The Justice Department and the financial regulatory agencies have sent a strong message of enforcement, suggesting that financial institutions are not adequately implementing AML compliance controls.
The message was heard all the way up to corporate boardrooms. The question now is what the industry is going to do to improve its compliance programs. This is not rocket science, and the financial industry knows full well what is required to make its compliance programs work. Financial institutions have a lot of experience in this area; they are used to government regulation and supervision.
AML compliance starts with a focus on the Bank Secrecy Act. The BSA applies to all U.S. financial institutions. It covers three main areas: new client due diligence, ongoing transaction monitoring, and reporting and record keeping requirements.
An AML program starts with a risk assessment. The initial focus is on the client base and location – domestic versus international. To the extent the client base is international, the risks increase because of the amount of money and connections to foreign countries. Some countries are higher risk than others – that is fairly obvious.
A risk assessment also has to consider the risk profile of the institution's client base. The level of risk assigned to a customer will dictate the amount of due diligence required. High-risk customers have to undergo enhanced due diligence procedures, while low-risk customers have to satisfy basic customer identification procedures.
Foreign and domestic banks, broker-dealers and mutual funds need to conduct enhanced due diligence of high-risk clients that includes not only the client’s identity but also its ownership, customer base, business operations, and country risk.
Financial institutions have to be careful when dealing with foreign private banking customers who have assets over $1 million. An enhanced due diligence inquiry requires identification of nominal and beneficial owners of the account. If the foreign investor or beneficial owner is a foreign government official, family member or related company, firms have to dig even deeper on the individuals or entities.
Basic due diligence inquiries include asking the purpose of the account and the source of the funds based on the client’s risk profile. AML compliance officers also need to request financial references and conduct basic media research on the client’s reputation.
Risk assessments and due diligence are the cornerstone of an AML compliance program. Due diligence is a flexible process based on information gathering and resolution of red flags. The first round of information can raise additional questions and require focused monitoring of an account, including transaction monitoring.
Regulated and non-regulated entities have to adhere to these principles and have to respond to high-risk candidates. AML enforcement is not limited to the banking industry. The government has expanded AML enforcement focus to non-bank companies.
Once a high-risk client satisfies the due diligence process, transaction monitoring on a regular basis is critical. In some instances, additional due diligence and inquiries may be required. In some cases, the entity may have to terminate an account.
Even if a financial institution keeps the customer, there may be circumstances when the bank has to file a suspicious activity report (SAR). Financial institutions are required to report any transaction of $5,000 or more where they know, suspect, or have reason to suspect that the funds (or a part thereof) were derived from illegal activities, or that the transaction is designed to evade BSA requirements or has no business or apparent lawful purpose.
When a customer’s stated purpose for an account does not square with the nature and frequency of the transactions, the bank has to respond. If the bank fails to act in response to apparent red flags, prosecutors and regulators will tag the bank officials with willful blindness. The SAR process is confidential and banks have to be careful to reserve such filings for appropriate cases – a bank should not underreport or overreport.