Law enforcement organizations are often burdened with a lack of resources for investigating financial crimes, as Sheriff Joseph Lombardo, Office of the Sheriff, Las Vegas Metropolitan Police Department, noted during his ACAMS 2016 keynote this morning. But as the panelists during the “Managing the Risks of Risk Management” session later that day noted, financial institutions can encounter the same problems with risk assessment if they don’t enact effective processes.

Spencer Doak, director of BSA/AML policy, Office of the Comptroller of the Currency, noted that risk management is a “client centric” discussion, which often begins when organizations create customer due diligence (CDD) and enhanced due diligence (EDD) policies.

According to Doak, the process begins by assessing whether you have enough information right now to know the types of transactions your customers are engaged in, particularly high-risk customers with irregular account activity. As he admitted, this can be a challenge, but it often starts with understanding the purpose of the account: determining the type of business the customer is engaged in, which products and services they will use, where they are employed, and more.

While this seems like the start of a cumbersome process for an institution, Doak reassured attendees that the bulk of customers are involved in regular, almost predictable transactions. But as he noted, “you have to start somewhere.”

In fact, the very act of reaching out to customers to answer these questions can lead to more answers. “If [a customer] is not responding to your letters and calls, that’s probably a red flag,” Doak said.

The easiest thing to do in this CDD approach is to look at how a client responds to questions about their account activity. If the answers lead to a “tree of other questions,” that’s often where you start to find issues.

For example, Doak noted that if a customer opens an account at a bank in Las Vegas, but the customer lives in New York, that should lead to some questions. While there are legitimate reasons for a scenario like this, sorting them out takes knowing new customers better as they walk in the door. But what are institutions to do about their existing customers?

Doak insisted that institutions need to look for at-risk customers and then create a risk-based review cycle for those customers. “If you set out a policy, you need to adhere to that policy,” he added.

Most Suspicious Activity Monitoring (SAM) mechanisms should reveal unusual activity, such as large movements of funds at irregular intervals, but managing risk then becomes a data problem. “If you have the metrics that can have a meaningful impact” in creating an effective risk profile of customers.

Doak admits that the next phase in the process – identifying the at-risk customers and investigating them – is a challenge for most institutions. But as he reassured attendees, “you’re not trying to investigate [a customer] to file a [Suspicious Activity Report or SAR], you’re trying to investigate them to NOT file a SAR.”

Susan Galli, managing director in the Financial Services Advisory Risk and Regulatory practice at PricewaterhouseCoopers LLP, admitted that effective CDD/EDD procedures are cumbersome, but necessary.

“An annual risk assessment is probably as popular as a colonoscopy, but once it’s done, it’s not that bad,” Galli added, earning a hearty laugh from the attendees.

“It’s an extremely labor intensive practice to do appropriately,” but connecting with the right partners in your organization, and having access to the right data can help keep it relatively painless.

Galli admits that the data challenges are great as organizations manage these processes, but they only become worse if institutions end up taking on a greater number of high-risk customers.
