
When de-risking is appropriate for compliance

The concept of de-risking has become increasingly in vogue in the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) field. The idea behind de-risking is making a decision that specific customers of your financial institution present a risk of violating BSA/AML standards that is beyond the risk appetite of your institution. In other words, there are certain customers that simply do not appear to be conducting legitimate business.

In the past, financial institutions made a habit of filing repeated Suspicious Activity Reports (SARs) and monitoring more closely. The regulatory focus on high-risk customers has changed and the current guidance directs financial institutions to do more. As anyone associated with the BSA process at a financial institution will tell you, the decision to de-risk can be a difficult one. High-risk customers often represent a good source of fee income and the decision to close the account can have financial consequences. To paraphrase a Kenny Rogers song, you have to know when to hold ’em and when to fold ’em.

Regulatory Expectations

At the end of the day, whether or not a customer should be de-risked is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. As a best practice, it is a bad idea to continue the relationship if there aren’t several members of your institution’s staff that fully understand the business model of a client. Regulators expect that financial institutions have the ability to know the source of funds, the customer base and the typical transaction flow of the peers of your customer.

For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted. Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely that unusual activity can be determined.

This includes your whole process for filing SARs. According to the FFIEC BSA examination manual, the process should include five parts: identification of unusual activity, managing alerts, SAR decision-making, SAR completion and monitoring on continuing activity. Once a SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing. At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story.” Was the activity repeated, or was it just a bump in the road?

So, you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains: just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.

Additionally, the institution must have the means to monitor activity in a transparent manner. Through a combination of online searches, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity. In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most cases, there is a completely acceptable explanation. Most customers will have no trouble providing documentation to support their activities. Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or new client.

Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to keep the customer as a client is one that your institution must be able to live with and defend through documentation.

Defensive SARs

In many cases, banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively.” The idea here is that if we can’t tell whether or not the activity is unusual or simply don’t have the time to do the necessary research to make a determination, filing a SAR can be a temporary fix. However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If you can’t properly monitor or research the client, you should consider them a candidate for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.  

If the customer activity may be considered suspicious or unusual on an ongoing basis, there are really only two clear choices. The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary. The concept of suspicious activity is one of context. That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe? It does indeed if you find out that the shop is sourcing a rare flower from Europe to deliver to customers in its area. Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.

The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operating. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.


Mr. DeFrantz is a principal at Hayward, Calif.-based Virtual Compliance Management.