Do all of the requirements across global and local authorities make your head spin? They certainly have accumulated over the past 10 years. This year alone, the activity level has been high among global policy-making bodies working through new guidance and pending rules. With the recent Financial Action Task Force (FATF) revised recommendations in February, customer due diligence (CDD) has been given a spiffy new suit of clothes via clarified rules.
The identification of beneficial owners and formal listing of high-risk jurisdictions were named as key issues by the FATF in February this year when it updated its recommendations, prompting discussion and preparation for change. Electronic identity verification (eIDV) and watch list filtering for faceless interactions are more relevant than ever. How and where you implement these tools across teams and business lines—not only before, but after account opening or initial financial product purchase—will now be under a higher strength microscope than has been experienced in prior years. Watch for clearer expectations for more CDD throughout your organization and harsher consequences if you fall short. Some institutions are already feeling the heat through more detailed audits, harsher penalties and consent orders to which they must respond.
Requirements for Strengthened CDD are Spreading Across the Globe
Verifying that a new customer is who they say they are when they phone your sales offices or log into your web site to access services or an account is not easy, as we all know. It becomes even more complex when you must also verify the hidden owners, or beneficial owners, who are not readily apparent in the information you collect during the client application process and on an ongoing basis during the life of the account or financial product ownership.
Constantly evolving financial crimes are compounding the scope of risk management and increasing the need for strengthened CDD and refreshed identity verification (IDV) frameworks and rules. This is a trend with countries as well, which are looking toward a higher degree of CDD and a tightening of IDV rules, the latest being New Zealand. Advancing risks of corruption and bribery, high-risk jurisdictions and adherence to tightened Office of Foreign Assets Control (OFAC) sanctions programs are a few of the sizzling hot topics in the regulatory landscape. It is important to note that, although employee-related fraud is ever present in all industries worldwide, this article focuses on the customer-centric risks highlighted by authorities that are impacting financial institutions covered by the global anti-money laundering (AML) regulations.
These risks are not new, but the FATF and governments around the world are highlighting new and growing risk elements within them. As a result, a trend of refined IDV and CDD requirements is emerging in pending rules across the globe. Organisations are now under greater pressure to identify their customers more precisely and examine their activity. For example, New Zealand has recently included prescriptive eIDV rules as a key element of its new guidance.1 Watch for this best practice to become a global trendsetter. Regulators and other overseeing authorities worldwide are looking at how programs, and the tools or capabilities within them, are actually functioning and whether they successfully mitigate the vulnerabilities identified in the risk analysis. Many examiners and auditors are now closely reviewing the way a financial institution's eIDV programs and procedures monitor customer activity throughout the account's life cycle.
What does this mean for your business? The example in New Zealand shows us that applying more logic and practicality to your verification rules and program will not only meet compliance and prevent risk, but it can save time and money. Simplifying steps while maintaining integrity and quality of the risk management makes sense to your bottom line and requirements. The New Zealand rules simplify the steps to point to a single source of identity data in their rule framework while maintaining security in the verification process, and so can you. Talk with your regulator on how to abide by your regional rules while employing best practices like these.
Flexibility and extra time to conquer the learning curve with AML are over. Following FATF's revised and renewed guidelines, authorities affirm continuing mistakes of a basic nature to be inexcusable and consequences are increasing in severity.
Reinforcing this concern around the globe are consent orders issued by regulators over the last two years. Still present is a volume of basic deficiencies in core AML program components. For example, failures to adequately identify the actual customer (including all beneficial owners) and to appropriately monitor activity are still commonly found violations.2
Definition of Enterprise-wide Client Risk: The risk represented across the organisation in a wide variety of detailed information relating to the customer's account — from account opening throughout the account life cycle. This is assessed from a single view of the customer profile, incorporating all of the various financial relationships with which the account has an affiliation.
Even in the busy work place you should try harder to stay in touch with FATF guidance. Its direction influences policy across the world, after all. The latest revisions are clearly making waves. Keeping up to date on the reports by this source, as well as those by your local authority, will help you tighten your CDD program to meet new requirements, prevent common mistakes and avoid costly violations.3
Leveraging Existing Tools to Aid an Enterprise-Wide Client-Centric Risk Profile
Not identifying all beneficial owners of an account or financial product indicates you don't understand with whom you are doing business. As a result, your regulator will view your opportunity to accurately recognize where your risks lie across your organisation as dangerously diminished.
As pending rules around the world are finalized, regulators will be examining institutions in detail for how IDV occurs at service entry and, on an ongoing basis, at all access points in the institution used by customers and hidden owners after initial account opening. Examiners will review how well you identify risk in customer activity as funds and account activity move across your various business lines and service delivery methods.
Key will be identifying all owners with access to and control of the account. Also critical will be your expectations of the transactional behavior, whether you are assessing it on an ongoing basis and whether you have controls in place if suspicious activity occurs. The review will inevitably include the controls in place for IDV/eIDV, the watch lists selected to screen customers and beneficial owners, as well as those used to flag high-risk jurisdictions. A deeper drill down on CDD is fully expected. There is good news, however. Meeting the refined requirements need not be so daunting. New guidance has cleared murky waters.
You can leverage existing tools across the high-risk areas of the organisation and meet the new requirements by revisiting your Risk Assessment (RA) with an internal team. Include your regulatory authority in the self-imposed review or invite their input ahead of any formally scheduled exam. Look for all places across the flow of funds where beneficial owners may be acting behind a nominal owner. Identify business lines or units where the most resources, tools and attention are needed, and where the highest risk transactions occur. Apply an enterprise-wide client risk approach to your process.
Get familiar with and apply the new FATF recommendations. Include in your review where new co-owners or beneficiaries are likely to enter again after customer relationships are initially formed. Review the tools and teams in place to ensure they support procedures and controls. Again, invite regulator feedback outside of an exam when you review your program and procedures for the fit with the new and revised CDD rules.
Recommended Risk Lists
Compliance challenges involving some of the hot topics around the globe mentioned above are most efficiently met with watch lists suited to your business, to your level and type of risk, and to your formal requirements. There is an abundance of watch lists in the world for a variety of risks and due diligence needs. Just as your risk depends on your type of business, the kinds of customer target groups you serve, where you are located and so on, the watch lists you choose depend on these factors as well. Generally, you will find that authorities will recommend a subset of watch lists for each institution, based on its size, location, target area and other factors that affect its risk. Ask for your regulator's opinion on how to tailor a fit for your risk-based need and for your institution in general. If you are accountable to prescriptive rules in your compliance requirements, your regulator will have advice on lists to fit both your requirements and risk combined.
Watch lists can be very basically divided into two types for ease of understanding: core watch lists (required) and watch lists for enhanced due diligence (EDD). What is a core watch list for one institution may be an optional EDD list for another. There are different types of watch list categories for entities (businesses, individuals, vessels, organisations, and location-specific sanctions programs) that are deemed high risk in a variety of regards.
Core watch lists are most often government sourced, and individual countries may require one specific to the country that is often derived from the United Nations Consolidated List (UN Resolution 1267, 1617 etc.). Examples include the OFAC, Australian Department of Foreign Affairs and Trade (DFAT), and European Union Consolidated List.
EDD watch lists are not universally required and may be industry-based or risk-based. These include non-government watch lists, such as the one for the World Bank Ineligible Firms list; the Bureau of Industry and Securities List for export administration compliance; and the Organization for Economic Co-operation and Development (OECD) Uncooperative Tax Havens List.
Your IDV/eIDV and watch list programs, as part of your larger controls and procedures with CDD, can contribute to a significantly improved bottom line through reductions in identity theft, fraud losses, reputation damage and more. If leveraged successfully, existing tools and teams can be realigned and disseminated across the organisation to not only strengthen CDD, but also improve the customer experience and increase revenues. Take a moment below to see how your CDD efforts measure up today to the revised FATF and related guidance for your location.
How do you rate?
In a minute or less see how amenable your organisation is toward a customer-centric approach right now. The steps below are one example of guidance interpretation. You can amend these to suit your interpretation and have your regulator review and comment. Use this example to see how you rate and how much work you may have left to do to meet the new pending rules.
Don't Get Burned by Being Caught with Holes in Your Understanding and Your Compliance Program
If you answered "yes" to three or more of these, your organisation may be adaptable to a customer-focused risk model but you still have work to do. If you answered "no" to any one of these, the number of deficiencies found in your federal review will increase along with the amount of remediation required. If you answered "no" to any two or more of these, your chances of violations are high.
CDD is an evolving process as your business and markets change. It is time to open up the official reports and rules and get familiar again . . . and do so regularly. The world is witnessing evolving criminal activity. The tools criminals use to commit crime are continually developing too: informal value transfer systems, mobile phone access, expanding realms of the Internet and more. All of these evolutionary changes provide growing opportunities for criminals to hide their identity.
Summary of Advice Regarding New & Pending Rules
- Pay attention to the policy formation, enforcement actions and reports. Keep up-to-date on pending and final rules.
- Take CDD to deeper levels and identify all account owners and beneficiaries.
- Conduct IDV, eIDV and watch list screening throughout the life cycle of transaction
The revised FATF recommendations offer extremely helpful guidance toward addressing these challenges to eIDV in particular. The more targeted risk-based approach in "following the money" will no doubt be challenging; there is no way around that. However, the savings to your organisation and protection of national security will speak for themselves in the long and short run.
Keep your hands out of the flames and review your risk and your requirements on a regular and scheduled basis.
- Identity Code of Practice 2011, New Zealand,
- The United Kingdom's banking regulator penalized a Zurich-based financial institution in May this year along with its former anti-money laundering officer a combined 540,000 pounds for broad failures in risk-ranking and enhanced due diligence procedures. (Moneylaundering.com, May 22, 2012,
- Go to FATF's recommendations page (http://www.fatf-gafi.org/topics/fatfrecommendations/documents/fatfrecommendations2012.html).