Finding solutions for high-risk businesses

Many banks have encountered the situation where high-risk clients are heavily scrutinized by regulators. Additional monitoring, increased filing of Suspicious Activity Reports (SARs), and ever-increasing enhanced due diligence have been among the regulators demands.

For many banks this increased scrutiny has led to the decision to terminate the relationship with high-risk clients, even though they often represent profitable relationships. In some cases, banks have determined that they will no longer serve entire industries (e.g. money transmitters and check cashers) to avoid severe scrutiny.

However, recent guidance indicates that there should never be a wholesale refusal to bank entire industries. When banks can demonstrate that they maintain a strong compliance program, they can keep high-risk clients in their portfolio.

Opening the door more

In early 2015, regulators made an effort to back away from the direction of Operation Chokepoint. FDIC for example, released Financial Institution Letter 5-2015. This guidance, “Statement On Providing Banking Services,” states in part: 

“Currently, there is concern that banks are indiscriminately terminating the accounts of all MSBs [money service businesses], or refusing to open accounts for any MSBs, thereby eliminating them as a category of customers. Such a wholesale approach runs counter to the expectation that financial institutions can and should assess the risks of customers on a case-by-case basis …

“Similarly, a blanket direction by U.S. banks to their foreign correspondents not to process fund transfers of any foreign MSBs, simply because they are MSBs, also runs counter to the risk-based approach.”

The focus for high-risk customers changed from de-risking (a fancy term for “getting rid of”) to risk management. The idea here is that financial institutions may indeed provide services for high risk customers if there are monitoring systems in place.

Steps for defending a BSA decision

The BSA/AML risk assessment is the first step in developing a strong compliance program. For this reason, the risk assessment must be comprehensive and updated regularly. As a best practice, the risk assessment should clearly define the current levels of risk inherent in the customer portfolio, as well as the risk appetite established by the board.

In this context, the risk appetite should include guidelines for the types of accounts that are considered acceptable and the clear authority of BSA staff to do what is necessary to keep risk at acceptable levels.

When developing this analysis, BSA staff must consider the resources that are available for monitoring and supervising the transactions of the customer base. The training, knowledge, and skill of BSA staff are important considerations in this area. Bank staff must be able to fully understand and monitor the business being conducted by the customer base.

In several cases, enforcement actions have resulted from the fact that BSA staff were uninformed of how particular businesses work. For example, if a bank decides to provide accounts for money transmitters, there must be staff members who are fully aware of the business model of these non-bank financial institutions.  

Chief among the programs that a financial institution must establish are the “Know Your Customer” (KYC) and risk-rating functions. There must be a process to determine the level and nature of the high-risk activity that the customer will conduct from the start. The institution must be able to gather sufficient information about the customer to evaluate the risks associated with the relationship.

Once the risks are fully documented and established, the financial institution must establish a comprehensive plan for monitoring the customer and making decisions about the proper response to transactions observed.

This process should include an evaluation of the ability of the bank to monitor and analyze the transactions of the customer. There must be sufficient transparency between the bank and the customer to determine whether ongoing transaction activity fits into the business line. For example, if a customer’s business is remittances, a significant increase in selling cashier’s checks should raise concerns.

In the event that the customer conducts transactions that are out of the ordinary, there should be a procedure to talk with the customer and obtain an explanation. In the event that the explanation is incomplete or unreasonable or questions cannot be answered to the satisfaction of the BSA staff, there must be a well-defined process for closing the account.

Using software solutions

There are many different types of BSA monitoring software available to financial institutions. There is no one type of software that fits all institutions. Instead, there are several that fit each type of risk appetite.

Choosing the appropriate software for your institution should involve understanding the way the software works. By developing a clear understanding of the way alerts are generated, BSA staff can appropriately adjust settings for efficient monitoring of the transactions of high-risk customers.

The monitoring software used should be subject to regular data validation and annual model validation. The data validation process should be designed to certify that BSA monitoring software is pulling accurate data form the core system. The model validation process should be designed to ensure that the settings being used in the BSA software allow for maximum effectiveness for suspicious activity review.

The bank should maintain complete written documentation of the conclusions made about potential suspicious transactions. Regulators expect that the decision process for whether or not to maintain a high-risk customer, though ultimately the decision of the board, to be fully documented.

Ultimately, there is no prohibition on banking high risk customers. There simply has to be a BSA compliance program in place that is up to the task of monitoring and administrating the risks.

About the author

James DeFrantz is a principal at Virtual Compliance Management, Hayward, Calif. He can be reached at [email protected]