Disclaimer: The contents of this article are meant to provide a general understanding of the subject matter. However, this article is not intended to provide legal or other professional advice and should not be relied on as such.
How does one define risk? One definition states that to take a risk is to intentionally interact with uncertainty. Uncertainty means something that may or may not occur, whose occurrence and timing cannot be predicted, and over which we have little to no control.
Customer risk, within the context of anti-money laundering, is the risk that a financial institution’s customer may conduct money laundering or other financial crimes through their account with the institution without being detected. If and when this activity does come to light, it could subject the institution to all kinds of regulatory, financial, and reputational issues.
Any new or existing customer has the potential to use the financial institution for illegal activity. This represents uncertainty. While without customers, a financial institution would have no risk, it would also have no business. The solution is to find ways to manage risk, rather than eliminate it altogether.
Customer Risk Profiles and Relationships
Everyone perceives risk differently in any given situation. This is especially true with customer money laundering risk. Anti-money laundering professionals must have a heightened awareness of what makes a customer at higher risk for money laundering activity. In this article and the next two in this three-part series, we explore the many factors that comprise customer risk, such as customer risk profiles and relationships.
Customer Due Diligence vs. CIP
Customer Due Diligence and customer identity verification, commonly known as “CIP” (for Customer Identification Program) are often-confused terms.
Customer identity verification or “CIP” is a clearly defined set of regulatory requirements for confirming a new customer’s identity. Established by section 326 of the USA PATRIOT Act, the requirements only apply to new customers, whether natural persons or legal entities. They also apply to the natural persons who are beneficial owners of legal entity customers. For the most part, CIP is a one-time exercise of obtaining documentation to ensure the financial institution has a reasonable belief that it knows the customer’s true identity.
Customer due diligence (CDD) involves more detailed analysis and assessment of a new client from a money laundering risk perspective. In the customer onboarding process, identity verification typically comes first, followed by further due diligence. After all, if a customer’s identity cannot be verified, opening an account for them would not be prudent.
The Customer Risk Score
A customer risk rating, or risk score, helps a financial institution to identify those customers who present a higher risk of money laundering or illegal activity.
For financial institutions subject to U.S. law, this is a requirement. The FinCEN Customer Due Diligence (or CDD) Rule[i] became law in July 2016, with a final compliance date in May 2018. Among other things, the CDD Rule requires a financial institution to establish an understanding of the money laundering and terrorist financing risks of its customers. The Rule describes this as a customer risk profile, but in practice, most financial institutions define it with a customer risk rating or score.
This risk score is then used to identify those customers who should be more closely monitored for potential money laundering activity. Because it is not feasible to monitor every single customer in-depth, a risk score allows for targeting of those customers who present a higher potential risk.
Categorizing Risk Elements: Who, What, Where
There are many different risk factors to be considered when assessing a customer’s money laundering risk, logically grouped into categories as shown in the chart at right. Note that while each risk category appears to have an equal share of the total risk, this is not necessarily the case.
Who: Customer Risk Profile and Relationships. This is the set of risk factors associated with the characteristics of a customer, as well as the customer’s relationships to other individuals and other legal entities. In this article, we explore this category in greater depth.
What: Products, Services, Activities and Behaviors. This category encompasses what the customer will do, or is currently doing, through the financial institution. More specifically, it addresses the types of products and services which may have a higher money laundering risk, as well as customer transactional activities, behaviors, and patterns of behavior that may indicate potential illegal activity. Part two of this article series will discuss these risks.
Where: Geographic Risk. The geographic locations where a customer’s payment activities, assets, and business relationships occur are inherently tied to the money laundering risk associated with individual countries. In the final installment of this article series, we will explore one particular methodology for risk-scoring individual countries from a money laundering and terrorist financing perspective.
Quantifying and Measuring Risk: The Risk Scoring Model
The customer risk score should be designed to quantify risk using an objective model, then modified as appropriate based on actual experience and professional judgment.
Over the years, risk-scoring models have often become overly complex. Perhaps this is in response to greater regulatory scrutiny, changing perceptions of customer risk, attempts to refine and apply different risk factors by business segment, or simply overthinking the problem.
However, some leading financial institutions are exploring a simpler and more holistic approach. These models begin with a consistent set of risk factors, then apply the specific inputs relevant for each line of business. While the details of model development are beyond the scope of this article, it should be emphasized that a customer risk scoring model that is as simple as possible, while maintaining effectiveness, is an important goal.
A customer’s risk score, although based on an objective model, must nevertheless be dynamic, i.e., it may likely change and evolve over the life of the customer relationship. A risk score for a new customer with no prior history with the financial institution will never be perfect, no matter how complex the model. Only with time and experience will the customer’s risk profile and corresponding score more closely reflect actual risk exposure.
Customer Risk Profile and Relationship Factors
From a customer risk profile and relationships perspective, legal entity clients have many more risk factors to consider than do individuals, as discussed in the next section. Individual clients’ behaviors have a more significant bearing on money laundering risk. Nevertheless, there are several demographic and relationship risk factors to consider. These factors point to a potential higher risk for all three stages of money laundering: placement, layering and integration. Individuals or consumers are clients who are opening depository, investment, or credit accounts for personal or household use.
Customer risk profile and relationship factors relating to individuals may appear on the surface to imply underlying cultural or other biases. However, this is simply not the case. Compliance professionals utilize these well-established higher-risk characteristics based on law enforcement’s and financial institutions’ experiences.
Onboarding channel: Traditionally, new accounts are opened by individuals during face-to-face interaction with financial institution staff. However, the growth of online account opening, while improving customer convenience, has increased risk by allowing a new level of anonymity. Without adequate verification controls, someone opening an account online can more easily disguise their true identity. As well, new consumer accounts opened on behalf of the institution through third-party service providers also increase the potential for similar risks, either through weak internal controls or even collusion between the account owner and a service provider representative.
Depth and length of the customer relationship: Combined, these are risk-mitigating factors. A consumer customer with multiple accounts, such as checking, savings, a credit card, a mortgage or consumer loan, etc. has a deeper relationship with the financial institution than one who has only one account. As well, an ongoing customer relationship for a certain length of time, such as three to five years or more, is also a mitigating factor. Both the depth and length of the customer relationship reduce the “uncertainty” factor. In a customer risk scoring model, mitigating factors are assigned negative point values to effectively reduce the overall risk score.
Employment status: An adult client who has no employment warrants further exploration to determine the reason why. A self-employed person may present a slightly higher money laundering risk due to the potential to commingle business funds and transactions within a personal account, or vice versa. Commingling may be an attempt to hide or distort activity to evade taxes or other illegal activities. A client who states that their employer pays them in cash should be considered very high risk, particularly for placement of illegal funds.
Assets and sources of wealth: This risk factor is of greater importance with private banking, investments, and loans. If a client appears to hold assets beyond what would be expected based on career/employment history without a reasonable or verifiable explanation, or the client reports unusual sources of income and/or assets that cannot be independently confirmed, the client should be considered a higher money-laundering risk.
Citizenship status and residence: A person with nonresident alien status is a higher potential risk than a citizen or permanent resident, as they have no permanent ties to the country and may only be allowed to remain there for a certain time period. Someone who opens an account at a financial institution location that is significantly distanced from their place of residence or employment without a valid reason may also be a higher risk. Individuals acting as “money mules” for illegal activity such as narcotics distribution or human trafficking often open accounts at many different institutions within a wide radius of where they live or work, in order to break up large illegal cash deposits into smaller, less noticeable transactions to avoid suspicion and cash transaction (CTR) reporting.
Politically exposed persons (PEPs): A PEP is a foreign person with a current or former high-profile political role or public function. Some financial institutions may consider the spouses and adult children of these individuals to be PEPs as well. PEPs represent a higher risk for financial institutions because historically, they are more likely to become involved in money laundering, corruption, bribery, or terrorist financing.
Unfortunately for Compliance professionals, there is no single official list of PEPs. A person who is considered a PEP in one country would not be so in their home country. Fortunately, many compliance software vendors compile and publish a global list of PEPs including their direct relatives and associates, which is typically available for automatic and ad hoc name screening much like OFAC and other sanctioned party lists. However, an individual’s status as a PEP does not automatically make them a sanctioned or prohibited party. For more on this subject, watch our webinar on Recent PEP Screening Guidance from Regulators.
No apparent family relationship between account parties: A consumer account with joint account owners or authorized signers that have no apparent family relationship should be examined more closely for suspicious activity. Oftentimes this scenario can signify a human trafficking, elder abuse, or fraud situation is involved. It may also be a red flag for a funnel account.
Funnel accounts are frequently used by narcotics and human trafficking criminal organizations. The account is opened at one financial institution location, where several individuals make frequent cash deposits, typically in amounts below the reporting threshold. Deposited funds are then quickly withdrawn from a different institution location, commonly in another state, as part of the money laundering layering process.
Anticipated transaction activity: Transaction activity is an important risk factor for individuals, falling under the second major category of risk – products & services, activities and behaviors. However, anticipated transaction activity may be considered a customer risk profile factor because it reflects what the customer is telling the financial institution they plan to do with the account. If anticipated transaction activities include frequent cross-border wire transfers or frequent cash deposits, the account merits closer monitoring (at least initially) as reflected in a higher risk score.
Business/Legal Entity Customers
This customer category includes all types of commercial ventures as well as non-profits and trusts.
Legal entity customers present significantly greater money laundering risks than do individuals/consumers because a legitimate business provides the perfect cover for all three phases of the money laundering cycle. Organizations involved in the international narcotics trade, cybercrime, human trafficking, and financial fraud all commonly use legitimate businesses, as well as a variety of trust types, to conceal their illegal gains.
This chart illustrates the most significant established risk factors relating to the characteristics of legal entities. Each of these is discussed in further detail below.
Ownership, Entity Structure, and Third-party Oversight
The less transparency that exists in ownership and entity structure, the greater the risk. When the individuals who are behind an enterprise, directing its activities, clearly want to remain anonymous, a complex ownership structure and legal entity type may both provide this desired anonymity.
Shell companies are frequently used to create additional layers of ownership in a complex structure. A shell company (typically an LLC) is one with no physical presence and no valid business purpose other than to be one layer in a complex structure intended to disguise the true ownership and control of the organization.
Trusts may also be especially risky. According to the Internal Revenue Service, abusive trust arrangements can hide the true ownership of assets and income or disguise the substance of transactions. Although these trusts give the appearance of separating responsibility and control from the benefits of ownership, as would be the case with a legitimate trust, the taxpayer in fact controls them.[ii]
Abusive foreign trusts are often formed in countries that impose little or no tax on trusts and also offer financial secrecy. These are often “tax haven” countries outside the jurisdiction of the U.S. Typically, abusive foreign trust arrangements enable taxable funds to flow through several trusts or entities until the funds ultimately are distributed or made available to the original owner, purportedly tax-free.[iii]
When performing due diligence on a legal entity, pay close attention to where the entity is incorporated (domiciled). If a business’s primary operations are not in its state of domicile, further examination is warranted. Of particular interest are the domicile states of Delaware, Wyoming, and Nevada, as these states are the most notorious for anonymous corporate formation. When an entity is domiciled in one of these states, it is also highly likely that a nominee incorporation services (NIS) firm is involved.
Use of Nominee Incorporation Services Firms
Nominee incorporation services (NIS) firms, also called corporate formation agents, exist throughout the U.S. and around the world. While they serve a legitimate business purpose, they are often used to create shell companies, make them appear legitimate, and hide the true owners. They can legally form a new company in any state in the U.S.
In addition to establishing new legal entities, these firms provide many other services designed to make a shell company appear legitimate: a physical mailing address, a telephone number and someone to answer it in the name of the company, a letterhead, and more.
Of even greater concern are the “nominee” officers, directors, shareholders, or bank signatories a NIS firm may establish for the shell company. A nominee is an ordinary person who is paid for the use of his or her name, in place of an actual company owner/director/shareholder, so that the individual’s name is kept out of any public record. These nominees’ names could even be included in place of the true owners on a Beneficial Ownership form provided to a financial institution. The nominee arrangement is built upon a very complex power of attorney relationship. Law enforcement investigations over the years have discovered individual nominees who are each listed as the owners of literally thousands of companies.
One way to determine if a legal entity customer is using a NIS firm, and may therefore be a shell company, is to perform an internet search on the company’s address. If the search results return entry after entry of company names, all with the same address, a NIS firm is almost certainly involved. An internet search or background check on the stated beneficial owners could also reveal possible nominees in place.
The magnitude of anonymous corporate formation is staggering, particularly in Delaware and Wyoming. In 2020, over 249,000 new legal entities were formed in Delaware, bringing the total of all companies incorporated in the state at the end of that year to 1.6 million.[iv] This is astounding, considering the entire population of the state of Delaware is just under 1 million people.[v] The image at right is of a nondescript building in Wilmington, Delaware, which over 300,000 companies list as their corporate headquarters. It is the office of CT Corporation System, the largest NIS firm in the United States.
Wyoming has no state income tax and a very small population of just over 576,000 as of the 2020 census.[vi] Much like Delaware, the state of Wyoming derives significant income from corporate formations. The image at the left is a small house in Jackson, Wyoming – and the physical headquarters of over 5,000 companies. An article in Reuters from 2011 describing the issues with anonymous shell companies[vii] featured the NIS firm housed at this location.
Clearly, cash-intensive businesses have a much greater propensity for facilitating the placement of dirty cash into the financial system. Funds from illegal activities can easily be commingled with deposits from the business’s legitimate receipts. These businesses may also routinely make very large daily cash deposits and may therefore qualify for a Cash Transaction Reporting (CTR) exemption.
The table below includes the most common types of cash-intensive businesses. Two of these, in particular, are effectively “in the business of cash”: money service businesses (MSBs), and private ATM operators.
MSBs effectively convert cash into another form, such as wire transfers, money orders, or stored value cards. An MSB’s customer base is highly transient, and the transactions processed offer a relatively high degree of anonymity with minimal documentation.
Private ATM operators are another type of cash processor with a high money laundering risk. These businesses own ATMs which are often located in convenience stores, gas stations, and other retail locations. The ATM owner provides the cash for the machine from their own funds and is then reimbursed through a payment processing service.
A money launderer could purchase ATMs and install them in various retail locations, potentially within business establishments that are co-conspirators. The launderer loads the ATMs with illegal cash, or with illegal cash commingled with clean cash. Ordinary people use the ATMs, and the electronic transaction process debits the cardholder’s account and credits the ATM operator’s bank account. These transactions appear as electronic deposits from a legitimate financial institution, effectively laundering illegal cash.
Private ATM operators are regulated by state banking agencies but are extremely difficult to oversee and control.
Foreign Business Activities
As part of the customer due diligence process, a business client’s anticipated cross-border transactions should be evaluated. Imports and exports are the most common source of foreign transaction activity for business customers.
Historically, import/export activity was the domain of large multinational corporations. However, today’s global economy allows small and medium-sized businesses to actively participate in international trade.
The risk of money laundering activity is inherently higher when overseas counterparties are involved. Traditionally, a buyer and seller executing a foreign trade transaction would use a commercial letter of credit (LC) issued by a financial institution to ensure payment and delivery of goods. The supporting documentation required by the financial institution to issue and collect funds under an LC ensures that both parties’ interests are protected and provides a complete paper trail of the transaction.
However, these protections come at a price, in the form of bank fees paid by both parties, which increases the buyer’s cost and reduces the seller’s profit. To avoid the additional costs of letters of credit, many exporters have transitioned to “open account trading.” Under open account trading, the seller simply invoices the buyer for the shipment, and payment is made directly from the buyer to the seller, usually by wire transfer. Without an LC, there’s no independent set of eyes examining the transaction, which in turn facilitates two particular types of money laundering: trade-based money laundering through over- or under-invoicing, and Black Market Peso Exchange. To learn more about these money laundering methods, watch Trade-Based Money Laundering: What Compliance Professionals Need to Know.
The “Respectability Factor” and Customer Money Laundering Risk
Money laundering commonly involves introducing proceeds from illegal activity into a legitimate, respectable business to make it appear normal and legal. It also involves techniques developed for legitimate business purposes, such as cash management services, lockbox receipts, and possibly private ATMs. Professional service providers including attorneys, accountants, and financial advisors may also be involved in the money laundering process, either directly or simply by looking the other way.
The more profitable organized crime becomes, the more critical it is to funnel those profits into legitimate activities. Without a reliable “legal” income, a criminal’s lifestyle will eventually attract the attention of law enforcement and tax authorities. One cannot sustain a luxurious lifestyle without spending a large amount of income on goods and services. Therefore, this income must appear to be generated from a legitimate source.
The “family owned and operated” gold standard of respectability of a business client may in fact be a red flag for a financial institution. It often represents a closely held entity with little to no controls or oversight of the business’s financial dealings. Essentially, a business customer’s “respectability factor” may no longer be a valid mitigating factor in a customer’s money laundering risk assessment.
Money laundering, fraud and other illegal activities are increasingly being committed through legitimate businesses with long-standing favorable reputations. These are often traditional or well-respected industries and may be in perceived “safe” rural or less populated urban areas. These characteristics make a legitimate business the perfect hiding place for illegal activities.
Another type of high-risk cross-border activity is the transportation of goods across the southwestern U.S. border with Mexico, which includes the southern borders of California, Texas, Arizona and New Mexico. This region is designated as a High-Intensity Drug Trafficking Area by the U.S. Office of National Drug Control Policy.[viii] (Also refer to each HIDTA state’s unique website for more information on its program.)
Any business client who operates in this region should be more closely scrutinized for potential money laundering and other illegal activities, regardless of the nature of their business. Pay close attention to any Mexican counterparties, the volume of cash-based transactions, and any business operations within Mexico. Similarly, MSBs that operate in this same region are also considered very high risk. Known as casas de cambio, or “exchange houses,” these businesses have frequently been involved in money laundering activities tied to narcotics smuggling and human trafficking. The landmark 2010 case of Wachovia Bank’s processing of millions of dollars in illegal funds through Mexican casas de cambio is a primer on how these businesses facilitate illegal activity.[ix]
Customer Relationships and Risk
In addition to customer characteristics/demographics, it is important to understand how customers’ relationships impact money laundering risk.
With both individuals and legal entities, the length of the customer’s relationship with the financial institution provides a slight risk mitigating factor. The longer the customer relationship, the more history the institution accumulates in terms of transaction patterns and behaviors. This lengthy history is invaluable in detecting out-of-pattern, and potentially suspicious, behavior should it arise. Many institutions consider a customer relationship of five years or more as a threshold for slight risk reduction, all other things being equal.
With respect to a customer’s external relationships, individuals and legal entities present different types of risks.
The primary relationship risk with individual/consumer clients arises when more than one person is an account owner or signatory, but there is no family relationship between them. Without a valid explanation, this scenario could be an indicator of a funnel account, where illegal proceeds deposited by multiple money mules are centralized. Or increasingly, such circumstances could point to human trafficking or elder abuse. The account is in the victim’s name but is controlled, either against the victim’s will or without their knowledge, by another account co-owner or signatory. If there is no reasonable explanation for this type of joint ownership, the account should be considered high-risk and monitored closely, at least initially.
With a business/legal entity customer, there may be hidden relationships between seemingly unrelated entities where the common thread is the ultimate beneficial owner(s). Consider the following illustration:
In this example, a financial institution holds accounts for three LLCs: a trucking company, a dry cleaner, and a nail salon. These are all very different businesses, and on the surface, these three entities do not appear to be related. Each is directly owned by other LLCs. But by drilling down to the beneficial owner of these entities, it becomes clear that they are related, through ultimate ownership by one individual, Bob Smith. If these inter-relationships are not disclosed and flagged, there are heightened risks of undetected suspicious funds movement between the entities, or between the entities and the beneficial owner. To identify these relationships and flag related-party transactions, a financial institution must electronically capture beneficial ownership data and effectively utilize this data in transaction monitoring.
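The drill-down described above can be automated once beneficial ownership data is captured electronically. The following Python sketch is an added example, not part of the original article: it resolves each customer through its ownership layers to the natural persons at the top, groups customers that share an owner, and flags transactions between related parties. Only "Bob Smith" and the three business types come from the article; every company name, the second owner, the transactions, and the rule that any name without an ownership record is a natural person are assumptions.

```python
from collections import defaultdict

# Constructed beneficial-ownership records: entity -> direct owners.
# Holding-company names, "Jane Doe" and the circular pair are hypothetical.
OWNERSHIP = {
    "Acme Trucking LLC": ["Holdco A LLC"],
    "Sparkle Dry Cleaners LLC": ["Holdco B LLC"],
    "Luxe Nails LLC": ["Holdco C LLC"],
    "Holdco A LLC": ["Bob Smith"],
    "Holdco B LLC": ["Holdco D LLC"],   # an extra layer in the chain
    "Holdco C LLC": ["Bob Smith"],
    "Holdco D LLC": ["Bob Smith"],
    "Corner Bakery LLC": ["Jane Doe"],
    "Loop One LLC": ["Loop Two LLC"],   # circular ownership, no person on file
    "Loop Two LLC": ["Loop One LLC"],
}
CUSTOMERS = ["Acme Trucking LLC", "Sparkle Dry Cleaners LLC", "Luxe Nails LLC",
             "Corner Bakery LLC", "Loop One LLC"]

# Constructed transactions: (sender, receiver, amount).
TRANSACTIONS = [
    ("Acme Trucking LLC", "Luxe Nails LLC", 9500),
    ("Sparkle Dry Cleaners LLC", "Bob Smith", 4000),
    ("Corner Bakery LLC", "Acme Trucking LLC", 1200),
]


def ultimate_owners(entity, ownership, _path=()):
    """Return (people, opaque): the natural persons at the top of the
    ownership chain, and whether any branch ended without reaching one."""
    if entity in _path:                 # circular ownership
        return set(), True
    owners = ownership.get(entity)
    if owners is None:                  # assumption: no record = natural person
        return {entity}, False
    if not owners:                      # entity on file with no owners recorded
        return set(), True
    people, opaque = set(), False
    for owner in owners:
        found, branch_opaque = ultimate_owners(owner, ownership, _path + (entity,))
        people |= found
        opaque |= branch_opaque
    return people, opaque


def related_groups(customers, ownership):
    """Map each beneficial owner to the customers they ultimately own,
    keeping only owners linked to two or more customers."""
    by_owner = defaultdict(list)
    for customer in customers:
        people, _ = ultimate_owners(customer, ownership)
        for person in people:
            by_owner[person].append(customer)
    return {p: sorted(c) for p, c in by_owner.items() if len(c) > 1}


def opaque_customers(customers, ownership):
    """Customers whose ownership chain cannot be fully resolved to people."""
    return [c for c in customers if ultimate_owners(c, ownership)[1]]


def flag_related_party(transactions, ownership):
    """Flag transfers where both sides share a beneficial owner, including
    transfers between an entity and its own beneficial owner."""
    flagged = []
    for sender, receiver, amount in transactions:
        shared = (ultimate_owners(sender, ownership)[0]
                  & ultimate_owners(receiver, ownership)[0])
        if shared:
            flagged.append((sender, receiver, amount, sorted(shared)))
    return flagged


if __name__ == "__main__":
    print(related_groups(CUSTOMERS, OWNERSHIP))
    print(opaque_customers(CUSTOMERS, OWNERSHIP))
    for hit in flag_related_party(TRANSACTIONS, OWNERSHIP):
        print(hit)
```

Customers returned by `opaque_customers` are the ones where transparency is missing, which the article treats as a higher-risk condition in its own right.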
A business client’s foreign connections – subsidiaries, a parent company, or affiliated entities – should also be identified as a part of customer due diligence. The next step is to assess the potential money laundering risk posed by the countries where these related entities are located. In general, foreign related entities have a greater potential for suspicious or illegal funds movement in or out of the country under the guise of intercompany transfers.
More to Consider
The following are some additional considerations for financial institutions regarding customer risk profiles and relationships and the risk scoring model into which they may be incorporated:
- Overall, seek to build a risk-scoring model that is simple, clear, and logical. Such a model is more readily evaluated, tested, and modifiable as needed.
- Create and maintain a formal record of how the risk scoring model is designed, including the rationale behind the selection of each risk factor and any factor weighting. Well-written and thorough documentation provides a clear reference that can be shared with regulators, management, and internal audit, as well as all Compliance staff.
- Educate front-line staff about customer risk factors – both what and why. This helps them understand how to help protect the financial institution and participate in the customer due diligence process.
- Ensure customer information on which the risk scoring model depends is kept current. This ensures each customer’s risk score evolves as changes occur. A new address, unexpected foreign transaction activity, or even a SAR filing all have the potential to increase a customer’s risk score. Whenever possible, such changes should occur dynamically rather than manually.
- Use the full capabilities of, and if necessary, enhance AML technology. An effective AML monitoring system should incorporate machine learning, so the system recognizes when a change occurs and either provides an alert or even updates the risk score automatically.
Remember that no single risk factor exists in a vacuum. All the risks explored here should be considered together, along with customer activities and behaviors and geographic risks, to be explored in upcoming articles.
Most importantly, consider these risk factors within the context of actual customer behavior. A customer risk profile and score without activity monitoring serves no purpose, nor does monitoring transaction activity without using risk scores to target those customers who present the highest risks.