The recent Credit Suisse leak revealed shortcomings in their due diligence policies, account closure procedures, and deficient compliance culture. While they had been making commitments and working hard to improve their compliance operations before this leak, it will take time to earn back the trust of regulators and the public especially if they continue their bad behavior.
Compliance teams are required to conduct periodic due diligence reviews as part of a know your customer (KYC) program. In the industry, the interval between re-reviews of client information tends to be dictated by an assessment of the riskiness of those being reviewed. Credit Suisse performed periodic reviews every one to three years, with higher-risk clientele subject to more frequent checks. Unfortunately, these “sliding scale” diligence cycles are often based on incorrect or outdated information. Criminals, politically exposed persons, and other high-risk clients will not always onboard under their own names and will use opaque company structures to make sure funds aren’t frozen or confiscated. When this information is checked against an OFAC sanctions search in the US, the analyst needs an exact match of the full name, date of birth, and jurisdiction of residence to declare that the individual has been found. Barring that level of similarity, a match may not be declared. Using only this data to determine the risk profile of clients is critically flawed.
Our industry could improve this system by using data that is already being analyzed in other areas of a compliance program. The current regime trusts the very information that we are verifying to decide how trustworthy it is. A more effective way to establish review cycles would be to incorporate monitored activity into customer risk scores and use those as the basis for determining review periodicity. Monitoring of transactions is already required, and historical activity would be a better assessment of risk than using original declarations from years ago. The continuous assessment is also helpful in providing a current risk assessment when deciding to maintain or exit a client’s relationship. Since Credit Suisse is involved in the transmission of international wires, they get to see information and metadata that others do not. These details derived from transaction activity provide a more holistic assessment of the client and likely would have raised red flags for some of these clients and pegged them for earlier review.
The leak shows that some bad actors seemed to have accounts at Credit Suisse longer than expected and that the bank could have expedited the closure process for many of these relationships. But it is important to understand that account closure is not always the best solution in this type of situation, and leaving these accounts open may have been not only reasonable but necessary.
When we want to close an account, this process could be sped up at most institutions. Unfortunately, there are operational inefficiencies or external factors which impede the process. Credit Suisse was found to be banking these high-profile criminals for quite some time even after confirming that a client poses a risk to the bank; operational procedures and external inquiries can slow the closure process. Mandated reviews at three or four-month intervals and investigations that drag on are common causes for delay. There should be procedures in place that allow for overrides to expedite this process when it is prudent to do so.
It is also true though that there are external factors that make account closure less desirable. Keep Account Open letters for a client are sent so that law enforcement can collect more data on suspicious activity to bolster their own investigation. If a bank receives one of these letters, they can continue serving the client and are given safe harbor from BSA liability, but the decision on account closure belongs to the bank. Shutting down accounts too quickly can cut off a valuable stream of information. A suspect will scatter their activity into many new institutions after being tipped off and may vary their behavior to avoid shutdown again. Closing accounts too soon could consequently make it harder to root out financial crime, locate and analyze financial relationships, and enable suspicious activity to continue and evolve.
Whether a bank closes an account or not, the most important thing is building a high-quality compliance culture to stop suspicious activity. It isn’t just a moral obligation to stop criminals, it’s also a business obligation as audit findings and regulatory action have major consequences. Failures to sufficiently track down this behavior can stifle expansion into new markets, products, and client types.
Culture is a key driver of whether or not a bank can bring criminals to justice. Culture affects written risk policies, technology decisions, and the propensity to turn a blind eye to suspicious activity. When a culture is degenerate, our ability to hold criminals to account suffers. It has recently been revealed that Credit Suisse executives ordered the shredding of documents and erasure of evidence surrounding loans backed by luxury assets of recently sanctioned Russian oligarchs. This is a culture where criminal activity thrives.
Switzerland’s regulatory agency, FINMA, specifically stated last year that banking high-net-worth, international clients in a privacy-friendly jurisdiction increases the risk of dealing with illicit activity. These higher risks mandate a more robust culture and follow-through on reporting suspicious activity. It will take time for Credit Suisse to gain back the trust of the regulators and the international community after these revelations, and doing so starts with a fundamental revamp of how they think about risk. A healthy compliance culture leads to better identification of risk trends, rapid response to illicit activity, and ultimately the prosecution of more bad actors.