Assessing Preventive Measures: The Example of Customer Due Diligence
FATF Recommendation 5 calls for financial institutions to undertake customer identification measures in a variety of circumstances: when establishing business relations, when carrying out certain occasional transactions, when there is a suspicion of money laundering or terrorist financing, and when the financial institution has doubts about previously obtained identification data.
Recommendation 5 also addresses the types of customer identification measures to be undertaken in various circumstances: using reliable, independent source documents, data, or information; identifying beneficial owners, including the owners and controllers of legal persons and arrangements; obtaining information on the purpose and intended nature of a business relationship; and monitoring transactions on an ongoing basis for consistency with the business relationship, including the source of funds. Recommendation 5 provides that the extent of customer identification measures may be adjusted on a risk-sensitive basis, depending on the type of customer, business relationship, or transaction, with enhanced due diligence required for higher risk transactions.
The corresponding criteria in the methodology state that financial institutions should be required to undertake customer identification in the various circumstances and should use the various measures called for in Recommendation 5. Assessors evaluate compliance at two levels. They confirm that financial institutions (or other covered parties) are subject to binding customer identification obligations—in the form of law, regulation, or other enforceable means—for each of the requirements identified in the methodology. In addition, they verify that supervisory arrangements are in place to monitor and enforce compliance with the formal customer identification requirements. This action requires the assessor to evaluate supervisory procedures for offsite monitoring and onsite examination of financial institutions’ customer identification policies and procedures. Typically, assessors also visit with financial institutions to verify that customer identification requirements are being followed and that supervisory oversight is effective.
Assessments undertaken during the 12-month pilot program identified a variety of banks’ weaknesses in compliance with FATF’s recommendations with respect to customer identification. In some cases, the obligation for banks to undertake customer identification was advisory rather than mandatory. In a number of cases, customer identification obligations were vague and did not address a number of issues covered in the recommendations. In several cases, supervisors did not have an effective program for monitoring and enforcing compliance with customer identification requirements. Failure to monitor compliance frequently occurred because of inadequate supervisor resources.