But what elements should firms consider as part of an AML customer risk assessment? And how do they determine what to prioritize? 

What is a Customer Risk Assessment?

In order to understand the money laundering risks each customer poses, a customer risk assessment should consider a number of factors.  These include verifying the identity of a customer, considering how to engage with them – the products and services they access, the type of transactions they carry out, and how often – and the geographical locations to which the customer is linked. 

In addition, firms should ensure they comply with national and international sanctions by screening customer and beneficial owner names against United Nations and other relevant sanctions lists.

Firms will have different levels of risk appetite regarding the customers they are willing to work with. However, it is important that a consistent customer risk assessment methodology is implemented, setting out the criteria for customer risk scoring weighting mechanisms, and the rationale behind these.

The main purpose of the assessment is to identify the risks to which a firm may be exposed, either in the course of a business relationship, or for an occasional transaction. The more complex this interaction is, the more rigorous a customer risk assessment needs to be. 

By being well informed, firms will be better placed to determine the correct level of customer due diligence (CDD). Ongoing reviews should be completed, particularly if a customer starts to act in a manner that deviates from their risk profile. The Financial Action Task Force (FATF) recommends that where firms cannot apply the appropriate level of CDD, they should not enter into the business relationship, or should terminate the business relationship.

What Factors Should be Included in a Customer Due Diligence Risk Assessment?

There are four main pillars to consider in a customer risk assessment: 

In the US, the Financial Crimes Enforcement Network’s (FinCEN) CDD Final Rule clarifies and strengthens customer due diligence requirements. It requires applicable financial institutions to establish and maintain written policies and procedures that are designed to:

• Identify and verify the identity of customers
• Identify and verify the identity of the beneficial owners of companies opening accounts
• Understand the nature and purpose of customer relationships to develop customer risk profiles
• Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

Dynamic AML Customer Risk Assessment

An ongoing assessment of customers is needed to help firms mitigate money laundering risk, but what is suspicious for one customer won’t be for another. 

Some general behaviors that may raise a red flag, or prompt a re-evaluation of a customer risk assessment include: 

• Changing banks a number of times in a short space of time 
• Attempts to disguise the real owner of the business
• Requests for short-cuts or unusual speed in transactions
• Involvement of a third-party funder with no connection to the business 
• A large amount of private funding from an individual running a cash-intensive business
• False or suspicious documents used
• A large amount of cash transactions inconsistent with the profile of the customer
• Business transactions involve countries with a high risk of money laundering and/or funding of terrorism
• Overly complicated ownership structures
• Inconsistent level of business activity

Firms need to more accurately flag suspicious actors and activities. To do so, they need to understand the importance of dynamic risk assessments and have the data and technology to enable this.

Misclassification of low-risk customers as high risk, and inaccurate or insubstantial KYC information gathering, can dilute the effectiveness of AML measures – and a wholly manual and complex process may not be enough to guarantee the results needed.

Firms should consider simplifying the architecture of their risk models and introducing statistical analysis to complement expert judgment. Machine learning algorithms can improve the quality of data and help continuously update customer profiles, while considering behavior and additional factors.

The post Customer Risk Assessment: What you Need to Know appeared first on ComplyAdvantage.

EDD is especially relevant for high-risk or high-net-worth customers or those who conduct large or unusual transactions, which pose more significant risks.

Every year around $2tn in illicit cash flows through the global financial system despite governments, regulators, and financial institutions trying to maintain financial stability through new legislation, enforcement actions, and improved collaboration. 

For firms trying to protect against money laundering and terrorist financing (ML/TF), understanding customers is critical, and EDD is an in-depth know your customer (KYC) process that can help.

What is Enhanced Due Diligence Usually Required For?

All Financial Action Task Force (FATF) members must implement customer due diligence (CDD) requirements as part of their domestic AML/CFT legislation – as stated in Recommendation 10 of the FATF’s 40 Recommendations. 

In addition, FATF’s Recommendation 19 states that EDD measures should be carried out on “business relationships and transactions with natural and legal persons, and financial institutions, from countries for which this is called for by the FATF.” Institutions should implement KYC/AML and all CDD measures for new business relationships, occasional transactions if there is a suspicion of money laundering or terrorism financing, or unreliable documentation. Monitoring should be ongoing rather than a one-off obligation.

The FATF identifies customer, country, and product money laundering risks in its CDD guidance. Enhanced due diligence may be required for persons or situations that present a greater risk, including:

• A business relationship conducted in unusual circumstances – e.g., unexplained geographic distance between the firm and customer
• Non-resident customers, or those subject to economic sanctions
• Legal persons or arrangements that are personal asset-holding vehicles
• Companies that have nominee shareholders or shares in bearer form 
• Cash-intensive businesses
• The beneficial ownership structure of the company appears unusual or excessively complex, or opaque
• Countries without adequate AML/CFT systems
• Countries subject to sanctions or embargoes or with significant levels of corruption or criminal activity
• Countries funding or supporting terrorist activities or having designated terrorist organizations operating within their country
• Private banking
• Anonymous or non-face-to-face transactions or business relationships
• Payments received from unknown or unassociated third parties

In Europe, under Article 18 of 4AMLD, any business located in a country on the high-risk third countries list requires EDD. 

Enhanced due diligence may also be needed for politically exposed persons (PEPs). FIs should take a risk-based approach to determine what measures to put in place and for how long.

FATF EDD Best Practices

EDD practical steps suggested by the FATF include:

• Accessing additional identifying information from a wider variety of sources
• Carrying out additional searches 
• Verifying the source of funds involved to ensure they are not proceeds from crime
• Gaining additional information from the customer about the purpose and nature of business relationships 
• Commissioning an intelligence report on the customer or beneficial owner 

How Does the Enhanced Due Diligence Process Work?

Following FATF guidance, companies should implement risk-based EDD measures that reflect the specific AML/CFT risk that individual customers present. These should include:

• Obtaining additional customer identification materials
• Establishing the source of funds or wealth
• Applying closer scrutiny to the nature of the business relationship or purpose of a transaction
• Implementing ongoing monitoring procedures

For many of the persons and entities identified, enhanced due diligence will be a standard part of their relationship with a firm.

An alert could also trigger EDD in a transaction monitoring system if it’s flagged for further investigation. Additional information – either from a relationship manager or the client – may be needed, and firms should make internal and external inquiries to learn more about the customer and the transaction.

Identify risks before they become threats

Ensure your firm has effective EDD measures in place. Screen against the world’s only dynamic global database of Sanctions and Watchlists, PEPs, and Adverse Media, in consolidated, structured profiles.

Learn more

Enhanced Due Diligence AML Requirements 

CDD regulations typically require firms to maintain records of the information they collect for at least five years. This includes copies of all identification documents (driving licenses, birth certificates, passports, etc.) and business documentation. 

Firms should be able to comply quickly and efficiently with requests for records from regulators and enable authorities to reconstruct individual transactions, including details of the amounts of money and types of currency involved. 

Where CDD measures create suspicion or reasonable grounds to suggest that a customer is involved in criminal activity, companies must report that information promptly to their jurisdiction’s financial intelligence unit (FIU) via a suspicious activity report (SAR).

Regulatory requirements will differ in local jurisdictions, so firms should check their operating areas.

While adverse media is not a regulatory requirement for enhanced due diligence, it can be a powerful tool. It may reveal involvement with money laundering, financial fraud, drug trafficking, human trafficking, financial threats, organized crime, terrorism, or other criminal activity.

In Europe, Article 18 of 4AMLD states that businesses located in a country listed as a high-risk third country require EDD. And any politically exposed persons (PEPs), their close associates, or family members must also be thoroughly examined.

It is also important in all jurisdictions to keep updated on constantly evolving AML sanctions. Regular screening is needed to ensure your customers are not on any watch lists. Industries at increased risk of money laundering, such as gambling, also often have KYC enhanced due diligence requirements in many parts of the world.

In the US, FinCEN guidance warns that the scope of due diligence measures will vary on a case-by-case basis.

Customer Due Diligence vs. Enhanced Due Diligence

There are three levels of due diligence – simplified, CDD, and EDD.

There are several characteristics that distinguish EDD from regular CDD policies:

• Rigorous and robust: Enhanced due diligence policies require significantly more evidence and detailed information than essential regulatory obligations of customer identification, establishing ultimate beneficial ownership, and business relationship nature and purpose
• Reasonable assurance: EDD requirements should provide “reasonable assurance” when calculating a KYC risk rating. Responsible investigators should complete all necessary research steps and exercise professional skill and judgement in making decisions
• Detailed documentation: The EDD process must be documented in detail, with scrutiny on how data is captured and validating the reliability of information sources
• PEPs: Special attention should be paid to PEPs, who are in positions that can be potentially abused for money laundering.

Effective enhanced due diligence measures are built on a combination of technology and expertise. 

As risk profiles and criminal behaviours evolve, firms must be as flexible and innovative with their approach to EDD as with other aspects of their AML/CFT policy. Technology provides valuable tools to facilitate EDD processes, but human vigilance is vital to spot and address new threats.

EDD also requires “reasonable assurance” when calculating a KYC risk rating. This means that the professionals responsible for making a decision must have completed all the necessary research steps and exercised professional skill and care in reaching their judgement.

Find out more about the FATF recommendations you need to know.

The post What is Enhanced Due Diligence (EDD)? appeared first on ComplyAdvantage.

Since those lists change constantly, ensuring screening processes stay up to date and effective, and avoid inefficiencies and false positives, is an ongoing issue for obligated firms. The biggest challenge in this area consists of large volumes of transactions and critical time pressures.

To improve the accuracy of your screening program while minimizing false positives, ComplyAdvantage offers the ability to screen the SWIFT / Bank Identification Code (BIC) of a bank instead of its name.

Bank Identification Code (BIC)?

BICs are unique bank identifiers, and some sanction lists include sanctioned BICs. According to SWIFT, the 7,000 banks that use the SWIFT network for correspondent banking have more than 1 million individual correspondent relationships. Screening the BIC code instead of the entity name therefore significantly improves false-positive rates on correspondent bank screening. 

BICs are sometimes mentioned in sanctions lists – when this happens, ComplyAdvantage adds them to its database. The database is enriched by the addition of missing BICs through manual updates made by the ComplyAdvantage sanctions team. 

Why is this important to my business?

1. Screen counterparty banks as part of your compliance program.
2. Improve screening accuracy without increasing false positives.
3. Keep pace with ever-evolving financial crime activity.

ComplyAdvantage Transaction Screening

• Screen the whole transaction against real-time Sanctions and Politically Exposed Persons (PEP) coverage via a single API call
• Identify sanctions risk in all parts of the payment message including unstructured free reference text.
• Select sanction lists, fuzziness levels, or the most commonly configured algorithms, on a rule-by-rule basis, to configure a risk-based approach in a more granular way.
• Aggregated transaction-level alerts, MI reporting and an electronic audit trail.

If you would like to find out more about how ComplyAdvantage can drive efficiencies in your transaction risk management program, speak to a member of our team.

The post Product Update: BIC Screening appeared first on ComplyAdvantage.

However, because cryptocurrencies are cryptographically secured on their blockchains, transactions between users are generally anonymous and take place in seconds. The speed and anonymity of cryptocurrency transactions is an attractive opportunity for criminals seeking to evade conventional AML/CFT controls: research shows that illicit cryptocurrency transactions totalled around $14 billion in 2021 – a rise of 79% from $7.8 billion in 2020. As of 2022, it is estimated that around $10 billion in cryptocurrency is held in illegal addresses.

With global regulators paying closer attention to cryptocurrency transactions, it is more important than ever for crypto exchanges to address their AML/CFT compliance responsibilities. In particular, crypto exchanges must address the anonymity concerns associated with cryptocurrency transactions by implementing suitable Know Your Customer (KYC) processes in order to understand who their customers are, and how they are using their services. 

What is KYC? Crypto Exchanges and Digital Compliance

The Know Your Customer process is a foundation of AML/CFT compliance regulations around the world and requires financial institutions to both identify their customers and work to understand the nature of the business in which they are involved. 

The conventional KYC process involves a range of due diligence measures, along with ongoing screening and monitoring as customers engage with the services that a particular firm offers. KYC is important in financial contexts because criminals employ a range of strategies to evade AML/CFT controls: by building a rich, and accurate risk profile of each individual customer, financial service providers are much better equipped to detect customers that are misusing their services, and to prevent crimes like money laundering and terrorism financing. 

What does KYC mean in crypto exchanges?

In the context of crypto exchanges, KYC may be a more complicated compliance challenge since firms must work harder to establish the identities of the customers that are using their digital services, and to understand the details of transactions that they are facilitating. 

Risk-based compliance: Following Financial Action Task Force (FATF) recommendations, crypto exchanges should adopt a risk-based approach to KYC compliance. Risk-based compliance requires firms to perform risk-assessments of individual customers, and then implement a proportionate AML/CFT response. If an assessment finds that a customer is high risk, the crypto exchange should deploy more intensive compliance measures – as opposed to simpler measures for low risk customers. Risk-based compliance enables crypto exchanges to deploy their AML/CFT resources more efficiently, while protecting customers from negative experiences, as far as possible. 

In practice, digital KYC compliance means that ‘traditional’ KYC practices should be adjusted for the specific challenges that crypto exchanges face – and include the following measures and controls:

• Identity verification: In order to build accurate risk profiles, crypto exchanges should be able to build accurate risk profiles for their customers. With that in mind, exchanges must obtain and verify identifying information from their customers, including names, addresses, birth dates, and relevant corporate information.
• Customer monitoring: Exchanges should monitor their customers’ transactions on an ongoing basis, paying special attention for signs of criminal activity – which may include unusual transaction patterns, or transactions involving high risk customers and locations. 
• Screening: Exchanges must screen their customers to ensure that they are not subject to international sanctions, or that they are politically exposed persons (PEP), and therefore at higher risk of being involved in money laundering. 
• Adverse media: Customer risk profiles may be informed by adverse news stories before the same information appears in official sources. Exchanges should screen on an ongoing basis to detect customer involvement in adverse media. 

Crypto Exchange KYC Risks

KYC compliance in the cryptocurrency space is complicated by an evolving regulatory landscape, and by relatively novel criminal methodologies. Accordingly, cryptocurrency exchanges should be aware of the following vulnerabilities and risks when developing and implementing their KYC solution:

• Anonymous transactions: Cryptocurrency exchange transactions offer money launderers a degree of online anonymity. Accordingly, exchanges should seek to inform their identity verification process with digital controls, including obtaining biometric customer information such as face, voice, and fingerprint scans. 
• Transaction speed: Cryptocurrency funds can be moved between accounts in a matter of seconds, often outpacing AML/CFT controls. Exchanges should ensure that their own AML/CFT checks and monitoring processes can be completed before funds are transferred to user wallets. 
• Structured transactions: Money launderers may attempt to evade reporting thresholds by structuring their transactions in small amounts, across multiple accounts. Crypto exchanges should ensure their controls prevent the creation of multiple accounts and share information with other financial service providers to detect and prevent structuring strategies. 
• Money muling: Money launderers may seek to further exploit the vulnerabilities of cryptocurrency transactions by coercing or incentivizing third parties – known as ‘money mules’ – to engage with crypto exchange services on their behalf. Exchanges should work to detect money mules by performing suitable due diligence and identifying customers whose profiles do not match their wealth or expected financial behavior. 

Negative customer experiences: Beyond the regulatory risks, crypto exchanges with inadequate or unsuitable KYC procedures also risk negatively affecting their customers’ experience of their services. Under a risk-based approach, KYC enables exchanges to build detailed risk profiles – and subsequently adjust their AML/CFT controls to better suit individuals. With that in mind, effective KYC is a way to optimize experiences for lower risk customers, ensuring service speed and efficiency where onerous AML/CFT scrutiny is not required.

KYC Automation

AML/CFT compliance regulations require crypto exchanges to collect, analyze, and store vast amounts of digital customer and transaction data. In order to manage that obligation, crypto exchanges should seek to integrate a suitable software solution: in addition to automated speed, efficiency and accuracy, software solutions help firms add depth to their KYC procedures, and build out richer, more detailed risk profiles for their customers. 

Automated KYC processes also help crypto exchanges remain agile in a rapidly changing regulatory environment. As new criminal methodologies emerge, and governments implement new cryptocurrency legislation, KYC software may help exchanges adapt to their regulatory environments and make important risk-based decisions quickly. Similarly, with the benefit of machine learning systems, exchanges may be able to perform deeper levels of analysis on historical data to reveal unforeseen vulnerabilities or unexpected diversions from expected financial behavior. 

Further reading:

• Explore how ComplyAdvantage enables firms to detect suspicious behavior across fiat and cryptocurrencies in one platform.
• See how we’ve helped other crypto firms improve efficiency and reduce time spent remediating alerts.

The post What is KYC and Why is it Important for Crypto Exchanges? appeared first on ComplyAdvantage.

What is Customer Due Diligence?

Customer due diligence refers to the measures and controls that firms use to establish and verify the identities of their customers. For banks and other financial institutions, CDD measures and controls help firms ensure they are not doing business with criminals who intend to use their services to launder money or finance terrorist activities. CDD is particularly important for banks since money launderers may use sophisticated criminal methodologies to evade AML/CFT controls or exploit vulnerabilities in the financial system.

CDD in banking is also a foundational component of the risk-based approach to AML/CFT recommended by the Financial Action Task Force (FATF) – which requires banks to deploy a compliance response commensurate with the level of risk that they face. Accordingly, banks should use the information that they collect during the CDD process to perform risk assessments of individual costumes and to build risk profiles in order to judge those customers’ subsequent financial behavior.

CDD in Banking: Data Collection

With those factors in mind, customer due diligence in banking and other financial services should involve the following data collection requirements:

Personal identifying documents: Banks should establish the identities of individual customers by collecting their names, dates of birth, and residential addresses. In practice, this means customers should be required to submit personal identification documents (or copies of those documents) such as passports, driving licenses, birth certificates, and utility bills.

Ultimate beneficial ownership: Criminals often attempt to use corporate infrastructure or shell companies to disguise their identities, transacting anonymously with banks in order to evade AML/CFT controls. With that in mind, when dealing with corporate customer entities, banks should seek to establish ultimate beneficial ownership (UBO), by acquiring incorporation documents and other official company information that asserts the identities of the individuals behind the infrastructure.

Biometric data: Many banks offer financial products and services over the internet, where criminals may be able to take advantage of online anonymity to evade AML/CFT controls. In this context, the CDD process should include the collection of certain biometric identifying data points, such as face, voice, and fingerprint ID.

Compliance Penalties

Failures in CDD, or inadequate CDD measures and controls, may expose banks to significant criminal risks and lead to AML/CFT compliance violations. Penalties for violations vary by jurisdiction but data suggests that governments are increasing their focus on AML/CFT: since 2009, global regulators have issued around $32 billion in AML/CFT compliance fines, while in 2020, the US, regulators extracted $11.11 billion from banking institutions.

When Should CDD in Banking be Applied?

Banks should apply some level of customer due diligence to every customer that they serve. Under the risk-based approach, lower risk customers may be subject to standard levels of CDD scrutiny, while higher risk countries should be subject to enhanced due diligence (EDD). EDD requires banks to implement more intensive identification measures, including obtaining further documentation from customers, or establishing the source of funds and wealth.

A standard CDD in banking process may involve the following steps: 

• Submission of personal details: Customers enter personal details (name, address, etc.) into an online form – or on a physical document if engaging in person. 
• Official documentation: Customers provide official documentation to verify their personal details in the form of a passport, driver’s licence or similar. 
• Biometric verification: Banks may require customers to submit biometric data to support their personal details and then verify their identities to gain ongoing access to their accounts. Biometric data may include a ‘selfie’ photo, fingerprint, or voice print. 
• Screening: Information collected during the CDD process should be used to screen customers against relevant AML/CFT lists and databases, including sanctions lists, PEP lists, and other high risk customer watch lists. Screening processes should be ongoing throughout the business relationship. 
• Risk profile: Banks should use CDD data, and any relevant screening data, to build a risk profile for their customers. The risk profile will provide the standard by which to deploy AML/CFT compliance measures. Banks should deploy EDD for customers deemed to pose a higher risk.
• Monitoring: After onboarding, risk profiles may be used to judge subsequent financial behaviour. Banks should, for example, monitor customer transactions on an ongoing basis for signs of unusual or suspicious activity which does not correlate with a customer’s established profile.

AML/CFT Software Solutions for CDD in Banking

The customer due diligence process requires banks to collect and analyze large amounts of data, and then store that data for ongoing monitoring purposes. Since CDD takes place at onboarding, customer experiences are also a concern: CDD that is too onerous or invasive may create negative customer experiences, while inadequate CDD in banking may result in them missing AML/CFT risks.

With those factors in mind, banks should seek to automate their CDD process. CDD software not only delivers speed, accuracy, and capacity benefits, and reduces the potential for costly human error, but enables banks to create richer customer risk profiles in order to better detect AML/CFT risks. Further, with the benefit of machine learning systems, banks may be able to enhance their wider AML/CFT process, using CDD data to make predictions and decisions about financial behavior, and factoring in changes to regulation or emergent criminal methodologies.

Further Reading on CDD in Banking

• • Our AML Guide for Digital Banks explores how digital-first banks can build an effective AML compliance program
  • Or, explore how our transaction risk management and customer screening solutions are helping banks around the world today

The post CDD in Banking: What You Need To Know appeared first on ComplyAdvantage.

Hampshire Trust Bank (HTB) is a specialist bank based in the UK that provides business finance, mortgage and development finance solutions. It also offers savings accounts to individuals and businesses. 

The challenge

HTB is working to stay ahead of the rapidly evolving financial crime landscape, and the growing sophistication of fraudsters. To support this work it was looking for a transaction monitoring and screening solution that would meet the needs of its growing customer base while safeguarding the bank’s reputation.

HTB’s compliance team recognized how the transformation of digital technology could enable the bank to achieve its strategic objectives.

To select the right vendor for its business, HTB ran an extensive RFP process, including a cost-benefit analysis and input from multiple line of business (LOB) stakeholders. The decision making group wanted to understand how the solution they chose would work in practice, to strike the right balance across operational and risk control variables. 

The solution

HTB selected the transaction monitoring and screening solutions from ComplyAdvantage because they offered flexibility in a number of areas:

• The extensive data sources – including adverse media – utilized by ComplyAdvantage provide a comprehensive screening solution in a single place. This means HTB can achieve wide-ranging checks in a single pass, with peace of mind that all possible sources are being reviewed.
• Proprietary data ensures HTB does not have to integrate with a third-party supplier, ensuring a simple, effective single partnership in this critical area. 
• Ongoing monitoring means a constant eye is cast over any potential financial crime risks, so they can be mitigated effectively.
• As a hosted, supplied solution managed by ComplyAdvantage, HTB can focus on reducing the risk of financial crime, while ComplyAdvantage manages the technical side of the platform.
• By adopting a risk-based approach that includes tailoring its rule set to the users of its products, HTB was able to work with the implementation team at ComplyAdvantage to configure appropriate rules, mitigate risk and reduce false positive rates. For example, the team is looking at how to optimize the application of its rules for charities, who operate their accounts in a different way to other business customers. 

These features enable what Robin Jeffery, Head of Transformation at Hampshire Trust Bank, refers to as “a platform which supports a constant cycle of learning and evolving, able to adapt in line with the changing behavior of both customers and criminals.” He added: “Other products we reviewed on the market were more rigid. ComplyAdvantage enables us to focus on continual improvement, adapting the platform as we learn and as the world evolves.”

Another key benefit of the partnership with ComplyAdvantage has been the collaborative approach throughout the implementation process. “It didn’t matter who worked for HTB and who worked for ComplyAdvantage. We had a single team, driving forward the delivery with a focus on achieving the outcome.” 

Next steps

Now that HTB has implemented ComplyAdvantage’s screening and monitoring solutions, it is aiming to use the single alert dashboard view to present new insights that can drive the bank’s digital transformation process. However, successful deployment is only the beginning of the partnership. Regular calls with the customer success team at ComplyAdvantage ensure HTB has access to the latest updates and features, and helps keep the team up-to-speed on industry best practices. 

Both ComplyAdvantage and HTB know that the biggest challenge they face is the continued evolution of both customer and criminal behavior. An informed compliance strategy and a modern, agile and flexible technology stack is HTB’s answer to this challenge.

Find out more about our transaction risk management solutions. 

The post How HTB deployed an agile, scalable transaction monitoring, payment and customer screening program appeared first on ComplyAdvantage.