FinCEN’s 2016 introduction of Customer Due Diligence (CDD) as the fifth internationally known pillar of Anti-Money Laundering (AML) Compliance programs has evolved the compliance landscape. The four longstanding pillars of: 1) developing internal policies, procedures, and controls; 2) designating a (Bank Secrecy Act (BSA)/AML) officer responsible for the program, 3) ensuring relevant training of employees, and 4) independent testing, required the additional pillar in order to sufficiently address certain risks that the market had not adapted to address quickly or sufficiently enough on its own.
This Q&A aims to provide a better understanding of the fifth pillar, related impacts, and practical steps institutions can take to improve AML compliance.
QUESTION #1: Can you provide a summary of the fifth pillar? Do you believe that enforcement trends leading up to 2016 informed the introduction of the pillar? If so, in what ways?
Regulators were driven to add a fifth pillar due to their view that “improper identification and assessment of a customer’s risk can have a cascading effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened BSA compliance program.”[1] As described in the Federal Financial Institutions Examination Council's (FFIEC) CDD exam procedures, inadequate CDD policies, procedures, and processes could negatively impact a bank’s ability to detect and report suspicious activity, avoid criminal exposure, and adhere to safe banking practices.
Enforcement actions in 2015 and 2016 displayed a clear trend of insufficient CDD efforts from institutions that were governed by the pillars. This can be seen in the case example of Gibraltar Private Bank and Trust Company.
In 2016, Gibraltar Private Bank and Trust Company were fined $4M for, among other things, a failure to fill out customer risk profiles with accurate information. As a result, when the bank’s Transaction Monitoring (TM) system generated alerts on various customers, the analyst could not effectively determine how to change customers’ risk ratings based on the change in customer activity. The bank consequently failed to rate its high-risk customers appropriately, leaving the bank ill-equipped to adequately monitor high-risk transactions from these accounts.[2] This is a prime example of the institutions’ widespread failure to collect and leverage customer information in a manner that meets Know Your Customer (KYC) standards.
There certainly appears to be a correlation between the addition of a fifth pillar in 2016 and the prior years’ enforcement actions, which were primarily filed against institutions that did not adequately collect and utilize CDD information. The fifth pillar acutely focuses on enhancing institutions’ CDD efforts – at least in part – to remedy prior years’ institutional wide failures that in essence seemed to follow a check the box type of exercise with regard to data collection without sufficient understanding regarding its need and use for monitoring.
QUESTION #2: What benefits and drawbacks do you observe from adding CDD as a separate pillar?
The fifth pillar provides renewed focus for institutions to establish an understanding of the customer’s identity and the purpose of an account, which provides a strong foundation for conducting TM (Transaction Monitoring) activities. The fifth pillar outlines four (4) separate components that are crucial to accurate and complete CDD. By adequately meeting each of these guidelines the institution will have a deep understanding of both the identity and risk profile of the customer. This is crucial because the customer’s identity and the purpose of the account are core components in determining whether suspicious activity occurred.
As an example, if the client was a restaurant, and they purchased $30,000 worth of kitchen equipment, this would be a capital expense that is not out of the ordinary for their business. However, if the client was a financial services institution with the same purchase, the purchase may be deemed suspicious and require more due diligence and oversight. This simple example shows just how critical it is to understand the client, their business, and everyday transactions to properly conduct TM.
A potential drawback to the fifth pillar’s focus on CDD is that increased focus in the area may draw attention away from other important areas. For example, limited compliance staff resources could focus heavily on identifying the customer while other key components of KYC, such as Enhanced Due Diligence (EDD), may fall by the wayside. EDD entails gathering deeper investigative research regarding the customer, often politically exposed persons (PEPs) and those who originate from a high risk country, as there is a component of the customer or its transactions that signals the need for further review beyond normal CDD. Failure to perform EDD has even graver consequences for an institution, as these customers are at a higher risk of performing riskier transactions. So, under these circumstances, adding CDD as a separate pillar where institutions are stretched for resources for the purpose of TM could add instead of reducing risk.
QUESTION #3: How can institutions veer away from incorporating the fifth pillar as a check the box exercise?
To ensure that the fifth pillar does not merely become a check the box exercise, institutions should start by reorganizing their AML CDD compliance staff training programs. The training programs should be dual-focused: 1) the “why” behind CDD processes and 2) the general processes employees must follow in order to adequately collect and use customer information. The goal of training is to create a culture of compliance, and – importantly -- to provide renewed focus on why meeting AML compliance begins with adequate CDD.
An ideal training program will reach all internal employees and managers whose duties are AML / AML adjacent. It should incorporate an in-depth overview of the four components of the fifth pillar, provide case studies of the enforcement actions that led to the establishment of the fifth pillar, outline the criminal and civil consequences of non-compliance, and provide a risk-based approach to CDD processes.
Institutions should not provide specific steps for employees to complete; doing so risks turning it into a check the box exercise. Rather, the training programs should be equipped with a general manual that includes the four CDD components and example steps the analyst can take in the case of each type of risk rating (low, medium, and high). Behind each “step” of the process, the institutions must emphasize the rationale behind “why” they need to be so diligent when obtaining the information and the consequences for noncompliance.
By focusing on teaching employees, the “why” behind key processes and the costs and risks of non-compliance, rather than a mechanical check-the-box mentality, institutions will improve their collective “compliance IQs” and increase the likelihood that each employee will better appreciate the critical role CDD plays in the institution’s broader AML and risk management efforts.
QUESTION #4: Throughout 2021 and 2022, enforcement actions reveal a trend of institutional failures to implement effective TM systems. This was a departure from the previous years’ trends focusing on inadequate CDD. As described in the Bittrex case, TM systems were insufficient to identify major red flags. To what degree does CDD inform TM processes (and vice versa)?
In 2022 FinCEN imposed a Civil Money Penalty of nearly $30M on Bittrex due to failure to develop and implement an effective AML program, including failure to implement a TM system altogether. Instead of utilizing TM software, the company relied on two employees to manually review all of its transactions. Due to the staggering number of transactions (23,800 per day with a daily value of $97.9M), Bittrex did not file a single Suspicious Activity Report (SAR) from 2014 through May 2017. Upon regulatory review, it was determined that Bittrex failed to flag transactions involved in illicit activities with online darknet marketplaces including Agora and Silk Road 2. Due to the company’s under-staffed AML compliance team and failure to implement a tangible TM tool, it left its company open to “abuse by bad actors including money launderers, terrorist financiers, and sanctions evaders (pg. 5).”[3]
CDD and TM processes work hand in hand. The tuning process for control gaps in the TM system relies on client information collected during the CDD process regarding the purpose of client’s accounts and typical business activities. Without adequate CDD captured, the TM process will not adequately flag potentially suspicious activities, which leads to failure to file SARs.
The TM deficiencies in Bittrex further illustrate the interconnected nature of CDD, TM, and SAR filing. Bittrex’s lack of a properly implemented TM system led to significant internal control weaknesses as there was not enough manpower to capture the suspicious activity in the institution.
QUESTION #5: When it comes to technology, what challenges have you seen in the TM space?
There are many challenges for institutions when it comes to utilizing technology for TM. One of the main issues is that most TM systems are off-the-shelf, meaning that the system is implemented as-is and not customized or calibrated to the risk levels and types of customers the system is going to encounter at a particular institution. The harm in implementing such systems without proper tuning is that while purchasing it may initially aid with a quick response to a regulatory finding or concern, to properly implement and tune the system for the unique risk scenarios encountered [at each institution] it will likely require substantial time and cost.
Additionally, these technologies are notorious for generating false positive alerts if not properly tuned. False positives create a huge cost in terms of manpower to both re-calibrate the system and evaluate the backlog of alerts. False positives increase labor expense and “distract analysts from promptly focusing on the confirmed cases that require thorough investigation.”[4]
Ankura offers both quantitative and qualitative approaches to ensure that institutions’ TM systems are running at peak performance. Our team of experts has the necessary skill set to provide comprehensive analysis on how to best optimize systems so they can detect any suspicious activity quickly and accurately. Having proper assistance from those that know the systems and the industry, provides institutions with comfort knowing that all transactions will be monitored closely in order to protect against fraudulent activities or other malicious intentions.
QUESTION #6: What advice would you offer to institutions as it pertains to integrating technologies and other processes to allow them to better detect unusual behavior and red flags during the CDD and TM processes?
To properly leverage technology to detect suspicious transactions, an institution must first undergo a testing and tuning process when purchasing off-the-shelf TM tools. The system must be calibrated to the institution’s risk appetite, clientele, geographical locations of business, and products. On at least an annual basis, the institution’s compliance team must look at the results of their TM alerts/adjudication process and make any applicable changes based on false positive results or the changing nature of their program or business.
In addition to a properly tuned TM system, it is equally as important to hire and train compliance staff with the right skills, experience, and knowledge of how to properly review transactions and the process of SAR escalation. Staff must be trained in both how to use the system and how to determine if there are issues with the system’s operations. The combination of having a finely tuned TM system as well as well-trained employees is critical in ensuring the right decisions are made during the TM and SAR processes.
[1] http://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/02
[3] FinCEN, Enforcement Action, In the Matter of Bittrex, Inc. (Page 5)
[4] https://www.unit21.ai/blog/the-complete-guide-to-transaction-monitoring
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
