The Pandora Papers provide a stark reminder of the importance of having a robust risk assessment process in place for due diligence and source of wealth checks.
The Pandora Papers released by the International Consortium of Investigative Journalists (ICIJ) just weeks ago has put the magnifying glass back on financial crime, highlighting the many cracks in the system. These millions of leaked documents have uncovered the financial secrets of 956 companies in offshore tax havens, 35 current and former world leaders, more than 330 politicians and public officials in 91 countries and territories, and a global lineup of fugitives, con artists and known criminals.
The fallout has been wide-ranging. In the US, lawmakers are proposing legislation that would impose new due diligence requirements on trust companies, lawyers and other gatekeeper professions who facilitate the flow of foreign assets into the country. In the EU, legislative proposals to tackle tax avoidance and tax evasion are being prepared.
In the UK, the government faces calls to crack down on dirty money, including in its offshore financial centres such as the British Virgin Islands and the Cayman Islands. Meanwhile, authorities in up to a dozen countries, including Australia and Malaysia, have launched investigations into the financial activities of some of the high-profile individuals named in the Pandora Papers.
While the mere act of holding funds offshore is not in and of itself illegal, the Pandora Papers, like similar document leaks before them, provide a stark reminder for FIs – who often bear the brunt of weighty regulatory fines – of the importance of having a robust risk assessment process in place for due diligence and source of wealth (SoW) checks, and the need to ensure that the process is followed as part of normal business operations.
Trust but verify
Identifying a client’s SoW has long been a challenge for financial institutions. While there are clear regulatory expectations for banks to perform SoW checks, there is often insufficient guidance on process and difficulties obtaining the relevant data due to a lack of transparency on asset ownership and privacy-related restrictions.
There is no one-size-fits-all approach, i.e. the due diligence conducted to determine a client’s SoW is different depending on the client’s circumstances, the information already made available to the bank, and the bank’s assessment of the business versus the risk proposition. There is no one correct process a bank should have in place for conducting SoW checks.
“The level of due diligence for SoW checks often depends on the life cycle of the client,” says Beth Epstein, Director of Due Diligence Proposition at Refinitiv. “The majority of it is front-loaded, i.e. when you are onboarding the customer. At that point in time, the challenges are different than they are later on in the client’s lifecycle. But ultimately, you have to judge whether the information from the client is plausible and credible based on the bank’s risk tolerance.”
According to Epstein, there are often clear indicators that would trigger a deeper due diligence process to corroborate SoW information obtained from a client. These include whether the client is from a high-risk country, whether they are politically exposed persons (PEPs), and even whether they use cash transactions excessively, among other risk indicators.
Epstein advocates a “trust but verify” mindset. Investigations should not start out with the assumption that there is something wrong, she says. Rather, banks should be looking at the information they have in hand with “an open mind” and work to “put the pieces together” using a range of different information sources, such as intelligence from Refinitiv KYC Due Diligence Reports, to understand whether there is cause for concern.
Experience into process
According to Dilip Varma, APAC Regional Head of MUFG’s AML/CDD Advisory & KYC Programme, banks can sometimes go wrong by not continuing with the same level of due diligence scrutiny even as the customer lifecycle and relationship with the institution progresses. “This is where more focus needs to be spent. Banks need to continually assess whether the client’s situation and the purpose of the account or relationship setup during onboarding continues to remain true.”
Experience and judgment are crucial to determining whether the information the bank has at hand makes sense, Varma says. “At a very high level, when we’re conducting KYC, due diligence, and corroborating the SoW, you always have to take the information presented by the client with a pinch of salt and apply your ability to objectively assess how it reflects real world circumstances.”
For Epstein, experience also factors into whether AML professionals understand how to use the information on hand, what additional information is needed and whether it is available, when and how to use information gathered from media and public domain searches, and whether to source commentary from people in the same industry as the client, their former employers, colleagues, and even alumni groups.
“A lot of it is about assessing credibility. It requires experience and knowledge to assess whether or not the information that’s been provided to you … makes sense, even for information that is directly provided by the customer,” she says. “From a country perspective, being able to understand the information that’s presented and ask the right questions can often require direct knowledge of not only languages but particularly country knowledge.”
But, as Epstein highlights, it’s not a “one and done process”. Technology plays a crucial role, especially in monitoring a client after onboarding, she says. “As the relationship evolves, the circumstances of the individual and the enterprises they’re associated with changes, as do the sources from which they derive their wealth and factors such as whether they have any political status.”
Given that AML staff may not always have the requisite experience, Epstein emphasises the need to “build experience into the process” by ensuring that regulations and historical lessons have been incorporated into checklists, reminders, sets of questions and other protocols. “By building some of the experience into the process, you don’t have to have people necessarily start from scratch, and your process gets better over time.”
Historically, the most frequently cited challenges in conducting SoW checks have been related to privacy restrictions, verification of property and land ownership, and transparency of beneficial ownership behind shell companies and complex corporate structures. Each of these areas is often credited with creating roadblocks to effective due diligence and SoW corroboration.
Varma prefers not to call privacy an “impediment” in the due diligence process. While it does have an impact, he says it is more about explaining to the customer what information is required for the bank to provide a specific service or product, why it is required, and the protections in place to safeguard the client’s information.
“So long as these feel-good factors are clearly explained to the customer, and the rationale presented, more customers are open to sharing the level of information that the banks need to meet this due diligence requirement on SoW,” he says. “My view is you should take a balanced view and not jump to the conclusion that privacy is a roadblock.”
Privacy regimes present challenges to independent verification of SoW, but Varma says there are also ways to manage this. “This is where the risk-reward ratio comes into play. Suppose the customer is really very important for the business to onboard. In that case, the answer is to then go beyond what is available in the public domain and utilise other methods, which are already well adopted across the financial industry.”
Varma refers to the practice of utilising third party providers for assessments on prospective clients to facilitate a risk-based decision on the part of the bank. While these methods are not always cost-effective, they do exist and ultimately force the bank to ask itself whether it is willing to invest in the client in order to make an informed decision and obtain assurance that the bank is protected from potential risks and reputational concerns.
On the issue of property and land ownership, Varma says access to information for SoW purposes depends on individual countries and the various stages of technology adoption they are in. Singapore, for example, has embraced technology, and as a result, ownership is well documented, and this information is properly maintained, reliable, and easy to access.
In countries where technology adoption is not that high, information may be available, but at slower speeds, which can often hinder the client onboarding process. “In such cases, this would depend on how quickly banks want this information, and how persistent they are in obtaining the information to be able to make a decision, not to mention whether the information is reliable,” Varma says.
As bad actors use more innovative ways to hide their true identities, including through the use of shell companies and complex ownership structures, regulators and international bodies such as the Financial Action Task Force (FATF) have made clear that effective due diligence requires banks to identify individual beneficiaries of legal persons.
Varma says that banks should clearly identify economic beneficial ownership in all situations, and distinguish between individual and corporate beneficial owners. “This is something which is eventually going to catch up with everyone. Slowly but surely, this particular requirement … will certainly make its way to KYC files going forward.”
According to Epstein, shell companies and complex ownership structures should immediately raise questions from a risk management perspective. Banks should ask why such complexity exists and whether the corporate structure makes sense for the business’s particular industry and location.
She says that unravelling economic beneficial ownership of complex corporate structures requires more time, experience, information, data sources, source commentary, and certainly more cost. “Is the time and effort it’s going to take to unravel that worth the benefit? Or do you already have enough indicators as a financial institution to say this is already too risky for us?”
Checks and balances
Varma says banks need to ensure adequate checks and balances are in place at every level. Within the first line of defence, this involves KYC teams and quality control (QC) and quality assurance (QA) processes. In the second line, compliance testing processes ensure that the required policies and procedures have been followed.
Finally, the most important check, which Varma says gives “authenticity” to the whole process, is done by internal audit teams, which provide an unbiased view on the actual processes, and how far they may be from what is required. This model ensures that there is always a sufficient level of control to identify whether processes have been followed, he says.
In terms of the actual process, Varma says banks should remain relevant at all times. “You have to be continuously evolving; your processes should be adaptable and allow for creativity. This enables your people to then continually enhance the process.”
Listen to this webinar on-demand to hear more from Refinitiv’s Beth Epstein and MUFG’s Dilip Varma about SoW checks.