I recently had the opportunity to sit and discuss the evolving roles of both the compliance officer and the money laundering reporting officer (MLRO) with a group of second-year law students from the Eugene Dupuch Law School. During this cross-examination-like exercise, the group ventured to ascertain my position on whether all customer due diligence documentation should be requested from every client during the onboarding process given that it is so diverse and requires a detailed level of understanding. I strongly responded 'no'. I further argued that the process should be used to ascertain facts about a potential customer that would assist an institution in identifying potential risks, determining if those risks are within its risk appetite, and then deciding how to monitor the potential client.
It is important to note that best practice does not always align with laws, regulations and guidance. However, the organisation that determines global best practice standards is the Financial Action Task Force (FATF). They have produced 40 recommendations for combating money laundering and terror financing, and have subsequently updated them over the years to adapt to the changing environment. There is an expectation among compliance and anti-money laundering experts that the FATF’s approach and methodologies may be further updated in 2021.
The FATF recommendation that applies to customer due diligence is Recommendation 10, which reads: “Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship, or conducting transactions for occasional customers.
“Countries may permit financial institutions to complete the verification as soon as reasonably practicable following the establishment of the relationship, where the money laundering and terrorist financing risks are effectively managed, and where this is essential not to interrupt the normal conduct of business.”
Locally, paragraphs 37 through 121 of the Central Bank of The Bahamas’ anti-money laundering/counter terrorism financing guidelines offer guidance to its supervised financial institutions (SFIs) and reference key legislation. Designated non-financial businesses and professionals (DNFBPs), such as law firms that are supervised by the Compliance Commission, also have updated guidance based on the risk-based approach regarding customer due diligence.
It is against this backdrop, and for the purposes of good governance, that I would suggest you ask yourself: “How strong is our institution’s customer identification programme?” Failure to implement a robust framework could result in costly fines and unsettling findings by auditors and regulators alike. Here are two tips.
Know your regulatory landscape and your internal landscape.
When last has your institution completed a gap analysis between your current policies and procedures and the current regulatory landscape? If you are a senior executive, compliance or risk professional, and paused before answering this question, I am afraid it has either been too long or the process is not as robust and consistent as it needs to be. The art of regulatory compliance is quickly becoming an exciting area that involves multiple steps to prevent or mitigate potential risks to the institution. Being aware of the parameters of your regulatory and internal environment would greatly assist your company. It also reduces the potential of irritating potential customers with irrelevant requests based on the type of service being requested.
Pay attention to your risk variables
The FATF notes: “When assessing the money laundering and terrorist financing risks relating to types of customers, countries or geographic areas, and particular products, services, transactions or delivery channels risk, a financial institution should take into account risk variables relating to those risk categories. These variables, either singly or in combination, may increase or decrease the potential risk posed, thus impacting the appropriate level of customer due diligence measures.”
These risks appear in the purpose of an account or relationship; source of wealth and source of funds; domicile of the client; the nature of the business relations; and/or industry of employment, politically exposed position, potential negative media among other risks. Your entity’s corporate and individual risk assessment tools must have at a minimum the above triggers that would assist with risk rating a client.
My external audit and internal audit journey, along with travelling to conferences and interacting with regional and international risk and compliance professionals, has highlighted that a ‘one-size-fits-all’ approach to an institution’s client on-boarding and monitoring is an equation for disaster and unwanted inefficiencies.
NB: Derek Smith Jr is a compliance officer at a leading law firm in The Bahamas, and a former assistant vice-president, compliance and money laundering reporting officer (MLRO), at a local private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).