The Federal Regulators’ New Statement on Risk Assessments

by Julie Copeland

On July 6th, the Federal banking regulators[1] along with FinCEN issued a joint statement on the “Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence” (the “Statement”). The purpose of issuing the Statement was to remind financial institutions that a risk-based approach to due diligence should not automatically exclude a particular type of customer. “Not all customers of a particular type automatically represent a uniformly higher risk of money laundering, terrorist financing or other illicit financial activity,” the Statement cautioned.

The Statement went on to list examples of customers whom financial institutions did not necessarily need to assess as high risk, including ATM owners or operators, non-resident aliens and foreign individuals, charities, professional service providers, non-bank financial institutions, cash-intensive businesses and customers who might be considered politically exposed persons.

In this environment of heightened concerns about individuals or entities from, related to or doing business with Russia, many financial institutions may be taking a wide-brush approach to due diligence on these clients and severing or limiting relationships. Furthermore, the turmoil in the crypto world may be causing a similar tightening of due diligence controls. Many factors are causing institutions to take an exceedingly rigorous, and perhaps too rigorous, approach to customer due diligence, as the Statement seems to imply. The consequences to financial institutions can be great if they fail to prohibit particular customers or prevent transactions linked to illicit activities.

It is also possible that we are seeing the effects of automated decision-making (“ADM”) without the benefit of human oversight. An article previously published on the PCCE blog pointed out the issues that can arise if ADM is used with no or limited human review.[2] These issues can range from discrimination in decisions made because of biased data to artificial intelligence that does not work as intended, resulting in harmful or unintended outcomes.

The Anti-Money Laundering Act of 2020 pointed out the risk of so-called “de-risking,” noting that such actions, among other results, “ultimately drives money into less transparent channels through carrying of cash or use of unlicensed or unregistered money service remitters, thus reducing transparency and traceability, which are critical for financial integrity, and increases the risk of money falling into the wrong hands.”[3]

The lessons that can be gleaned from these various pronouncements are several:

  • A financial institution’s risk-based due diligence process must be a living/breathing control system that is reviewed and modified on a regular basis.
  • Human review of automated machine decision-making is necessary in some form so that broad brushes of customers are not barred from the financial system based on what may be biased data.
  • Transaction monitoring systems should also be re-evaluated on a continuing basis to determine that the trip wires for transactions to be rejected do not unnecessarily prevent transactions from going through. A $2500 Venmo transaction for a customer with over $300,000 in a bank is not necessarily a suspicious transaction even if the customer has never performed a Venmo transaction previously. At the very least, an inquiry is warranted before the transaction is blocked. At the very least, institutions should take a sample of rejected transactions or customers on a regular basis to determine if the algorithms need adjusting.

Financial institutions today must walk a fine line between appropriate due diligence and overly restrictive controls that unnecessarily exclude customers with certain names or in certain businesses. This is not easy, but the use of ADM – if deployed intelligently with human oversight – can assist in this difficult and delicate task.

 

[1] The statement was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency.

[2] See, New Automated Decision-Making Laws: Four Tips for Compliance, NYU Law’s Program on Corporate Compliance and Enforcement Blog, June 29, 2022.

[3] Anti-Money Laundering Act of 2020 contained in the National Defense Appropriations Act of 2020.

 

Julie Copeland is the Executive Director of NYU Law School’s Program on Corporate Compliance and Enforcement.
