The importance of meeting the challenge of customer screening
Over the course of many years conducting regulatory enquiries I have observed that most anti-money laundering (AML) failures (and ruined careers) have been underpinned by deficiencies in customer screening, either at the onboarding stage or at some later point in the customer lifecycle. The greater the risk posed by a customer, the more egregious the screening lapse and the resulting punishment and reputational damage. There can be a direct causal link between customer screening failures and the facilitation of highly-toxic behaviours by customers, including sanctions breaches, drug trafficking and other forms of criminality. Whilst customer screening is not a panacea, it is a critical first step in ensuring that your business doesn’t facilitate criminal activity, because failure to screen properly can have ruinous consequences for your business.
The core purpose of customer screening is to add to the risk picture of your customers (or potential customers) and, specifically, to identify if they are:
- Subject to international sanctions
- Politically exposed persons (PEPs)
- Convicted or suspected criminals
- For some other reason, a reputational risk to your business.
The ultimate aim is to find out whether your customers are or could be linked to money laundering, bribery and corruption, terrorist financing, or another form of financial crime, and, if they are, to protect your business by taking evasive action (by declining to do business) or appropriate follow up action (through enhanced due diligence [EDD] or a suspicious activity report [SAR]).
It may seem obvious but many businesses fail to recognise that screening is only effective if it is risk-based, which means being responsive to risk throughout the screening process. As the Financial Action Task Force (FATF) puts it, a risk-based approach involves “analysing and seeking to understand” how any money laundering or terrorist financing risks you identify affect your business, and responding accordingly. In a risk-based approach, the individuals or entities deemed highest risk are allocated the most resources – further investigation, more regular review, and so on.
It isn’t difficult to get customer screening right. But there are a few common pitfalls to be aware of.
“We know our customers”
Businesses often develop a false sense of security about the risk profile of a particular customer or group of customers. This could be because they have met the person in question, have a longstanding professional relationship with them, or because the business and the customers are in the same jurisdiction. This attitude of “we know our customers”, especially amongst more senior staff who have an historical relationship with some individuals and personally vouch for them (think “old boys’ network”), can lead to red flags being overlooked. In addition, the failure to recognise the risks associated with your own jurisdiction is a particularly common pitfall. Also, don’t forget that customer risk can change over time. A person who has been low-risk for many years may become high-risk owing to a change of job, a move abroad, or being elected to political office. If you don’t screen them regularly, you may not find out about their change in risk profile until it’s too late!
Lack of applicable staff knowledge
Many frontline staff have a limited understanding of the ways in which their business can be abused by criminals. Staff often report that they would not feel confident analysing a customer’s rationale and activity in relation to a particular product, let alone whether the rationale and activity are consistent with one another or fit expected norms.Developing staff understanding of the money laundering risks faced by your business is not expensive. Along with initial screening and risk-based transaction and profile monitoring, it should be a core element of your financial crime prevention strategy. Effective “know your customer” (KYC) requires much more than verifying that customers don’t have a criminal record. It’s not always possible to fully “know” each customer, but training staff to know what the wrong sort of customers might look like will pay handsome dividends. It’s vital that compliance staff have at least a basic understanding of the crimes they are working to prevent, and the emerging typologies, in order to make sense of customer screening results.
A KYC360 Digital CPD Account allows you to create an effortless record of your evolving AML expertise. >>You can register for one here<<
Evidencing your work
Under almost all regulatory regimes, businesses are obliged to keep good records of compliance-related work. Document not only any screening you carry out but also any decisions you took on the basis of it (e.g. “we collected the following results and discounted them for this reason…”; “we made the following assessment of this adverse media report…”). Include minutes from relevant meetings. Printed, filed reports are hard to search and tend to go missing. We recommend storing everything in a document management system, or at least on an appropriate shared server.
RiskScreen Core allows you to annotate and comment on the decisions made at the time of screening and generate a pdf report of results for evidencing your results >>Learn More<<
Recognising the limitations of screening
Screening is a critical part of protecting your business against financial crime, but it’s just the first step. Most people looking to misuse financial services know that they won’t make it through screening if they have a criminal record (or, if they don’t know it, then in all likelihood they represent low value activity and do not present a major risk).Over my last few years of work with regulated firms I have seen an increasing fixation, manifested in burgeoning spend, on this first step, at the expense of effective financial crime prevention. The responsibility for this lies in part with the mainstream providers of screening services, which on the whole are subsidiaries of large corporates. These providers run with significant overheads in the form of sales and support teams, R&D, database access and so on. In order to justify the cost of licences, and as a tougher regulatory environment over the last decade left businesses with little choice but to pay up, providers entered something of an arms race. Most charge for a broader and more complex range of features than firms really need.
The dangers of over-screening
Counterintuitively, this over-provision can weaken compliance regimes. KYC work at many businesses, including large financial institutions, is not carried out by compliance professionals but by comparatively junior staff who may not be equipped to interpret complicated search results.
Over-screening is also cost ineffective: interpreting the results for each customer can take up a significant amount of time and drain staff resources. False positives, a common consequence of overzealous screening solutions (e.g. that use vast PEP databases that include the niece and nephew of every local politician in Zanzibar), are a particular bugbear of many staff. Over-screening is a drain on staff resources and can weaken compliance.
RiskScreen Batch cuts false positives by up to 95% versus compared with leading competitors, whilst providing best-in-class management information and reporting >>Learn More<<
Simply crossing your fingers and hoping that you don’t end up with the wrong sort of customer is no longer an option. If your business is abused by criminals and becomes the subject of an investigation, regulators will take a materially kinder view if you can demonstrate that you had rigorous KYC procedures in place and were doing your best to prevent criminals from gaining access to your services.
Such procedures can be time-consuming and expensive, but they needn’t be if you take a risk-based approach to the depth and regularity with which customers are screened, and avoid paying for an inflated price software with eIDV and other unnecessary features. Make sure to avoid common pitfalls such as failing to evidence your work, which expose your business to risk and waste time in the long run. Finally, upskill relevant staff to interpret the results of screening efficiently and inculcate into the culture and fabric of your organisation an appreciation by everyone of the importance of effective screening.
This article first appeared in Issue 31 of ICA’s Member Magazine inCOMPLIANCE® produced in September 2017. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.
Stephen Platt is Chairman and Chief Executive of KYC Global Technologies, the operating company of RiskScreen. Stephen is a barrister and an Adjunct Professor of Law at Georgetown University in Washington D.C. He is the author of the award-winning, bestselling book “Criminal Capital”. He consults to Stephen Platt & Associates LLP on large-scale regulatory investigations and is regarded internationally as a leading authority on the criminal abuse of financial services.
You might also be interested in these articles: