
White Paper

Know Your Customer


By Mary Barrett PMP and Jim Nellis VP - Practice Manager
Introduction
Money laundering, fraud, terrorist financing, and other financial crimes continue to rise and are becoming more sophisticated. To facilitate the reduction of illegal activities being perpetrated against financial institutions, regulatory agencies operating under the provisions of the USA Patriot Act are providing a broader focus on Anti-Money Laundering (AML) activities. A large part of this focus is on activities related to Know Your Customer (KYC). KYC is a critical component of the regulations directed at reducing the incidents of money laundering, fraud, and terrorist financing.

Too often financial institutions are not aware of their vulnerability until an illegal activity is discovered, after the fact, and/or the regulators have imposed penalties for lack of compliance. Protecting your institution's assets, reputational credibility and integrity with the regulators is essential in this environment. Another important consideration is that the cost of remediation and satisfying a regulatory action, over and above any monetary penalties incurred, can far exceed the cost that would be incurred to proactively develop a strong Know Your Customer (KYC) program. The KYC program must satisfy regulatory requirements and effectively manage and mitigate the risk of non-compliance while still providing a quality customer experience.

Questions that should be asked to ensure that best practices are deployed within your organization include:
- Do you know what the regulators are looking for when they evaluate your program?
- Is your KYC program robust and rigorous enough to effectively mitigate the risks to your institution?
- What actions are being taken by your organization to make the changes needed to provide for an ongoing process that ensures compliance and reduces risk exposure?

A large Regional Bank recently said, "ADS provided flexibility in meeting our constantly evolving work/project requirements, had the experience for our project, produced excellent documentation and found creative ways to deal with problems encountered."

A sound KYC process depends on many factors, and it should be noted that there is no formula or one-size-fits-all solution that works for every institution. The regulations are often subject to interpretation. Risks vary based on the mix of the institution's customer base; the size and nature of businesses served; geographical location; the products and services offered; customer transaction activity; and finally, on your institution's appetite for risk. This article will address the actions that financial institutions should be taking, administrative issues, and the role of technology.

Activities that Financial Institutions Should be Taking


Financial institutions are facing many challenges in today's business environment from both market and regulatory fronts. With this understanding, it is even more critical that they make a greater effort to implement and adhere to the critical components of Know Your Customer activities, which are described below.

Customer Identification Program (CIP) - Simply put, verifying that customers and clients are who they say they are. According to provisions of the USA Patriot Act, all financial institutions must verify the identity of individuals wishing to conduct financial transactions with them. The law was implemented by regulations in 2003, which require financial institutions to develop a Customer Identification Program appropriate to the size and type of their business. The CIP must be incorporated into the financial institution's Bank Secrecy Act/AML compliance program, which is subject to approval by the financial institution's board of directors.

The CIP is intended to enable the bank to form a reasonable belief that it knows the true identity of each customer. The CIP must include new account opening procedures that specify the identifying information that will be obtained from each customer. It must also include reasonable and practical risk-based procedures for verifying the identity of each customer. Financial institutions should conduct a risk assessment of their customer base and product offerings, and in determining the risks, take into consideration:
- The types of accounts offered.
- The methods of opening accounts.
- The types of identifying information available.
- The institution's size, location, and customer base.

Customer Due Diligence (CDD) - Assessing the risks associated with a customer by predicting the types of transactions in which a customer is likely to engage. These procedures assist the institution in determining when transactions are potentially suspicious.

The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a high risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer's identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for high-risk customers and ongoing due diligence of the customer base. Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity.

CDD policies, procedures, and processes are critical to the bank because they can aid in:
- Detecting and reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk.
- Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
- Adhering to safe and sound banking practices.

In addition, CDD guidelines should include policies, procedures, and processes that address whether they:
- Are commensurate with the bank's BSA/AML risk profile, paying particular attention to high-risk customers.
- Contain a clear statement of management's overall expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer's risk rating or profile, as applicable.
- Ensure that the bank possesses sufficient customer information to implement an effective suspicious activity monitoring system.
- Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.
- Ensure the bank maintains current customer information.

Assessing customer risk is also an important component of CDD. Management should have a thorough understanding of the money laundering or terrorist financing risks of the bank's customer base. Under this approach, the bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer's occupation or business operations.

Much of the CDD information can be confirmed through an information-reporting agency, banking references (for larger accounts), correspondence and telephone conversations with the customer, and visits to the customer's place of business. Additional steps may include obtaining third-party references or researching public information (e.g., on the Internet or commercial databases). CDD processes should also include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).

Enhanced Due Diligence (EDD) - Due diligence or investigative actions beyond what is required by standard KYC customer due diligence procedures based on high-risk client profiles and/or activity.

Customers that pose high money laundering or terrorist financing risks present increased exposure to banks; due diligence policies, procedures, and processes should be enhanced as a result. Enhanced due diligence for high-risk customers is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the bank's reputation, compliance, and transaction risks. High-risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their relationship with the bank.

The bank may determine that a customer poses a high risk because of the customer's business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving high-risk jurisdictions. If so, the bank should consider obtaining, both at account opening and throughout the relationship, the following information on the customer:
- Purpose of the account.
- Source of funds and wealth.
- Beneficial owners of the accounts, if applicable.
- Customer's (or beneficial owner's) occupation or type of business.
- Financial statements.
- Banking references.
- Domicile (where the business is organized).
- Proximity of the customer's residence, place of employment, or place of business to the bank.
- Description of the customer's primary trade area and whether international transactions are expected to be routine.
- Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
- Explanations for changes in account activity.

As due diligence is an ongoing process, banks should take measures to ensure account profiles are current, and monitoring should be risk-based. Banks should also consider whether risk profiles should be adjusted or suspicious activity reported when the activity is inconsistent with the profile.

Administrative Issues
KYC also poses significant administrative challenges. While recordkeeping may appear to be a lesser concern, this is, in fact, an area where an institution can leave itself most vulnerable. Without adequate documentation, many of the KYC requirements cannot be met. Auditable proof of your institution's KYC activities is required, and the regulatory agencies are scrutinizing this area very closely. Written AML/KYC policies and procedures should clearly define and support the KYC process. They must continually be reviewed and brought up to date as changes to regulations and your institution's processes dictate. In addition, due diligence analysts and EDD investigators need to know how to properly interpret KYC data. Penalties for regulatory non-compliance are also on the rise, and the regulators are becoming more diligent in imposing these penalties.

There are different types of AML/KYC enforcement actions that regulatory agencies can issue. Informal actions are issued when an agency deems it necessary to obtain a written commitment from an institution that an AML/KYC compliance problem will be corrected. These actions are not made public. Formal actions are more severe and are disclosed to the public. They include:
- Written Agreements - These describe violations and prescribe corrective action. They are not enforceable in court; however, violations of these can provide the basis for Civil Money Penalties.
- Cease and Desist Orders - These describe violations and prescribe corrective action and are enforceable by the court. (More than 125 cease and desist orders have been issued relating to AML since 2000.)
- Civil Money Penalties - These have increased in frequency and value over the years. They can be levied against a bank, its directors, officers and affiliated parties and have even skyrocketed up to $40 million.

Role of Technology
Technology plays a significant role in addressing KYC issues, and a variety of technological services are available to support the process; however, there is a risk in relying too much on technology. Data must be analyzed and interpreted. The interpretation of data, and the subsequent investigation of the information provided, involve human intervention. This process usually becomes more manual as the level of due diligence increases. All high-risk entities require Enhanced Due Diligence (EDD) and closer monitoring on an ongoing basis. In order to manage this process and perform effective investigations, appropriate tools and processes are required involving the use of technology resources. The integration of data and information, profiling of clients and other intelligent uses of the available technology can reduce the number of cases requiring manual intervention. The specific needs and feasibility of monitoring requirements will be different according to the size of your institution. Ultimately the goal is to find a balance between mitigating the risk of doing business with someone using your institution as a vehicle for illegal activity, and overburdening your resources.

Conclusion
KYC activities should be risk-based and tiered on a regularly scheduled, continual basis, whether onboarding accounts or reviewing existing client relationships. While there are as many different approaches to ensuring regulatory compliance as there are banks, we have tried to identify the critical components necessary to establishing a comprehensive, efficient, and well-managed approach to your bank's KYC activities.

About ADS Financial Services Solutions


ADS Financial Services Solutions has been serving the critical business and technology needs of leading financial institutions nationwide for more than two decades with operational consulting, systems integration, and business alignment services. For three decades, ADS has delivered hundreds of complex projects for leading financial institutions nationwide, ranging from operational consulting and systems integration to business alignment services. Financial institutions turn to ADS for our industry insight and leading-edge technology experience. Our team is recognized by our clients for consistently delivering innovative, practical, and effective solutions, on time and within budget.

For more information about ADS Financial Services Solutions contact:
James Nellis
Vice President Practice Manager
Enterprise Fraud and Compliance
One Batterymarch Park
Quincy, MA 02169
330.518.5537
