Warning: Banks Need to Re-Examine KYC Risk Evaluation Procedures
A federal jury in New York recently handed down a verdict against the Arab Bank, Jordan’s largest bank, for funding Hamas terrorism acts against Israel. The verdict is precedent setting and will encourage other plaintiffs to challenge bank conduct that enables terrorism.
The plaintiffs put on evidence that the Arab Bank conducted business with 150 Hamas leaders and operatives in the early 2000s, and helped to finance two-dozen suicide bombings.
Banks should be mindful of this recent case but should avoid fear mongering and over-reacting to the decision. It certainly will lead to more litigation. Credit Lyonnaise and Bank of China are awaiting trial in two other cases.
Banks already are under pressure to ramp up their KYC policies and procedures to identify and prevent interactions with risky customers and organizations. This is just another reminder of the importance of designing and implementing effective KYC policies.
As noted in an earlier posting, FinCEN is considering additional requirements to include beneficial ownership certifications from bank customers. Potential civil liability is another reminder that KYC policies have to reflect current risks. For banks, it is one thing to deal with a drug dealer; it is quite another to conduct business to benefit a terrorist group involved in bombings and killing of innocent civilians.
The Arab Bank case has some unusual facts that are important to recognize.
First, the customer organizations that conducted business at the Arab Bank were not identified by any government as prohibited terrorist groups.
Second, the plaintiffs benefited from a jury instruction that the judge gave in the case in response to Arab Bank’s failure to produce customer account and banking records because of claims that Jordanian law prohibited such disclosures. That issue is sure to be appealed.
The Arab Bank claims it followed international standards for conducting its operations and specifically in reviewing its customers under KYC requirements. Plaintiffs were able to show that one Saudi organization was used to fund families of suicide bombers as compensation for the family’s “sacrifice” of a family member.
The plaintiff’s also offered evidence that between 2000 and 2001 the Arab Bank transferred around $4 million to two dozen Hamas leaders and operatives through its New York branch.
The KYC implications of the case are significant, primarily because of the fact that many of the identified Hamas organizations and operatives were not identified by any government agency. Banks routinely build their KYC systems around such listings. Extending liability beyond these government lists could have significant implications for due diligence policies and procedures.
In most circumstances, banks collect and analyze basic customer identity information, and then compare the customer’s name matching against lists of “politically exposed persons” or “PEPs.” Based on geographic and business account risk factors, banks create risk profiles, including expected transaction patterns. Banks then monitor such accounts based on risk profiles.
The Arab bank decision will cause banks to re-examine its KYC practices and look to factors outside the “traditional” risk analysis. A broader view of “risk factors” will have to be created beyond those traditionally used in the KYC analysis.