Meeting Regulators' Expectations when Managing Client Relationships


Managing client relationships, and demonstrating to regulators that relationships are being rigorously checked for suspicious activity, is one of the biggest challenges facing banks today. Despite voluminous guidance from the regulators, it is still an area where banks make mistakes or fail to meet the regulators’ expectations.

The Arab Bankers Association’s Editor, Andrew Cunningham, spoke to Shakeel Aslam, a Director and Head of Emerging / Middle-Eastern Markets in Grant Thornton’s Business Risk Services division in London, about the advice he gives to clients on the management of new client relationships, and the on-going management of existing relationships. 

 

ANDREW CUNNINGHAM: So much has been written about how banks need to manage their documentation on customers and maintain strong anti-money laundering (AML) systems, why are banks still making mistakes and getting themselves into trouble?

SHAKEEL ASLAM: Banks understand the broad requirements, but problems arise in consistent and high quality implementation. Too often, records are not kept up to date, customers’ sources of funds are not rigorously checked, and subsidiaries are too willing to rely on information and systems in their head office, rather than doing due diligence work themselves.

What can go wrong when filling in documents on clients and their accounts?

The most obvious problem is with records that are not kept up to date – we often see files on clients that have not been reviewed or changed for years. Regulators expect clients and accounts to be monitored on a continuous basis. In practice, what banks need to show is that they have a schedule for frequent reviews and that the schedule is adhered to. We recommend that clients diarise their review schedule and make sure that a back-log of un-reviewed files does not build up: regulators take such back-logs very seriously.

We also see a tendency for banks to put all clients into the ‘medium risk’ category rather than ‘high’ or ‘low’ – doing that is often the easiest thing to do case-by-case but when a regulator sees a bank consistently over-allocating accounts to a medium risk category it will conclude that the bank’s risk assessment procedures are too basic.

Many of these deficiencies could be remedied with better staff training and with a greater emphasis from senior management on the importance of compliance and record keeping, rather than just ‘bringing in the business’.

How much detail do banks need to have on clients’ sources of funds?

A regulator will expect to see a lot of records and information accumulated at the time the client is ‘on-boarded’ because the bank will be having a lot of contact with the potential client at that time. For example, as a minimum standard, a bank should generally be able to establish proof of address through, for example, a utility bill and proof of identity through some form of photo ID such as a passport or driving license. The bank needs to see the original documents as well as keeping copies. It cannot just rely on verbal statements or copies.

But what if this information has already been accumulated at head office? Can’t a subsidiary rely on an assurance from the group? 

The subsidiary would need its own assurance – it can’t rely purely on a simple statement from head office that, ‘We’ve checked this client out and he’s OK.’ The subsidiary should be able to demonstrate that it has substantiated through adequate and proportionate due diligence the information being provided by head office. 

If the group sent across scanned copies of documents – proof of address, source of funds, etc. – the subsidiary would know that the documents exist and are appropriate. Would that be sufficient?

In a simple client scenario, yes, that would probably be sufficient, but if there are any unusual elements to the potential relationship or the client, then the subsidiary should conduct its own due diligence, especially if the threshold levels for carrying out AML / KYC checks at head office are not aligned with those at the subsidiary level in the UK.

What about transaction monitoring for potentially suspicious transaction activity? This is a subject that always crops up during discussions about AML and compliance.

The challenge with transaction monitoring is to set your parameters at the correct level. If your parameters are too loose then the system will generate too many alerts, many of them spurious, and you won’t have time to follow them all up. 

It’s important to regularly review the logic behind monitoring systems. For example, you could take a month of transactions, and if you find that more than 10% of the alerts being generated were false positive alerts then you probably need to tighten up the system’s logic for one or more of the parameters. As the system and processes mature within an organization, the percentage of false positive alerts generated should typically show a declining trend.

A big problem for banks that do business in the Middle East is the spelling of Arabic names. There are several different ways of transliterating Arabic names into English. The US Treasury’s lists of Specially Designated Nationals (SDNs) often provide several alternative transliterations for each of the names listed, but even so it is difficult to capture all the possible spellings. This can affect the logic of your monitoring systems in two ways – it can fail to capture suspicious transactions because the system doesn’t recognize an alternative spelling, or it could trigger a false positive alert based on a mis-spelling of the name of a respectable client.

How do these issues change when a bank is dealing with a Politically Exposed Person (PEP) as opposed to a routine client?

You usually need to have an additional – higher – layer of approval within the bank before you can do business with PEPs, and that additional approval will bring with it internal requirements for additional due diligence and documents. With this sort of “Enhanced Due Diligence” (EDD), a bank’s compliance department certainly needs to be involved.

The bank should have a clear strategy as to whether or not it wants to deal with PEPs and if it does then rigorous EDD checks and balances need to be embedded in its overall AML / KYC control framework. The bank should also have a clear idea about the type of transactions and volume of transactions that the PEP will be running through the account.

To be clear, a politically exposed person is defined by the Financial Action Task Force (FATF) as an individual who is or has been entrusted with a prominent public function. Due to their position and influence, it is recognised that many PEPs are in positions that potentially can be abused for the purpose of committing money laundering offences and related predicate offences, including corruption and bribery, as well as conducting activity related to terrorist financing. 

Are there any up-coming requirements that banks should be looking out for? 

The European Union’s 4th AML Directive becomes effective in June this year and will result in increasing regulatory requirements and documentation in areas such as risk assessment and CDD, beneficial ownership and PEPs. Essentially the regulatory expectation is that banks raise the bar, and of course banks should remember that even though the UK is planning to leave the EU, for the moment we are still members and are subject to EU Directives.