Compliance is not checking boxes

I recently had the opportunity to sit and discuss the evolving roles of both the compliance officer (CO) and the money laundering reporting officer (MLRO) with a group of second-year law students from the Eugene Dupuch Law School. During this cross-examination-like exercise, the group ventured to ascertain my position on whether all customer due diligence documentation should be requested from every client during the onboarding process, considering the process is so diverse and requires a detailed level of understanding. I strongly submitted no. I further provided that the process should be used to ascertain facts about a potential customer that would assist an organization in identifying potential risks, determining whether those risks are within the organization’s risk appetite and deciding how to monitor the potential client, among other pressing factors.

It is important to note that best practice does not always align with laws, regulations and guidance around the world. However, the organization that provides global best practice standards is the Financial Action Task Force (FATF). It has produced 40 recommendations and has subsequently updated them over the years to adapt to the changing environment. There is an expectation among compliance and anti-money laundering experts that the FATF’s approach and methodologies may be updated in 2021. The recommendation that applies to customer due diligence is Recommendation 10 and its notes: “Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. Countries may permit financial institutions to complete the verification as soon as reasonably practicable following the establishment of the relationship, where the money laundering and terrorist financing risks are effectively managed and where this is essential not to interrupt the normal conduct of business.”

Locally, paragraphs 37 through 121 of The Central Bank of The Bahamas’ anti-money laundering/combating the financing of terrorism (AML/CFT) guidelines provide guidance to supervised financial institutions (SFIs) and reference key legislation. Designated non-financial businesses and professions (DNFBPs), such as law firms that are supervised by the Compliance Commission of The Bahamas, also have updated guidance based on the risk-based approach (RBA) regarding customer due diligence.

It is against this backdrop, and for good governance, that I would suggest you ask yourself: how strong is our institution’s customer identification program (CIP)? Failure to implement a robust framework could result in costly fines and unsettling findings by auditors and regulators alike. Here are two tips.

Know your regulatory landscape and your internal landscape

When did your institution last complete a gap analysis between your current policies and procedures and the current regulatory landscape? If you are a c-suite member, compliance or risk professional and paused before answering this question, I am afraid it has either been too long, or the process is not as robust and consistent as it needs to be. The art of regulatory compliance (which I will address in a standalone article) is quickly becoming an exciting area that involves a myriad of steps to prevent or mitigate potential risks to the institution. Being aware of the parameters of your regulatory and internal environment would greatly assist your CIP. It also lowers the potential of irritating potential customers with irrelevant requests, given the type of service being requested.

Pay attention to your risk variables

The FATF notes, “When assessing the money laundering and terrorist financing risks related to types of customers, countries or geographic areas; and particular products, services, transactions or delivery channels risk, a financial institution should take into account risk variables relating to those risk categories. These variables, either singly or in combination, may increase or decrease the potential risk posed, thus impacting the appropriate level of customer due diligence (CDD) measures.” These risks appear in the form of the purpose of an account or relationship, source of wealth and source of funds, domicile of the client, the nature of the business relationship and/or industry of employment, politically exposed status and potential negative media, among other risks. Your entity’s corporate and individual risk assessment tool(s) must, at minimum, include the above triggers to assist with risk rating a client.


My external audit and internal audit journey, along with traveling to conferences and interacting with regional and international risk and compliance professionals, has highlighted that a “one size fits all” approach to an institution’s client onboarding and monitoring is a recipe for disaster and unwanted inefficiencies.

• Derek Smith Jr., a Top 40 Under 40 Leader, is the compliance officer and money laundering reporting officer (MLRO) at Higgs & Johnson, a leading law firm in The Bahamas and former assistant vice president, compliance MLRO at an international private bank. His professional career started at a ‘Big Four’ accounting firm and has spanned over 15 years including business risk management, compliance, internal audit, external audit and other accounting services. He is also a Certified Anti-Money Laundering Specialist (CAMS) and Certified Risk & Compliance Management Professional (CRCMP).
