In 2015, the Financial Crimes Enforcement Network (FinCEN) assessed a civil money penalty against Ali Al Duais. Al Duais owned the Michigan money services business King Mail & Wireless Inc. and was found to have violated the Bank Secrecy Act by willfully failing to “develop, implement, and maintain an effective written anti-money laundering program” that would reasonably prevent money laundering or the financing of terrorist activities.
Now, imagine you’re an executive at another financial institution, it’s 2022, and Al Duais tries to open an account with your bank. If your organization doesn’t perform the expected due diligence to flag him, you too could face consequences for Al Duais’ criminal activity. Take it from any number of banks that have been penalized for a lack of appropriate customer due diligence or enhanced due diligence (EDD). In fact, last year alone, regulators levied nearly $1 billion in fines against financial institutions that failed to comply with customer due diligence regulations.
This is why financial institutions, like your hypothetical bank, must perform enhanced due diligence to assess customer risk, minimize business exposure, and ensure compliance with regulations like the Bank Secrecy Act for financial services.
EDD begins with CDD
So, what exactly is “Enhanced Due Diligence”? In order to properly explain “enhanced” due diligence and how it handles high-risk assessments for financial crimes, we have to start with “customer” due diligence (CDD). So, let’s begin with a pair of definitions from two U.S. regulators. The Federal Financial Institutions Examination Council (FFIEC) considers financial institutions with adequate CDD to be those that have a “critical framework which enables the bank to comply with regulatory requirements including monitoring for, and reporting of, suspicious activity.”
FinCEN’s CDD definition clarifies that these measures to help lower potential risks for financial crimes focus on businesses, by way of their owners. The organization’s definition says that financial institutions must “identify and verify the identity of any natural persons (known as ‘beneficial owners’) of legal entity.” A beneficial owner is someone who, according to FinCEN, “exercises substantial control over” or owns at least 25% of a company.
This means that if someone comes into your bank and wants to open an account for their business, as a beneficial owner of that company, your bank must verify their identity to ensure they are not likely to launder money or finance terrorist activities through the bank account in that company’s name.
The process of verifying their identity, through a standardized framework, is known as customer due diligence. Financial institutions must perform CDD to comply with the aforementioned Bank Secrecy Act and other regulations enacted to help with risk management, fighting money laundering, and stopping terrorist financing.
Enhanced due diligence puts the spotlight on risk
Enhanced due diligence builds upon CDD requirements by introducing risk-based assessments. Through an EDD framework, financial institutions can more thoroughly scrutinize higher-risk customers, relative to those with lower-risk profiles.
To help explain, let’s picture two scenarios. In the first, a potential customer downloads your banking app to open a new account for their business. Your initial identity verification confirms they are who they say they are, and a check of their banking history reveals no red flags. You’ve made a reasonable effort to determine how likely that person is to launder money through your bank, and your due diligence framework has shown that it’s a low risk to allow this business and, by proxy, its beneficial owner to transact through your institution.
Now, consider that someone like Al Duais (or anyone else FinCEN has taken enforcement action against) tries to open a bank account for their company. You verify their identity: they are who they say they are, but they are immediately flagged as being on a financial crimes watchlist. Or perhaps this person has conducted business in a high-risk foreign country in the past. Or maybe your due diligence checks uncover that this person has a business relationship with a known fraudster. It’s clear that your institution should treat this person, and their company, as a higher risk. This may mean lower transaction thresholds, reduced service offerings, or simply not allowing this individual or company to transact business through your bank at all. Red flags like these only surface when a robust EDD framework is in place.
EDD for financial services goes beyond identifying and verifying potential business customers. It builds a risk-based framework around know your customer (KYC) practices. As you’ll see momentarily, enhanced due diligence risk assessments are crucial for keeping your bank compliant with anti-money laundering regulations.
KYC and EDD: not as easy as ABC
At its core, verifying a customer’s identity as part of a structured KYC process is about ensuring customers really are who they say they are. When a bank issues a new line of credit, it asks customers for identity verification such as a government-issued ID, proof of address, and/or other personally identifiable information.
However, what happens when the initial ID verification uncovers potential risk factors precisely because that person is who they say they are? What if, for example, your due diligence process shows that person is on a politically exposed persons (PEPs) list or a sanctions list?
Back to our example of Ali Al Duais. FinCEN’s findings against Al Duais say that his company never identified or mitigated the risks of high-risk transactions to Yemen, a country the U.S. Department of the Treasury has repeatedly targeted with sanctions. That finding should have raised red flags, just as it should in the case of Al Duais trying to open an account with your bank today. A robust EDD framework would show that he now represents an elevated risk as an individual and that your bank should conduct further due diligence.
PEPs and sanctions lists aren’t the only flags that might require additional due diligence. What if the applicant’s name shows up in media stories about money laundering (known as “adverse media”)? What if the applicant is the spouse or sibling of a sanctioned individual? Enhanced due diligence practices give banks a framework for escalating risk assessments of customers when necessary.
Al Duais is just one real-life example, but there are many others like him who might pass a standard identity-verification program despite existing red flags. Compounding the issue is the rise of new fintech platforms and cryptocurrencies. With so many financial transactions now happening online, a digital, risk-based approach to vetting banking customers has become crucial.
EDD must continually reevaluate risk
A final consideration for EDD measures is that they must be ongoing. At one point in time, Ali Al Duais was not sending suspicious transactions to Yemen. He could have opened an account at your bank without being considered a high-risk customer, because he was not then involved in criminal activity.
Years pass and Al Duais begins engaging in illicit transactions while still a customer at your institution. If you only apply EDD measures when a new customer signs up, you’d miss his eventual turn toward terrorist financing. At the point that FinCEN charges him with violating the Bank Secrecy Act, if he remains a customer at your bank, you may very well be held liable. This hypothetical is why enhanced due diligence must be an ongoing effort.
Banks should continuously consider the risk factors inherent in servicing business customers. To do so, they can establish an EDD framework that monitors the following risk factors:
- Watchlists. Whether sanctions, PEPs or other watchlists, banks should keep an eye on updates. If a customer ends up on one of these lists, that inclusion can trigger additional EDD protocols.
- Adverse media reports. If a beneficial owner shows up in news stories about activities such as tax evasion or corruption, that is itself a red flag. This person’s appearance in adverse media alerts the bank to place greater scrutiny on their future transactions.
- Suspicious activity/suspicious transactions. In Al Duais’ case, FinCEN determined his companies sent payments abroad in “dollar amounts inconsistent with family support,” and “large dollar amounts that had no apparent business or lawful purpose.”
What concrete steps can companies take to improve their enhanced due diligence frameworks?
1. Many organizations still have manual KYC processes. However, there are far too many regulations in far too many jurisdictions for a manual process to keep pace. Financial institutions should consider tools that accelerate KYC review and make it more effective through automation.
2. Organizations often perform KYC checks at onboarding, but it shouldn’t stop there. Companies should implement KYC tools that periodically review their customers throughout the duration of the relationship and can highlight when a customer’s risk status has changed.
3. Implement a tiered, programmatic workflow approach to vetting customers. The initial step will be basic, such as verifying their identity by checking a government-issued ID alongside a biometric liveness check. The program can then check PEPs and sanctions databases for any red flags. If red flags arise, the EDD system workflow then introduces additional risk-based reviews, including other banking activity, adverse media checks, additional watchlist checks, geolocation reviews, and more.
4. Build an audit trail. Institutions must create an audit trail as part of their customer risk due diligence programs. If a regulator questions a bank’s anti-money laundering efforts, having an audit trail of KYC checks and EDD processes to point to shows banks have reasonable programs in place to prevent money laundering.
Above all, banks should build enhanced due diligence (EDD) programs that scale and can adjust for dynamic business conditions. For example, a customer transacting in Russia may not have raised suspicions two years ago. Today, a bank would need to quickly change their EDD process to incorporate activity in Russia in light of the recent geopolitical conflict. The ability to quickly account for changing risk factors must be central to any institution’s enhanced due diligence frameworks.
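As an added illustration (not Mitek’s product code and not part of the original post), the following Python sketch wires together the tiered workflow, periodic re-screening and audit trail from the list above. Every person, company and list entry in it is constructed; the identity-verification result is assumed to come from an upstream document-plus-liveness check and is passed in as a boolean. Names are compared after normalization (accents, punctuation, case and token order) rather than by exact string match, which is where naive screening usually leaks.

```python
"""Tiered KYC/EDD screening (constructed example, not Mitek's product code).

Tier 1 (CDD): find the legal entity's beneficial owners, take the result of
an assumed upstream identity check, and screen names against sanctions and
PEP lists plus jurisdiction risk.  Any red flag escalates to Tier 2 (EDD):
adverse media and sanctioned-associate checks.  Every run appends to an
audit trail so a reviewer can see what was checked, against which lists,
and when.  All customers and list entries below are constructed placeholders.
"""
import unicodedata
from dataclasses import dataclass, field
from datetime import date

OWNERSHIP_THRESHOLD = 0.25  # FinCEN beneficial-ownership threshold


def normalize_name(name: str) -> frozenset:
    """Accent-strip, lower-case and tokenize so 'Al-Duais, Ali' and
    'ALI AL DUAIS' compare equal; exact string matching misses such variants."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_name.lower())
    return frozenset(cleaned.split())


@dataclass
class Person:
    name: str
    ownership: float = 0.0       # fractional equity share of the legal entity
    control: bool = False        # "substantial control" even below 25%
    countries: tuple = ()        # jurisdictions the person transacts with
    associates: tuple = ()       # known business relationships
    id_verified: bool = True     # assumed output of a document + liveness check


@dataclass
class Lists:
    sanctions: set = field(default_factory=set)
    peps: set = field(default_factory=set)
    high_risk_countries: set = field(default_factory=set)
    adverse_media: set = field(default_factory=set)   # names in negative news


def beneficial_owners(owners):
    """Who must be screened: 25%+ owners, plus anyone with substantial control."""
    return [p for p in owners if p.ownership >= OWNERSHIP_THRESHOLD or p.control]


def on_list(name: str, entries) -> bool:
    key = normalize_name(name)
    return any(normalize_name(e) == key for e in entries)


def screen(owners, lists: Lists, as_of: date, trail: list) -> str:
    """Return 'reject', 'edd' (needs enhanced review) or 'approve'."""
    flags = set()
    for p in beneficial_owners(owners):
        # Tier 1: CDD checks every customer gets
        checks = {
            "id_failed": not p.id_verified,
            "sanctions": on_list(p.name, lists.sanctions),
            "pep": on_list(p.name, lists.peps),
            "high_risk_country": bool(set(p.countries) & lists.high_risk_countries),
        }
        # Tier 2: EDD checks run only when Tier 1 raised something
        if any(checks.values()):
            checks["adverse_media"] = on_list(p.name, lists.adverse_media)
            checks["sanctioned_associate"] = any(
                on_list(a, lists.sanctions) for a in p.associates)
        # Audit trail: what was checked, for whom, and as of which list snapshot
        trail.append({"as_of": as_of.isoformat(), "owner": p.name, "checks": checks})
        flags.update(k for k, v in checks.items() if v)
    if flags & {"sanctions", "id_failed"}:
        return "reject"
    return "edd" if flags else "approve"


# Constructed sample data: a hypothetical two-owner company and two list snapshots.
SAMPLE_OWNERS = [
    Person("Alex Sample-Smith", ownership=0.60, countries=("US",)),
    Person("Jane Doe", ownership=0.10),          # below threshold, not screened
]
LISTS_ONBOARDING = Lists(high_risk_countries={"YE"})
LISTS_LATER = Lists(sanctions={"SAMPLE SMITH, ALEX"}, high_risk_countries={"YE"})


def onboarding_then_rescreen():
    """Ongoing monitoring: the same customer screened at onboarding and again
    after a list update; returns (first_decision, second_decision, trail)."""
    trail = []
    first = screen(SAMPLE_OWNERS, LISTS_ONBOARDING, date(2015, 1, 1), trail)
    second = screen(SAMPLE_OWNERS, LISTS_LATER, date(2022, 1, 1), trail)
    return first, second, trail


if __name__ == "__main__":
    first, second, trail = onboarding_then_rescreen()
    print(first, "->", second, "| audit records:", len(trail))
```

Two things to notice. The second run reaches a different decision for an unchanged customer only because the list snapshot changed, which is the point of periodic re-screening; the trail records which snapshot each decision used, so a later examiner can see why onboarding approved him. And because this sketch follows the tiered layout above, the sanctioned-associate check sits in Tier 2 and never runs for a customer whose Tier 1 is clean; an institution that wants relatives or partners of sanctioned persons caught at onboarding should move that check into Tier 1.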
Finally, don’t be afraid to consult with experts. Drop us a line if you have questions about your EDD policies or are looking for tools that incorporate multiple KYC checks and balances into your identity-verification process. We look forward to speaking with you.
About Adam Bacia
Adam is Senior Director of Product Marketing at Mitek.