The expectation for enhanced due diligence did not change with the passing of the 5th BSA pillar. However, examiner expectations for enhanced due diligence (EDD) continue to evolve because it is a critical component of your bank’s BSA Program. TCA® first addressed the EDD topic in a 2015 In Depth article. The November 2018 BAT Chat included Part I of this series and focused on customer due diligence requirements.
What is Enhanced Due Diligence?
Customer due diligence (CDD) processes must be designed to enable BSA Officers to develop an overall risk profile of a customer and make reasonable determinations about the nature of customer activity. EDD is an extensive, ongoing effort to define customers dictated by the risk profile and risk tolerance of the institution. Policies and procedures should describe the frequency and depth of the processes, who is subject to EDD, and the analysis, including reviews of transactions, used to develop a specific customer’s risk profile.
What should be part of the transactional review?
Transaction reviews are typically a global look at a customer’s actual account activity related to the account owners. The global analysis includes individual accounts, business accounts owned by entities under similar control, or loan accounts, deposit accounts, safe deposit boxes, credit cards and any other account relationships within the institution, including signers on accounts. One key goal is to identify where a potential customer’s accounts or other connections may exist. The activity reviews should include wire transfers, monetary instrument purchases, cash activities, check and ACH activities, and higher-risk business product services such as remote deposit capture, ACH origination, or privately-owned ATMs. This captured and analyzed transactional activity should be compared to anticipated activity collected during the account opening CDD process. Transactional review is only one component of an EDD review.
What else should EDD include?
EDD analysis is an art and not a science, and transactional activity reviews serve as a baseline. Bank Secrecy Act Policy and Procedures also should allow a bank to consider additional resources to further evaluate risk. For example, you should consider the following:
- Searching for negative news on the Internet through various search engines
- Site visits (in person or virtual)
- Staff interviews
- Reviewing beneficial ownership, if applicable
- Obtaining financial statements
- Reviewing underwriting documentation
- Reviewing other client relationship documentation
- Executing 314(b) searches
These are common checklist items, but they can prove critical to understanding the “big picture” for customer risk. For example, what about a store with no inventory? A virtual site visit may not tell you. Or, what if a business has considerable negative reviews? Is this a potential red flag? TCA has been seeing examiners cite lack of news searches as recommendations in exam reports. Examiners expect BSA Officers to look beyond the transactions to understand the overall customer risk.
What should my conclusion state?
After an analysis of the data, customers should be categorized using a standardized rating system such as high, moderate or low risk, based on criteria set forth in policies and procedures. Automated systems do this by assigning weights to input components based on a scorecard and provide the risk designation. Manual processes require a scorecard too, but the designation is based on data collected and assessed manually by the bank. Based on risk ratings, this process may be repeated more frequently for higher-risk accounts than for lower-risk accounts.
For the higher-risk rated accounts, BSA staff should comprehensively document what has been reviewed and what it means in terms of the customer’s risk profile. In the past, EDD component scores were tabulated via an adding machine and staff would jot down a few sentences at the top of the statement pertaining to the overall account risk rating. Expectations have evolved, and examiners are looking for the “so what”: what does the rating mean, and how is the bank responding?
Remember, EDD is for three audiences: the institution, independent auditors and examiners. This summary should answer some of the following questions:
- How did you come to your conclusions?
- What supports a high-risk rating?
- What supports the reduction in a risk rating?
- What supports an elevation of a risk rating?
- How does actual activity compare to anticipated activity?
- How does it compare to activity transacted in previous review periods?
The EDD’s documented global analysis should include written detail of everything that was reviewed and what it means for each customer and what risk it presents to the bank.
Whatever process your bank chooses for documenting your analysis, it should be consistent, should allow for changes to risk ratings and should be conducted according to established procedures and schedules.
Who else needs to be reviewed for EDD?
Board and management oversight are critical to any process. BSA professionals know the Board has an obligation to oversee and manage all risks associated with the bank, including BSA. They don’t know what they don’t know unless informed. Unclear or overly wordy summaries make it more challenging for management and the Board to perform oversight and execute their fiduciary duty.
The Board information content should be driven by level of severity. Often, Boards may choose to review only high-risk customers, while others may choose to review all moderate- and high-risk customers. Some even want to know when a risk rating has changed, up or down.
An effective BSA Officer must understand the risk appetite of the Board and what information would assist in effective oversight of the BSA Program and associated risks. Also, don’t forget that a proper BSA audit scope should opine on what goes to the Board and if the Board truly understands the bank’s risk. If the Board information is to be succinct, the audit should proactively protect the Board and bank by communicating the need for better reporting and possibly additional training.
While many areas of customer due diligence and enhanced due diligence are subjective, one thing is certain: The compliance burden and expectations are increasing. Examiners are focusing on BSA staff’s understanding of bank customers and the risks they present to the bank. Just casually doing CDD and EDD is simply not enough. You must document your efforts and provide reasonable analysis to support your conclusions.
Also, BSA exam scopes now include more in-depth review of lending activities, and this is where some banks are falling short. Regulators are diving deeper into lending activities. Stay tuned to future BAT Chat articles covering BSA examiners probing deeper into lending activities.
A CDD or EDD process tune-up always makes good sense. You can always trust your TCA BSA Action Team partners to provide relevant and timely guidance on how to enhance your existing CDD and EDD processes. We find better solutions that fit the evolving BSA challenges.
ASK THE BAT—Beneficial Ownership Questions
Q: Are loans that the Bank purchases subject to beneficial ownership rules?
A: No. Beneficial ownership has the same definition of an account as CIP rules. An account does not include:
- Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.
- Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.
- Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.