Today let’s return to that enforcement action against City National Bank, issued by federal banking regulators last week for City National’s systemic risk management shortcomings. We originally looked at the settlement order’s advice on risk assessments; next up is another common compliance challenge: customer due diligence.
The recap here is that the Office of the Comptroller of the Currency fined City National $65 million for its compliance program failures, and ordered the bank to take “broad and comprehensive corrective action” on pretty much everything: operational risk management, compliance risk management, internal controls, anti-money laundering compliance, and more. The good news for us is that OCC’s settlement order goes into extensive detail about the improvements it wants to see. Other compliance officers can give that order a close read and use it as inspiration for program improvements you might want to implement at your own organization.
Customer due diligence deserves that treatment for two reasons. First, it has long been a primary compliance concern for financial firms. Second, as regulators keep stepping up their attention to compliance with economic sanctions, “CDD” will increasingly become a compliance priority for everyone else, too. So let’s take a look.
Step 1: Define the Basics
As spelled out in the settlement order, City National must begin by defining customer risk categories and procedures for fundamental tasks.
For example, the bank must have clear definitions of low-, moderate-, and high-risk customers; and a clear method for assigning customers to one of those categories that considers each customer’s entire relationship with the bank. That includes factors such as the type of customer (individual, business, shell company), purpose of the account, geographic location, and “expected account activity” — which, in turn, depends on another set of factors, such as the size and frequency of transactions.
What’s important to note here is that effective customer due diligence is about much more than background checks to confirm the customer’s identity. To assess “expected account activity” you’ll need to solicit information from the customer about his or her intentions. You’ll need to cross-reference those answers to other information that might come up in background checks. So think about the procedures you’d need to establish to get such data collection and cross-referencing done.
Along those lines, OCC also says the bank must adopt procedures to collect, maintain, and update all information necessary to establish an accurate customer risk profile. That includes procedures for identifying instances where required CDD information is incomplete and for obtaining the missing information, as well as procedures to support ongoing monitoring of customer activity and to report suspicious activity.
The question for compliance officers is how easily you can retrofit existing due diligence procedures — say, for FCPA compliance — to achieve this high standard of customer due diligence set forth by OCC. Most companies that aren’t banks will never need to meet every OCC criterion, but a lot of those criteria might help with your sanctions compliance efforts.
For example, if you’re selling technology around the world, how would you establish those categories of low-, medium-, and high-risk customers? How would you monitor ongoing customer activity, especially if you work with resellers or distributors? What attestations or certifications would you want from end-use customers?
Step 2: Effective Customer Monitoring
The second part of the OCC’s orders on customer due diligence dwells on the importance of monitoring customer activity. City National must have procedures to conduct periodic reviews of high-risk customers, and those procedures must include four points:
- Risk-based criteria to establish how often periodic reviews of high-risk customers are conducted;
- Documented evidence of transactional analysis, including comparisons of expected, historical, and current activity, the source and use of funds, trends, and activity patterns;
- Documented critical analysis of all significant information in the file, including the identification of significant disparities, investigation of high-risk indicators, and well-supported conclusions;
- The clearing of any backlogs of high-risk customer identification reviews, so that the bank can determine appropriate risk ratings and file any necessary suspicious activity reports.
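As an added illustration (not code from the OCC order, the bank, or the post’s author), here is how the risk categories from Step 1 and the expected-versus-historical-versus-current comparison from Step 2 might fit together in one small routine; the factor weights, thresholds, and review intervals are constructed assumptions, not figures from the order:

```python
# Added illustrative example: a toy implementation of the CDD steps the post
# describes. Factor weights, thresholds and review cadences are constructed
# assumptions, not values taken from the OCC settlement order.
from dataclasses import dataclass, field

# Constructed scoring table for the factors the order lists: customer type,
# account purpose, geography, and expected account activity.
TYPE_SCORE = {"individual": 0, "business": 1, "shell company": 3}
PURPOSE_SCORE = {"payroll": 0, "savings": 0, "trade finance": 1, "correspondent": 2}
REVIEW_INTERVAL_DAYS = {"low": 365, "moderate": 180, "high": 90}  # risk-based cadence

@dataclass
class Customer:
    customer_type: str
    purpose: str
    high_risk_geography: bool
    expected_monthly_txns: int       # stated by the customer at onboarding
    expected_txn_size: float
    history: list = field(default_factory=list)   # prior monthly totals on file

def risk_category(c: Customer) -> str:
    """Assign low/moderate/high using the whole relationship, not one attribute."""
    score = TYPE_SCORE.get(c.customer_type, 2) + PURPOSE_SCORE.get(c.purpose, 1)
    score += 2 if c.high_risk_geography else 0
    expected_volume = c.expected_monthly_txns * c.expected_txn_size
    score += 1 if expected_volume > 250_000 else 0   # constructed threshold
    if score >= 4:
        return "high"
    return "moderate" if score >= 2 else "low"

def periodic_review(c: Customer, current_monthly_total: float) -> dict:
    """Compare expected, historical and current activity; document disparities."""
    expected = c.expected_monthly_txns * c.expected_txn_size
    historical = sum(c.history) / len(c.history) if c.history else expected
    findings = []
    if current_monthly_total > 2 * expected:
        findings.append("current activity exceeds twice the stated expectation")
    if current_monthly_total > 1.5 * historical:
        findings.append("current activity 50% above historical average")
    if not c.history:
        findings.append("no historical activity on file: CDD information incomplete")
    risk = risk_category(c)
    return {
        "risk": risk,
        "next_review_days": REVIEW_INTERVAL_DAYS[risk],
        "expected": expected, "historical": historical, "current": current_monthly_total,
        "disparities": findings,                 # the documented analysis
        "escalate": bool(findings) and risk == "high",   # human review queue
    }
```

The returned dictionary is the kind of written record the order asks for: expected, historical, and current figures side by side, the disparities identified, and a review cadence tied to the risk rating.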
What’s striking here is the emphasis on analysis — both transactional (meaning, you need sophisticated data analytics) and critical (meaning, you need actual human beings to offer an opinion about the customer risk).
Banking regulators have faulted banks many times over the years for under-investment on both fronts. For example, OCC and FinCEN fined USAA $140 million in 2022 for moving too slowly on AML compliance weaknesses; the Fed fined Deutsche Bank $186 million in 2023 for moving too slowly on needed improvements in customer due diligence and transaction monitoring. We could scroll through the annals of AML enforcement actions and find many examples of financial firms whose business boomed in the 2010s while they kept their AML staff at, like, two people.
For banks looking to strengthen customer due diligence programs, the question really is one of managerial fortitude: Is there enough support among senior leadership to invest in the people and technology needed to achieve the level of analysis OCC wants to see? Then again, that’s been the question for banks for ages.
For compliance officers at non-banks looking for ways to apply this OCC material to their own compliance programs, the question is more about (1) what level of customer monitoring makes sense for your business, given your sanctions risk profile; and (2) how you would actually build these procedures to get that level of analysis.
We can explore those two questions in future posts. For now, the City National settlement order continues to provide plenty of food for thought.