Staying on top of the dozens of overlapping and ever-changing Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements can be challenging for even the largest and most sophisticated financial institutions. As you start your planning for 2021, keep in mind these Top 10 requirements that should form part of every AML/KYC program.
1. Document your AML/KYC program
Document the processes and controls that comprise your AML program, and update the documentation as the regulatory requirements or your internal processes evolve. In addition, formally assign an individual to be personally responsible for overseeing your AML/KYC program, and clearly define their roles and responsibilities.
2. Screen customers at onboarding and throughout the relationship
Screen all new customers (both individuals and legal entities) against the OFAC list before opening their account. In addition, re-screen all customers periodically (ideally daily) over the course of their relationship with you. And if you’re conducting business outside the US, you may also need to screen your customers against United Nations and other non-US sanctions lists. Lastly, while (technically) not required, to avoid potential risks and liabilities most financial institutions also screen customers against other types of government enforcement and watch lists (e.g., the FBI’s Most Wanted List), along with “adverse media” lists.
3. Categorize each customer based on their AML risk
Some customers present a higher anti-money laundering risk than others. This could depend on factors such as the types of financial products they use, the corruption indices/levels of the locations where they reside, and the type of business in which they’re engaged. Capture enough information during the onboarding process to assess the AML risk of each customer and assign them an appropriate risk category. Also perform additional due diligence and/or obtain more senior level internal approvals before opening an account for a higher risk customer. Lastly, as the customer relationship evolves, update the initial risk ranking to reflect any change in the customer’s risk profile.
4. Check whether the customer is a PEP
A Politically Exposed Person (a ‘PEP’) is an individual who is or was a prominent public or governmental official of a foreign (non-US) government, as well as their immediate family members and close associates. Due to their position or relationship, PEPs may present a higher risk that their funds are proceeds of corruption or other illicit activity. Screen all new customers against a PEP list both at the time of onboarding and periodically over the course of their relationship with you. Depending on multiple factors, Enhanced Due Diligence (‘EDD’) or other steps may be required – check out some of the details here.
Also, since some PEPs live in the US (keep in mind the ‘family member’ and ‘close associate’ prongs), you can’t avoid the PEP requirements by limiting your customer base to only US citizens or residents.
5. Perform ID verification prior to account opening
Verify the name, address, government identification number and (for individuals) date of birth of all customers before opening an account. Verification may be performed by non-documentary (e.g., analyzing a digital footprint) or documentary (e.g., reviewing government identification cards or other documents) methods. You must also properly notify customers that you’re performing this verification and maintain records of the verification results.
6. Perform CDD or EDD where required
In many cases, it’s not enough to just verify a customer’s identity and perform screening. Rather, the Financial Crimes Enforcement Network (“FinCEN”) added an extra layer of requirements in 2018 applicable to banks, mutual funds, broker-dealers, futures commission merchants and introducing brokers in commodities. The new requirements, called the Customer Due Diligence (‘CDD’) Rule, significantly increase these firms’ due diligence obligations, especially when it comes to identifying control persons and beneficial owners of legal entity customers. The new rule also imposes a requirement to conduct EDD on high risk customers. More details are available here.
7. Monitor and report suspicious activity
Financial institutions must report transactions in currencies that exceed certain thresholds, and must monitor for and report any other transactions that:
- May involve potential money laundering or other illegal activity (e.g., terrorism financing),
- Are designed to evade the anti-money laundering rules, or
- Have no business or apparent lawful purpose.
The type and nature of monitoring and reporting differ depending on the firm’s business, the underlying activity and the different regulator(s) to which a firm is subject. However, FinCEN, as the US agency with the authority to implement, administer, and enforce compliance with the anti-money laundering laws, is the primary body with which Suspicious Activity Reports (‘SARs’) and Currency Transaction Reports (‘CTRs’) are filed.
8. Retain required records
All financial institutions are subject to the Bank Secrecy Act (the ‘BSA’). The BSA imposes a complex web of requirements as to the types of records that must be retained, and the length of the retention period. For a comprehensive summary of these requirements, refer to 31 CFR Chapter X and other FinCEN advisories and guidance. The key take-away is to make sure that you:
- Understand which record-keeping requirements are applicable to your business,
- Document the record-keeping requirements in your AML policies, and
- Ensure that your systems retain required records for the appropriate time period and do not, for example, delete or over-write required data prior to the expiration of that time period.
Note however that the BSA record-keeping requirements are in addition to those imposed by other regulators, e.g., Securities & Exchange Commission, state Money Service Business Regulators, etc.
9. Provide AML training
You must periodically (most do this annually) provide AML training to your employees. The training should focus on your AML program and its controls, your employees’ AML-related roles and responsibilities (this may differ by an employee’s function) and how to detect and report suspicious activity. Common mistakes regulators have found when examining AML training programs include:
- Failure to document that an employee attended training,
- Exempting certain senior staff (e.g., the CEO) from attending training,
- Providing generic training not tailored to a firm’s actual AML program or AML risks, and
- Failure to provide (and document) ‘off-cycle’ training if the firm made a material change to their AML program.
10. Perform independent testing
Financial institutions are required to periodically (at least annually) test that their AML program and the associated controls are operating as designed, and are effective. The testing can be performed by anyone “independent” from the individual(s) responsible for implementing the AML program, which could be another team within the financial institution (e.g., internal audit) or a third party. The testing should assess each of the nine ‘tips’ mentioned above. In addition, if your testing identified any deficiencies, develop and document an action plan for each deficiency, assign ownership to an appropriate person, and periodically report progress to senior management.
Note however that, like the record-keeping and other requirements discussed above, your regulator(s) may expect your AML testing to conform to certain standards. When developing and implementing a testing program, review any related materials published by your regulator.
Bonus: Keep an eye on the implementation of AMLA 2020
The Anti-Money Laundering Act of 2020 (AMLA 2020) became law on Jan 2. It’s the most sweeping change to the AML laws since the PATRIOT Act in 2001. Among its many provisions, AMLA 2020 provides for the creation of a beneficial ownership registration database, expanded whistleblower rewards and protections, requirements for AML staff to be physically based in the US, and new Bank Secrecy Act violations and penalties. There’s nothing specific that financial institutions need to implement at this time, but keep your eyes on the horizon. That’ll change.
Designing and implementing an anti-money laundering program consistent with all applicable requirements is a daunting task. It can consume massive amounts of time, energy and resources. And, if managed incorrectly, it can result in significant liability to your firm and senior management.