Special contributor report
By Andres Betancourt
Senior Associate, Forensic Investigations and Advisory Services
Grant Thornton LLP
August 17, 2016
Ever-changing technology and global landscapes have contributed to increased complexity in identifying the risk your entity clients poses. Complexity is increased in identifying the intended operations of a business when dual use products are produced or sold by the client.
The limitation of resources dedicated to identifying risks in financial institutions has highlighted the need for more efficient methods of determining client risks. There are two points in the due diligence process which offer great opportunity to accurately identify risks: the onboarding process and the ongoing monitoring for clients.
A challenge currently exists with entity clients who do not fit into the present risk models used for identifying high risk entities by financial institutions. Deficiencies have been seen in providing appropriate risk scoring models that address new risks.
Currently older existing entity clients that were not subject to current EDD procedures will not be reviewed or monitored until financial entities receive third party law enforcement referrals or with discovery of adverse information in news articles, lawsuits or other information pertaining to misuse or issues with their products or services.
The following are some entity clients that possibly fall under classification of entities that pose new risks where there are not strong risk scoring models for risk assessment: software companies catering or supplying services and or products for virtual currency wallets, as well as entities providing services in medical marijuana consulting, marijuana vending machines, production of detox products (i.e. synthetic urine), sales suppression software and production and sale of synthetic drugs (i.e. weed and MDMA).
These products may be within the realm of legality, however, their sometimes misguided use by consumers may carry unwanted reputational or legal risks to financial institutions/ entities as a result negative publicity.
Although the medical and social use of marijuana has been legalized in some US states, it is still illegal under federal statues and financial institutions are wary that if they bank businesses offering these products they may be subject to fines and penalties from federal regulators.
In dual use arena, providence from ‘provision of means’
An important element to keep in mind in risks assessments of dual use products is the term “provision of means.” According to several reviews of dual use goods and corporate liability:
“Provision of means are cases that present the question of when the contribution of neutral, or dual use, equipment, technology, or products—items that are not inherently unlawful but that can be used to violate international law—constitutes complicity in the crimes ultimately committed with such materiel.
Even though one can claim that “user manipulation is not a product defect” duality of products has had a lasting effect in the past years and this can be seen by various examples of legal proceedings.
Such is the impact of dual use products like synthetic drugs that a recent publication, from the World Economic Forum made reference to and highlighted their relevance to the global state of illicit activities and their impact in different jurisdictions: An excerpt that is particularly powerful states:
“There are many long-standing examples of regulatory arbitrage; the synthetic drug market is home to some of the most alarming instances of this practice. Laboratory-produced chemical compounds that mimic the effects of popular recreational drugs but that are not yet controlled by international drug conventions are being sold as “legal highs”.43
The rapid emergence of these drugs has forced authorities to play regulatory catch-up to such an extent that the United Kingdom is considering a blanket ban on new psychoactive drugs, rather than banning the drugs one by one.44
Many of these substances are being produced legally in China45 and sold cheaply online; in the US, the Drug Enforcement Authority “can’t keep up with regulating the drugs, essentially because the research labs in China can change the structure of the chemical and create new versions.”46- (State of the Illicit Economy, Briefing Papers” World Economic Forum –Oct 2015)
More reputational risk, more KYC responsibilities
These products open financial institutions and other entities to unnecessary risks that can have very real reputational repercussions if not identified effectively and efficiently. Two sustainable solutions that can possibly alleviate the above concerns are the following:
- A more comprehensive industry checklist or commercial activity form that requires entity clients within different lines of business to self-identify the purpose and use of services, products, vendors, suppliers and customer’s customers. This will aid entities assess and decide if opening or maintaining relationships with such commercial clients is within their tolerable risk appetite.
- A two tier KYC process that includes partnering with a third party to manage all or part of the KYC due diligence. According to a recent white paper such outsourcing will eventually “reduce the costs associated with maintaining KYC records, systems and processes, taking the pressure off an already over-extended infrastructure”.
Examining the first alternative, the standard industry checklist or commercial activity form refers to business operations, geographic locations, production facilities; delivery channels products and services, and other variables (both internal and external factors).
Implementation of a more rigorous and pinpointed form with further granularity into products and services and how these can be used can provide useful information about this particular tranche of clients being overlooked. A possible solution would be to include the following sub heading under products and services:
- Dual use products or services – Does the client, related individuals or entity directly or indirectly provide services to the following:
- Automated sale suppression device or software
- Entities that are involved in the production or retail sale of synthetic drugs (Synthetic weed, MDMA and ecstasy)
- Production/distribution of detox products or drug testing kits and paraphernalia
- Entities involved in medical marihuana consulting and other products (i.e. marihuana vending machines, Potcoin)
- Provide services and products to entities in the virtual currency business (i.e. Bitgold, pre-paid Bitcoin cards, digital cash)
- Provide services and products to trading platforms for digital options, binary options trading. Fixed Return Options (FROs)
- Provide services and products to VoIP Technology
KYC morphs to KYE, as in E for everything
A complement to the above is to ask entity clients to provide a self-attestation of their top ten vendors/suppliers as well as the type of industry they are involved. Request quarterly to semi-annual mandatory updates (through account/relationship managers) Conduct independent OSINT review to ascertain validity of information and possible uses of their services and products. Risks rate your client’s vendors, suppliers and possible usage of products to better understand underlying risks.
Though these process might seem to be time consuming it could apply to all high risk clients as now more than ever we need to think in a `Know your everything` mind frame rather than Know Your Client.
The use of forms allows clients to self-identify however institutions must keep in mind what procedures are available to verify the veracity of the information provided. Validating information from client attestations can be performed by exhaustive research but also partnering (or /utilizing more) with new technology can provide useful as it will facilitate information gathering (i.e. Trulio-Canadian Fintech ).
Besides implementing the above it is pivotal to reinforce specialized tailored training to first line of defense staff (tellers, customer representatives, account managers, business advisors, or business or industry specialists) to enforce completion of documentation.
Gathering of this information aids in the manual review by Compliance Officers/Compliance personnel. It also facilitates proper risk scoring by automated recordkeeping system or case management software and allows companies to have the most up to date information on the client which allows adequate and current risk assessment can be made.
The second alternative, involves KYC processes being performed by a third party that specializes in due diligence checks. A small to medium enterprise with limited resources, experience or a small compliance department or personnel would highly benefit from outsourcing of KYC processes which can be costly and time consuming.
An option is the suggestion of a two tiered on-boarding process that includes self-identification questions before account opening and a mandatory periodic review on a quarterly basis after account opening for any entity client that respond yes to any of the subsections listed above.
KYC earlier in the relationship, less risk exposure later
The overall percentage of the entire client base that these clients represent is conservatively less than 5 % percent. The cost benefit of assigning these mandatory quarterly reviews (regardless of transactional activity or analytics) would definitely out weight the possible reputational risks that can arise.
The risk would be hedged earlier in the relationship cycle and any increased risk that is identified would allow enough time to implement the proper mitigating controls and assess the viability of continuing or restricting the relationship.
This suggested processes should not be used to facilitate the de-risking of banking relationships but to be able to implement new or more effective controls such as periodic reviews, enhanced transaction monitoring since account opening, business model updates, site visits, routine request for updates on vendor/supplier names and their related industries.
As a point of reference, regardless of the current process, it is crucial that institutions self-assess and constantly ask themselves if they are doing enough. Are more stringent KYC processes required? Does lack of oversight for KYC operations being outsourced yield better information and results?
We are at a point where enhanced risk assessments are pivotal to better evaluate the financial or banking relationship as a whole. Training first line staff about identifying new emerging risks as well as strengthening the KYC and Customer Identification Program (CIP) processes for entity clients.
We must think outside the common boundaries of our risk controls and develop a more adaptive approach to the evolving nature of our environment and assess emerging trends more effectively so mitigation is a done on a first line defense as opposed to a reactionary stance.
Effective KYC measures are obviously a summation of actions starting from training, monitoring, client risk scoring and others.
This articles’ intent is to reiterate the strong effect that information gathering and proper risk scoring has on being able to onboard acceptable risk and mitigating unforeseen residual risks of emerging technologies and dual use products of our entity clients.
Andres Betancourt, CFCS, CAMS | Senior Associate
Grant Thornton LLP
The views and opinions expressed in this article are the author’s own and do not necessarily represent his employer.