Customer Identification Programs

By Michael Zeldin, Michael Shepard and Piero Molinario
April 30, 2007

Section 326 of the USA PATRIOT Act requires financial institutions to implement a written Customer Identification Program (CIP) that is appropriate for the size and type of business and that includes minimum requirements. The CIP is intended to enable the institution to form a reasonable belief that it knows the true identity of each customer. The CIP must include account opening procedures that specify the identifying information to be obtained from each customer. It must also include reasonable and practical risk-based procedures for verifying each customer's identity.

During the CIP rule comment period, regulators, industry groups and bankers debated actively whether the final rule should be made retroactive to cover existing as well as future customers, or prospective to cover only customers taken on after the final rule took effect. Most bankers and industry groups favored a prospective application because implementing CIP would create significant burdens requiring changes to policy and procedures, IT systems, internal controls, and other processes. They also argued that requiring banks to modify existing customers' identification information would be overly burdensome, unreasonable, and unproductive.

Background

When issued in May 2003, the final CIP rule applied only to new customers who opened accounts after Oct. 1, 2003. Existing customers were exempted from the rule as long as the Financial Institution (FI) maintained a reasonable belief that it knew the customer's true identity. As to these pre-existing customers, the FI had to maintain adequate documentation of the basis for its reasonable belief. Most FIs took no remedial steps to test the accuracy of their beliefs.

While concentrating on new customers may have made sense in 2003 when banks were struggling to implement CIP, today, given the regulatory climate, it is our belief that FIs should consider applying both CIP and Know Your Customer (KYC) principles to the high-risk segment of their pre-CIP accounts.

Public orders issued by bank regulators against many FIs over the past several years suggest that regulators repeatedly have found that the identity information for pre-CIP customers in banks' customer files or record systems does not meet the reasonable belief requirements for exempting them from CIP. This finding is not surprising for several reasons. First, most compliance officers have had to rely on the 'word' of account managers that they truly 'know their customers' and that their files adequately document the basis of their knowledge. File testing or other avenues of inquiry often reveal that account managers fail to understand their KYC obligations or to document the basis of their knowledge. Second, bank internal auditors typically have not focused on the pre-CIP customer base. Instead, and perhaps understandably, they focused their attention on measuring whether the bank had met CIP, as well as KYC obligations, with respect to new customers. Third, given the other obligations imposed by the Anti-Money Laundering (AML) provisions of the Patriot Act and the daunting task of reviewing and updating hundreds or thousands of files and electronic records for existing relationships, many FIs lacked the resources to review existing customers.

Today's Environment

In today's heightened regulatory environment, however, overlooking pre-CIP customers, especially high-risk accounts, may be shortsighted. For example, it can be very damaging if an internal audit or regulatory examination shows that customers are incorrectly classified (e.g., an offshore hedge fund as an 'LLP' or a Money Services Business as an 'Other'). Furthermore, a customer not reasonably known and whose activity, as a consequence, was not properly monitored, could result in the filing of an inaccurate Suspicious Activity Report (SAR) or, worse yet, the failure to file a report on suspicious activity.

It's important to understand where risk resides within the entire customer base. For example, customers acquired years ago by former employees or those acquired through a merger or acquisition should be targeted for review. This is not currently the norm in part because of the faulty premise that any suspicious behavior of pre-CIP customers will be caught by transaction monitoring systems that flag deviations from established norms. The problem is that transaction monitoring systems are only as good as the customer data provided. Stale data can produce false positives (creating large case population backlogs) or no alerts at all, thereby leaving the potentially suspicious client behavior unknown and the transaction patterns monitored incorrectly.

A second argument favoring the application of CIP and KYC due diligence to pre-CIP customers is that there is a tension between CIP and KYC requirements and sound SAR reporting procedures. SAR reporting requirements apply to all FI customers, new and old. A robust SAR reporting regime also requires FIs to evaluate customers' transactional history against an up-to-date customer profile. The underlying reasoning is simple: you can't really know who your customer is until you ask some basic questions and reasonably verify what you learn. If the FI does not know who its customer is currently, the FI cannot assess the risk associated with that customer. As suggested above, if the customer profile is outdated or missing altogether, the output from the transaction monitoring system will be, at best, misleading. At worst, it will be plain wrong. Bad data 'in' will result in incorrect analysis 'out.' Additionally, incomplete customer information may lead to improper risk classification. If an FI cannot adequately anticipate a customer's activity, it cannot properly define the rules and parameters against which to monitor the customer. If the FI does not have a current customer profile, it may waste its own time and resources investigating false alerts and waste government time by filing SARs on activity that should not have been classified as suspicious.

It is axiomatic that all FIs want to know all of their customers, especially those that present the highest risk for money laundering and terrorist financing. However, it can be difficult to develop a methodology to achieve this objective without sapping all of an FI's compliance resources and clogging the flow of transactions.

Updating Information

An effective plan to update customer information generally begins with a pilot effort covering a small sample of files. If well selected, the sample will yield useful information about the general state of the overall customer population as well as the average time required to review and complete a file. One of the first steps of a well-planned CIP/KYC remediation effort should be aimed at reducing the number of files to be reviewed. Every FI has duplicate customers or customers with inactive accounts. Once the scope has been identified and each file to be reviewed has been assigned for that purpose to a relationship manager, remediation protocols and a detailed roadmap for all aspects of the effort must be developed. Unless roles and responsibilities, process flows, checklists of entity-specific CIP/KYC requirements and research guidelines are developed in advance, much time and expense may be wasted once the work begins. Do not underestimate the time and care needed to plan and set up a remediation effort. Ultimately, through remediation, client contact, and quality assurance efforts, the customer information should be sufficient to reveal the true nature and associated risks of a relationship, allowing an FI to know its customer.

Failure to apply CIP and KYC principles to customers that pre-existed the onset of the CIP regulations may impede suspicious-activity monitoring of those customers' transactions. This, in turn, could affect an FI's ability to report suspicious activity accurately, a failure that can pose regulatory and reputational risk to FIs. The FFIEC BSA Examination Manual implies so; sound risk mitigation principles suggest it; and recent enforcement orders and examination findings appear to dictate it.


Michael Zeldin ([email protected]) and Michael Shepard are principals and Piero Molinario is a senior manager in the Anti-Money Laundering practice of Deloitte Financial Advisory Services LLP.
