Skip to main content Skip to navigation

The State of Financial Crime 2024: Download our latest research

The Compliance Team’s Guide to Customer Onboarding - Part 1

AML Compliance Reports
Array ( [0] => Array ( [toc_item_title] => Introduction: Compliance’s critical role [toc_item_description] => [toc_item_link] => introduction ) [1] => Array ( [toc_item_title] => How to prioritize risk [toc_item_description] => [toc_item_link] => prioritization ) [2] => Array ( [toc_item_title] => Types of risk [toc_item_description] => [toc_item_link] => risk_types ) )
Reading:

The Compliance Team’s Guide to Customer Onboarding – Part 1


Customer onboarding is where the rubber hits the road for compliance teams.

Where the theory of anti-money laundering and counter-terrorist financing meets the commercial reality of the business.

In this 5-part training series, we’ll outline the kinds of issues you’ll face, how to manage them and how to effectively manage your own role in this critical process.

At the end of the series, you’ll find a final quiz to test your knowledge. Complete the questions successfully and you’ll receive a certificate you can share with your LinkedIn network!

Let’s dive in.

Compliance’s critical role in customer onboarding

As a process, customer onboarding has a unique impact on the long-term health of a business.

Not only does it have a direct impact on customer retention and churn. It also determines precisely how much risk the business takes on and how well it’s set up to deal with that risk.

This is the critical role compliance teams play.

To effectively manage all this risk in a way that accounts for the day-to-day commercial realities of the business.

It’s an intensely complex challenge, and the demands are only growing.

For instance, in recent years, many believe that businesses should be positively vetting new clients for money laundering, terrorist financing, sanctions evasion, corruption (and a whole host of other activities) before any services are proffered.

The fear, of course, is that organizations may be exploited by criminal or terrorist elements to disguise the origin of illicitly derived funds or to transfer funds for terrorist activities.

The result is such detailed regulatory prescriptions that businesses are obliged to spend billions of dollars developing and implementing anti-money laundering and counter-terrorist financing processes.

Especially at the onboarding phase.

Where did this focus on risk come from?

Over the last few decades, national financial systems have integrated into an increasingly connected and mutually dependent global network.

But the integrity of this broader system is still ultimately impacted by its weakest link. Illegal funds can and still do get placed, layered, and integrated into our financial system.

In terms of regulations, a lot of the sensitivity to terrorist financing and the emphasis on plugging defensive gaps within nations and institutions can be traced back to the surge of international terrorist activity during the 1990s and 2000s.

Since then, several national and international organizations have identified methodologies of criminal and terrorist financing and productive steps to counter them.

The Financial Action Task Force in particular, has played a key role in developing anti-money laundering and counter-terrorist financing policies and procedures for institutions to adopt, including at the client and matter onboarding phase.

These recommendations have even been further developed and given more local focus by national authorities who implemented them at the national and regional level where, naturally, onboarding realities are markedly different.

Your judgment is necessary.

There is primary and secondary legislation in various jurisdictions aimed at setting out requirements for institutions. The goal is to check that proposed and continuing clients, their transactions, and their funds are free from criminality and terrorism.

The thing is, in the anti-money laundering and counter-terrorist financing space, some of these requirements are more effective than others.

Some lack clarity and commercial realism. Some are clearly contradictory.

They all require the investment of a significant amount of money, time, and skill. And they’re constantly changing.

The core of compliance’s role in onboarding

  1. Make sure no work begins for a client until the business is confident of their identity as well as the nature and purpose of their proposed transaction.
  2. If there are suspicions about the identity of the client or the provenance and legitimacy of related funds, then efforts should be undertaken both with the client and independently of them to resolve the case expeditiously.
  3. If the issue can’t be resolved, work for the client (or in respect of a particular matter) should not be undertaken.
  4. If for any reason work has begun for the client or on a matter, then it should stop.
  5. These concerns about the client and/or matter should be escalated within the business to those ultimately responsible for onboarding, as well as those who decide which suspicions need to be escalated to relevant authorities.

Implementing this process is never easy.

Inevitably tensions arise between the transaction teams securing the business and managing client relationships on the front line and the people ensuring that onboarding and ongoing monitoring requirements are fulfilled.

Tensions also arise between the business and clients. Clients become frustrated with the time and energy required to satisfy the anti-money laundering and counter-terrorist financing demands coming from the compliance function.

And the severity of the onboarding experience may even ultimately deter some clients from engaging with your business.

This kind of complexity is why businesses need sufficiently complex policies, controls, and procedures (PCPs) to govern the intake of new clients.

If you get it wrong, you risk penalties, financial loss, and a massive hit to your reputation.

But if you make your PCPs too severe, you might limit the growth of the business.

This is the fine line the compliance team must toe.

15 common policies, controls, and procedures (PCPs)

Your PCPs will vary depending on the nature of your business, jurisdiction, and the specific risk assessment of money laundering and terrorist finance threats you face.

But they’ll likely include:

  1. PCPs identifying the ownership and control structures of both natural and non-natural persons (individuals, companies, trusts, foundations, etc.). You also need to differentiate between regulated and non-regulated entities so you can determine how much due diligence is needed.
  2. PCPs for the identification and verification of natural persons including PCPs in respect of ultimate beneficial owners (UBOs) of non-natural clients and those acting on behalf of clients. Many jurisdictions now require tracing ownership structures back to the ultimate natural, beneficial owner.
  3. PCPs to determine the client’s general source of wealth and also their specific source of funds (SOW/SOF) for the particular transaction. The key point here is whether the wealth of the onboarding individual or entity is coterminous with the proposed transaction and where the funds for the proposed transaction come from. You’ll also need relevant PCPs setting out the level and type of evidence required for determining SOW/SOF as determined by the risk profile of the client and/or the risk profile of the matter.
  4. PCPs for enhanced due diligence measures (EDD) where the clients are politically exposed persons (PEPs), or otherwise present increased risk, high-risk jurisdictions, or any other transactional considerations giving rise to a greater threat of money laundering or terrorist financing. These circumstances will vary between jurisdictions and businesses and will, to a certain extent, be a function of subjective judgments. These PCPs will also need to set out what quantitative and qualitative upgrades in the due diligence process will be needed for these clients (for instance, what additional evidence is needed?).
  5. PCPs for simplified due diligence (SDD) so as to speed up the onboarding process and lower evidentiary requirements. You’ll need to be very clear about which circumstances you can rely on these simplified procedures for.
  6. PCPs for standardized due diligence that will cover most of the business’s clientele and matters and will reflect the bulk of the onboarding team’s activities. This categorization between various levels of due diligence is critical.
  7. PCPs for the timing of due diligence processes and when they may need to be refreshed. At the immediate onboarding stage, this is about when services or products can begin to be provided to the client. As a general rule, no work should begin before onboarding has been properly completed. Inevitably, there will be circumstances where this will not be possible. For these cases, you’ll need written procedures and records of relevant decisions.
  8. PCPs for when you can rely on the due diligence of third parties and in what circumstances you would be prepared to provide onboarding due diligence to others.
  9. PCPs for the ongoing monitoring of previously onboarded clients. These processes will outline when monitoring will need to continue and what evidentiary material will be required. Factors that were apparent at the time of onboarding may change over time and these will need to be integrated into any decision as to whether to continue business as is or change the terms of the relationship.
  10. PCPs dealing with the receipt and return of unsolicited funds. You need to carefully set out and record the circumstances in which funds need to be returned as well as the reporting requirements for these financial flows.
  11. PCPs to appoint relevant personnel including a money laundering officer. Ultimately, responsibility for the PCPs has to lie with certain individuals and this responsibility will need to be clearly defined.
  12. PCPs for record-keeping throughout the onboarding process. Both PCPs and decisions made in relation to anti-money laundering and counter-terrorist financing need to be recorded so that external authorities can properly review and analyze the decision-making process.
  13. PCPs for training staff for the onboarding process. It’s never enough to document PCPs, you need effective training that motivates the right engagement from both those on the compliance team and those in the wider business.
  14. PCPs to independently audit the onboarding function. This is about both conducting an objective assessment of your efforts and ensuring that any recommendations from the audit are duly acted upon.
  15. PCPs for the reporting of any suspicious activities revealed during the onboarding process to the relevant authorities. You need clear lines of reporting both internally and externally. And depending on the jurisdiction, external escalations to relevant authorities may consist of requests to proceed with the onboarding process or just notifications.

Ready to test your knowledge?

Click the link below to answer the quiz question related to Part One of The Compliance Team’s Guide to Customer Onboarding.

Take me to the quiz

How to prioritize risk

Given how many different kinds of risk you’re dealing with, not to mention the complexity of all the regulations you’re seeking compliance with, it helps to formulate a risk-based approach (RBA) to anti-money laundering (AML) and counter-terrorist financing (CTF).

The idea is to identify the highest compliance risks the business faces so you can make them the focus and priority for all your AML and CTF controls, policies, and procedures.

Once these priority threats are contained or reduced to tolerable levels, the business can move on to identifying and dealing with lower-level risks. This identification and prioritization of the most critical risks to the business is the main role and core objective of the RBA.

In the regulatory context, risk is often viewed as a combination of two factors: the likelihood of non-compliance and the ultimate impact of such non-compliance.

  1. How likely is it that a specific regulatory requirement is breached?
  2. And if that requirement is indeed breached, what are the consequences for the business?

This is why the RBA is distinct from a check-box, comprehensive approach, which treats all threats, no matter their likelihood, with similar urgency and importance.

In practice, it’s just too inefficient and expensive to tackle risk this way. And even if you do, you may still fall victim to a low-probability but a highly-damaging criminal act.

The RBA instead acts to maximize efficiencies through the allocation of resources to sectors of greatest risk.

You improve compliance by focusing on those issues that pose the greatest compliance risk.

And you lower the overall cost of compliance by reducing the need for intervention where the risks posed are less severe.

Now let’s look at some of the better practices of the RBA and some of the pitfalls to avoid when implementing it for your customer onboarding process.

Implementing a risk-based approach (RBA)

To make your onboarding process as effective, efficient, and client-friendly as possible, you need to focus your due diligence efforts on those areas at greatest risk of being exploited for money laundering and terrorist financing.

That means focusing more heavily on some clients and transactions than others.

The goal of an RBA is to deploy systems and risk management protocols that are flexible enough to devise an effective, proportionate response to different levels of risk.

The higher the money laundering and terrorist financing threat, the more you need to enhance the due diligence in your onboarding process.

Without a system capable of detecting and responding to the highest-priority risks, your team would be overwhelmed by the sheer volume of due diligence demands during onboarding.

A risk-based approach is about increasing the chances of prevention or, at the very least, mitigation of your biggest risks by targeting your team’s efforts at your biggest threats.

The importance of risk assessments

Money laundering and terrorist financing are incredibly dynamic threats. Businesses can’t afford to just check boxes on a pre-determined list of potential issues.

Instead, you need to engage in a demanding and complex risk assessment.

That means that prior to any onboarding, the business needs to perform an initial business-wide risk analysis.

The goal is to determine the biggest money laundering and terrorist financing threats to the business and, therefore, which clients and transactions require the most attention.

Then, based on these requirements, you can determine the appropriate and proportionate processes for various tiers of clients and transactions.

This initial analysis will need to be updated and refined constantly as new money laundering and terrorist financing threats to the business emerge and demand new responses.

Crucially, the business-wide RBA and all its iterations need to be reviewed and approved by senior management.

And eventually, the initial business-wide risk assessment will need to be integrated with client- and transaction-specific risk assessments which would take place at the time of actual onboarding.

Identifying levels of risk

At the time of onboarding, you need to figure out what level of risk any given client or transaction presents.

As part of your RBA, you can employ a risk-scoring approach to identify four levels of risk that directly impact the decision of whether to accept the new client or new matter and what level of due diligence to apply.

The borders between these levels will naturally vary depending on your business’ risk appetite, products, types of clients, and geographies.

But once the risks have been assessed, they’ll need to be mitigated by the business’s AML and CTF control systems.

And these protocols will need to be applied with varying degrees of frequency, intensity, and amount — depending upon the level of risk. In some cases, you’ll need to report breaches to authorities. In others, you’ll simply need more information.

This is where your judgment comes in.

There are no internationally recognized methodologies prescribing how to implement the risk assessment.

You need to identify, assess and comprehend the money laundering and terrorist finance risks to which your business is uniquely exposed. And you need to adopt countermeasures that are commensurate to those risks so they’re properly mitigated.

Common questions about a risk-based approach (RBA)

Should my RBA be an obstacle to doing business?

No, implementing your RBA shouldn’t be geared towards prohibiting transactions or clients for the sake of it. On the contrary, your RBA should be geared towards mitigating your most critical risks so most of your activity can proceed.

Should I be aiming for a 100% success rate?

You can’t guarantee that criminals and terrorists won’t ever succeed. An RBA is about being prepared for their best attempts and ensuring you can demonstrate your best efforts to the relevant authorities.

Is the RBA adequate for the threat of terrorist financing?

Terrorist funds may derive from legal activities which makes it inherently difficult to distinguish terrorist funds from legitimate funds. But the RBA may play a residual role in identifying terrorist funds that derive from criminal money laundering.

What does it take to successfully implement the RBA?

You need in-house, skilled and reliable expertise backed up by sophisticated onboarding technology to properly implement the ultimately subjective judgments that make up an RBA. The more complex the business’s operations, the more important this subjectivity is.

Should the RBA be defined in concert with authorities?

Businesses should not be alone in crafting their onboarding processes and structures. International organizations such as the Financial Action Task Force (FATF), the International Money Fund (IMF), the United Nations Office on Drugs and Crime (UNODC) as well as local and regional supervisory authorities and trade organizations provide important guidance on setting up and maintaining an RBA as it relates to client onboarding.

Should the RBA be changing constantly?

Your risk assessment needs to be a dynamic one that evolves as the nature of the threat changes and evolves.
It is possible that after the client has been onboarded, the threat alters, and the risk rating of that client may need to be raised or, in some circumstances, lowered.

New money laundering and terrorist financing techniques may present themselves; the business may become active in new markets or be involved in marketing new products; and international and national AML/CTF and sanctions regimes are constantly changing, as are, of course, domestic laws and guidelines and industry standards.

You’ll need to adapt and adjust your onboarding focus and update the business-wide RBA. Indeed, in some jurisdictions, you’ll be mandated by law to do so.

Is it important to document the RBA?

It’s critical to commit your approach to writing. In addition to periodic reviews of the RBA, you should also document any changes that have been made to that system and the reasons for those alterations.

You’ll also need records of how the RBA is applied in the onboarding processes. At the very least, these records will demonstrate the business’s AML and CTF controls should they ever be audited by external authorities.

When is the RBA non-applicable?
In some jurisdictions, legislation establishes that it is not permissible to engage in certain activities without consent and that it is required to make such reports if suspicions emerge.
Similarly, in certain sanctions regimes, the legal requirements are absolute and so a risk-based approach wouldn’t suffice.

Ready to test your knowledge?

Click the link below to answer the quiz question related to Part One of The Compliance Team’s Guide to Customer Onboarding.

Take me to the quiz

Types of risk

In addition to your firm-wide risk assessment, you’ll also need a risk assessment at the level of actual client and matter onboarding.

These two levels of risk assessment are tightly linked.

The former determines the general predisposition of the business to money laundering and terrorist financing threats.

The latter provides a method by which the business engages with real clients and matters.

The goal is to be able to view your RBA in the context of your organization’s actual transactional activities and not according to some theoretical standard.

In this section, we’ll break down three kinds of risk that you’ll encounter.

1. Client risk

You’ll need to determine whether any given client represents a high-risk money laundering or terrorist financing threat and whether there are mitigating factors to account for.

There are no definitive categorizations of high-risk or low-risk clients.

But the following types of clients will likely require enhanced due diligence at the onboarding stage:

  • Clients with a history of money laundering or other criminal activity
  • Politically exposed persons (PEPs)
  • Clients involved in cash and cash-equivalent businesses, such as money transfer agents, bureaux de change, casinos, and other businesses involved in gambling activity
  • Virtual currency exchanges
  • Banks and other financial institutions located in offshore banking havens
  • Unregulated charities and those acting across borders
  • Import and export companies
  • Travel agents
  • Dealers in high-value items, such as art, precious metals, yachts, and aircraft, as well as property brokers, antique dealers, and auctioneers
  • Accounts set up for professional gatekeepers, such as accountants and lawyers, where the underlying client is not revealed
  • Armament dealers and related intermediaries
  • Public work contractors and construction businesses
  • High-value goods businesses
  • Businesses in the tobacco, nuclear, and mining industries

Just because a prospective client that needs to be onboarded fits into one of these categories does not mean that enhanced due diligence will be required, let alone that the transaction be prohibited.

You’ll need to apply various risk factors to these clients in order to reach the ultimate category risk score. And indeed, launderers and terrorist financiers may not fall within the parameters of this kind of list.

So it’s vital that your analysts have the software they need to rapidly access the necessary details for them to make an informed judgment.

For instance, here are some risk variables that would influence their judgment:

  • The duration of the relationship between the business and the client
    When you’ve worked with clients for a long time, and regularly, there should be less money laundering and terrorist financing risk because you know them better. That said, businesses with high turnover may be subject to greater risk as turnover may impact the quality of your due diligence.
  • The timing of the legal infringement
    Just because a client has previously committed a crime does not mean they can never transact again. Not all legal travesties are equal, and their criminal activity may have occurred many years ago. Provided the issue has been resolved by the authorities, past mistakes should not mean permanent exclusion from the financial system or the institution’s services.
  • The client’s role (if determined to be a PEP)
    Whether PEP status increases risk depends upon the actual role in question and any attendant negative media. There are many hundred thousands of PEPs so you’ll need to clarify their precise role and political status.
  • The level of oversight or regulation to which the client is subject
    If the client is subject to a competent, recognized regulatory regime, then you can trust previous due diligence activities. For instance, publicly-listed companies and businesses in regulated industries have often been rigorously supervised before.
  • The size of the proposed transaction
    Large transactions might raise a client’s risk profile. For instance, imagine a client spending a larger amount than they typically do. Conversely, small amounts of funds may act to lower the risk as the danger of money laundering will appear reduced. This may, however, not be the case for the threat of terrorist financing, where small amounts of funding sometimes mask the true scale of the threat.

2. Geographic risk

At the point of onboarding, there are a lot of factors you need to consider from a jurisdictional point of view.

The location of the client, their citizenship, the locus of the transaction or the jurisdiction of where the majority of the business is conducted, and even the jurisdiction from which funds are to be received.

Some authorities have lax AML and CTF systems but others don’t. So you’ll need to be on guard against clients and transactions that represent certain risks.

Once again, there is no globally accepted approach where specific jurisdictions can be determined to be high risk.

There are, however, various publicly available lists of problematic jurisdictions that point to issues in AML and CTF systems. These jurisdictions include:

To put it broadly, onboarding teams should be concerned where jurisdictions are known to have high levels of crime or corruption, high degrees of drug trafficking, deficient AML legislation, and practices, allow for nominee shareholders, or are considered to be tax havens or offshore financial centers.

When your clients cover several jurisdictions all at once, you may need enhanced due diligence to make sure money launderers and terrorist financiers aren’t trying to exploit gaps in cross-border AML and CTF defenses.

This is an overwhelming amount of data.

Manually keeping track of all these lists and their constant daily changes is hugely inefficient if not practically impossible.

So it’s important you use software capable of monitoring these lists and flagging any relevant adverse media that could help your analysts make better decisions.

Again, your judgment here is key.

Just because a client is found to be related to a jurisdiction appearing in one or more of these lists does not mean you need to elevate due diligence or refuse to work with them.

If, as a result of its past activities, the business has developed knowledge and expertise of a particular jurisdiction, including its laws and regulations, this could enhance the business’s assessment of the client and ameliorate the onboarding risk.

3. Product and Services Risk

You’ll also need to apply risk scores to each of your products and services so you can determine how each is vulnerable to money laundering and terrorist financing.

No two products are the same, and no two businesses will necessarily apply similar risk scores to them.

But there are some general principles that can help you determine how to approach this.

  • Does this product or service permit the client to hide their identity from you or even operate anonymously?
  • Does it allow the client to act autonomously, relatively independent of oversight?
  • Is it a significantly complicated product or service?
  • Can the client use this product for payments to or from unrelated third parties who haven’t been subject to your due diligence?

More specifically, high-risk services or products typically include:

        • Private banking services
        • Correspondent banking services
        • Services involving precious metal trading
        • The establishment of payable through accounts
        • Foreign exchange transactions
        • Providing money orders or traveler’s checks
        • Loan guarantee schemes
        • Supporting offshore transactions
        • Sale and purchase of real property
        • Management of companies and trusts
        • Cash management functions
        • Trade-based and trade finance arrangements
        • Acquisitions of businesses in liquidation
        • Wire transfer functions
        • Providing official bank checks




      Read Part 2: Understanding due diligence

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).