Reinforcing Integrity Risk Management – “Customer Due Diligence” Requirements Reworked

One of Risk Management’s most important cogwheels, for the purpose of investigating and detecting a wide range of reputational risks and economic crimes, is the due diligence process.  As described in former articles published on Global Risk Affairs, due diligence requirements are largely anchored in legislation dealing with the prevention of money laundering, fraud, corruption and tax evasion, as well as being an integral part of good corporate governance guidelines and practices.

Based on individual risk exposure, financial institutions and corporations have adopted very different procedures, tools and approaches to customer due diligence, some of which are more standardised and others more tailored. In the majority of cases a combination of standardised and tailored measures is necessary.

European and US legislators are to a certain degree, however, concerned about the eclectic mix of due diligence approaches, and have launched a series of consultation processes aimed at improving the efficiency and effectiveness of due diligence procedures (see overview below). This article looks at the various initiatives and highlights the issues, which are at the centre of ongoing discussions about the adaptation of existing customer due diligence legislation.

Customer Due Diligence requirements revisited

Recommendations made at the G-20 Pittsburgh Summit in 2009, following the outbreak of the financial crisis, have encouraged a strengthening of standards on customer due diligence, beneficial ownership and transparency efforts. One of the most far reaching and also controversial pieces of legislation is the Dodd Frank Act, which requires institutions dealing with high-risk jurisdictions and sectors to expanded their due diligence efforts beyond their immediate business partners, to include all partners throughout the entire supply chain. Against this backdrop, reinforcing the risk-based approach by improving risk filtering and risk assessment processes is recommended as best practice in order to identify and monitor particularly high-risk customers.

The pivotal role of risk assessment

The general discussion surrounding the due diligence topic is often focused on how much screening and research of third parties is actually appropriate in order to ensure that legal compliance requirements are met and sound risk management is guaranteed.  The key challenge is how to instil procedures, which meet these requirements in an efficient and cost effective manner. An optimal risk assessment process should, in the first instance, ensure that no compliance and reputational risks can fall through the net during an initial filtering process, whilst secondly guaranteeing that the assessment process can be managed effectively.  Developing tailored risk filtering and assessment tools is therefore the starting point for installing and then monitoring any systematic due diligence process.

Figure: Enhanced risk-based approach to Customer Due Diligence

Legislation revised – The ‘enhanced risk-based approach’

Legislators, in particular, seem to be placing increased emphasis on the development of  adequate risk assessment procedures and ongoing monitoring in an attempt to narrow down the partners which require more detailed research as opposed to those entities and individuals which represent a lower risk.  In this regard, the FATF calls for an “enhanced risk-based approach”.

Although due diligence processes must be structured it remains important to adopt a situations-based risk assessment approach, which allows and requires individual judgement on a case-by-case basis.  Whilst ‘risk-ticking’ by using a database to search against an individual’s name is an essential part of the process, protecting an institution from sophisticated criminal activity necessitates state of the art risk assessment and mitigation tools in order to ensure adequate and effective risk management overall.

Similarly, when dealing with high-risk customers it is important to move beyond a standardised screening of names to a more knowledge and network-based research approach to ensure that critical risks, which might result through indirect links and associations, do not go undetected because the process is too narrowly defined or even exclusive in its procedure.

Table: Regulatory initiatives for enhanced risk-based Customer Due Diligence

ORGANISATION

DATE

ISSUES

FATF 02/2012 In February 2012 the FATF (Financial Action Task Force) published its revised recommendations which call for institutions to not only identify but also to verify the reliability of the their customer as well as respective ownership and control structure when dealing with legal entities; understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship; conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds. With regard to the special issue of Politically Exposed Persons (PEPs) financial institutions are required, in addition to performing normal customer due diligence measures, to: (a) have appropriate risk-management systems to clearly determine in what sense the customer or the beneficial owner is a Politically Exposed Person; (b) obtain senior management approval for establishing (or continuing, for existing customers) business relationships; (c) take reasonable measures to establish the source of wealth and source of funds; and (d) conduct enhanced ongoing monitoring of the business relationship.
EU 04/2012 As recently as April 2012 the EU announced a consultation process for the development of the 4th EU Anti-Money Laundering Directive; AML: Creating a modern EU Framework capable of responding to new threats. The EU aims to finalise the directive by autumn 2012.  The main focus is the full integration of anti-terrorist financing measures with anti-money laundering controls, the introduction of new measures to counter the financing and proliferation of weapons of mass destruction as well as addressing the laundering of the proceeds of corruption and tax crimes.  Furthermore the framework aims to strengthen the requirements for higher risk situations and allow countries to take a more targeted risk-based approach.  The key points at the heart of the discussions will be the application of the risk-based approach, customer due diligence measures, the transparency of legal persons and arrangements and the issue of Politically Exposed Persons (PEPs).
FinCEN 03/2012 In March 2012, the US Treasury department, FinCEN (Financial Crimes Enforcement Network) announced that it is seeking to strengthen and clarify customer due diligence requirements as it is concerned that there is a lack of uniformity and consistency.  Although policies and procedures form the foundation of any due diligence process the risk of instilling a ‘tick-box’ approach prevails, which ultimately contradicts the ever-increasing need for a robust risk management process.  FinCEN’s aim is to enhance financial transparency in order to strengthen efforts to combat financial crime by adopting a broad approach, improving the availability of beneficial ownership information of US legal entities and by facilitating global implementation of international customer due diligence standards as well as beneficial ownership of legal entities.  Ultimately this will also ensure that best practice standards of an effective risk-based approach are implemented.  The consultation process ended on 11 June 2012.
FSA 03/2012 In March 2012 the UK regulator the FSA (Financial Services Authority) heavily criticised investment banks for failing to maintain the right anti-bribery and corruption data, or implement decent preventative systems.  In particular the lack of adequate anti-bribery and corruption (ABC) risk assessment was flagged.  A consultation process has been initiated as a result.

Conclusion

The complexity of reputational and integrity risks as well as the risks emanating from changes in the political and regulatory landscape represent some of the most serious challenges currently facing corporation’s and financial institution’s overall risk management.

Limiting the amount of due diligence undertaken and standardising due diligence processes at a routine level might, to a certain extent, fulfil minimum compliance requirements, but can be insufficient in a high risk context where it might in fact increase an organisations exposure to more serious reputational and financial risks.  Therefore, being prepared to focus on assessing the risks emanating from the more complex and intransparent investments and personal networks and to monitor any such engagements of concern is likely not only to be most effective from a regulatory and legal perspective, but also in institutionalising a solid risk management structure.

Beyond fulfilling regulatory, compliance and good governance requirements, a well established reputational due diligence function which operates across the business will assist organisations in effectively balancing their risk appetite and tolerance in order to fulfil their strategic missions whilst protecting the interests of their stakeholders.