by Kimberly Smith, co-founder of SILO Compliance System
As a former compliance officer and MLRO and now a business owner, I’m probably the most understanding and co-operative customer a regulated financial institution may have when it comes to requesting my due diligence and Know Your Client (“KYC”) documentation. My passport has been certified several times, I’ve had letters written on my behalf from lawyers and accountants and I am happy to sit in a board room with bankers and explain the business activities, the anti-money laundering software solution that I am marketing, and my business revenues.
Some of my regulated service providers – both in the US and abroad – have known me for twenty years. They know me personally, have seen me through the birth of my child, a broken marriage, re-marriage, the death of family members and international moves. Those I’m particularly close to know of my personal struggles with a father suffering dementia, my sticker shock for college tuition, the tough months endured when my husband was deployed with the US military and my love for gardening.
Because they know me so well, I imagine they have me down as a low risk customer. And back in the day when I sat in the hot seat that belongs to the risk and compliance officer, I would have assessed me as Low Risk too. I’m clearly one of the good guys.
Recently, however, conversations with other compliance professionals have made me re-assess my own risk rating.
Footprint vs Path
All of the above information – my date of birth, nationality, residence, previous employment and business ownership – is my “footprint”. All of which, for many, is Low Risk.
However, if one looks at my current “Path” – what I’m doing, where I travel and growth of revenues – it is no surprise that I have become a higher risk customer.
Why? I travel. A lot. And to many so-called “higher risk” jurisdictions. Not a month goes by when I’m not going to see customers in those lovely islands in the Caribbean that the mainstream media likes to call “tax havens”. Often, I fly in and out within 48 hours. I receive several wire transfers from those countries into a business bank account, and many are under the reportable currency transaction amount.
Once it was explained to me that my current “path” is showing signs of higher risk activity, I began to understand that yes, I AM a higher risk customer and to a diligent compliance officer, more documentation is needed on my file.
But that’s okay. I can document the legitimacy of my transactions. I can show license agreements for the software and profits from a house sale. I can easily provide years of financial statements for both my business and my personal tax filings that reveal typical start-up business cashflow challenges followed by a growth in revenues.
A risk assessment is not an indictment
Although my risk assessment has gone from low to higher risk, I am still not being deemed a criminal. My bank accounts are not at risk of being closed – assuming I can account for the change in my activities, which I can. I simply need to provide the documentation, and this can easily be done in less than an hour or two with a good scanner.
I’m not offended by my higher risk status. The good compliance officers still know me – still know I’m one of the good guys. They are doing their job, monitoring my transactions and amending my risk profile so that when a regulator comes to inspect and pulls my file – they can show the documentation that explains my higher-risk transactions and activities.
Customer and Compliance are a Team
As a customer, I don’t mind working with risk and compliance officers to ensure they are meeting their obligations and reducing risk of penalties – as long as requests are reasonable and I’m not getting penalized for my business activities. I believe that the average customer is going to be willing to comply with enhanced due diligence requests when they understand the reasoning – and the requests are not so unreasonable they are impossible to provide.
The tone of the request, however, is important. Threats of closing accounts and internal communications about “de-risking” customers don’t help. Two-way dialogue between the customer and compliance officer that explores documentation options that are not overly onerous to the customer is what is needed.
But not everyone likes Higher Risk Customers
Quite simply, higher risk customers impact your bottom line. They take up more compliance resources – assessments have to be thorough and are therefore more time-consuming. The more higher-risk customers you have, the bigger the compliance budget you need. And we all know compliance is not a revenue-earner. So it’s understandable that a financial institution would prefer to keep me marked as low-risk. Especially when they KNOW I’m one of the good guys who’s not laundering criminal proceeds or helping terrorists.
And risk is relative. I may be high-risk to one financial institution, low-risk to another and medium/normal-risk to another. Some may have a compliance policy where all of my documentation proving the legitimacy of my transactions puts my risk assessment back to low, in which case I can expect not to hear from them for many years – if at all. But another institution may still assess me as medium- or high-risk and have me provide further documentation in the future.
There is no one-size-fits-all for any type of regulated business in a specific industry or regulated jurisdiction. It’s what makes compliance such a difficult and demanding job. But not an impossible one.
I would be very interested to hear from others how they handle risk assessments on an ongoing basis and how, if I was their customer, they would assess me.