Action Audit: Building A Customer Identification Program

The pressure is off, thanks to FinCEN's announced delayed effective date, but you'll still have to develop a customer identification program. Now you have the time to do it carefully. This is an opportunity to build a program from the top down and the bottom up. It is also a good time to take a hard look at your entire anti-money laundering program and consider a total makeover. There are ways we have become complacent. There are probably program elements that have not been reviewed or evaluated in a long time.

September 11, 2001 taught us that the efforts financial institutions make to identify, report, and prevent criminal uses of money simply must be a priority. The results of the anti-money laundering programs run by financial institutions have formed the foundation of several highly successful round-ups of terrorists and drug dealers. Compliance managers make anti-money laundering a priority by building the most effective program possible. This is the time to look hard at how to build such a program.

Customer identification is a core piece of your BSA program. The principle of a BSA program is to know who your customers are, where they obtained their money, and what they do with money - especially money that you lend them. Your anti-money laundering ("AML") program should therefore enable the institution to develop a fairly good understanding of where and how customers are moving and using their money.

Customer identification and funds movement is where the BSA ties closely to OFAC. As a practical matter, OFAC is simply one aspect of knowing your customer. In the process of establishing the customer's identity, you also establish whether they are on the OFAC list. If they are on the list, the OFAC rules click into place.

We learned a great deal about compliance and operations from Y2K and Privacy. In particular, we learned a lot about the systems that support the institution, the systems that run or store information, and the myriad ways that information about customers enters and moves around the institution. What we learned about the institution from those projects will prove important in the development of a CIP. While our goal in building a privacy program was to control the information, our goal in building a strong AML program is to put the information to use in identifying possible criminal actions.

Many compliance programs are built in a think-tank. Participants meet in a room and design a program. Too often, the people who carry out a program are not involved in the planning process. But they will be criticized when they don't follow the plan. This necessarily leads to some fundamental hostilities. It also can result in a program that doesn't work as well as it could.

This is an opportunity to build a strong and effective compliance program by using as resources the staff that carry out the program. Your program should be built around how customers and the front line staff interact. It should take into account behaviors of customers, both normal and questionable. No one knows this better than customer contact staff.

Customer contact staff also knows what they can or should ask, what they would like to ask, and the circumstances for doing so. They also know all about that gut feeling that something isn't right. They can tell you what triggers that concern.

Involve a variety of staff in developing the program. Be sure to include representatives from the front line. Listen to them carefully. Your success depends on them.

Meet with front line staff to discuss and develop answers to the following questions:

What are effective and viable methods for obtaining information from and about customers?
What are practical and reliable methods for verifying information about customers?
When and how should the staff refer to and use the OFAC list?
Where should information about customers be stored and when and how should it get there?
When and how should information about customers be used? Who should or should not do this?
When and how should information about customers be updated? Who should be responsible for this?
Who decides when something seems suspicious and what should they do about it?
Who prepares reports (CTRs and SARs) and maintains documentation?