Compliance in a Digital World
Senior Compliance Advisor, Matt Goble, discusses the challenges of mitigating additional risks that go hand-in-hand with the convenience of digital banking.
Digital banking is one of the most common topics discussed around the industry. A transformation that was already well underway was propelled even further forward by the pandemic. As institutions kept their lobbies closed, customers/members who were still electing to perform their transactions in person had no choice but to do so online from their desktop or mobile banking apps. Financial institutions were forced to ensure their digital banking platforms were up to par to keep up with the increase in demand and remain competitive in the market before their customers/members found an alternative. It is safe to say that consumers’ new digital behaviors are here to stay, as online banking is quickly becoming the dominant channel for opening new accounts. While the ability to open deposit accounts and apply for credit online from anywhere using a smart device provides the convenience factor for the customer/member, it also comes with additional compliance considerations and risks for financial institutions to face head-on.
There is an ever-increasing challenge for financial institutions to effectively manage money laundering risks from fraudsters as well as the compliance risks that stem from digital onboarding, beginning with Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Office of Foreign Assets Control (OFAC), and Know Your Customer (KYC) compliance as well as the beneficial ownership collection requirements for your business accounts. Let’s break down the key components of each of these regulatory requirements along with ways to mitigate the inherent risks in connection with digital banking and account onboarding.
Financial institutions must maintain an effective Customer Identification Program (CIP), which requires the institution to verify the identity of each customer/member by collecting their name, physical address, and identification number such as a driver’s license or tax ID number. For business accounts, it’s recommended to obtain the partnership agreement or articles of incorporation registered with the state. This poses a challenge when the customer/member is no longer face to face with the banker, as the individual may provide too little information, or the information may have been obtained fraudulently through identity theft schemes such as phishing attacks, mobile banking trojans, malware or fake banking applications deployed by the fraudsters. Financial institutions can mitigate this risk by requiring the customer/member to provide, at a minimum, their name, physical address and identification number prior to moving forward with opening the account. Additionally, ensure the information collected is verified against a reputable database. Establish controls to identify fraudulent information by performing a back-end review of how the information was input into the application. For example, verify that the IP address location of the individual opening the online account matches the location of their physical address.
The Customer Due Diligence (CDD) Rule requires a financial institution to maintain appropriate risk-based procedures for conducting ongoing customer/member due diligence. This includes understanding the nature and purpose of customer/member relationships for the purpose of developing a customer/member risk profile, and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer/member information, including beneficial ownership information for legal entity customers/members. This prompts financial institutions to collect and maintain information on the purpose of the account, the source of funds, occupation, transaction activity, and the type of business for commercial accounts. Onboarding accounts digitally makes it harder to adequately risk rate the business or consumer account holder, but such risks can be mitigated by having an effective monitoring system in place. For example, consider having anti-money laundering (AML) system alerts in place for unusual cash activity.
Office of Foreign Assets Control (OFAC) verifications are also required to be in place in order to block accounts and transactions of specified countries, entities, and individuals included on the OFAC list. For example, if a funds transfer comes from offshore and is being routed through a U.S. bank to an offshore bank, and there is an OFAC-designated party to the transaction, it must be blocked. Digital banking increases the risk that certain transactions will not be screened against the OFAC list, as financial institutions are unable to conduct real-time OFAC verifications, allowing transactions to be conducted prior to OFAC verification. Financial institutions can mitigate this risk by restricting use of the account until OFAC verification has been completed and reviewed by the institution.
For commercial accounts, financial institutions must collect beneficial ownership information when a “legal entity” as defined by the rule opens a new account. This information includes the beneficial owner’s name, date of birth, address, identification number, as well as photo identification. During the onboarding process, make sure beneficial owners provide all required information prior to allowing transactions to be conducted. Establish procedures to verify the information provided and ensure the business customer/member provides a certification of accuracy of information prior to allowing transactions to be performed.