Kaluwa Maitre-Avril, FICA, takes a frank look at client onboarding procedures at financial institutions, with a view to providing solutions that add value to the process and manage risks more effectively while making money safely.
This article first appeared in inCOMPLIANCE Issue 28 "Coming into focus" published March 2017. It is an official publication of the International Compliance Association, www.int-comp.org
In my honest opinion: a frank look at client onboarding procedures
CLIENT ONBOARDING
Riddle me this:
• I attend compliance, anti-money
laundering (AML), fraud and tax
conferences
• I monitor financial enforcement sites
and regulatory watchlists
• I subscribe to money laundering alert
magazines and journals
• I am a member of a recognised
compliance association or body
• I subscribe to compliance solutions
providers for politically exposed
persons (PEP), sanctions and
adverse media screening
• My firm is well-established and
provides quality services to clients
• I have extensive knowledge of know
your customer (KYC) and client due
diligence (CDD) documentation for
onboarding new clients
• I move millions of dollars annually
through the banking system.
Who am I? I have posed the above
question to several AML trainees and
to date only one person has come
up with the correct response. If you
guessed “a criminal” then you are in
this select class.
Where am I going with this? Relying
on a “tick-box” approach to your client
onboarding process adds little value
to your compliance and AML program
when criminals can cleverly tailor
themselves and their applications to
suit your institution’s requirements. By
presenting you with exactly what you
want, they can gain entry into your
institution with relative ease. Coupled
with this is the myth that a stringent
application of the AML laws of one’s
jurisdiction prevents illicit proceeds
from infiltrating a financial institution
(FI) or system. In applying a “tick-box”
approach, how then does an FI and its
compliance team readily identify and
manage money laundering, terrorist
financing and other compliance risks
posed by a prospective client?
True story
Last year I visited a well-established FI
– of which I’ve been a client for over a
decade – to make a modest investment.
My KYC documentation was duly updated,
complete with a copy of a recent salary
slip, which was supplied as requested. I
also provided a utility bill, which was in
my husband’s name, as were all other
bills, except the one for my mobile phone,
which bore a previous address. This was
explained to the accounts executive who
told me that my husband must provide a
declaration addressed to the FI confirming
that I resided with him at our address (yes,
you read that right!).
Somewhat incredulous, I dismissed
the suggestion as a joke and
facetiously asked: “What if I don’t
want my husband to know about this
investment?” For me, it mattered not
that he was fully aware; I questioned
how such an insistence would
properly manage risk. Apparently the
joke was lost on the executive, who
further requested that I submit a copy
of his ID. Of course, I quickly sobered
up and in my best professional
voice said that this was onerous and
unnecessary considering:
1. the FI had a copy of my marriage
certificate on file;
2. my husband had no beneficial
interest in this investment;
3. I was a long-established client and
known professional with no criminal
history;
4. my source of funds and wealth were
clearly understood and could be
substantiated; and
5. I had provided them with all other
KYC and CDD documentation.
The guidance of the compliance
officer was sought. After being
presented with my assessment of the
situation, her conclusion was that they
were merely “following the law”. The
flustered accounts executive suggested
that I should not have indicated that
the address on the mobile bill was out
of date (its submission would certainly
have checked their box!). With
that, I decided to take my business
elsewhere and happily completed their
suggestion sheet!
Challenges
As a fellow compliance professional,
I was compelled to think about how
this situation could have turned out
differently, since compliance, risk
and AML professionals are facing a
gargantuan amount of pressure and
a myriad of challenges, the likes of
which our counterparts of 8-10 years
ago never confronted. Today, we are
constantly plagued by threatening terms
like “de-risking”, “Panama Papers”,
and “FATCA”. Add to that the lack of
CDD and risk assessment software;
external pressures (such as the Common
Reporting Standard and the EU’s Fourth
Money Laundering Directive);
increasing compliance costs; enigmatic sanction regimes (e.g. concerning Iran); lack of integrated client data due to outdated legacy systems; over-eager and demanding business development or sales teams… the list goes on. Some, if not most, of us are fearful of incurring personal fines or, worse, jail time; incurring regulatory fines and sanctions for corporate breaches; or losing correspondent banking relationships and services. Others have turned into robots, mindlessly checking and unchecking boxes.
The question is: how does one face these challenges and fears confidently when onboarding new clients?
The answer? Apply risk management practices that add value to your role and institution, as the reality is that FIs are in business to make a profit. Construct a robust compliance risk management framework that complements and supplements your institution’s overall strategy, covering issues of regulatory compliance, internal/independent audits and compliance risk management practices, among others. From this, separate action plans can be developed to target specific areas of your overall compliance program to include AML, KYC, CDD and suspicious activity reporting.

Example 1: Sample risk rating sheet
Entity name: ABC LIMITED
Risk calculated by: JANE DOE
Date: 2/14/17

Business activity risk
Business category | Insert "Y" | Letter rating | Score
Regulated/licensed asset management/investing activities | Y | L | 1
Professional consultancy services | | M | 0
Mining/fine art/jewellery | | H | 0

Country risk
Country category | Insert "Y" | Letter rating | Score
Equivalent regulations/heavily regulated | Y | L | 1
Obscure AML/CFT legislation/regulations | Y | M | 2
Sanctions and embargoes | | H | 0

Client risk
Client category | Insert "Y" | Letter rating | Score
Regulated intermediary/licensed entity | Y | L | 1
Politically exposed person | | H | 0

Product/service risk
Products/services categories | Insert "Y" | Letter rating | Score
Personal/corporate demand deposits/custodian services | Y | L | 1
Reliable/eligible introducer status | | L | 0
Trusts services/wealth planning or structuring | | M | 0
Debit/credit cards | Y | H | 3

Method of introduction/delivery channel risk
Method of introduction/delivery channel | Insert "Y" | Letter rating | Score
Eligible/reliable introducer | Y | L | 1
Existing customer or employee | | M | 0
Walk in/unknown | | H | 0

Transaction size risk
Estimated largest transaction amount | Insert "Y" | Letter rating | Score
$5M and over | Y | H | 3
Number of monthly transactions | Insert "Y" | Letter rating | Score
1 to 10 | Y | L | 1

Rating bands: Low 0-33% | Medium 34-66% | High 67-100%
Total weighting: 45.27%
Recommended risk rating: Medium

Example 2: Weighting breakdown
Category | Weighting
Business activity risk | 0.30
Client risk | 0.25
Country risk | 0.20
Transaction size risk | 0.10
Method of introduction risk | 0.05
Product and services risk | 0.10

Develop a risk profiling
process
In the absence of sophisticated and
expensive CDD software to perform
this type of analysis, you can use simple
methods if operating in a manual
environment. Even now I use what I call a
“Whodunnit?” list. This is a list of only five
questions, which generates a simple but
coherent profile of the client, its business
activities, its reason for wanting your FI’s
products and services, the jurisdictions it
operates in or from, associated entities,
principals and expected transactional
activity, etc, gleaned from reviewing the
client application file.
I strongly suggest you undertake
this exercise no matter how manual
or automated your environment is,
especially if new application volumes
are not significant. When completed,
the “Whodunnit?” list should provide
a quick snapshot of the applicant
for business to isolate important risk
factors, which can be fed into a risk
assessment tool. Your “Whodunnit?”
list should cover the following:
1. Who is the client? – For example,
is it a regulated/licensed entity or
a PEP? In your summary, note the
sources of wealth and expected
funds. What risk does this client
pose (e.g. licensed FI vs realtor vs
lawyer vs wine producer vs seller
of precious metals and jewels vs
public mutual fund etc)? Who are
the principals? Are they acting as
trustees or fiduciaries, or are they the
true beneficial owners?
2. What are the business activities?
3. What jurisdictions are involved?
– This should include jurisdictions
of residence, business, operations
and expected sources of funds (e.g.
Seychelles, Russia, the UK).
4. How were they introduced and/or met?
– For example, was this via a well-known
intermediary; a walk-in; using online
searches; face-to-face meeting, etc?
5. What is the expected transactional
activity and does it make commercial
or business sense based on the clients,
their business activities, intended
purpose for the account, and/or the
industry within which they operate?
Create or use a risk
assessment tool
You can then feed this data into a risk
assessment tool such as a risk rating
spreadsheet if you are not lucky enough
to have software to perform this function
or do not use your legacy system’s risk
assessment module for whatever reason.
This sheet should score and measure
specific risk factors, which can fall under
the categories shown in condensed form
in Example 1. Each factor is scored from 1
to 3 based on the individual risk assigned
to it. Each category score should be risk
weighted and aggregated to 100 (as
illustrated in Example 2) to arrive at the
final recommended risk rating (e.g. low,
medium, high, ultra-high). You can tailor
the sheet, risk factors and categories
to suit your specific industry, FI, and
products and services.
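
A minimal sketch of such a risk rating sheet in code, added here as an illustration and not taken from the article or the ICA. It uses the category weights from Example 2 and the rating bands from Example 1. Averaging the selected factor scores within a category is an assumption, because the article does not state the aggregation formula and Example 1 is condensed; the sketch therefore returns 43.33% (Medium) for the visible rows rather than the sheet's 45.27%.

```python
# Added illustration: weighted risk rating in the style of Examples 1 and 2.
from statistics import mean

# Category weights from Example 2 (they sum to 1.00).
WEIGHTS = {
    "business_activity": 0.30,
    "client": 0.25,
    "country": 0.20,
    "transaction_size": 0.10,
    "method_of_introduction": 0.05,
    "product_service": 0.10,
}
MAX_SCORE = 3  # each factor is scored 1 (low) to 3 (high)


def risk_rating(selected):
    """selected maps each category to the scores (1-3) of its factors marked "Y".

    Assumption: a category's risk is the mean of its selected scores divided
    by MAX_SCORE. Returns (total_percent, band).
    """
    missing = set(WEIGHTS) - set(selected)
    if missing:
        # An unscored category would silently lower the total, so refuse it.
        raise ValueError(f"unscored categories: {sorted(missing)}")
    total = 0.0
    for category, weight in WEIGHTS.items():
        scores = selected[category]
        if not scores or any(s not in (1, 2, 3) for s in scores):
            raise ValueError(f"{category}: need at least one score in 1..3")
        total += weight * mean(scores) / MAX_SCORE
    percent = round(total * 100, 2)
    # Bands from Example 1: Low 0-33%, Medium 34-66%, High 67-100%.
    # Assumption: a value between two bands (e.g. 33.4) takes the lower band.
    band = "Low" if percent < 34 else "Medium" if percent < 67 else "High"
    return percent, band


# Constructed input: the "Y" rows visible in the condensed Example 1 sheet.
ABC_LIMITED = {
    "business_activity": [1],
    "country": [1, 2],
    "client": [1],
    "product_service": [1, 3],
    "method_of_introduction": [1],
    "transaction_size": [3, 1],
}

if __name__ == "__main__":
    print(risk_rating(ABC_LIMITED))
```
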
Remember the key is to identify, assess
and manage risks posed by new clients to
your institution, to make money safely, and
to bar those who pose an unmanageable
or significantly high risk.
Kaluwa Maitre-Avril is a CCO of a private bank and a consultant