the risk management blog

3 Keys to a Customer Identification Program for AML Compliance

byLowers & Associates | July 15, 2015
compliance

One of the most important components of BSA/AML compliance is a Customer Identification Program (CIP). After all, money laundering is done by people who do not want to be discovered, and most of them pose as legitimate customers. The shorthand phrase “Know Your Customer” (KYC) means that a financial institution has to have a reasonable belief based on due diligence that its customers are who they say they are and are acting within the legal framework.

The first requirement is to have a thorough understanding of BSA requirements, broadly conceived to include all the applicable laws and regulations. Knowing these will enable you to investigate potential customers for relevant risk factors. Beyond basic identity and records requirements, applicable regulations may target certain currency transactions, potential structuring techniques, identifying types of suspicious activity, and so forth.

A compliant CIP has three major components to due diligence: planning and implementation, oversight and accountability, and independent auditing. Each of these may be more or less complex depending on the financial institution’s business lines, size, structure, and risk profile. The regulatory agencies, such as FinCEN, expect your institution’s compliance program to be unique to it on a risk-adjusted basis, but they will look at the components of a CIP to ensure they are effective.

1. Planning, Documentation and Reporting

All banks and most other financial institutions are required to have a written CIP document subject to management review, and available for enforcement actions. The core purpose of the CIP is to verify the identity of a customer, where “customer” can mean any individual or organization that qualifies as a legal person that can open and use an account.

Every CIP must have a risk-adjusted procedure to verify the identity of a potential customer who wants to open an account. The relevant risks may include the types of accounts in question, typical transaction size, the quality of the information offered by the customer, the characteristics of the organization as customer, and the location(s) where the customer’s transactions originate or end. You need to be able to record and retrieve customer information and account activity, including relevant transactions.

2. Oversight and Accountability Issues

Part of “Know Your Customer” is to understand the individual or organizational background on a range of relevant topics. The investigation should be made by a qualified firm or person, and may review a number of sources:

  • Public records
  • Criminal background records
  • Asset tracking, such as real property or business ownership
  • Prohibited or sanctioned databases
  • Law enforcement proceedings
  • On-site inspections as needed

3. Independent Auditing

Every BSA/AML compliance program, including its CIP, should be periodically reviewed by qualified independent auditors. The main objective of the audit is to determine whether a compliance program is effective in monitoring, identifying and reporting suspicious transactions.

In addition, the audit should address the CIP. It would address the key elements of the CIP, such as the customer information required, the information verification procedure including comparison to government watchlists, records and retention, compliance with other applicable laws, and evidence of action related to non-verified information.

Your BSA/AML compliance program should always include a management structure, internal controls, information systems, reporting mechanisms, and so forth. Yet, the key sources of risk these systems address will always be people: managers, employees, customers, and business vendors or partners. Is your Customer Identification Program up to par?

 

bottom-CTA-AML-ebook

ABOUT THE AUTHOR

Lowers & Associates

Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.

View all posts by Lowers & Associates >