Enhanced due diligence. How much is enough?
The quality and effectiveness of enhanced due diligence procedures at regulated financial institutions is again in the spotlight following the publication of a thematic review by the UK Financial Conduct Authority (FCA): “How small banks manage money laundering and sanctions risk.”i
This review follows an earlier 2011 anti-money laundering (AML) review, which found that over three quarters of banks failed to carry out adequate customer risk assessments. Amongst other issues, the current 2014 review found ongoing weaknesses, including enhanced due diligence (EDD) procedures in relation to high risk customers, Politically Exposed Persons (PEPs) and correspondent banks. In relation to EDD, the FCA pointed out a number of weaknesses:
- An unwillingness to make sufficient enquiries with prominent PEP customers
- Insufficient work to establish the source of wealth and source of funds of a PEP customer (despite this being a legal requirement under the UK money laundering regulations)
- Not taking sufficient notice of relevant information in the public domain that might indicate that funds could be linked to the proceeds of crime
Regulated financial institutions are expected to take a risk-based approach to evaluating their customers.
The depth and extent of EDD undertaken will ultimately depend on individual circumstances that are impacted by a range of factors, such as the following:
- Whether the customer is a PEP (in which case they will always be treated as high risk, regardless of other factors)
- The level of existing institutional knowledge about the customer
- The extent to which a customer is willing to provide documentation or further evidence to support their representations
- Where the customer is located and what type of business they conduct
- The capability and experience of the institution to undertake EDD procedures
- The significance of the proposed relationship
The FCA’s recent findings suggest that some financial institutions still do not get the basics right. For example, in one case ignoring obvious information (Google results) that suggested a potential customer was linked to corrupt activities – or only identifying issues well after the point of customer acceptance. Both cases suggest a lack of adequate integrity due diligence with regards to a potential high risk customer at point of on-boarding. In its guidance on PEPs ii , the Financial Action Task Force (FATF) recommends a number of appropriate EDD measures, including:
- Ensuring the accuracy of Customer Due Diligence (CDD) data and seeking declarations from potential customers
- Conducting searches of commercial databases and government-issued PEP lists
- Utilising in-house databases or sharing information between financial groups
- Accessing country-level asset disclosure systems for PEPs
In our experience, and with reference to FATF guidance, there are a number of additional points to note.
Over-reliance on a narrow range of data sources
Commercial databases and data aggregators may assist in the process of screening customers, but it is important to understand the limitations inherent in these sources:
- There is no single, comprehensive list of PEPs worldwide. Commercial PEP databases have attempted to plug this gap by providing an alternative catalogue of PEPs, often using information such as government websites. Not all PEPs will be included in these data sources. In particular, it is much harder to identify close associates of PEPs who may act as a front for the PEP themselves. Unfortunately, in some cases, reliance is placed exclusively on commercial databases to identify PEPs, without considering other risk factors. FATF states: “using any lists or database software to assist in the determination that a client is a PEP may increase the risk that financial institutions… wrongly assume that if a name is (not) in such a database then the client is (not) a PEP.”
- Commercial news aggregators often specialise in certain regions or certain types of publications. Knowing what a news aggregator does not cover is important, as is not placing undue reliance on certain sources. In one case, a bank used a commercial news aggregator to screen its entire high risk customer base using an (English language) negative news string, in spite of the fact that most of its customers were located in a non-English speaking territory – and that the news aggregator had no coverage of any publication in the country concerned. It is important to tailor searches appropriately, including searching the relevant language and data sources.
Accuracy and completeness of open source data
The growth in the volume of open source data means that more information than ever is available to researchers. This presents challenges not only in analysing an ever-expanding quantity of information, but also in understanding what is relevant, and what is not. It is important to understand the primacy of the information, and whether the original data source can be considered reliable. The accessibility of information is just one challenge; understanding its potential veracity is another, which requires a degree of experience and knowhow. Examples of challenges in this area include the following:
- Statutory filing requirements for corporate entities (corporate due diligence) that exist, but are in practice rarely followed, because the penalties for non-compliance are very low or non-existent. This may give a false impression that information is accurate and up-to-date, when this is not necessarily the case. Placing reliance on such information might, for example, lead to inaccurate identification of a company’s owners.
- Media sources that are controlled by prominent business or political figures or parties and which are used to spread disinformation about rivals, or which produce unduly flattering information about their owners or those associated with them. Reliance on these sources without sufficient verification could lead to poor decision-making.
- Increasing use of social media or internet sources (which may prove a valuable source of information) also provides challenges in that these sources are not subject to an editorial control processes, and inaccurate information may spread quickly to the point where it gains the appearance of fact.
Over-reliance on commercial search engines
Commercial search engines such as Google are regularly cited by regulators as sources of information and should always be considered, albeit with a number of caveats:
- Potentially negative information (subjects argue inaccurate or irrelevant) is increasingly being removed from search results in response to concerns over data privacy under the European Union’s “right to be forgotten”.
- Search engine algorithms are designed to deliver results in a way that may not necessarily promote the most relevant information from a financial crime perspective. Individuals and organisations increasingly use search engine optimisation techniques or paid-for advertising to promote results they want users to see. Hence, it cannot be taken for granted that a “quick Google search” would highlight relevant results without more complex querying.
- The “dark web” or “hidden web” remains an issue: areas of the internet not accessible by search engines, for example, because the information resides behind paywalls. There is additionally a phenomenon of internet “balkanisation”, in which a large number of countries have imposed forms of restriction to areas of the internet, ostensibly for reasons of public good.
Ultimately, as the FCA points out, the “central objective of EDD is to enable a bank to better understand the risks associated with a high-risk customer and make a balanced decision of whether to accept or continue the relationship”. Only by obtaining a holistic view of a customer’s circumstances can this be achieved – and this must depend on robust processes to gather and analyse relevant information. Just because the customer is unwilling and the financial institution is concerned not to put off the customer, or because gathering information can be onerous, will not be grounds to avoid taking a proportionate risk-based approach.