AML and UDAAP: Secrecy vs. transparency

By Kathryn Reimann

Both banks and their customers at times find themselves in the regulatory “no man’s land” between requirements to identify and act on suspicious activity without “tipping off” the account holder, and the regulatory clear expectation that banks deal transparently with consumers and their complaints. Magnifying this expectation—and the risk of getting it wrong—is the CFPB’s ability to determine what constitutes an unfair, abusive or deceptive act or practice.

Recent regulatory focus on customer service at large banks suggest that a lack of responsiveness and transparency in managing customer service issues could have UDAAP implications. This concern isn’t new. Customer complaints have always been a CFPB pillar. But the level and breadth of response scrutiny is increasing, as are expectations of transparency. Will this exacerbate existing challenges faced by banks dealing with customers questioning restriction or closure of their accounts “because it no longer fits within strategy”—a reason often given when the closure relates to activity that the bank perceives as raising AML risk levels? Even the OCC may be looking at this issue with a new lens, noting recently the fairness concerns implicit in denying vulnerable customers access to their funds.

As traditional (that is, rules and scenario-based) AML transaction monitoring programs rely more on automation, assisted by machine learning and artificial intelligence, how does a bank ensure that consumers who may have triggered ”suspicious” or “unusual” activity alerts are treated fairly given the volume of alerts that must be processed? How “fair” or “transparent” is it to close a customer account based on a machine-triggered alert that suggest it is “suspicious,” without making a tailored attempt to determine whether consumer has an explanation for the activity?

Yet, the consequences that result from “tipping” or revealing the filing of a suspicious activity report, coupled with the often enormous volumes of alerts and the use of rules-based for account closure (for example, automatic closure after two SAR filings), create significant risk challenges for a bank committed to maintaining SAR secrecy while dealing with customers irate over an account closure notice, baffled by the bank’s stance or despondent over inability to access their funds.

The need to maintain SAR confidentiality requires that AML-related systems, processes and decisions be appropriately segregated and protected to mitigate the risk of tipping or employee disclosure. New risks and challenges may arise, however, if a consumer challenges a bank’s account restriction or closure activity through the regular customer complaint process—or if there are other competing regulatory issues handled in a bank process outside the line-of-sight of the AML team.

Thinking about a typical scenario

Take the case of a consumer we will call Tom. Tom has been a customer in good standing of XYZ Bank for 25 years, with no complaints on either end. Tom shares a last name with a step-brother in another state, who recently faced a criminal fraud conviction and also lost a related civil case. The brothers’ financial and personal lives are completely separate, other than attendance at weddings at funerals. Several years earlier, however, at the behest of his father, Tom lent money to his step-brother, which was later repaid. The size of the transaction was significant relative to Tom’s account and usual activity.

XYZ Bank’s AML transaction monitoring process prudently incorporates news-related and other data feeds. A news report on the brother’s problem generated an alert. A further review flagged the “unusual” transactions between Tom and his brother. Tom’s account was then flagged as “high risk”, and a closure notice was generated to Tom and his bank branch. The letter states that Tom’s accounts no longer fit within the bank’s strategy and will be closed in 30 days—which the bank has the right to do—and in a true financial crime situation, perhaps the obligation to do. Tom is confused and frantic, as his personal and business will suffer, and a new bank will want to know why his account was closed. The XYZ Bank branch manager, who has known Tom for many years, is sympathetic, but says it is out of his hands. He suggests filing a customer complaint with headquarters, but notes that these take time to resolve and that the closure decisions, in his experience, usually stick.

Tom does not even recall the loan to his step-brother, but in the absence of other logical reasons for the account closure, Tom starts to wonder whether the publicity around his step-brother might have worried XYZ Bank.

He worries that a new bank will ask why he is changing banks, and he needs a current banking relationship right away. He sends a complaint, and in 10 days receives a form letter that simply confirms that his account no longer fits within the XYZ Bank’s strategy.

From the perspective of Local Bank’s AML committee and management team, a blanket decision to automatically close accounts that have engaged certain types of transactions—with known fraudsters, or those triggering multiple SARs, or accounts categorized as high risk—is anchored in a risk-appetite determination that seems both reasonable and efficient, and has probably passed muster with examiners and auditors for years.

What neither Tom nor XYZ Bank yet realizes is that an outsized number of the closure notices generated in this same manner went to customers in low-to-moderate-income zip codes for whom Spanish is their preferred language (per bank records and IP addresses). This may suggest a further potential risk as application of UDAAP and fair lending protections expand, unless the bank has been testing for disparities and has documented the business case for using methods that result in disparate impact on protected classes.

So what happens next in a case like Tom’s? Some consumers may give up and simply accept the account closures. Savvy consumers may hire counsel or others to review bank statements and push the bank for a re-examination of its decision. Other aggrieved consumers may take to social media, or contact a state or federal regulatory agency. Others may give up on the bank and complain to a regulator. In all of these instances, the consumer’s situation remains reflected in bank records to be discovered at any time by an examiner who may question whether complaints like Tom’s were adequately considered and answered and look for related documentation.

Protecting the bank and consumers

While such complaint situations may remain relatively unique, they pose tricky questions, which may only become more complex as the CFPB asks broad questions about bank service standards. Of course, there is an opportunity here for cooperation between the CFPB and other regulators to work together the balance competing risks. In the absence of such coordination, however, what steps might banks consider to prudently address AML risk without creating additional consumer fairness risk? While there is no certain answer, these suggestions may help:

  • Have a playbook and designated personnel to deal with it. Document this type of complaint while maintaining appropriate internal and external confidentiality around the AML and SAR process.
  • Sensitize relevant staff to competing concerns and how to escalate when needed.
  • Review auto-account or batch account closure processes and related consumer communications by AML risk and customer fairness lenses.
  • Periodically test to determine whether SAR and closure-related processes may disproportionately affect consumers in protected classes. Appropriately document or otherwise address situations that raise questions.
  • Make sure complaints regarding account closures are acknowledged in a timely manner, and document the ensuing review. Account activity, any related alerts and any auto- or other determinations and communications should be reviewed, along with appropriateness of steps the bank took to obtain the consumer’s rationale for the account activity and the consumer response (or failure to respond). This will likely require controlled coordination among the AML and consumer complaint handling personnel. (With the input or approval of the appropriate AML, legal and compliance staff, determine whether the customer has provided information or can be asked to provide details that demonstrate that alerting transaction was actually consistent with lawful activity, and does not pose the risk originally suspected. If the account would not have been closed given new information or a more practiced senior-level review, remediate the mistake.)
  • As practicable, during the time that a complaint challenging closure is pending, explore the feasibility of taking reasonable steps to protect the bank and limit inconvenience or embarrassment to the customer (for example, allow reasonable ATM withdrawals and payments to utilities but limit deposits).
  • Regardless of the outcome, stay attuned to reputation issues that may arise in social or other public media, and be prepared with a standard statement.

While there is no way to completely eliminate uncertain risks, following a documented process that addresses the above considerations should increase bank and regulatory confidence reasonably and responsibly balancing AML and consumer fairness risk.

Kathryn Reimann is a regulatory adviser at Hummingbird and a senior adviser at Oliver Wyman. She was recently the chief compliance officer for Citibank. and the Citi Global Consumer Bank. Thanks to Hummingbird colleagues co-CEO Matt Van Buskirk and regulatory adviser Lyn Farrell for their input.