Periodic reviews (PRs) form an integral part of an organization’s anti-financial crime (AFC) controls. Ultimately, the object of the PR is to assess whether the organization should continue its relationship with the customer. Information obtained during client onboarding and account opening may not be current. Therefore, learning about making effective PRs is only one step in strengthening an organization’s AFC defense. This article will discuss effective PRs and will take a closer look at the design and management of PRs in your organization.
The following are key considerations to understand PRs and when these should be performed.
What Are Periodic Reviews?
- PRs are usually undertaken for existing client relationships and are a part of ongoing AFC monitoring of the customer following onboarding.
- PRs are different from event trigger reviews (ETRs) or driven reviews, as they follow a set cycle based on the customer’s risk. For example, PRs are performed annually for high-risk customers, every 24 months for medium-risk customers and every 36 months for low or standard-risk customers. In some organizations or lines of business, there is no PR for lower-risk customers; instead, reviews are undertaken whenever there is a trigger event (e.g., a change in the customer’s occupation).
- PRs are usually undertaken by the business and approved by business management, but compliance’s input may be required for higher risk relationships or when material risk is identified.
- PRs ensure clients’ profiles are kept up to date. During PRs, organizations are required to update the customer’s information and check if the customer’s risk profile needs to be reviewed.
The following are best practices to consider when undertaking effective PRs.
Best Practices for Effective PRs
- Clarify the organization’s AFC policy on the objective of PRs to update the customer’s information—customer due diligence (CDD)—and assess if the customer’s risk profile should change ratings.
- The AFC policy and procedures should set out the risk-based assessment explaining why certain categories of customers will be subject to one-, two- or three-year review cycles and why certain customers will be subject to compensating controls instead of PRs.
- Ensure that sufficient resources are allocated and prioritized for the timely completion of PRs.
- Relationship managers (RMs) or customer-facing staff performing PRs, namely the front office, must document their assessment of new or incremental risks relating to their customers and determine whether their customer’s current risk rating should be revised.
- Design a transactional review dashboard to review significant transactions or patterns during the lookback period of the PR. The front office’s dashboard review should form a part of the questions and assessment in the PR checklist.
- Track PRs to completion and promptly escalate to senior management or AFC risk committees when there is a backlog of overdue PRs, explaining the impact on the organization’s “know your customer” requirements and their risk.
- Independently test that new or incremental risks have been checked, where applicable. In addition, verify that the customer’s risk rating has been revised and their CDD profile has been updated on the CDD system.
The PR Checklist and Beyond
Most organizations have a PR checklist, which the RM or customer-facing staff go through with the customer as part of the PR. Once all items are checked, the PR is done until the next cycle.
The checklist can be used, but it must be completed to ensure all bases are covered during the PR. It cannot just be an update of the customer’s CDD data. There should also be questions for the front office to consider as part of the customer risk assessment during the PR. For example, when considering high-risk customers, is the government-issued ID on file still valid?
Many regulators expect regulated entities to request and receive copies of new government-issued ID when the documents submitted by the client during the onboarding process have since expired. Therefore, the checklist should note if the ID on file expired. If it has, during the PR, the front office should request a new ID (e.g., a copy of the most recent passport for individual customers and the certificate of incumbency for entity customers). A question that the front office should consider as part of the customer risk assessment during the PR for commercial banking/business banking customers is whether the customer has diversified or expanded their business activities or operations.
The transaction review questions in the following section should assist in this conversation. The front office’s conversation should give them an understanding of spikes and patterns in the customer’s account activity and whether this is still in line with the customer’s anticipated activity and risk profile. In the case of customers who are operating companies, the front office should also question whether the inflows and outflows are in line with the customer’s scale of business and profitability. The front office should verify if there are new or incremental risks since onboarding or since the last PR.
Transaction Review Questions
- Has the customer diversified its business, entered new markets or launched new products and services?
- Are there material changes to the ownership and control of the customer’s corporate structure?
- Has the customer acquired significant new end-customers, suppliers, agents or distributors?
The organization may discover a new sanctions nexus during the PR conversation. They may also discover a nexus with third parties involved in the supply chain of illicit wildlife trade or modern slavery (e.g., indentured or child labor). These nexuses should be escalated to AFC compliance and AFC risk committees, as they may be assessed against the organization’s risk appetite or risk tolerance.
During the periodic review of an individual, it is important to consider whether the customer is a politically exposed person (PEP). While regulated entities rely on third-party vendor databases, the information on a PEP may not be up to date or complete. As the front office has a relationship with the customer and talks to the beneficial owners (BOs) and connected parties, the RM should be the person to ask questions about the customer or the BO’s political ambitions and/or new public office role. As the definition of a PEP is not just the primary PEP position, the RM’s checks should extend beyond the customer and the BO to their immediate family members, business partners and other associates—especially for non-resident customers and account holders since it might be difficult to know what is happening in their countries.
If the primary PEP has stepped down from public office or no longer exerts political influence, the organization may wish to assess if the customer should still be subject to enhanced due diligence.
Offshores and Complex Corporate Structures
During the periodic review of customers with offshores or complex corporate structures, it is important to ask if there has been any change in the case of known nominee relationships.
At times, the organization may accept a nominee relationship because there is an economic rationale on why the true BO (namely, the person for whom the nominee is holding the relationship with the organization) does not want to be identified as the owner and controller of the account. During onboarding, the rationale is documented and the true BO is identified, verified and recorded in the organization’s CDD records.
During a PR, the front office should clarify with the customer if the nominee relationship is to continue and if there are any changes in the relationship. For example, has there been a change in the true BO, the source of funds or the purpose of the account with the organization? Such relationships pose a risk to the organization and should be regularly assessed by senior management or the AFC risk committee to determine whether or not to continue with nominee relationships.
During client onboarding, questions should be designed to assess whether the customer is establishing a business relationship or opening an account to evade tax reporting or commit other tax crimes. Similar questions should be included in the PR checklist to regularly re-assess the risk, if any. An additional question for customers with offshores or complex corporate structures is related to tax risk: Are there any tax risk indicators?
For this purpose, tax risk red flags should be included as questions for the front office to assess, such as the ones listed below.
- Are offshore revenues received?
- Is the customer investing in the organization’s products or just “parking” funds offshore with the organization?
- Has the customer or its BOs participated in, or does it intend to participate in its home country’s tax amnesty or voluntary disclosure program?
- Is there any adverse news in open sources that the customer, BO or related parties are involved with any civil or criminal proceedings relating to tax matters?
- Are there new or incremental risks? If yes, should the customer risk rating be updated? In case of material risk, should the client relationship be retained?
Risk Profile and Rating
The risk profile and rating may not reflect the current risks posed by the customer. Employees should take notes from the front office’s regular meetings with their customers to discuss portfolio management. As part of the investment suitability framework, the front office asks several questions about the customer’s current risk appetite (conservative vs. risk taker) and investment objectives. The front office then assesses whether the customer’s investment risk profile and investment strategy should be revised.
Likewise, the PR checklist must drive the front office to make the following risk assessment and recommendation: is there a risk, and how should the organization manage this risk? The RM or customer-facing staff sign off on their assessment and recommendation. Their line manager reviews, challenges and decides if they support the recommendation.
In the case of material risk, the documented PR checklist should be escalated to AFC compliance. They will decide if the matter should be tabled at the organization’s AFC risk committee to discuss if the risk is within the organization’s risk appetite or risk tolerance. If yes, the risk is accepted and documented. If not, the client relationship should terminate.
The Transaction Review During a Periodic Review
Transaction monitoring (TM) is risk-based, and it operates on the generation of alerts from a suite of rule-based detection scenarios. Transactions triggering the set parameters and thresholds will then be reviewed for risk relevance. However, several transactions do not generate an alert and are not subject to any inquiry.
For higher-risk relationships, banks should design and develop a transaction review dashboard for PRs. This dashboard supplements TM and should be made available to the front office when undertaking PRs for private banking customers, higher-risk offshore financial institutions with correspondent bank accounts, payment service providers and designated non-financial businesses and professions.
The dashboard should include the data points below, as applicable to the customer type.
- The value and volume of transactions exceed the documented anticipated account activity for the customer. This could be a month-to-month analysis.
- The total inflows during the PR lookback period exceed the customer’s given net worth (individuals) or profitability (entities).
- There is a significant increase in total inflows during the PR lookback period (e.g., 20% or 25% increase from the last lookback period).
- There is a pattern of large cash deposits and large cash withdrawals during the PR lookback period.
- There is a pattern of third-party inflows and outflows that is not in line with commercial banking customers, or that is noninvestment related for private banking customers.
- Staff should note transactions where a TM alert has already been generated. The front office can note that these would have been reviewed as part of TM and seek TM’s input on the outcome of their review.
When reviewing the dashboard, the front office may have the information to explain a particular spike or pattern in the account activity. If they do not have the information, they should discuss it with their customer and obtain the necessary explanation and supporting documents. The outcome of the transaction review, the follow-up questions and the assessment should be included in the PR checklist discussed above.
Organizations must ensure that the front office has a comprehensive checklist to identify the customer’s new or incremental risk. Nevertheless, PRs must go beyond the checklist and assess whether the customer’s risk rating should be revised and whether the relationship should be retained.
Effective PRs result in better AFC risk management as the organization will have up-to-date client CDD and risk profiles. The organization will also be able to make better-informed decisions on continuing business relationships with its customers.
Rosalind Lazar, CAMS, director of licensing, Binance.com, firstname.lastname@example.org