The thrust of any anti-money laundering (AML) program is to avoid relationships and transactions with the "bad guys" – the criminals, sanctioned parties, fraud perpetrators and others whose activity, as recognized, comprise reportable events, reputational risk and may even invite various kinds of enforcement actions or litigation against a financial institution (FI). When a FI learns of negative news about a prospective client, the on-boarding process needs to gather information, reflect the governance of the risk decision, and document why and with what limitations the on-boarding process proceeds. This concept is important, especially considering that with the financial crisis slowly drifting past the U.S., the regulatory focus appears to be shifting back on to FIs' AML compliance abilities, including those around Know Your Customer (KYC). ¹ This article discusses leading practices FIs should consider when dealing with those customers who have adverse information within the public media.

While regulations stipulate certain types of customers with whom FIs should have limited-to-no dealings, e.g., specially designated nationals (SDNs), shell banks, politically exposed persons (PEPs)², customer due diligence (CDD) may identify other adverse information affecting the reputation of a customer that falls outside regulatory stipulations, but that a FI may want to know before establishing a new relationship or continuing one with an existing customer (e.g., customer who is linked with a financial crime such as fraud or tax evasion). While it is an accepted practice to factor in the client's overall reputation,³ the more difficult question is: once adverse or potentially adverse information is found, how should we deal with such information?

The risk tolerance for these types of customers may vary among FIs, however all FIs should have a clear and defensible basis for the decision to either reject or accept a customer with adverse information in the public media, so that they can demonstrate a transparent, consistent approach to customer risk mitigation. There are some critical components to this decisioning: assessing the credibility of the information, establishing consistent criteria to identify the false versus truly positive hits, maintaining an escalation process for decisioning the truly positive hits, and the incorporation of due diligence results into customer risk profiles for the on-going monitoring of those accounts the FI has opened.

A wide array of media research databases and online sources are available to assist in conducting due diligence during the on-boarding process and/or on-going investigations. These range from subscribed research services to information held in the public domain. While giving greater access to information, these sources can result in a large volume of potential hits on a customer, creating a burdensome review process. Limiting research to a list of credible sources and/or having clear guidance on the sources that may have greater weight when assessing information will assist to refine the volume of hits and enhance the reliability of potential matches. It can also reduce the manual effort and, therefore, potential costs associated with assessing the information.

The CDD process should be supported by having criteria to determine false-positive versus truly positive matches, and procedures to implement that criteria, including guidance on when enhanced due diligence (EDD) is required, the type of additional information that is warranted, and when additional information or clarification should be obtained from the potential customer. The relationship manager or branch manager can play a valuable role in this process, not only to obtain salient information, but to manage the interaction and help minimize any perception of an unjustified inquiry. The guidance should be in the form of written procedures that should be detailed and regularly refreshed so that they facilitate effective and efficient decision-making and consistency of decisions across the organization.

Where additional research confirms that the adverse information relates to the potential customer, it is important that a well-defined and documented escalation process that enables the case to be raised to the Compliance department and senior management is in place. While senior management usually has the ultimate authority on this decision, Compliance may present the facts around the adverse information and advise on the reputational or regulatory risk posed by the customer based on the information found. No matter the decision, a documented audit trail and related supporting material to understand the rationale behind the decision should be maintained.

Depending on the nature of the identified negative information and how it relates to the customer, the existence of adverse information may not prevent the on-boarding of a customer. For example, a global publicly traded firm may own a distant subsidiary that was previously hit with AML enforcement actions. This information should be reflected within the customer's overall risk assessment which in turn should feed into the on-going monitoring process so that the level of monitoring and frequency of periodic reviews of the customer reflects the level of risk it has been assigned based on the information gathered. Increasingly, regulators are assessing the extent to which FIs utilize the information gathered during the customer on-boarding process in the customer risk rating and the on-going monitoring process, with the expectation that FIs will subject their higher risk clients to increased monitoring and periodic reviews of information⁴.

Additionally, the information gathered during the on-boarding process can serve a valuable role when performing a review on a customer's transaction. The analysis of an automated transaction alert by itself may not yield much by way of determining whether the transaction is suspicious or not. However, when analyzed in tandem with the information identified about a customer during on-boarding or periodic reviews, the outcome of the review may differ significantly. With regulatory focus re-aiming itself at FIs' AML/KYC efforts, the role that on-boarding controls play in identifying and properly managing all AML risks associated with their clientele, including adverse information found in the public media, will be of even greater importance.

There are three crucial questions a FI should ask itself when considering whether to accept customers with adverse information found in the public media. First, did we obtain sufficient information and consult with the right personnel to arrive at our decision? Second, did we document our decision in such a way as to leave a clear audit trail showing the rationale behind our decision? Third, are we confident that our on-going monitoring and controls over a customer with adverse information will enable us to detect suspicious activity should it occur? While there is no guarantee that a regulator will arrive at the same conclusion as the FI when answering these questions, it is clear that the existence of a well-structured and documented process that encompasses the factors described above can help to safeguard an FI from exposure to illicit activity, regulatory criticism and potential damage to its reputation.

Rachel Sloan is a Principal and John Dubois is a Senior Associate in the Anti-Money Laundering group of Deloitte.

As used in this document, "Deloitte" means Deloitte Financial Advisory Services, LLP a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

1. "Regulators Gearing up for New Bank Secrecy Push." R. Witkowski. American Banker (Vol. 177, No. 73). 17 April 2012
2. USA PATRIOT Act, Section 311
3. "Banks' management of high money-laundering risk situations – How banks deal with high-risk customers (including politically exposed persons), correspondent banking relationships, and wire transfers." Financial Services Authority (FSA). June 2011, Pg. 21.
4. "Number of AML Fines Rose in 2011, With Regulators Focused on Risk Models, Individuals," C.Adams & B.Monroe. ACAMS/MONEYLAUNDERING.COM, 27 March 2012.