For a state or federally regulated financial institution, it’s important to have a grasp of what constitutes a high-risk customer as it pertains to BSA and financial crime risk. Determining what high-risk activities or traits might elevate the risk of a customer is also critical. For this reason, being aware of the standards prescribed by your financial institution’s regulatory agency can assist in determining whether your institution meets them.
Whether your institution’s BSA compliance program is regulated by the National Credit Union Administration (NCUA), the Federal Deposit Insurance Corporation (FDIC), or the Board of Governors of the Federal Reserve System (FRB), the guidance regarding examinations is a concerted effort. This effort is evidenced by the Federal Financial Institutions Examination Council’s (FFIEC) BSA/AML Examination Manual. As such, guidance on determining your high-risk customers begins with the BSA/AML Risk Assessment – Overview section of the aforementioned manual.
This section breaks the Risk Assessment process into two parts: Identification and Analysis. As important as the full Risk Assessment process is, we will focus here on determining high-risk customers. Within the Identification portion of the Risk Assessment process is the section on Customers and Entities, with a detailed explanation of the following customer types:
- Foreign financial institutions, including banks and foreign money services providers (e.g., casas de cambio, currency exchanges, and money transmitters)
- Nonbank financial institutions (e.g., money services businesses; casinos and card clubs; brokers/dealers in securities; and dealers in precious metals, stones, or jewels)
- Senior foreign political figures and their immediate family members and close associates (collectively known as politically exposed persons (PEP))
- Nonresident alien (NRA)
- Foreign corporations and domestic business entities, particularly offshore corporations (such as domestic shell companies and Private Investment Companies (PIC) and international business corporations (IBC)) located in higher-risk geographic locations
- Deposit brokers, particularly foreign deposit brokers
- Cash-intensive businesses (e.g., convenience stores, restaurants, retail stores, liquor stores, cigarette distributors, privately owned ATMs, vending machine operators, and parking garages)
- Nongovernmental organizations and charities (foreign and domestic)
- Professional service providers (e.g., attorneys, accountants, doctors, or real estate brokers)
This list of business types and occupations provides a good framework against which to assess your institution’s client base. Balancing this list against other risk factors using a risk-based approach is imperative to keeping the workload at a reasonable level. Ensuring that data involving these and other risk factors is accurate and complete further ensures that the risk-based approach taken is appropriate.
The Analysis portion of the Risk Assessment process provides the basic building blocks for a financial institution’s Customer Identification Program (CIP) and Customer Due Diligence (CDD) program. Per the FFIEC Manual, determining the following factors for each potential high-risk customer will help the financial institution determine the customer’s actual risk:
- Purpose of the account
- Actual or anticipated activity in the account
- Nature of the customer’s business/occupation
- Customer’s location
- Types of products and services used by the customer
These types of questions provide answers that assist the financial institution in building risk profiles. They also provide data for determining which customers may be outside of normal patterns when compared to similar customer types. This data supports the primary function of conducting CDD: determining which customers, those deemed statistically different from the norm, need follow-on Enhanced Due Diligence (EDD).
In conclusion, the Risk Assessment process, customer onboarding processes, CIP, CDD and EDD are all integral to determining an effective risk mitigation strategy, and consequently to finding out who your financial institution’s high-risk customers are. Developing a proper risk-based approach to managing customer risk is not a one-size-fits-all process; it should be a customized, organic approach to mitigate risk based on the institution’s risk appetite, human capital and financial soundness.