your customer cannot be verified, your CIP should also include policies that detail when an account
should not be opened, when it should be closed and when a suspicious activity report should be filed.
Government watch lists have become an integral part of the fight against terrorist financing and
money laundering. In addition to U.S. Office of Foreign Assets Control (OFAC) lists, the United
Nations, the European Union, the Bank of England, and other organizations issue separate lists.
Periodic scrubs of your customer database against PEP (Politically Exposed Persons) lists should also
be a vital part of your program.
Your CIP should document which lists your customers are compared against. The comparison can be
done either manually or through software, depending on your institution's needs. Some institutions
do both, preferring to compare customers with a higher risk rating manually.
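The following is an added example, not code from the LexisNexis paper, of the periodic scrub described above: each customer is compared against several watch lists, the result records which lists were checked (so the CIP documentation and the retained records agree), possible matches are escalated to an analyst, and customers with a higher risk rating are routed to manual comparison regardless of the automated outcome. The list names, the customer records and the list entries are constructed sample data, and the fuzzy-match threshold is an assumed tuning value.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Dict, List

@dataclass
class Customer:
    customer_id: str
    name: str
    risk_rating: str  # "low", "medium" or "high" (institution's own rating)

@dataclass
class ScreeningResult:
    customer_id: str
    lists_checked: List[str]                 # retained with the CIP record
    possible_matches: Dict[str, str] = field(default_factory=dict)  # list -> entry
    manual_review: bool = False

def normalize(name: str) -> str:
    """Collapse case, punctuation and word order so 'DOE, John Q.' ~ 'John Q. Doe'."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(sorted(cleaned.split()))

def screen(customer: Customer, watch_lists: Dict[str, List[str]],
           threshold: float = 0.85) -> ScreeningResult:
    """Compare one customer against every list; never auto-clear a hit."""
    result = ScreeningResult(customer.customer_id, sorted(watch_lists))
    target = normalize(customer.name)
    for list_name, entries in watch_lists.items():
        for entry in entries:
            if SequenceMatcher(None, target, normalize(entry)).ratio() >= threshold:
                result.possible_matches[list_name] = entry
                break  # one recorded hit per list is enough to escalate
    # Any possible match goes to an analyst; high-risk customers are always reviewed manually.
    result.manual_review = customer.risk_rating == "high" or bool(result.possible_matches)
    return result

# Constructed sample data: fictitious list entries, not real sanctions or PEP content.
WATCH_LISTS = {
    "OFAC SDN": ["DOE, John Q."],
    "UN Consolidated": ["Jane Roe"],
    "EU Consolidated": [],
    "PEP": ["Sam Example"],
}
CUSTOMERS = [
    Customer("C-001", "John Q. Doe", "low"),
    Customer("C-002", "Alex Smith", "high"),
    Customer("C-003", "Pat Jones", "medium"),
]

def run_scrub(customers: List[Customer], watch_lists=WATCH_LISTS) -> Dict[str, ScreeningResult]:
    """Periodic scrub of the whole customer file; returns results keyed by customer id."""
    return {c.customer_id: screen(c, watch_lists) for c in customers}
```

Every result carries the full set of lists checked even when nothing matched, which is the record an examiner will ask to see when verifying that the scrub covered the lists named in the CIP.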
Finally, all of the information collected at account opening should be kept for five years after
the account is closed. These records should include copies of IDs, an explanation of any
non-documentary methods that were used, and the outcome of any verification discrepancies that
may have occurred during the CIP process.
Case Study
A cease and desist order issued in 2006 to a Nevada bank by the U.S. Federal Deposit Insurance
Corporation (FDIC) clearly illustrates the link between good risk-based account opening procedures,
customer due diligence and suspicious activity monitoring. The bank was cited for serious
deficiencies in its BSA (Bank Secrecy Act) compliance that were found in its affiliated trust company
during an examination. According to the enforcement action, the bank had to review its CDD
procedures to make sure that the information gathered when an account was opened was sufficient
to ensure proper monitoring for suspicious behavior.
The FDIC also ordered the bank to include in its written CDD program procedures for assessing
the risk of its customers and for ensuring that the transaction monitoring software it chose
was able to perform according to that assessment. Additionally, the written program had to be
approved by the bank's board of directors.
Regulatory Expectations
A sound customer identification program should have procedures intended to give your institution
as much information as is necessary to make an accurate evaluation of who a customer is and
what to expect from them. It should be risk-based and approved by management. All related records
should be kept, organized and accessible; and, above all else, the program should convey that your
institution understands the connection between customer identification and the ability to efficiently
monitor for suspicious activity.
If a regulator is examining your CIP program it is likely that they will request the following records:
• A copy of the CIP that covers all products, services and regulatory requirements;
• A copy of board minutes approving the CIP (or BSA program that includes CIP);
• A copy of audit procedures for CIP and any audit reports;
• A copy of the CIP training program (or BSA training program that includes CIP);
• List of accounts opened with an application for a tax identification number (TIN);
• List of accounts opened where verification is incomplete or exceptions were made;
• List of accounts identified as high-risk by the institution;
• Names of any institutions relied on for CIP, whether they are required to maintain an AML
program and whether they are regulated by a U.S. agency; copies of contracts; the CIP procedures
used and certifications made;
• Names of third party agents or service providers that perform CIP; copies of contracts, CIP procedures
used by the third party, and policies/procedures for ensuring adequate third party performance.
Figure A: Courtesy of 2006 BSA/AML Examination Manual
Concept 2 – Enhanced Due Diligence
Enhanced due diligence (EDD) is a process that has come under greater scrutiny with the passing of
the regulations set out by the USA Patriot Act Section 312 and the implementation of the Third EU
Money Laundering Directive into Member States' domestic legislation. Both mandate an increased
level of monitoring for customers who are considered high-risk.
The EU Third Directive calls for EDD in the case of non face-to-face customers, correspondent
banking relationships, and politically exposed persons (PEP); whereas Section 312 focuses on foreign
correspondent bank accounts and foreign private bank accounts, particularly if they might be linked
to a PEP.
A PEP is a person who is or has been in an influential political position, as well as family members
or close associates of that person. This definition blurs, however, when institutions try to interpret
how long after leaving office a PEP remains a PEP, or whether domestic PEPs should also be treated
as PEPs. Institutions typically err on the side of caution; in any case, it is crucial that you clearly
state your PEP policies in your written procedures and get them approved by upper management.
Regardless, regulators and examiners have come to expect EDD on all customers that are considered
to pose a higher risk. For example, the "2006 Federal Financial Institutions Examination Council's
BSA/AML Examination Manual," published in the U.S., states that these customers and their
transactions should be reviewed more closely at account opening and more frequently during their
relationship with the institution. It also lists other examples of higher-risk customers, including:
• Foreign financial institutions, including banks and money services businesses (MSBs);
• Non-bank financial institutions, such as casinos, MSBs, securities dealers, pawnbrokers, auto
dealers, boat dealers, jewelers, and travel agencies;
• Nonresident alien accounts, particularly if they are from a high-risk jurisdiction;
• Foreign corporations, particularly offshore corporations;
• Businesses that are cash intensive including bars and restaurants, privately owned ATMs, parking
garages, laundromats and car washes;
• Foreign and domestic charities or non-governmental organizations;
• Professional service providers such as real estate agents, insurance agents, mortgage brokers,
lawyers, and accountants.
Case Study
Another cease and desist order, issued by the FDIC in 2007, specifically instructs a South Florida
bank to determine through an assessment the appropriate levels of enhanced due diligence for
customers deemed to be of higher risk. According to the regulatory action, the bank had failed to
hire appropriate staff and implement effective systems to properly monitor high-risk accounts.
The regulator further details what enhanced due diligence procedures should entail, including
processes for confirming the identity and business activity of the customer; understanding the
expected transaction activity; and ensuring the identification of the customer for the purpose of
reporting suspicious activity.
Regulatory Expectations
When an examiner comes to your institution, they will require assurance that your EDD procedures
include steps for obtaining the correct information on high-risk customers. Your written CDD
program should also include specific details describing the decision-making process for deciding
whether an account is subject to EDD.
If the customer warrants EDD, the purpose of the account, source of wealth, beneficial
ownership, bank references, and explanations for changes in account activity should all be
included in their profiles.
Customer types to which regulators pay special attention include foreign correspondent accounts,
PEPs, corporate vehicles, and non-bank financial institutions.
assistance of a high-tech system designed specifically for that purpose. Major financial institutions
are extremely complex entities with vast branches in numerous cities and states. Under the law, in
order to “know their customers” banks and others must monitor countless transactions, often made
with little or no face-to-face contact. To do so without an equally complex and yet flexible computer
system would be impractical.
However, when choosing such a system you must also perform due diligence, this time on
your vendor.
Case Study
A bank in Missouri received a cease and desist order from the FDIC in 2006 that specifically
addressed the need to have proper procedures in place to manage technological solutions. The
action found the bank in violation for operating with an inadequate BSA and OFAC program,
as well as a faulty information technology program. The enforcement action ordered the institution to
perform a technology risk assessment and to develop vendor management policies.
The FDIC also required the bank to create an IT committee that would meet monthly with the
board of directors. Items that the committee was mandated to address include methods for the
identification, development, acquisition and maintenance of IT solutions; the development of IT
policies and procedures; the testing of solutions; and the rectifying of negative technology-related
audit or examination results.
Regulatory Expectations
Guidance published by the FDIC in 2004, “Computer Software Due Diligence Guidance on
Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory
Compliance,” marked the first time a U.S. regulatory agency weighed in on the reliance by financial
institutions and businesses on software technology to guard against money laundering.
The guidance suggested that financial institutions include a "regulatory requirement clause" in their
licensing agreements with software providers that would require vendors to maintain applications
that comply with pertinent regulations.
The FDIC also recommended two steps that should be taken when evaluating software: buyers
should validate the process by which the product has been developed; and evaluate the quality and
functionality of the product.
Items that should be collected from the vendor include:
• Proof of liability insurance
• At least three references
• Financial statement that ensures financial viability
• Proof of sufficient qualified staff to perform services
Additionally, in order to be effective, a customer due diligence solution must be easily customizable,
have flexible risk-scoring capabilities, manage sanctions lists, have a user-friendly workflow process,
and offer integrated research tools. Though this step seems rudimentary, ensure that your institution's
definition of CDD is in sync and commensurate with your vendor's or provider's. If your vendor's
approach to due diligence does not reflect your written BSA program, you run the risk of negative
regulatory scrutiny.
Please contact Debra Geister at Debra.Geister@lexisnexis.com
for more information or visit www.risk.lexisnexis.com/diligence
LexisNexis and the Knowledge Burst logo are trademarks of Reed Elsevier Properties Inc., used under license.
©2008 LexisNexis Risk & Information Analytics Group Inc. All rights reserved.
Actionable intelligence to help make critical decisions throughout your customer lifecycle.
Customer Development
• Acquire and retain profitable customers
• Manage customer relationships through their life stages
• Score and reduce credit/lending risk
• Assess risk and identify opportunities
Collections Management
• Skip and locate right party contacts and assets
• Score and segment portfolios
• Screen and monitor accounts
• Facilitate litigation
Authentication & Screening
• Mitigate liability of acquiring and retaining customers and associates
• Authenticate identity
• Help ensure regulatory compliance
• Screen applicants to manage hiring and retention
Fraud Prevention
Contact a LexisNexis®
Representative for more information:
1-888-332-8244 l www.risk.lexisnexis.com