Identifying and managing high-risk customers is key to a robust financial crime prevention program. Below, we explore best practices and share expert insights from our latest webinar on managing your high-risk customers effectively.
High-risk customers are individuals or entities that, due to specific characteristics or circumstances, pose an elevated level of risk for businesses or financial institutions. These customers may be more likely to engage in activities associated with money laundering, terrorist financing, or other illicit behavior.
This could involve patterns of behavior, inherent risk related to identified customer types, products, and services, or geographies, including High-Intensity Drug Trafficking Areas (HIDTA) and High-Intensity Financial Crimes Areas (HIFCA).
Regulators and examinations are currently focusing on several hot topics.
The first is Banking-as-a-Service (BaaS). The common narrative in issued enforcement actions is that the sponsor bank, as the regulated institution, is responsible for high-risk customers. Therefore, the sponsor bank must have direct insight and oversight into how third-party high-risk customers are evaluated and approved for business.
Regulatory scrutiny has also ramped up over the last two years. In 2023, there was a 57% increase in enforcement actions specific to BSA/AML failures. This trend has continued into 2024and close attention is needed for customer controls and improvements.
Tip: When enforcement actions are issued, take note of the information disclosed that can help inform your institution on what went right or wrong for the institution in question, and evaluate these against your program. What are your internal controls if the same happens at your financial institution? Are they documented correctly? Have you recently tested your controls to ensure that they work well?
Understanding what it means for a customer to be high-risk to your firm is crucial. The sooner you can identify high-risk customers, the better equipped you'll be to manage potential issues. It's much easier to prevent a problematic customer from entering your system than to deal with one later. Five essential actions in this process include:
Tip: Consider the number of risk ratings you use and the level of management required to maintain accurate customer risk assessments.
Who should be responsible for approving or retaining an account for a high-risk customer? The answer depends on the nature of the high-risk customer.
Generally, everyone must be included in that decision if you have a prohibited customer. If it's a restricted customer, it should go to the second line to issue a non-objection or approval confirming the bank is comfortable onboarding them.
If the revenue-generating business line wants to approve a business relationship despite objections from the AML officer, this decision needs to be taken to the C-Suite executives to discuss (with a very clear risk management lens) whether the bank is willing to take on the risk and why it needs to be approved at that level.
However, the first line ultimately owns the risk of onboarding clients, so they need to be well-educated in this area to know when to flag a customer for further review.
Best practices for periodic reviews include verifying customer information program (CIP) information and beneficial ownership information to determine whether they are relevant to the review.
Then, look at the customers' transactional activity. What's happened since the last review? Have there been any SARs filed? If so, how many? Are there any alerts that came in waves? Are there any adverse news reports? How is the customer tracking against expected vs. actual activity? Has this changed over time, is the data still reliable? Are there any outliers? How do they track against peers? Does the customer still fit the risk appetite of the bank? Can this client’s risk level be downgraded?
Make sure the process is consistent, well-documented, and replicable for regulators and internal audits.
Tip: If you’re employing a model for your customer risk rating, tune it every 12-18 months. Models are inherently subjective, and with regular tuning, you can influence the number of high-risk customers based on your bank's risk tolerance.
When a customer is identified as being too high-risk and can no longer be effectively managed, it's crucial to have a process to conclude the business relationship and safely exit the customer.
This should involve an escalation or risk management committee with representatives from both the first and second-line functions to ensure the decision is justified and proportionate based on the identified risk level.
Prior to termination, the bank should also examine relevant laws, regulations, and internal policies. Certain jurisdictions have specific procedures or requirements for terminating customer relationships, particularly if the customer is suspected of illegal activities.
When it comes to effectively managing your high-risk customers, regardless of the specific strategies involved, the process should revolve around three core pillars: consistency, explainability, and documentation.
To hear more on this topic, listen to our latest AML Voices Webinar: ‘Best Practices for Managing Your High-Risk Customers’ with industry experts Chuck Taylor, Hunter Kreger, and Nancy Schicker, or check out our resource center for more on this and other related topics.
If you have any questions on this critical aspect of compliance and financial crime prevention and need more targeted insight, you can also talk to one of our advisory experts.