Disclaimer: The contents of this article are meant to provide a general understanding of the subject matter. However, this article is not intended to provide legal or other professional advice and should not be relied on as such.
This article is the second in a three-part series exploring the many factors that comprise customer risk. Part 1 discussed risks associated with customer characteristics and relationships. In this Part 2, we explore the money laundering risks associated with financial products and services, as well as the red flags presented by patterns of customer activities and behaviors.
Taking a risk is intentionally interacting with uncertainty. Customer risk, within the context of anti-money laundering, is the risk that a financial institution’s customer may conduct money laundering activity or other financial crimes through their account with the institution, that are not detected. Should this activity come to light, the institution could experience regulatory, financial, and reputational issues.
There is always a risk that any new or existing customer could use the financial institution for illegal activity. Because it is impossible to eliminate all risk (and remain in business), the alternative is to manage risk.
Individuals and institutions collectively perceive risk differently. How much risk one is willing to assume to achieve a desired reward trade-off is known as a “risk appetite.” For financial institutions, this is especially true with customer money laundering risk.
Customer Risk Score
The FinCEN Customer Due Diligence (or CDD) Rule[i] requires financial institutions to establish an understanding of the money laundering and terrorist financing risks of their customers via a customer “risk profile.” For most financial institutions, this takes the form of a customer risk rating or score. The risk score allows for targeted monitoring of those customers who present the higher potential risk.
Categorizing Risk Elements: Who, What, Where
There are many different risk factors to consider when assessing a customer’s money laundering risk, which may be logically grouped into categories as shown in the chart at right. Note that while each risk category in this chart appears to have an equal share of the total risk, this is not always the case.
Who: Customer Profile and Relationships. This is the set of risk factors associated with the characteristics of a customer, as well as the customer’s relationships to other individuals and other legal entities. We covered this category in depth in Part 1 of this series.
What: Products, Services, Activities and Behaviors. This group of risk factors includes what the customer will do, or is currently doing, through the financial institution. It includes the types of products and services which may have a higher money laundering risk, as well as customer transactional activities and behavior patterns that may indicate potential illegal activity. In this article we explore this category in greater depth.
Where: Geographic Risk. The geographic locations where a customer’s payment activities, assets, and business relationships occur are inherently tied to the money laundering risks associated with those locations. In the final installment of this article series, we will review one particular methodology for risk scoring individual countries from a money laundering and terrorist financing perspective.
Quantifying and Measuring Risk: The Risk Scoring Model
The customer risk score should be designed to quantify risk using an objective model, then modified as appropriate based on actual experience and professional judgement.
The customer risk score should also be dynamic, meaning it must be able to change and evolve over the life of the customer relationship. For example, a risk score for a new customer with no prior history with the financial institution will never be perfect, no matter how complex the model. Only with time and experience will the customer’s profile and corresponding risk score more closely reflect actual risk exposure.
No single risk factor exists in a vacuum. Rather, all risks are very much intertwined. Every customer presents a unique set of characteristics, using products and services in certain ways, that together comprise the overall risk profile.
Financial Products and Services vs. Activities and Behaviors
Certain financial products and services have characteristics that can make their use more attractive to money launders and fraudsters.
A product is a type of account or financial instrument; a service is an activity or transaction that’s performed on a product.
For example, a checking account is a product. The services a financial institution would typically offer to the holder of this product include check writing, wire transfers, cash withdrawals, direct deposit, and many others. A service may also be a stand-alone offering, such as trade finance, issuing a cashier’s check in exchange for cash, or foreign currency exchange.
Products vs. Services: Examples
- Product: Account or financial instrument
- Checking account
- Savings account
- Certificate of deposit
- Line of credit
- Brokerage account
- Credit card
- Commercial letter of credit
Service: Activity or Transaction
- Wire transfer
- Cash withdrawal
- Mobile banking
- Stock trade
- Check writing
- Trade Finance
Customer activities refers to their use of financial services. For example, a customer with a checking account may write checks, make deposits, and receive incoming ACH debits. All of these are activities, and activities occur in patterns: transaction types, amounts, timing, location, etc.
When a new account is opened, the institution should establish what that customer’s anticipated transaction activities on the account will be. Over time, most customers establish a relatively consistent pattern of activity.
These patterns may vary at different times of the year (particularly with business accounts) but these seasonal variations will typically also be consist. The deviations from these patterns generate red flags that should be investigated further.
Behaviors reflect how a customer performs an activity. An example of a suspicious behavior is structuring, where an individual makes cash deposits of $10,000 or less with the deliberate intent to avoid currency transaction reporting requirements. In this scenario, the activity is cash deposits, and the behavior is making smaller deposits to avoid a CTR filing.
Customer activities and behaviors go together. They are all about “how” a customer uses financial services.
Inter-Related Risks: An Illustration
Here is a simplified example of how products, services, activities and behaviors are interrelated.
Assume the customer in the illustration below has a personal checking account which she opened six months ago. The regular activities she conducts on this account are writing approximately twenty checks each month, and automatic vendor debits for typical monthly bills.
However, over the course of one month she receives two incoming foreign wire transfers. Shortly after these funds are credited to her account, she initiates an outgoing wire transfer through the bank’s online system to a U.S. recipient in another state. She also receives foreign incoming funds through an ACH credit, and over the course of four days in one particular week, she makes cash deposits at the teller window of $9,900, $9,800, $9,900 and $9,400, respectively.
In her account opening documents, the customer stated she had no plans for any foreign activity or wire transfers; only check writing and debits for typical monthly bills.
In summary, this account has routine/normal activities, out-of-pattern activities, and potential structuring behavior.
Money Laundering Risks of Products and Services
Almost any financial product can be used to launder money with enough creativity. However, some products are more vulnerable – or attractive – than others, based on certain characteristics as discussed below. It is also important to consider the phase of the money laundering process (placement, layering, integration) that a product or service’s characteristics could facilitate.
When assessing the money laundering risk of a particular product or service, consider all the above factors as well as any others unique to the financial institution. In essence, the more flexibility a product or service offers, the greater its attractiveness in the placement and layering phases of the money laundering cycle.
The Payments Industry: Facilitating Financial Crime?
Globally, the payments industry continues to make financial transactions faster and easier – but how much have these also facilitated financial crime?
- Online account opening
- Mobile banking
- Elimination of tellers
- Digital wallets
- P2P payment systems (PayPal, Venmo)
- ATM cash deposits
- Same day ACH: single transaction limit will increase from $100,000 to $1 million in March 2022
This trend will only continue. Now more than ever, effective monitoring of customer activity and behavior patterns is essential to fighting financial crimes in this new age of high-speed anonymous payments.
Assessing Products and Services Risks: A Methodology
One method for evaluating products and services risks begins with a complete inventory of all the financial institution’s offerings. For a large and diverse institution, this may be a daunting challenge. Consider focusing on one segment at a time, such as depository products, credit/loan products, stand-alone services, etc.
Next, create a matrix with all the risk characteristics described previously, and any others that may be unique to the financial institution. Each product and service is then effectively “scored” from a money laundering risk perspective based on how many risk characteristics it presents. These could then be bucketed into low, medium and high for simplicity.
A personal checking account is undoubtedly the most flexible and accessible product type available. Transactions can be completed anonymously through online/mobile banking; cash deposits and withdrawals are common; and foreign wire transfers or ACH are probably allowed as well, depending on the financial institution’s policies. On the other hand, a one-year certificate of deposit might permit a small number of cash withdrawals, depending on features, but otherwise would not be particularly useful in the laundering process.
A commercial letter of credit is used to facilitate import/export transactions and trade finance, so the foreign element is inherent. Trade finance underlies a particular type of illegal activity known as trade-based money laundering. (For an in-depth look at this topic, see Trade-Based Money Laundering: What Compliance Professionals Need to Know.)
Residential mortgages have received increasing attention in recent years due to a growing trend in real estate-related money laundering. FinCEN classifies the real estate market as particularly attractive for money launderers, because a purchased property appreciates in value over time, protecting the buyer from market instability, and allowing a large amount of illegal funds to be laundered with a limited number of transactions.[iii] A loan or mortgage is used to obscure the source of illicit funds and integrate those funds into high-value assets. The funds are used to either repay the loan in a lump sum or make loan payments in cash just below the reporting threshold.
Remote and mobile check deposit services could facilitate money laundering or fraud in several ways. Without a human (i.e. a bank teller) to examine the physical checks, suspicious activities such as deposits of sequentially-numbered money orders or cashier’s checks (purchased with dirty cash) could be made. As well, checks with no connection to the customer, fraudulent endorsements, and counterfeit checks are no longer subject to the scrutiny of experienced bank tellers.
Wire transfers have always been one of the money launderer’s favorite tools. Most wire transfers today are initiated anonymously through online banking and can move large sums around the world in a matter of minutes. Despite the FinCEN requirement that certain key identifying information be included on a wire transfer (known as the Travel Rule[i]) the Federal Reserve does not verify this information is present. Therefore, without systematic controls, important identifying details could be deliberately left off a wire transfer’s instructions to obscure its purpose or to avoid being flagged as suspicious.
Remote vs. Mobile Deposit: Know the Difference
While both of these services allow a customer to deposit checks without physical presentment, there is a difference between them.
Remote check deposit is a service intended for business accounts. The business customer uses a check scanning device which creates images of the fronts and backs of checks in large batches and may even add electronic endorsements. The entire batch is submitted electronically to the bank for processing.
Mobile check deposit is primarily a consumer service. A smart phone is used to take images of the front and back of the check and submit it for processing. Each check is its own “batch” and only one check may be deposited at a time.
Check writing is very low risk from a money laundering perspective. A check creates a permanent, traceable record, converted from its paper form to an electronic image.
A cashier’s check written in exchange for cash is however very high risk, especially if a customer develops a pattern to this activity. This is a classic form of placement – converting dirty money into a legitimate form. The risk is exponentially higher if the financial institution does this for non-customers, as there would be little to no tracking or monitoring of the purchaser’s activities.
Private banking services offer personalized and discrete delivery of a wide variety of financial services to high-net-worth individuals and their corporate interests. Private banking customers may prefer these services due their public prominence, family matters, or tax considerations. The private banking relationship is carefully handled by a relationship manager who is responsible for providing a high degree of personalized service to the customer, often forgoing standard bank policies and controls.
Because of the focus on privacy and confidentiality, private banking services may include assistance with establishing offshore vehicles such as personal investment corporations, trusts, or even more exotic arrangements. These are, in essence, shell companies formed to hold the customer’s assets, incorporated in jurisdictions known for financial secrecy. Private banking has historically been at the center of several significant money laundering cases.[iv]
Incorporating Products and Services Risk into the Customer Risk Score
The customer risk score is comprised of the three categories of risk: customer characteristics; products, services, activities and behaviors; and geographic risk.
Once an inventory of all products and services has been completed, the individual risk factors associated with each one may then be identified. The more risk characteristics, the higher the potential risk. Individual products and services are then assigned a risk ranking of low, medium, or high (or an even more granular ranking if appropriate).
Within the customer risk scoring model, point values are determined for those products and services the financial institution considers relevant based its risk perspective. For example, one institution may only wish to assign a point value to products and services ranked high risk, whereas another may include those with medium and high rankings.
If a new customer indicates they will be using any of these higher risk products and/or services, the corresponding point values for each are added to the customer’s total risk score. Similarly, if an existing customer adds a higher-risk product or service, their overall risk score should be modified accordingly.
It is important that a products/services risk scoring process make sense for the financial institution. For example, a financial institution may offer domestic wire transfer services to all its customers. Therefore, including wire transfers a higher-risk service within the customer risk score model provides no added value, as every customer’s risk score would be increased by the same amount.
Customer Activities and Behaviors
The ultimate purpose of an anti-money laundering program is to detect and report suspicious activity.
Most of the time, activity or behavior becomes suspicious when it differs from what is expected of that customer – in other words, it is out-of-pattern. With a new customer, “anticipated activity” is the reference point; whereas existing customers have a historical pattern of activity with which to compare. There are, of course, always legitimate reasons for a particular customer’s sudden out-of-pattern activity. It is here that professional judgement must come into play.
The following are more detailed discussions of significant money laundering activity patterns: structuring; funnel accounts; and business customer account activities.
Structuring is undoubtedly one of the most well-known money laundering methods. It involves the intentional manipulation of cash transactions to avoid triggering a governmental reporting requirement.
Structuring could be performed by an ordinary individual who lacks an understanding of the actual purpose of cash transaction reporting regulations. However, more commonly the individuals engaged in structuring are money mules, runners, or “smurfs” hired by money launderers. They go from bank to bank, and branch to branch, depositing cash, withdrawing it from ATMs, and purchasing money orders or cashier’s checks – all in amounts just under the reporting threshold.
Structuring can occur in many different settings, from traditional banks to money services businesses to casinos. Most anti-money laundering systems have a means to detect potential structuring activity by customers.
A funnel account is another money laundering method that has existed for years but continues to grow. FinCEN has issued multiple Advisories relating to funnel account use.[v]
A funnel account is an ordinary depository account used to launder money by exploiting the branch networks of financial institutions. Illegal funds are deposited into the account at one or more locations by money mules, and then withdrawn from a different geographic location, often hundreds or thousands of miles away.
The graphic[vi] above illustrates the funnel account process. Illicit funds are deposited into a business account at various branch locations on the east coast, and then withdrawn from that account at a branch in Los Angeles. The illustration further depicts how the cash from the funnel account is subsequently used in trade-based money laundering. Funds are wired from the funnel account to a U.S. or a foreign-based business to purchase goods, which are then shipped to another country for sale. Once the goods arrive, they are sold and proceeds ultimately are passed to the criminal organization.
Funnel accounts are also frequently used by human smugglers. U.S.-based family members pay the smugglers to bring their relatives into the country often by depositing cash payments into a funnel account.
Here are the most significant red flags indicating a funnel account:
- Multiple deposits, where the funds are then rapidly transferred to other accounts (same day or soon thereafter)
- Multiple deposits from locations outside the opening branch’s regional area
- Extensive deposit activity, yet the account retains a low balance
- Deposits from unrelated individuals or companies
- Deposits from different sources, such as cash, ATMs, checks and incoming wire transfers
Legitimate businesses are increasingly being used to launder criminal proceeds. Money laundering commonly involves moving proceeds from illegal activity into a legitimate, respectable business to make these proceeds appear normal and legal.
The more profitable organized crime becomes, the more important it is for criminal enterprises to shift profits into legitimate activities. Without a reliable “legal” income, a luxurious lifestyle will eventually attract unwanted attention.
Business customers typically demonstrate very stable and predictable patterns of receipts and disbursements, even if the business is seasonal. When new and unusual transactions occur on a business account, these are red flags. For example:
- Sudden use of incoming or outgoing wire transfers, with no prior history.
- A pattern of incoming wire transfers, followed by one or more disbursements in the form of outgoing wires, checks or cash withdrawals that add up close to that of the incoming funds. This could indicate the business may be an intermediary in the layering phase of money laundering. Intermediaries are often allowed to retain up to 10% of the funds as their compensation.
- This pattern could also potentially indicate a fraud situation. Typically, a small business client falls for a scam that unknowingly makes them an intermediary in the laundering process under the guise of assisting a “company” to help their “clients” move funds to avoid taxation or some other reason.
- Foreign wire transfers, especially the business has no overseas dealings.
- Incoming round amount wire transfers of $25,000 to $50,000 with no clear business purpose. Wire transfers in this dollar range are popular with launderers and fraudsters, perhaps assuming these amounts are less likely to be flagged by a bank’s monitoring system.
- Explanations provided by customers for unusual transactions that seem odd, irrelevant, or without a valid business purpose.
Incorporating Customer Activities and Behaviors into the Customer Risk Score
Once a financial institution detects and then decides to report, a customer’s suspicious activity, it must determine whether to continue with that customer relationship. For some financial institutions, terminating a customer relationship may not be an immediate option. For example, a lending institution may be committed to a long-term contractual relationship with its borrower that does not allow unilateral termination due to “suspicious activity.”
If the customer relationship will continue after suspicious activity is detected and a SAR is filed, that customer’s risk score should be adjusted to reflect a new high-risk level, regardless of their original calculated score.
How this is achieved will be unique to each financial institution’s AML system. One transparent and simple method would be to establish risk score elements for various levels of suspicious activity:
|Risk Score Element:||Point Value:|
|Out of pattern activity – no SAR filed||15|
|Continuing Activity SAR filed||50|
Each incremental behavioral element pushes the customer into a higher, or highest, score range. The customer’s monitoring threshold in the AML monitoring system will then reflect their high risk.
The Customer Risk Score: Always Evolving
It is critical that the customer risk score be dynamic, meaning it may and likely will change over time as the financial institution develops a longer history with the customer. At the outset of the relationship, no customer risk score will be perfect because it is an assessment based on objective data and predictions of account activity.
As the relationship continues, a customer may add new accounts or services. Relocation, a new job, and other personal circumstances change. Business customers may grow their revenues, add new product lines, or even start exporting.
When the underlying risk factors change, or actual activity or behaviors go out of pattern or into clearly suspicious patterns, the customer’s risk score should be modified accordingly. A risk score change may be a prompt that further customer due diligence is needed.
Just as a customer’s risk score can go up, it should also come down if the underlying risk is mitigated or a risk factor is no longer present.
Regardless, the decision to manually adjust a customer risk score should be made with professional judgement and the underlying rationale clearly documented.
More to Consider
The following are some additional considerations for financial institutions regarding products, services, activities and behaviors risks, and the risk scoring model into which they may be incorporated:
- Overall, seek to build a risk scoring model that is simple, clear, and logical. Such a model is more readily evaluated, tested, and modifiable as needed.
- Create and maintain a formal record of how the risk scoring model is designed, including the rationale behind the selection of each risk factor and any factor weighting. Well-written and thorough documentation provides a clear reference that can be shared with regulators, management, and internal audit, as well as all Compliance staff.
- Educate front line staff about red flags for suspicious customer behavior. It is important for staff to understand not only what the red flags are, but also why. This helps them better understand money laundering risks in general.
- Ensure customer information on which the risk scoring model depends is kept current. This ensures each customer’s risk score evolves as changes occur. A new address, unexpected foreign transaction activity, or even a SAR filing all have the potential to increase a customer’s risk score. Whenever possible, such changes should occur dynamically rather than manually.
- Always consider customer risk scores within the context of actual customer behavior. A customer with a low risk score whose account activity has all the red flags of a funnel account should no longer be low risk. Similarly, an initially high-risk customer who maintains a steady and predictable pattern of transaction activity can potentially be downgraded to a lower risk category, if the financial institution’s risk tolerance allows
Tools for AML Compliance