Customer Due Diligence: Beyond Documents & Money
There's a lot written and even more said about customer due diligence; so one might wonder what, if anything, yet another article can add. But in fact, there is a huge gap between the prescriptive rules and guidance set out by regulators (who, these days, largely replicate an international formula) and the real world. The vast majority of writing on this area does not address that gap. In this article, we will examine some of the spaces through which criminals walk to defeat the systems set up by financial institutions.
In 1994, when the area of money laundering compliance and risk management was new, this author was asked the simple question: "What is the biggest risk to the money launderer?" The answer was the same then as it would be today: it's your staff.
Ultimately, it is not your staff training (that is all too often limited to setting out the law and the regulatory position with your internal processes bolted on and a few case studies thrown in to help maintain at least some level of interest) that will protect your organisation: rather it is the awareness programmes.
Before moving on, it is helpful to set up a scenario. Imagine that, on the table in front of you, there are three oranges, A, B and C. Make a choice. Write your choice down and keep it for later. Awareness programmes are a constant drip-feed of information that remind staff at all levels that every customer and every transaction presents a risk of money laundering and that they must at all times think "is this something about which I should be suspicious?"
When the industry changed the terminology from "know your customer" to "customer due diligence" it did itself a huge disservice. In this article, we will see that due diligence is, in fact, a subset of "know your customer" and that just as important as "know your customer" is "know your staff" and "know your business."
The term "due diligence" was commandeered from the mergers and acquisitions practice area. There it meant to conduct a rigorous investigation into the business of a target company, a detailed internal audit looking for anything that might affect the legitimacy or commercial value of the deal. It has very little in common with the question of identifying a prospective customer and so the use of the term in our context is misleading.
Customer due diligence is now, in effect, defined by the Recommendations by the Financial Action Task Force — but interestingly, the FATF does not, in fact, define the term. It uses it but there is no specific clause that says "customer due diligence means..." and it describes "the customer due diligence process."
But what it refers to is identification and verification of the information obtained, finding out what the customer intends to use an account for and monitoring accounts, it implies (but does not expressly state) that a profile should be created and then, requires monitoring against that profile for exceptions to expectations. It expressly says that it is not necessary to conduct CDD in relation to each transaction. (Recommendation 5 and interpretive notes).
It is also less than precise on when CDD is required: when a business relations are established (good), when occasional transactions reach a specified threshold or are wire transfers in specific circumstances (less good), where there is a suspicion of money laundering (surely too late) or where "the veracity or adequacy of previously obtained customer identification data" is open to question.
This last provision is, on the face of it, a make-weight. However, it is here argued that it is in fact as important as the first — the conducting of CDD when business relations are established. But it is very often overlooked even though regulators repeat it in their notes. There are few interpretations of what it intends and the FATF's own "interpretative notes" offer no help. This is what this author says it means: it incorporates the long-overdue need to monitor accounts not only for deviation from the profile but also to authenticate the user. In short, while CDD is every transaction is not necessary, financial institutions should be certain that the person operating the account is, in fact, the person who is expected to do so. It's called "authentication" and it is the third plank of any effective KYC system:
· know who your customer is (identification and verification including periodic checks that data remains valid),
· know the customer's money (source of funds, expected use of account, transaction monitoring) and
· know who is conducting business (authentication)
·
Case study
In 2008, in Hong Kong, a criminal gang recruited some 200 elderly residents of a district to open accounts and to then hand over the ATM cards attached to those accounts in return for a single small payment. This was not the first time such a scheme had been used: in the mid-1990s, criminals paid college students to open accounts and to hand over the cheque books in return for a small sum each month. In each case, the banks were not aware that the accounts were being operated by a third party.
CDD basics
A Malaysian bank holds an early morning meeting for its compliance staff where they sit and read the newspapers. But this is not a coffee morning: it is a major plank of their account monitoring and account opening risk management systems. With newspapers in four major languages, with several focusing on discrete communities and regions, the team scours the news for information on pending investigations, arrests and convictions. The names are added to the bank's internal watch list and run existing accounts, identifying not just individuals but also companies with which they are associated. In 10 years, the bank has built up an impressive database of those who are at least under suspicion by various authorities and departments enabling them to identify accounts that should be checked for suspicious transactions. They do not automatically report the holding of accounts: they do so only if there are suspicious circumstances.
This grass-roots initiative was created by the bank to take account of the reality of money laundering risk management: that most money laundering is domestic but that the grand international watch lists are focused on international matters. It's simple, cheap and very effective. Added to e.g. a register of voters (the basis for most address verification in credit bureaux checking) it provides an excellent addition to their armoury. Very few financial institutions do anything similar.
Timing of CDD
In this author's recent article on the new law in Hong Kong, specific attention was drawn to the clear stance taken by the Hong Kong legislature in relation to the timing of CDD. It makes it clear: if information is not complete and verified, the account must not be operated. This allows for the process of opening an account to be put in hand but not for any transactions to take place.
Case studies
A UK bank allowed an account to be opened with insufficient documentation. The account was operated for six months before the compliance team was notified by which time it had been operated outside the parameters that the account would have been expected to remain within. When the customer was challenged about the missing documents, the money in the account was abandoned and the customer disappeared. All identity documents provided proved to be false.
A UK private bank engaged freelance introducers. One, operating in the Middle East, had business cards made up bearing his personal address and contact information with the bank's name and logo. His business practice was to qualify the customer and to tell the customer to wire the account opening moneys to a holding account at the bank pending the account being opened. If the account was opened the monies were transferred to the new account. If the account was rejected, the bank was then left with the problem of what to do with the money — and whether to make a suspicious transaction report.
Real documents, fictitious data
Surprisingly, many governments do not perform as strict identification processes as financial institutions are required to do. However, governments tell financial institutions that they may rely on government issued documents.
Case studies
An Australian citizen (male) married an Indonesian citizen (female) in Indonesia. Believing that the marriage would not be recognised in Australia and therefore his wife would not be allowed to join him, the man decided that it would be easier if he were to present himself as a New Zealander immigrating to Australia with an Indonesian wife. So he flew to New Zealand where he found the grave of a male child born about the same time as he was but who had died while an infant. He applied for and obtained a birth certificate relating to that child. He immediately used the birth certificate to obtain a driving licence and then used those documents to apply for a passport. His downfall was not the process: it appears that the reason he was found out was because he pressed for urgent issue of the passport. New Zealand has one of the most "connected" governments in the world and a sharp-eyed clerk noticed that the time-frame for applying for all three documents was extremely short. That raised suspicions and he was arrested when he went to collect the passport. Had he been successful, he would have been in possession of three government issued documents proving his identity.
Shortly before British Honduras became Belize in 1981, it ordered a large stock of passports. After independence, these passports became unnecessary but instead of being destroyed, or in some way marked to render them useless, they found their way into the hands of brokers who, as late as the late 1990s, were selling them as "camouflage passports." The documents were real. The information on them could have been anything. New countries pop up surprisingly frequently: in 2011, Sudan is likely to divide into two. In 2010, Curaçao gained independence but retained its name. The Netherlands Antilles became independent and became Sint Maarten (also, informally, known as Saint Martin). There have been more than 30 new countries in the past 20 years, several of which are now part of, or are, petitioning to join the EU.
So the question of validation of passports in an international environment is becoming ever trickier. Many of the new countries have limited representation overseas and therefore seeking confirmation of the authenticity of a passport is made more difficult. Security standards also vary widely. That is not to say that new countries adopt weak security, merely that there is no global standard for passport security. Even if there were such a standard, countries change the levels of passport security frequently during the life of a passport. Indeed, during the life of a still-current Australian 10-year passport, there have been three changes in security including the famous but sadly short-lived dancing kangaroo hologram.
How to tell a lie
There has been much talk on TV programmes, both factual and fictional, about the use of body language techniques which can reveal whether a person is being evasive or failing to tell the truth. While some things are difficult to fake, it's important to remember that an accomplished money launderer or fraudster is an actor. He is also a salesman. It is his job to make people trust him and it is that trust that allows him to make your bank staff less likely to identify something suspicious in his demeanor. There are several things that help a money launderer improve his chances of beating the system. Remember the oranges? Pick up your note of your choice.
In advanced due diligence training courses, this author uses an exercise in which he puts up pictures of three oranges, marked A, B and C. Above the oranges are the words "make a choice." He tells the audience to "make a choice." That's just what was done at the top of this article. Did you choose A, B or C. Or A+B, or B+C or, even A+C? Perhaps A+B+C?
In fact there are many different combinations but almost everyone chooses one orange. The most off-the-wall answer was a delegate who answered "orange juice." Although this was said as a joke, it demonstrated that that delegate had listened to what was said and what was written. However, what almost every delegate hears and reads is not "make a choice" but "choose one."
The exercise demonstrates that people anticipate what will be said and, unless it is very different to what is actually said, they rely on their own expectations. Criminals rely on this kind of thinking. Front line staff and sales people, particularly those in, say, insurance sales, are focussed on the task in hand — and that task in hand is to make the sale. The money launderer knows that, if he is likeable he is less likely to be challenged. But he also knows what that staff member expects to see and hear. Research into job interviews regularly shows that good looking people get better jobs. This is to do with something called the "golden ratio." Unsurprisingly, perhaps, it's to do with mathematics and it was discovered by the Ancient Greeks.
The ratio is known as "phi" — short for the name of a Greek sculptor Phidias. He found that there was a fixed proportion which human binocular vision finds the most pleasing — and it was all linked to rectangles. The proportion has been calculated to many decimal places but for ease we can say that it is 1:1.618. For example, the Mona Lisa's face, taken from her hairline to her chin in one direction and from the hair at the two sides of her face, forms a golden ratio rectangle. It appears that what is inside the rectangle is reduced in importance if the ratio is correct. Of course, it does not always work: a person who is one metre wide and 1.168 metres tall would not, generally be regarded as attractive. However, if the body is broken up into pieces, then Da Vinci's famous diagram of the ideal human body, arms and legs outstretched is an example of the golden ratio in action. It is said that Le Corbusier, famed for furniture design, used the golden ratio as the basis for his famous chairs.
The ratio can be used to examine faces: the width of a forehead, the size of the eyes, nose and mouth are all important visual cues when we meet someone. Why is this important? The simple reason is that a person who is more pleasing to the eye is often treated more sympathetically than someone who is less attractive. And that translates directly into how your staff respond in interviews with prospective clients — and with those who might already be under suspicion. All of this happens subconsciously. Unless interviewers are specifically aware of this risk, they may easily fail to be as cynical as they need to be to protect the organisation.
This is not however the Victorian "science" of physiognomy which is currently undergoing something of a popular resurgence: "face reading" as it is sometimes called is not about facial expressions or body language. While some Chinese traditions claim accuracy in reading facial bumps, even moles, these are not well documented. In Victorian times, the breadth of the forehead, the closeness of the eyes and other features were claimed to give a guide to temperament and personality. None of this is intended to suggest that good looking people are more likely to be dishonest, but it is merely a tool to warn people that they may be less aware. Nor does it have anything to do with flirting, either.
Listen to what people say
But it is what people say and how they say it that can prove the best tell-tale in a non-controlled environment. Studying body language requires some control data and that can rarely be obtained in a single interview. But the way people speak and what they do or do not say is a much more instant and instantly identifiable method of identifying untruths. The first tip is to compare accents with known biographical data. With a UK customer, if a person says he is from London but his accent has a northern twang then this indicates a possible lack of honesty. So might a forced false accent such as a pretend "received pronunciation" accent. Many people put on a false voice when they feel the need to impress. The underlying question is why do they feel the need to give that impression?
Secondly, there is much truth in the idea that the bigger the lie, the easier it is to get someone to believe it. So, is the person applying for an account making claims as to unachievable projections for their business? Or trying to be more important by name dropping? This type of lie is common in "CV padding" — claims to have "been to Oxford" implying an Oxford University education when in fact they attended Oxford Polytechnic (as was). People rarely lie about having attended a minor university or other establishment.
Third, lies are often diversionary, intended to distract the interviewer from something that should get more attention. Therefore, rather than investigate the story being told, the interviewer should be looking for the subject that the person is trying to take attention away from. That might be to prevent a too-close look at a document that will be copied and handed back, for example a passport or driving licence. When this author lost his driving licence it was easier and cheaper to get a copy made in a street in Bangkok, with all the correct details, than to get an official replacement. The copy was, to the untrained eye (which is more or less all bank staff), the real thing and, if photocopied for records purposes, would have passed all future inspections in a back office (he chickened out and went through the tortuous process of getting a real duplicate, but does have a scanned, colour, laminated version which is sometimes left with the shop when hiring a motorcycle, for example).
Fourth: a small lie often hides an important truth. Rather than challenge the small lie (which may be relatively easily identified) the interviewer should be looking for the important truth which is being hidden. Often the truth will also be small. For example, it may be that the interviewee says that he has to leave soon because his car is on a meter. But the truth may be that he is trying to rush the interview, hoping that the interviewer will scoop up the documents, copy and return them quickly and therefore not spend time in small talk which is often where a person gives away a hint of a problem.
Lastly, beware the customer in a hurry. There should be no such thing as a banking emergency, especially to make a deposit. Why is that person so anxious to open the account and to give you money? Why was it not better planned? The greater the amount of money, the more this rule holds true. It is alleged that, during his last 18 days in power, Egypt's president Mubarak moved several hundred millions of dollars around the world, some of it out of Switzerland where his accounts were frozen as soon as he resigned. Somewhere, bankers have taken that money quickly and alarm bells should have rung wherever the money actually appeared. It is alleged that much of it was in accounts in Mubarak's name or in the name of relatives with the same surname: the SWIFT data should have raised suspicions, even if the destination account was in an unrelated name.
But being in a hurry is not only a question of transaction speed: it is also to do with how the customer presents himself. It is a long-established practice of salespeople to deluge the prospect with words, much of it irrelevant or vacuous. Or to adopt a technique of heading off questions with a blunt "that's not important, look at..."
Many UK readers will remember a 1960s TV sitcom called "Never mind the quality, feel the width." Feeble as the programme was, the title demonstrates the tactic with simple elegance.
In this article, little attention has been paid to the specifics, the "how to-s" of gathering information for these are well documented elsewhere. Instead, the focus has been on some of the ways that money launderers and fraudsters create the environment to defeat risk management systems at the stage where the organisation is at its most vulnerable — the point of sale where documents are presented and information is gathered. And where the money launderer faces his greatest risk: the staff of the financial institution; if they are prepared for him.