Various forms of the proverb date back as early as the 14th century. However, it was more firmly rooted in American culture when Benjamin Franklin included a version of the rhyme in his Poor Richard’s Almanac in 1758. It went like this:
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
The usage of the proverb is intended to serve as a reminder to those who may otherwise become lost in the minutiae that the small details can have a major impact on the big picture.
With Bank Secrecy Act compliance, it is all too easy to simply go through the motions, especially when it comes to collecting information about potential new accounts. It’s tempting to become careless in collecting information due to repetitive nature of the process unless we keep the end purpose in mind: catching suspicious activity. Because of this, it’s a good idea for compliance personnel to take a step back every now and then and see how the nail factors into the overall security of “the kingdom.”
It can help to start off with a brief history lesson. Although the concept of Know Your Customer was introduced with the Bank Secrecy Act in 1970, it has been enhanced and amended by the implementation of other acts. One such act was the USA PATRIOT Act of 2001, which came on the heels of the terrorist attacks of 9/11. Those events made plain the correlation between money laundering and terrorism, and the USA PATRIOT Act was introduced to help combat this by increasing the requirements of due diligence of new and even existing customers/members at financial institutions. In short, the Know Your Customer requirements have made financial institutions responsible for learning at least to a certain degree with whom they’re doing business.
All financial institutions are required to have Know Your Customer policies and procedures, including the following four items. Although these elements necessitate more work put into collecting information at account opening, they can make the end goal of Know Your Customer (monitoring for suspicious activity) much easier.
1. Member Identification Program
This program should outline the policies and procedures associated with verifying the identity of a customer or member. This can include documentary methods (such as a government-issued picture ID) or non-documentary methods (such as information from a consumer reporting agency) or both. At a minimum, financial institutions must obtain the name, address, date of birth, and identification number of the new or returning customer or member.
Your CIP or MIP should also include procedures for situations where the institution cannot verify the identity of a customer or where the customer appears on a federal government list of suspected or known terrorists or terrorist organizations. It should also note how the institution notifies customers that information will be requested to verify their identity.
2. Member Due Diligence
After verifying the identity of the new customer or member, the next logical step is to try to anticipate the level of risk posed by the customer or member to the institution. This is where CDD or MDD comes in.
This section should outline all the information the institution will gather at account opening to determine the kind of risk a customer or member presents to the institution. Information gathered should include gaining an understanding of normal and expected transactional activity. It should also aim to predict the types of products and services the customer will be using. The point here is to ensure that the institution has enough information to have an effective suspicious activity monitoring program. Such programs should be based on the level of risk associated with customer/member type and background.
3. Enhanced Due Diligence
Enhanced due diligence is all about taking a more in-depth look at the accounts your initial due diligence efforts determined present a higher level of risk. These are the customers or members your institution has determined are most likely to engage in suspicious activity or pose a higher than normal degree of risk by definition. As such, this section should address procedures to find any kind of information that would be helpful in the event that you have to investigate deeper. This might consist of a review of the account’s purpose, background checks of the involved individual(s), a review of websites regarding legitimacy or other related aspects, and anything else that would help in the investigation.
4. Record Retention
If you can’t produce the documentation, it could create a big gap in an investigation that may subsequently occur, potentially resulting in regulatory and legal problems for the financial institution. The key point with record retention is to remember that institutions should keep all Know Your Customer information for five years after an account is opened and five years after an account is closed. Moreover, when AML systems are dynamic, the capacity to “pull” your KYC, CDD and EDD information shows its strength. Remember, that “record retention” is really only part of the definition. There is also record integration and retrieval.
Of course, there is much more to Know Your Customer, but the key takeaway here is to avoid getting so caught up in the details that you lose sight of how the small nails fit into the big picture. Remember that the purpose for the initial collection of information is to improve your institution’s ability to monitor for, investigate, and report on suspicious activity later. When an institution loses the BSA/AML war, all too frequently it comes down to the proverbial nail of KYC. Don’t lose the battle.