, a bank in Minneapolis would not have to account for domestic high-risk because none of the five million residents in Minnesota are either in a HIDTA or HIFCA.
|Branch & Location
|# of Customers
|% of Customers
|# of SARs
|% of SARs
|SAR to Customer Ratio
For a multi-state bank, one strategy may be to develop a multiple criteria "risk" grid using HIDTA, HIFCA, and, perhaps, FinCEN data. Consider some of the key statistics for California which may be germane to BSA/AML: 90 percent of residents are in a HIDTA, 66 percent are in a HIFCA, FinCEN's latest SAR by the Numbers report (volume 16)10 shows that, for the last ten years, 21 percent of all SARs are from California, yet only 12 percent of the United States population lives there. All of the macro indicators of domestic BSA/AML risk would point to California being very high. This probably is not new information to any compliance professional with locations in California, but the difficulty is leveraging this knowledge into actionable risk awareness and ultimately, risk mitigation.
As this has shown, using solely the HIFCA and HIDTA designations can be overly inclusive and ultimately, may be ineffective in pinpointing domestic risk. What then, are some meaningful geographic, demographic, or transactional data points that can help financial institutions determine if certain customers receive additional attention because of where they live or where they conduct their transactions?
Using Other Data to Classify Risk
Financial institutions can analyze key management information reports and internal statistics to best locate existing domestic "hot points," as well as emerging trends. Since SAR filings are the end result of identified BSA/AML risk, they would be the source of the best risk indicators and should be heavily scrutinized. After SARs, there are transactional and demographic analytics which will shed light on other areas of focus.
A good starting point is to examine your institution's overall SAR filings (select a time frame with an adequate population size) and separate them by state, county, zip code and branch. This will identify branches with a disproportionate ratio of SARs to customers. To put some of the SAR filings into perspective, it may be helpful to plot the entire population of customers coded to each branch. The table on the left provides a simplified chart of customers by branch and SAR filings.
A "macro" view of this sample financial institution shows branches with a disproportionately higher SAR filing rate (as compared to the average) and customers from these specific branches may have higher domestic risk. Branch #4 has 8 percent of the customers, but 15 percent of the SAR filings.
If your management information reports further stratify SAR filings beyond the standard "characterization of suspicious activity" boxes on the SAR (e.g., the case category capturing the specific transaction type reported), those subcategories should be populated with summary statistics. Continuing with statistics from the above example, a further breakout by branch is shown in the table below.
This view of SARs by location and case category shows transactional types which are prevalent in SAR filings. From this data FIU management can identify areas with deviations from the overall bank average. In the above example, Branch #4 has a lower percentage of SARs from branch personnel referrals, which may indicate they may need more training on identifying unusual customer activity. In that same branch, a high percentage of SARs result from cash transactions. The financial institution might consider increasing the scrutiny or risk rating of customers from this branch who conduct certain types of cash transactions. SARs can be further analyzed to see if they are from a common customer type (occupation/industry, demographic, product type) and then, the FIU leverages these findings to develop the necessary risk mitigation. For instance, the FIU develops a targeted report identifying cash behavior by NRAs at specific branches or regions.
A good starting point is to examine your institution's overall SAR filings and separate them by state, county, zip code and branch
Financial institutions that do not file many SARs, should evaluate key variables within transaction monitoring alerts to identify potential correlations between domestic geography and unusual activity. Alerts will provide a broader population size to analyze and establish a statistically sound justification for increasing risk awareness on certain geographies. One analytical exercise to consider is comparing the alert disposition (i.e., "cleared" or "escalated") for customers residing in a HIDTA/HIFCA with those who do not. For example, if 60 percent of your customers reside in a HIDTA and their alerts have the same "escalation" percentage as the 40 percent non-HIDTA customers, then that is supporting evidence that, for your customer base, the HIDTA distinction is not an empirical measure of additional BSA/AML risk.
Identifying domestic risk based off anecdotal information or broad designations will provide limited utility for a financial institution looking to implement an operationally efficient BSA/AML risk management program. The HIFCA and HIDTA initiatives are instrumental in law enforcement's efforts to curb drug trafficking and should not be ignored when determining domestic risk. For instance, if a bank is planning an acquisition within a completely new state, there should be an understanding of the "macro" potential risk they may be inheriting. However, institutions looking for "actionable" and precise indicators of domestic risk are best served by leveraging data from the ultimate indicator of BSA/AML risk: their own SARs.
|# of SARs
|# of SARs
|# of SARs
|# of SARs