Why KYC is the Backbone of BSA/AML Compliance
By their very nature, money launderers will go to great lengths to cover their tracks. In the process, they use the normal activities of legitimate businesses like banks, credit unions, money service businesses, and other financial services organizations to help them “clean” ill-gotten gains. One of the strongest tools financial institutions have in combating the covert use of their services for illegal ends is to Know Your Customer (KYC).
The Mandate for BSA/AML Compliance
The problem is that the legitimate businesses used for money laundering may inadvertently fall into non-compliance with Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements. Since the flow of funds through money laundering can be used to finance drug-related, terrorist, or other illegal activities, the issue has been raised to the level of national security policy. There is little wriggle room: virtually all financial services businesses are responsible for designing and implementing risk-based anti-money laundering controls.
Several units of the U.S. Department of the Treasury are charged with promoting, monitoring, and enforcing compliance with anti-money laundering rules, including the Financial Crimes Enforcement Network (FinCEN), which has oversight of the system as designated administrator for BSA/AML compliance. Financial institutions that are found to have facilitated money laundering, even if inadvertently, can be heavily fined.
Managers of financial institutions must implement controls that allow them to detect irregular money flows and transactions even when the money launderers are doing their best to deceive. Regulators have assisted in this by providing guidelines for risk-based compliance models that allow an institution to review and evaluate its typical markets, transactions, and processes for level of money laundering risk. The result of the risk assessment will direct the level of effort put into installing controls.
These controls have to be able to support required reporting to FinCEN, and can be very detailed. For example, any person or entity that engages in more than $10,000 in transactions in a single day, even if in a combination of smaller transactions, has to be reported in a Currency Transaction Report (CTR). Financial institutions must collect customer identification information that is current and verifiable, and since April 1, 2013, institutions must use the electronic filing system established by FinCEN.
Know Your Customer
As money launderers have become more sophisticated, and more adept at using both bank and non-bank service providers (like cash couriers and trading services), regulators have placed more emphasis on Know Your Customer, and even Know Your Customer’s Customer. Although it is true that certain types of transactions (such as high currency amounts), locations (foreign vs. domestic), or businesses (international bank vs. local credit union) may have inherently different levels of risk, the truth is that any type of transaction may be fraudulent because it is being used with criminal intent. Financial institutions have to pay close attention to the customer’s characteristics in the risk assessment process.
Every BSA/AML compliance program has to include a Customer Identification Program (CIP) based on Customer Due Diligence (CDD) investigations. Because financial entities can vary so much from each other in terms of typical types of transactions, customers, locations, scale, and business lines, the Know Your Customer efforts can vary as well. In general, CDD will include verifying the identity of customers and understanding the monetary thresholds for required reporting and record retention, as well as the specific FinCEN rules governing specific types of transactions.
Most types of financial institutions are required to have a written CIP that meets minimum standards for that institution. The aim is to provide a reasonable basis to believe that the customer’s identity is verifiably known. Most organizations have customer relationship management programs that help to gather and retain relevant information, but they may need to be adjusted for the types of accounts and transactions customers use. Regulated organizations must develop and maintain oversight in the form of due diligence research that could range from background research on individuals to on-site investigations of business entities.
What About Third Parties?
For a variety of reasons, more financial institutions are outsourcing activities ranging from automated technology services (such as ACH) to whole departmental functions. These trends create a complex array of third parties that carry with them new sources of risk, including operational, compliance, reputational, strategic, and credit risks. Third parties now include most types of vendors, partners, and subcontractors. Where these third parties include foreign entities, the financial institution may face additional compliance burdens from the Office of Foreign Assets Control (OFAC).
Due diligence in establishing a relationship with a third party should include gathering information about the entity such as its experience and reputation (from independent sources), its history and performance, its stated goals, its risk management practices and insurance coverage, and numerous other factors that might affect the risk it poses. These findings will be incorporated into a contractual relationship, and monitored appropriately for the level of risk.
Due diligence in verifying your customers’ identities is a requirement of BSA/AML compliance. When integrated into an enterprise risk management plan, Know Your Customer can be a critical part of a financial institution’s success, as well.
