AML Compliance: KYC and Due Diligence
AML compliance is filled with fascinating issues, lots of acronyms, and plenty of common sense. One of my favorite areas is KYC (which I originally thought stood for KFC – Kentucky Fried Chicken), or Know Your Customer.
KYC is a critical area for every financial institution. Due diligence kicks in depending on initial information collected on specific customers. It is a rapid fire due diligence screening process. Banks and other financial institutions have been criticized by regulators and Congressional investigators for weak controls in this area, especially if banks delay acting on due diligence while holding onto customer accounts. This was a specific criticism made by Senator Levin against banks investigated by the Senate Permanent Subcommittee on Investigations.
The first step in any KYC program is a bank’s Customer Identification Program (“CIP”) which requires a bank to collect and document a customer’s name, date of birth, address and identification presented.
The second step is Customer Due Diligence (“CDD”) which requires the bank to obtain information to verify the customer’s identity and assess the risk. If the CDD inquiry leads to a high risk determination, the bank has to conduct an Enhanced Due Diligence (“EDD”).
The precise procedures for CDD and EDD depend on the risk profile for a bank. There are significant differences in risk profiles between a bank operating in Missouri and New York City or Miami, and this is reflected in the risk profiles for customer due diligence.
Banks need to have access to reliable open source intelligence. Many of the companies offering due diligence services for corruption purposes have been around for years providing support for AML due diligence programs.
To determine the relevant risks, banks need to collect information on the customer’s: (1) nature of business; (2) purpose of account; (3) expected pattern of activity (volume, nature of transactions, and amounts); (4) origination and destination of funds; (5) basic business documentation; (6) business customer’s customers (e.g. international customers or banks); (7) nominal and beneficial owners of the account; (8) business reputation and references; (9) other business and personal business interests; and (10) location of business in relation to bank. This is not an exhaustive list. Banks may need additional information depending on the specific facts presents but this is a good beginning list.
Expected and average activity are important issues to develop because they become measuring stocks to use to identify suspicious transactions. This inquiry focuses on expected deposits (and sources); withdrawals; cash transactions; wire transfer transactions; originating and destination countries.
Within this information, a bank can segment this information into categories relating to customer type, geography, nature of business, account type, balance and transaction volume.
All of this information goes into the creation of a customer profile model against which activity is measured – suspicious transactions then can be easily identified using AML software models and products. It sounds relatively easy but there are a number of important steps in the process which I have glossed over as to defining specific elements in a customer profile and trigger points for flagging suspicious transactions for follow-up investigation.