By: Chris Dempsey, Sr. Software Product Manager — KYC
The FFIEC manual references “business type” as a risk factor 342 times, almost as many mentions as correspondent banks. Recent events in the payments processing industry have highlighted the need for commercial banks and TPPPs to adopt business classification best practices. Specifically, banks and TPPPs need to do more to verify that their customers’ business models do not change over time.
Are High-Risk Customers Hiding in Your Portfolio?
Commercial banks face myriad risks stemming from the activities of their business customers, especially high-risk business types. Know Your Customer (KYC) and Know Your Customer’s Customer (KYCC) requirements place a heavy regulatory burden on commercial banks. Key to these requirements is understanding what business model their customers operate and what activities can be expected from that business. Complicating this, many high-risk business types that could not be banked by traditional banks have moved to TPPPs to avoid additional screening and higher fees. However, FinCEN has affirmed that TPPPs, TPSs and Money Services Businesses (MSBs) are also subject to KYC and KYCC rules, as noted in previous G2 Web Services blogs from 2016.
Relying entirely on paid list screening services from companies such as Dun & Bradstreet to classify legal entity business customers does not sufficiently cover a commercial bank’s KYC and KYCC requirements. These lists rely primarily on self-reported information originating from business registration documents, with minimal independent verification done. If the principal of a high-risk, fraudulent or malicious business wants to avoid higher fees and increased scrutiny, they won’t be honest when registering their business for the first time, or subsequently if they change business models.
As effectively demonstrated in a case study conducted by G2 Web Services earlier in 2016, significant risk stemming from misclassified and misrepresented legal entity business customers lies hidden within commercial banking portfolios, unbeknownst to compliance and risk professionals. Lack of information about customers that have materially changed the way in which they operate or the products and services they offer means banks are unaware of the actual risk profile of their portfolios. For example, analyzing the business classifications of major North American banks and TPPPs, G2 Web Services has uncovered gun dealers classified as “Hardware Stores”, escort services classified as “Caterers”, cryptocurrency dealers classified as “Other Business Services”, and cannabis distributors classified as “Miscellaneous Apparel”.
These and many other examples of misclassified businesses pose significant risk as well as lost revenue opportunities to the commercial banking industry. Banks that wish to continue relationships with legal, yet higher risk business types should designate additional business classification categories that specify the high-risk business activity. Additionally, these banks and TPPPs need to specify which activity they will not tolerate, whether outside of their risk profile or outright illegal activity.
The burgeoning marijuana industry in the United States serves as a prime example of how business models that do not easily lend themselves to traditional classification schemes need to be addressed. Not only do marijuana businesses vary widely in how they operate, but the business model may or may not be within the bank’s risk profile threshold. Without a baseline classification for the various operating models of these businesses, banks and their high-risk customers alike have a limited ability to determine when the business activity violates the bank’s risk threshold. Readers may find additional guidance on BSA/AML compliance for the marijuana industry by clicking here.
In the second part of this blog, readers will find an outline of the best practices G2 Web Services recommends to ensure their financial institutions have a robust business classification program in place.