Humans have a remarkable ability to get used to things. For example, on a trip to Yellowstone National Park several years ago, I saw a group of people excitedly pointing to something off in the distance. They had cameras out and were acting as if they were seeing Sasquatch. However, when I got close enough to see what they saw, I realized it was only a few mule deer. The people admiring the deer, it turned out, were from a large urban city outside of the United States, and had never seen mule deer before. What was commonplace to me, as a local of this area, was extraordinary to them.
This ability to adapt and grow accustomed to things and situations can be both a good thing and a bad thing. When we become too used to something, it’s easy to pay less and less attention to it and start just going through the motions. With Bank Secrecy Act compliance, it is all too easy to simply go through the motions, especially when it comes to collecting information about potential new accounts. It’s tempting to become careless in collecting information due to the repetitive nature of the process unless we keep the end purpose in mind: catching suspicious activity. Because of this, it’s a good idea for compliance personnel to take a step back every now and then to make sure BSA compliance isn’t just a part of the daily routine.
It can help to start off with a brief history lesson. Although the concept of Know Your Customer was introduced with the Bank Secrecy Act in 1970, it has been enhanced and amended by the implementation of other acts. One such act was the USA PATRIOT Act of 2001, which came on the heels of the terrorist attacks of 9/11. Those events made plain the correlation between money laundering and terrorism, and the USA PATRIOT Act was introduced to help combat this by increasing the requirements of due diligence of new and even existing customers/members at financial institutions. In short, the Know Your Customer requirements have made financial institutions responsible for learning, at least to a certain degree, with whom they’re doing business.
All financial institutions are required to have Know Your Customer policies and procedures, including the following four items. Although these elements necessitate more work put into collecting information at account opening, they can make the end goal of Know Your Customer (monitoring for suspicious activity) much easier.
1. Customer/Member Identification Program
This program should outline the policies and procedures associated with verifying the identity of a customer or member. This can include documentary methods (such as a government-issued picture ID) or non-documentary methods (such as information from a consumer reporting agency) or both. At a minimum, financial institutions must obtain the name, address, date of birth, and identification number of the new or returning customer or member. Your CIP or MIP should also include procedures for situations where the institution cannot verify the identity of a customer or where the customer appears on a federal government list of suspected or known terrorists or terrorist organizations. It should also note how the institution notifies customers that information will be requested to verify their identity.
2. Customer/Member Due Diligence
After verifying the identity of the new customer or member, the next logical step is to try to anticipate the level of risk posed by the customer or member to the institution. This is where CDD or MDD comes in.
This section should outline all the information the institution will gather at account opening to determine the kind of risk a customer or member presents to the institution. Information gathered should include gaining an understanding of normal and expected transactional activity. It should also aim to predict the types of products and services the customer will be using. The point here is to ensure that the institution has enough information to have an effective suspicious activity monitoring program. Such programs should be based on the level of risk associated with customer/member type and background.
3. Enhanced Due Diligence
Enhanced due diligence is all about taking a more in-depth look at the accounts your initial due diligence efforts determined present a higher level of risk. These are the customers or members your institution has determined are most likely to engage in suspicious activity or pose a higher-than-normal degree of risk by definition. As such, this section should address procedures to find any kind of information that would be helpful in the event that you have to investigate deeper. This might consist of a review of the account’s purpose, background checks of the involved individual(s), a review of websites regarding legitimacy or other related aspects, and anything else that would help in the investigation.
4. Record Retention
If you can’t produce the documentation, it could create a big gap in an investigation that may subsequently occur, potentially resulting in regulatory and legal problems for the financial institution. The key point with record retention is to remember that institutions should keep all Know Your Customer information for five years after an account is opened and five years after an account is closed. Moreover, when AML systems are dynamic, the capacity to “pull” your KYC, CDD and EDD information shows its strength. Remember that “record retention” is really only part of the definition. There is also record integration and retrieval.
Of course, there is much more to Know Your Customer, but the key takeaway here is to avoid getting so caught up in the routine that you lose sight of how important it actually is. Remember that the purpose for the initial collection of information is to improve your institution’s ability to monitor for, investigate, and report on suspicious activity later. When an institution simply goes through the BSA/AML motions, it becomes all too easy for suspicious activity to fall through the cracks.