ID Verification, Money Laundering and Regulatory Compliance

The last decade brought about a tumultuous change in financial institution regulations. Many pre-2000 “suggestions” or “guidelines” became hard rules enforced by stiff fines. The new regulations were long overdue – the terrorist attacks of 2001, and the string of large corporate scandals a few years later proved once again we aren't in Kansas anymore – but they did significantly complicate compliance procedures. There is first an alphabet soup of overlapping legislation under the PATRIOT Act, Bank Secrecy Act, the Financial Anti-Terrorism Act, FINRA and “know your customer” requirements, Sarbanes Oxley and a fair amount of other stringent regulations. In short, financial institution executives are quite burdened familiarizing themselves with dozens of potentially applicable rules and regulations.

These rules, in various guises, have been adopted throughout Europe and the UK as well. The European Union in 2007 enacted the Third Money Laundering Directive, expanding the definition of “financial institutions” affected to include commercial lenders, brokers, and financial leasers, as well as strengthening the burden of customer due diligence on those institutions. In some areas those regulations go beyond even the American version, particularly in requiring firms to keep “up-to-date” customer identity documents to help prevent identity fraud (although the interpretations of “up-to-date” have remained somewhat vague).

Under the new terms, not just the large banks but any business extending credit can be considered a “financial institution”. So with the multitude of complementary - and sometimes contradictory - rules out there, what is a well-meaning business to do? The good news is, despite their sometimes overwhelming numbers, most of the rules still revolve around several central themes – the identification and verification of trusted customers. The first and best step is to establish a reliable means of ensuring the people opening accounts, establishing business relationships and conducting financial transactions are who they say they are. A corollary to that step is monitoring client accounts for suspicious activity and reporting it to the proper authorities. Banks are advised to take a “risk-based” approach, scrutinizing activities in certain geographical regions, accounts, or transactions more closely than others.

The government regulations on “suspicious activity” remain intentionally loosely defined, so as to empower the institutions, who are after all much closer to the action and much better able to separate out the routine from the possibly illegal. That said, it did establish and communicate some guidelines: in a 2001 article for the State Department journal Economic Perspectives, Anne T Vitale, a New York-based AML consultant noted which types of transactions to watch out for:

A bank should review any single transactions or series of transactions that exceed a money threshold set for its typical services.… Accounts that may have a high risk for suspicious transactions — such as accounts of non-bank financial institutions, offshore accounts, personal investment company accounts, correspondent accounts, accounts subject to subpoena or other legal process, accounts of politicians, accounts from high-risk jurisdictions lacking effective anti-money-laundering controls — should receive greater scrutiny.

This is the foundation of any good compliance program, and is actually quite easy to achieve. A properly implemented identity documentation authentication program – verifying the ID presented is in fact real – would really help in identity theft prevention and greatly cut down on money laundering and related illegal transactions, and keep the financial institution clear under the most intense scrutiny.

We will talk more in depth about money laundering and how to combat it, in all its unwholesome incarnations, in our next article.