Financial institutions have long bemoaned the exercise of the anti-money laundering risk assessment due to the long odds of actually getting it right – an alchemy of human judgment, complex backend methodology and rigid validation procedures that are often easily picked apart by examiners.
But at least a few large institutions have started to turn this bane into a boon by viewing the risk assessment through the lens of crimes other than just laundering illicit gains, such as human trafficking and bribery and corruption, say former compliance officials and consultants.
Such a stratagem could more effectively uncover higher risk activities in what may appear to be lower risk classes of individuals and businesses. It typically involves asking more detailed due diligence questions to customers and businesses in a more precise manner, in a way that cuts down on adding to compliance bloat and doesn’t irk customers who don’t want to play 20 questions.
A more precision-guided risk assessment in areas other than just AML is something that more banks, particularly large operations in multiple jurisdictions, have contemplated or attempted to undertake, said Jorge Guerrero, an anti-money laundering consultant based in Austin, TX.
“A lot more banks are now much more attuned” to financial crime risk assessments rather than assessments made just from an AML vantage point, he said. “They are realizing the risk assessment has to be more tailored and targeted to be effective and dynamic. That will actually make the jobs of compliance officers easier” in the end because it would create stronger internal controls.
That more banks are trying to view risk assessments and the foundational due diligence through the lens of multiple crimes and a panoply of red flags is a sound move on many fronts, said Robert Serino, of counsel with Buckley Sandler and a former deputy chief counsel and director of enforcement for the US Treasury’s Office of the Comptroller of the Currency (OCC).
More detailed questions can take some of the guesswork out of the hands of frontline staff in disparate branches. A more robust and wide-ranging risk assessment can also support compliance teams, who can then use it to update customer risk rankings or loop suspicious activity from the monitoring system back into the risk assessment in a timely manner, he said.
Compliance failings and financial crisis expose risk assessment faults
The issue of AML risk, and the accuracy and adequacy of the information that feeds into the risk assessment, has become a higher regulatory priority in recent years. The 2008 economic downturn and a cavalcade of high-profile enforcement actions suggested some financial institutions were not properly gauging risk, both across the board and in the context of AML and other financial crimes.
Examiners in recent years have been chastising institutions over nearly every area of the risk assessment. Dozens of enforcement actions have faulted institutions for issues ranging from insufficient diligence information in the beginning of the customer relationship, to the math and technology behind the rankings, the independence of validation procedures, and even not giving enough attention to the lowest risk populations.
For many large banks, risk assessments have become the “bane of their existence,” said Hillary Rosenberg, counsel at Lewis Baach and a former compliance director at JPMorgan Chase.
That’s because, typically, examiners have “very specific thoughts about what the risk assessment should be, how it should be measured and how it should look. The requirements are very rigid and very explicit,” she said, adding that examiners in recent cycles have found faults with the methodology, validation procedures and conclusions of assessments.
But rather than just doing the risk assessment with the goal of finding a numeric ranking to quantify a low, medium or high distinction, the assessment can be bolstered with additional questions informed by the red flags of certain criminal actions or emerging threats. This can help parse out what specific customers and businesses within risk categories may be engaging in illicit activities, Rosenberg said.
For instance, by understanding that certain seemingly low risk businesses, such as nail salons or spas, could be at a higher risk for human trafficking, the bank can create additional automated monitoring protocols that would flag if the majority of the transactions happen within a specific period, such as late at night and into the morning. That could also aid an institution in filing a SAR more quickly and getting more timely intelligence to investigators.
‘Tailored and Targeted’ assessments
In the US, the risk assessment has long been a contentious subject. While there is no specific law or regulation that requires financial institutions to do an AML risk assessment, the obligation has nonetheless been ensconced in the interagency exam manual since its inception in 2005.
Under the interagency examiners’ manual published by the Federal Financial Institutions Examination Council, financial institutions are tasked with determining how much to scrutinize a client’s account activity based on what sort of products, services and transactions the individual or company is involved in, as well as where the customer is located.
That assessment is “not a one-time exercise” and compliance officers should update risk profiles every 12-to-18 months, or “as necessary,” according to the manual. Most financial institutions score customers numerically and rank accounts in three tiers of risk, determining as early as possible in the onboarding process when they should skip questions only meant for riskier relationships.
Guerrero noted that while certain areas are considered historically higher risk, that ranking can be subjective and easily second-guessed by nitpicky examiners. He added that to better gird themselves, some institutions are establishing enhanced controls and due diligence at the class, customer or individual level to capture a broader array of potential illicit activities.
The issue of customer types and accounts that could be tied to human trafficking, for instance, has risen recently as the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an extensive series of red flags last month tied to both trafficking and human smuggling.
The bureau, which is also the country’s financial intelligence unit responsible for handling millions of filings tied to large transactions and suspicious activity, urged institutions to pay close attention to customer behavior. The guidance directed institutions to look for indicators such as persons who accompany customers at branch locations, and discrepancies tied to staffing companies and personal services operations where paychecks seem to go back to the company or abroad to suspect entities.
Challenges abound but rewards too
But retuning procedures so that these red flags can inform the risk assessment can be a challenge because banks can feel “hampered by what they are supposed to ask and how to assess risk,” Rosenberg said. She added that understanding what businesses and regions are at a higher risk for key crimes in addition to money laundering can allow an institution to come up with more tailored questions at the outset.
That can involve using the same template as the AML risk assessment but with additional questions. As an example, Rosenberg gave the scenario of asking a customer that is a nail salon or massage parlor whether the business operated between the hours of 11 p.m. and 3 a.m. If the answer is yes, it could mean the operation is at a much higher risk for activity tied to human trafficking.
In addition, to bolster anti-bribery and corruption efforts, an institution can add questions to its assessment related to what regions companies are operating in and what their business channels are. Institutions may consider asking whether customers do business in high corruption risk areas such as Eastern Europe or Asia, and what the role or experience is of any foreign finders and agents a business may use, Rosenberg said.
If the company obliges and hands over such information, it could lower the risk tied to bribery. If they are very opaque and give few details, that may raise the risk of the operation, causing their transactions to be more tightly monitored, she noted.
Multiple regulators voice concerns and expectations for assessments
Risk is something examiners are more nervous about on all fronts. In January, the OCC issued guidelines which formalized the agency’s heightened expectations on how banks manage all manner of financial risks, including under the rubric of countering money launderers.
Part and parcel of the guidelines is that they would require certain large banks that are systemically significant or have a large international footprint to reexamine their risk profiles on an annual basis and determine whether the risks of US operations should be handled separately from those of foreign parent operations.
Moreover, if any compliance plans to remediate missteps are deemed insufficient, or the bank does not answer in the way the regulator desires, the OCC can more quickly issue a fine or other enforcement action without first submitting a notice of intent.
Less guesswork up front, fewer gaps later
Regulators have also been noting failures tied to the proper depth of due diligence and accuracy of risk assessments with increasing frequency in recent years.
Failures to properly review customers can lead, in turn, to failures in transaction monitoring. If a monitoring system doesn’t realize the danger of certain areas, it may not flag what, in hindsight, was suspicious activity, resulting in expensive and burdensome remediation engagements, Guerrero said.
In the last several years, some penalties in which risk assessment and subsequent monitoring failures played a role include the $160 million penalty against Wachovia, now part of Wells Fargo, for dealing with risky foreign money services businesses, along with the $1.9 billion penalty against HSBC for failing to scrutinize trillions of dollars in suspect transactions.
The HSBC penalty included not just a monetary fine, but a requirement to review know-your-customer information for the past five years, and potentially re-risk assess its entire population at an estimated cost of $700 million. Some of the largest money transmitters have also been penalized for not properly keeping tabs on agents who were aiding human traffickers.
Even payments to something as seemingly innocuous as Red Box rentals, when viewed through the magnifier of human trafficking, can make a customer or operation more risky because traffickers have been known to buy more DVDs to keep their illicit workforce entertained when they are not doing menial tasks or engaged in sexual services, Rosenberg said.
“Anyone can do a risk assessment, but you have to remember these decisions are made by many people who are making their own judgment calls,” Serino said. “But even if they are trying their best and get adequate training, there can be customers who slip through the cracks.”