By Evan Sparks
Imagine a consultant based in Puerto Rico. She deposits mostly checks from her different clients, and she wants to open an account at a Great Lakes area bank. Would the bank consider her risky as a customer, and if so—how risky?
If she were to get wires from clients in, say, Panama and Colombia, the frequency or size of wires might trip additional risk factors, making ongoing monitoring key. However, if the bank is one that deals with a lot of international business, it might rate the consultant as less risky than would a small or midsize bank that primarily handles domestic retail clients.
Ultimately, there’s no one answer for how to deal with high-risk customers. “None of this is written down anywhere,” says Daniel Stipano, a partner at Buckley LLP and a former senior official at the OCC. “There’s nowhere you can go to get an answer because it’s not that prescriptive. And yet you’re subject to pretty intense scrutiny by your examiners.”
And while the ambiguity can be a challenge for compliance, experts speaking at ABA’s 2019 Regulatory Compliance Conference outlined several key principles for banking higher-risk customers: establish coherent systems, ask the right questions, maintain ongoing monitoring and employ technology wisely.
Work the system
“The challenge of understanding your customers as an institution is not understanding a single customer but figuring out operational methods to understand all of them,” says Tracy Woodrow, SVP for Bank Secrecy Act, anti-money laundering and OFAC compliance at Buffalo, N.Y.-based M&T Bank.
And beyond the formal criteria that the bank uses to evaluate the customer, Woodrow adds, is the “see something, say something” factor. “Make sure your first line of defense is attuned,” she explains, “and that they have a mechanism to report to your BSA/AML group unusual activity.”
All banks need to have an upfront risk appetite for the customers they’re comfortable banking, and this will differ based on the profile of the bank and the resources it has to monitor customers, Woodrow explains. “Whatever you’re doing, have it in writing,” adds Marilu Jimenez, a banking consultant in San Juan, P.R., who was a longtime compliance executive at Banco Popular.
And employee training is also key to handling riskier customers, says Jimenez. “The [frontline] person that is interviewing that customer has to say, ‘We need to have your expected activity.’”
Question and answer
Asking questions like that is central to managing compliance risk related to riskier customers. “A lot of this boils down to how well you know your customer and how that account’s going to behave,” says Stipano—and when the account is first opened, the only way to assess that risk is by asking the customer.
But they need to be the right questions, and they need to be keyed to actual risk. For example, a question about how many checks a customer expects to write might result in unhelpful data, especially if customers just guess. For Woodrow, whose bank deals mostly with domestic customers, the key data points are whether the customer intends to receive or send international wires, and if so, how often and for how much. Other questions in a predefined set to drive risk classification can cover geographies and target reach, as well as an assessment of prohibited relationships and a rating to flag the riskier-rated customers for enhanced due diligence. (For more on recent regulatory requirements around customer due diligence, see the sidebar.)
One of the unique challenges of banking high-risk customers is that many of these potential customers can be non-transparent. International private banking customers often have different corporate structures in multiple jurisdictions with separate individuals, LLCs or trusts behind them. Some structures are set up deliberately to be opaque.
In 2018, the Financial Crimes Enforcement Network’s customer due diligence rule, often called the “beneficial ownership” rule, imposed a requirement for banks to identify and verify the identity of beneficial owners (those with at least 25 percent equity ownership or significant management or control) of legal entity customers. Some banks monitor beneficial ownership at lower percentages of equity. “It’s important when you have these types of non-transparent entities to have procedures that help you dig into who you’re really dealing with, where’s the money coming from and where the money’s going,” explains Tracy Woodrow.
The rule also codifies risk-based CDD procedures, including requirements to understand the nature and purpose of accounts in order to develop customer risk profiles, ongoing monitoring and maintenance of customer information. The upshot: “Always know who you’re really doing business with,” says Daniel Stipano. He cautions that banks don’t need to assume that a complex business structure is necessarily suspicious. “There could be legitimate business reasons,” he explains. However, “the fact that something is inordinately complex is something you want to delve into and understand.”
Regulators have not been especially strict as banks have gotten used to the expectations of the CDD rule, says Stipano, a former senior OCC official. “I do think that this honeymoon period is coming to an end, and I do think on the next pass, banks are going to get a higher degree of scrutiny.”
Woodrow adds that banks should “make sure the high-risk customers have really good compliance for the CDD rule, because those are the first ones your regulators are going to look at. . . . Make sure you have a fully filled out certification form for each one of these customers.”
But too many questions, or the wrong kind of questions, can turn off some customers, especially if another bank isn’t as thorough. “I think it’s important to ask why you need to ask the questions,” comments Woodrow. “If they don’t [affect customer risk rating], I think it’s fair game to step back and say whether this is a necessary question or not.”
Keeping tabs
“Once a customer has entered the bank, it’s the actual activity that makes all the difference,” says Woodrow. “If you just evaluate a customer when they walk in the door and then never evaluate them again, it’s a very dangerous practice.”
Many banks use negative news searches to monitor customers. Woodrow says M&T Bank uses an automated system to screen all customers, including ultimate beneficial owners and controlling parties, for negative reports—from newspapers and periodicals that are “sufficiently supported,” not blogs and social media posts—regardless of risk rating. “Just because the news is negative doesn’t mean it’s material,” she adds, explaining that M&T has clear guidelines for when negative news contributes materially to decisions about customer accounts.
Banks need to conduct periodic reviews. High-risk customers should be reviewed on an annual basis or even more frequently; low-risk customers might be reviewed every three to five years, with medium-risk customers reviewed every two to three years. “I think there’s probably some merit on kicking the tires periodically,” says Stipano on reviews of lower-risk customers, “but it’s something you don’t need to do with any frequency.”
Sometimes, ongoing monitoring will lead to a decision about whether to continue the customer relationship. Woodrow advises banks to have a designated team to evaluate that, along with a rigorous process that factors law enforcement interest, suspicious activity reports and material negative news into a decision based on board’s risk appetite about whether to close account. “Decisions to close accounts have real-world consequences, and I want my team to be sensitive to that,” she says.
Tech tools
“Technology has to be your friend here,” Woodrow emphasizes. “Doing those detailed evaluations of every single customer is fine as long as you have a handful of customers, but as you get scale, particularly as you get customers through digital channels that you never have the opportunity to evaluate face to face, you have to use technology to help you get through all the data points.”
However, there’s still a significant role for human judgment. For example, technology can flag someone who should be subject to enhanced due diligence—and that technology is key for freeing up bank personnel to devote personal attention to the more challenging risk cases rather than doing cumbersome manual monitoring.
“In my world, enhanced due diligence continues to be a fairly manual process,” Woodrow explains. “EDD is all about thinking deeply about your customer to make good decisions. You can’t rely on technology for all of that.”