Bank Secrecy Act
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with private banking activities, and management’s ability to implement effective due diligence, monitoring, and reporting systems. This section expands the core review of the statutory and regulatory requirements of private banking in order to provide a broader assessment of the AML risks associated with this activity.
Private banking activities are generally defined as providing personalized services to higher net worth customers (e.g., estate planning, financial advice, lending, investment management, bill paying, mail forwarding, and maintenance of a residence). Private banking has become an increasingly important business line for large and diverse banking organizations and a source of enhanced fee income.
U.S. banks may manage private banking relationships for both domestic and international customers. Typically, thresholds of private banking service are based on the amount of assets under management and on the need for specific products or services (e.g., real estate management, closely held company oversight, money management). The fees charged are ordinarily based on asset thresholds and the use of specific products and services.
Private banking arrangements are typically structured to have a central point of contact (i.e., relationship manager) that acts as a liaison between the client and the bank and facilitates the client’s use of the bank’s financial services and products. Appendix N ("Private Banking — Common Structure") provides an example of a typical private banking structure and illustrates the relationship between the client and the relationship manager. Typical products and services offered in a private banking relationship include:
- Cash management (e.g., checking accounts, overdraft privileges, cash sweeps, and bill-paying services).
- Funds transfers.
- Asset management (e.g., trust, investment advisory, investment management, and custodial and brokerage services). [Footnote 246: For additional guidance, refer to the expanded overview and examination procedures, "Trust and Asset Management Services," pages 280 and 284, respectively.]
- The facilitation of shell companies and offshore entities (e.g., Private Investment Companies (PIC), international business corporations (IBC), and trusts). [Footnote 247: For additional guidance, refer to the expanded overview and examination procedures, "Business Entities (Domestic and Foreign)," pages 314 and 320, respectively.]
- Lending services (e.g., mortgage loans, credit cards, personal loans, and letters of credit).
- Financial planning services including tax and estate planning.
- Custody services.
- Other services as requested (e.g., mail services).
Privacy and confidentiality are important elements of private banking relationships. Although customers may choose private banking services simply to manage their assets, they may also seek a confidential, safe, and legal haven for their capital. When acting as a fiduciary, banks have statutory, contractual, and ethical obligations to uphold.
Private banking services can be vulnerable to money laundering schemes, and past money laundering prosecutions have demonstrated that vulnerability. The 1999 Permanent Subcommittee on Investigations’ Report "Private Banking and Money Laundering: A Case Study of Opportunities and Vulnerabilities" [Footnote 248: Refer to U.S. Senate, Committee on Governmental Affairs, Private Banking and Money Laundering: A Case Study of Opportunities and Vulnerabilities (frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=106_senate_hearings&docid=f:61699.pdf).] outlined, in part, the following vulnerabilities to money laundering:
- Private bankers as client advocates.
- Powerful clients including politically exposed persons (PEPs), industrialists, and entertainers.
- Culture of confidentiality and the use of secrecy jurisdictions or shell companies. [Footnote 249: Refer to the expanded overview section, "Business Entities (Domestic and Foreign)," page 314, for additional guidance.]
- Private banking culture of lax internal controls.
- Competitive nature of the business.
- Significant profit potential for the bank.
Effective policies, procedures, and processes can help protect banks from becoming conduits for or victims of money laundering, terrorist financing, and other financial crimes that are perpetrated through private banking relationships. Additional information relating to risk assessments and due diligence is contained in the core overview section, "Private Banking Due Diligence Program (Non-U.S. Persons)," page 125. Ultimately, illicit activities through the private banking unit could result in significant financial costs and reputational risk to the bank. Financial impacts could include regulatory sanctions and fines, litigation expenses, the loss of business, reduced liquidity, asset seizures and freezes, loan losses, and remediation expenses.
Customer Risk Assessment
Banks should assess the risks their private banking activities pose on the basis of the scope of operations and the complexity of the bank’s customer relationships. Management should establish a risk profile for each customer to be used in prioritizing oversight resources and for ongoing monitoring of relationship activities. The following factors should be considered when identifying risk characteristics of private banking customers:
- Nature of the customer’s wealth and the customer’s business. The source of the customer’s wealth, the nature of the customer’s business, and the extent to which the customer’s business history presents an increased risk for money laundering and terrorist financing. This factor should be considered for private banking accounts opened for PEPs. [Footnote 250: Refer to the core overview section, "Private Banking Due Diligence Program (Non-U.S. Persons)," page 125, and to the expanded overview section, "Politically Exposed Persons," page 290, for additional guidance.]
- Purpose and anticipated activity. The size, purpose, types of accounts, products, and services involved in the relationship, and the anticipated activity of the account.
- Relationship. The nature and duration of the bank’s relationship (including relationships with affiliates) with the private banking customer.
- Customer’s corporate structure. Type of corporate structure (e.g., IBCs, shell companies (domestic or foreign), or PICs).
- Geographic location and jurisdiction. The geographic location of the private banking customer’s domicile and business (domestic or foreign). The review should consider the extent to which the relevant jurisdiction is internationally recognized as presenting a greater risk for money laundering or, conversely, is considered to have robust AML standards.
- Public information. Information known or reasonably available to the bank about the private banking customer. The scope and depth of this review should depend on the nature of this relationship and the risks involved.
Customer Due Diligence
CDD is essential when establishing any customer relationship and it is critical for private banking clients. [Footnote 251: Due diligence policies, procedures, and processes are required for private banking accounts for non-U.S. persons by section 312 of the USA PATRIOT Act. Refer to the core overview section, "Private Banking Due Diligence Program (Non-U.S. Persons)," page 125, for additional guidance.] Banks should take reasonable steps to establish the identity of their private banking clients and, as appropriate, the beneficial owners of accounts. [Footnote 252: Guidance on Obtaining and Retaining Beneficial Ownership Information, was issued by FinCEN, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission, in consultation with the U.S. Commodity Futures Trading Commission, in May 2010. The guidance consolidates existing regulatory expectations for obtaining beneficial ownership information for certain accounts and customer relationships.] Adequate due diligence should vary based on the risk factors identified previously. Policies, procedures, and processes should define acceptable CDD for different types of products (e.g., PICs), services, and accountholders. As due diligence is an ongoing process, a bank should take measures to ensure account profiles are current and monitoring should be risk-based. Banks should consider whether risk profiles should be adjusted or suspicious activity reported when the activity is inconsistent with the profile.
For purposes of the CIP, the bank is not required to search the private banking account to verify the identities of beneficiaries, but instead is only required to verify the identity of the named accountholder. However, the CIP rule also provides that, based on the bank’s risk assessment of a new account opened by a customer that is not an individual (e.g., private banking accounts opened for a PIC), the bank may need "to obtain information about" individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity [Footnote 253: 31 CFR 1020.220(a)(2)(ii)(C).] and to determine whether the account is maintained for non-U.S. persons. [Footnote 254: Refer to the core examination procedures, "Private Banking Due Diligence Program (Non-U.S. Persons)," page 130, for additional guidance.]
Before opening accounts, banks should collect the following information from the private banking clients:
- Purpose of the account.
- Type of products and services to be used.
- Anticipated account activity.
- Description and history of the source of the client’s wealth.
- Client’s estimated net worth, including financial statements.
- Current source of funds for the account.
- References or other information to confirm the reputation of the client.
Some shell companies issue bearer shares (i.e., ownership is vested via bearer shares, which allows ownership of the corporation to be conveyed by simply transferring physical possession of the shares). Risk mitigation of shell companies that issue bearer shares may include maintaining control of the bearer shares, entrusting the shares with a reliable independent third party, or requiring periodic certification of ownership. Banks should assess the risks these relationships pose and determine the appropriate controls. For example, in most cases banks should choose to maintain (or have an independent third party maintain) bearer shares for customers. In rare cases involving lower-risk, well-known, long-time customers, banks may find that periodically re-certifying beneficial ownership is effective. A strong CDD program is an effective underlying control through which banks can determine the nature, purpose, and expected use of shell companies and apply appropriate monitoring and documentation standards.
Certain jurisdictions also allow for registered shares to be converted to bearer shares. These types of entities also carry the same type of risk as bearer shares, primarily centered on the lack of transparency regarding the potential transfer of ownership or control of those shares. Risk mitigation for relationships belonging to corporate entities with a convertibility option is essentially the same as for traditional bearer shares. Financial institutions should assess the risk posed by these relationships and implement appropriate and ongoing beneficial ownership certifications, establish prudent measures as necessary to restrict conversion to bearer share form without prior notification from the customer, or require control of the shares by a reliable independent third party.
Board of Directors and Senior Management Oversight
The board of directors’ and senior management’s active oversight of private banking activities and the creation of an appropriate corporate oversight culture are crucial elements of a sound risk management and control environment. The purpose and objectives of the organization’s private banking activities should be clearly identified and communicated by the board and senior management. Well-developed goals and objectives should describe the target client base in terms of minimum net worth, investable assets, and types of products and services sought. Goals and objectives should also specifically describe the types of clients the bank will and will not accept and should establish appropriate levels of authorization for new-client acceptance. Board and senior management should also be actively involved in establishing control and risk management goals for private banking activities, including effective audit and compliance reviews. Each bank should ensure that its policies, procedures, and processes for conducting private banking activities are evaluated and updated regularly and ensure that roles, responsibilities, and accountability are clearly delineated.
Employee compensation plans are often based on the number of new accounts established or on an increase in managed assets. Board and senior management should ensure that compensation plans do not create incentives for employees to ignore appropriate due diligence and account opening procedures, or possible suspicious activity relating to the account. Procedures that require various levels of approval for accepting new private banking accounts can minimize such opportunities.
Given the sensitive nature of private banking and the potential liability associated with it, banks should thoroughly investigate the background of newly hired private banking relationship managers. During the course of employment, any indications of inappropriate activities should be promptly investigated by the bank.
Additionally, when private banking relationship managers change employers, their customers often move with them. Banks bear the same potential liability for the existing customers of newly hired officers as they do for any new, private banking relationship. Therefore, those accounts should be promptly reviewed using the bank’s procedures for establishing new account relationships.
MIS and reports are also important in effectively supervising and managing private banking relationships and risks. Board and senior management should review relationship manager compensation reports, budget or target comparison reports, and applicable risk management reports. Private banker MIS reports should enable the relationship manager to view and manage the whole client and any related client relationships.