High risk customers present myriad concerns for a BSA Officer. What is the proper amount of due diligence, how much monitoring is appropriate, and whether or not SARs should be filed are all questions that go with the administration of a high risk client. Of course, the ultimate question is whether or not the customer should be kept or “de-risked” (the relatively new nomenclature for closing the account). For many BSA Officers this last step is elusive. In many cases, high risk customers continue to be a burden on the overall compliance apparatus. Year after year, SARs, enhanced due diligence, and sometimes hopes and prayers are employed while administering high risk customers. These customers often become the target of examiners during their reviews and very often become the reasons for a finding at an institution. On the other hand, high risk customers are often the source of substantial fee income. For the BSA Officer, convincing senior management that the right thing to do is to sacrifice earnings in the name of compliance is a very tough sell, to say the least. To paraphrase a very popular song, sometimes “It’s So Hard to Say Goodbye”.
High Risk Doesn’t Mean Undesirable
According to the FFIEC BSA Examination Manual, higher risk accounts are defined as:
“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents”
The Manual goes on to detail several other factors that should be considered when monitoring accounts that are high risk. We note that the manual does not conclude that high risk accounts should be avoided. Instead, the manual suggests that when a bank has recognized that an account is high risk, proper monitoring is required. The best practices for high risk accounts include:
• Complete customer identification: Your institution must be able to establish that the customer is who they say they are. Are they a real person or a legal person in good standing? The goal of CIP must be to establish a basic identification.
• Enhanced due diligence: For a higher risk customer the best practice is to find out all you can about the reputation of the person or the company that is opening the account. During this process, it is important to find out how the customer is perceived by the community.
• Know Your Customer: This area is the most critical when dealing with a high risk customer. Understanding the particular business and how it operates is critical to being able to properly monitor transactions. In addition to knowing how your customer operates, knowledge of how the industry operates is key, because it provides context for your customer.
• Baseline monitoring: Using the information that has been obtained in the previous steps, setting up a monitoring plan for a customer allows the BSA Officer and BSA staff to develop a plan for review of a customer’s transactions. If the customer uses wires to pay vendors, then there should be a baseline for monthly wires and the vendors who receive the wires should match the types of vendors that deal in the particular industry.
High risk customers need bank accounts too and just because there is a higher risk of money laundering doesn’t mean that an efficient plan for monitoring can’t be developed.
Degrees of High Risk
Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters that have been established and has not varied for some time, then the account can technically be high risk by definition, but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing and deposits and wire activity can be established. As long as the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is and understanding that the customer continues on in that line without much variation reduces the overall risk.
On the other hand, when transactions are conducted that don’t match the business profile of the customer, concern should follow. For example, if the MSB above started showing remittances to a new country, it is time for a discussion with the managers. Does this represent a new business line? To whom? Why now? Do the answers match with what you know about the customer and the surrounding community? The customer should be more than willing to give information on changes to their business. Generally, small business owners are proud and happy to discuss growth of their businesses. A new business line or new set of customers is the type of news that is readily discussed. Moreover, discovering changes in business often leads to new opportunities for additional products and services from the bank. The more reluctant the customer is to discuss the reasons for a variation in the business, the more likely that there might be a problem. Information is the key to effectively administering a high risk customer.
Explain it to Me Like I am an Eighth Grader
In the movie “Philadelphia” Denzel Washington plays an attorney who has a habit of saying “explain it to me like I am an eighth grader”. His point was that if you truly understood a concept, you could make it plain for all. This is a good rule of thumb for monitoring high risk customers. Can you explain how the business works to a friend or acquaintance? Can you see in your mind’s eye how money flows through the business and feel comfortable that this makes sense? More than any other area of compliance, BSA/AML administration requires a good amount of “gut feel”. If a customer comes to you and says that they are a local flower shop, does it make sense that they would need to send remittances? Can the customer explain to you his/her business in a way that you understand and feel comfortable? If the answer is no, then the whole relationship should be reconsidered. There is no right or wrong answer, but if you can’t explain the business to someone who is an eighth grader, then you most likely cannot effectively monitor it.
Suspicion is in the Eye of the Beholder
When it comes to BSA, suspicious activity is often treated as a vague and hardly knowable concept. In point of fact, suspicious activity is in the eye of the BSA administrator. The FFIEC BSA examination manual doesn’t specifically define suspicious, but instead lists examples of suspicious activity. The list includes things like unwillingness to give information, incorrect information, or transactions that don’t match the information about the customer (e.g., unemployed with large cash deposits).
For accounts that are already opened and are high risk, suspicious activity should be transactions that don’t fit the known fact pattern of the customer. Are there suddenly much larger cash deposits than there have been in the past? Perhaps wires are going to new vendors or new locations? These are the sort of transactions that demand an explanation from the customer. Moreover, the explanation should be accompanied by documentation. For example, if the customer says that they have opened a new line of business, then they should be able to show documentation on how this new line came to be. Whether or not the explanation rings true is a matter of both documentation and gut feel.
The decision to file a suspicious activity report (“SAR”) should not be a default. If the activity is truly suspicious, then like any other relationship, there are trust issues. The SAR is really a report that is saying that we do not feel comfortable with what the customer is doing. If the activity rises to the level of a SAR, then the process should begin to consider whether the relationship is worth keeping.
De-Risking: a Mitigation Tool
One of the compliance areas that consumes the most BSA compliance resources is the follow-up and administration of SARs.
The decision to file a SAR is a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel they are suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.
As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity.
However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are numerous SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:
• The activity can be fully explained and vetted and is therefore not suspicious
• The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”)
Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk and the process of de-risking should begin.