
August/September 2007
Focus: Technology

Assessing Customer Risk to Meet the Patriot Act’s Rules

By Gary Bakker and Christopher Price

Uncle Sam’s familiar “I Want YOU” poster could be revised just for financial institutions. Aimed at their customers and underscoring post-Sept. 11 realities, this version would read, “I Want to Know about YOU.” Such a poster would reflect the challenges banking institutions still face in developing a risk-based approach to comply with the nearly six-year-old USA PATRIOT Act, especially the requirement that financial institutions verify the identity of their account holders. Many banks worry their approach is inadequate and that, as a result, regulators will adopt further requirements. This article presents an overview of the customer-assessment process.

Specifically, Section 326 requires financial institutions to employ reasonable procedures to:

  • Verify the identity of any new customer opening an account
  • Maintain records of the information used to verify the person’s identity
  • Determine whether the person appears on any list of known or suspected terrorists or terrorist organizations.

The regulations apply to banks and trust companies, savings associations, credit unions, securities brokers and dealers, mutual funds, futures commission merchants and those involved in futures trading.

Initially after the USA PATRIOT Act became law on Oct. 26, 2001, financial institutions focused on Section 352, which deals with the ability to monitor client activity to detect suspicious activity. Money-laundering concerns drew their attention then. As a result, technologies to monitor and identify money laundering proliferated and institutions embraced them. Later, banking institutions increasingly turned their attention to Section 326, which specifically outlines requirements banks must follow for two of the Act’s most basic tenets – the Know Your Customer and Customer Identification Program areas.

Identifying Risky Customers

So how do you assess the risks of your customer base and of new prospective customers? No longer can you simply establish risk categories that have little or no quantitative merit. Risk assessment is a science that requires real analytics and significant processes behind it. For instance, since a multitude of client types may exist, especially in financial institutions that offer a rich set of products and services, customer-acceptance processes must be developed and detailed for each client type. This is essential since identity-verification techniques and customer assessments against criminal, global sanctions and so-called “politically exposed person” databases are linchpins in this Know Your Customer requirement.

Fortunately, Section 326 regulatory guidelines encompass much of what many institutions already have applied under the Know Your Customer and other regulatory requirements. Therefore, only a restatement of current policies and procedures may be necessary since regulators primarily just want to know how financial institutions are handling different customer groups, transaction types and geographic locales based on their risk potential for illegal financial shenanigans.

Still, in developing a risk assessment of its customer base, a financial institution employs a basic framework that will, among other things:

  • Identify its customer demographics, including the percentage of customers that are commercial, consumer, resident aliens and non-resident aliens
  • Ascertain the various account types that may carry risk
  • Determine which parts of its geographic area may carry higher risk
  • Outline those categories of customers that might carry higher risk, such as money remitters and check-cashing businesses, and pinpoint the transaction methods that may carry higher risk.

Risk Modeling Serves to Classify Customers

Enter risk modeling – the use of software to help classify a financial institution’s customers into various categories of risk, from little to very high. It proves an invaluable tool in meeting Know Your Customer requirements. When conducting such modeling, it’s critical that the Know Your Customer data collected are available for use in any software that performs the modeling because the data help assign a risk rating to new customers. If that information isn’t readily available, financial institutions face the prospect of limited risk factors in their modeling.

Each risk class should carry a numeric range into which a customer falls based upon their risk-modeling score. And once a customer has been assigned a risk class, a tolerance is applied to the expected incoming-and-outgoing volumes for purposes of profile monitoring. This tolerance relates inversely to the risk class; the higher the risk, the lower the tolerance.

As for today’s regulators, they are demanding a process that is logical, analytical and defensible as they scrutinize Know Your Customer and Customer Identification Program issues. They want to see risk modeling demonstrated clearly and they want to understand the rationale behind how it was developed. Why? Because this helps show an understanding of a banking institution’s customers and the perceived risks associated with the different segments of the bank’s customer base.

And that’s where that revised Uncle Sam poster comes in.

Gary Bakker is vice president of Metavante Risk and Compliance Solutions in Milwaukee, Wis. He can be reached at (414) 357-9609. Christopher Price is a compliance consultant within Metavante Risk and Compliance Solutions in Iselin, N.J. and can be reached at (732) 318-3224.

This information is for general educational purposes only and is in no way intended to be a substitute for legal or compliance counsel. Please contact your own legal or compliance advisors regarding these matters.

