Interview of Susan Galli by John Byrne
Susan Galli, an ACAMS Advisory Board member and long-time AML veteran, is currently assisting AML RightSource in their advisory practice. While involved in a vast array of issues that challenge financial crime prevention professionals, one area of focus is the risks involved in correspondent banking. Susan recently moderated a panel at the ACAMS Vegas conference on this topic and sat down to discuss some of the key concerns covered by her and the panel.
The following are excerpts from that conversation:
What are the overall benefits of correspondent banking despite the risks?
Galli: Correspondent accounts, and in particular, correspondent banking, is critical to the safe and efficient functioning of global payment systems, and is of keen interest to central banks. The dollar continues to be the major global currency, followed by the Euro, and correspondent banking facilitates access to financial services in different jurisdictions, as many of these transactions are denominated in dollars or euros. Correspondent banking underpins cross border payment services, international trade, and is critical to financial inclusion.
There have been a number of regulatory criticisms and dramatic enforcement actions against financial institutions that offer correspondent banking. What are the key themes from those critiques?
Galli: If we consider the top 10 banks in the United States in terms of dollar clearing, nearly all are or have recently been under and enforcement action involving correspondent banking. If we look at the root causes, there are some common themes that emerge. The most significant in my view is a failure to understand the risks involved with this business. Most of these banks did not have robust financial crime risk models that effectively identified high risk jurisdictions, financial institutions and products and services. As a result, the CDD and transaction monitoring programs that were put in place did not adequately control the risks, and suspicious activity often went unreported, and in some cases, criminal transactions or sanctions violations were allowed to flow through some of these banks. The other major factor at the banks with enforcement actions was cost cutting to the detriment of financial crime compliance, and business interests trumping compliance. This cost cutting negatively impacted all three lines of defense which are all critical to a robust correspondent banking compliance program, and the fact that the compliance function in these banks was often understaffed and did not have the appropriate stature in the organization. In other words, there was not an effective and visible culture of compliance.
Besides the difficulty that charities have had due to banks exiting or “derisking” those account relationships, correspondent banks have seemed to suffer the same fate. Why?
Galli: As referenced above, the most spectacular enforcement actions and, in some cases, Deferred Prosecution Agreements, all involved sanctions and AML issues involving the correspondent banking business line of many of the largest US dollar clearing institutions. This led to huge fines, and very intense scrutiny of this business by regulators, and in some instances independent Monitors, and extremely costly remediation efforts that included initiatives to revamp the customer risk rating process, KYC remediations of the banks’ entire correspondent banking portfolio and, often times, mandatory lookbacks of correspondent banking transactions that could involve thousands, if not millions of transactions. As a result, to avoid penalties and damage to reputation, there has been a trend for banks to scale back their correspondent banking relationships, de-risking away from high risk jurisdictions or de-marketing away from respondent banks that don’t generate sufficient revenue to justify the associated compliance costs, and in some cases, banks are eliminating certain product lines like USD wholesale banknote service or international cash letter.
The panel in Vegas certainly had strong recommendations for correspondent banking due diligence. Can you describe some of those?
Galli: Yes, the panel emphasized that the management of correspondent banking relationships requires not only a robust due diligence process at the initial on-boarding of a respondent bank client relationship, but also a continuous assessment and monitoring after onboarding that includes an assessment of the AML/CFT/fraud risks associated with the geographies and the products and services that the correspondent bank is providing to its respondent bank clients. We also noted the importance of conducting due diligence on each respondent bank customer that is commensurate with each customer’s risk level, conducting ongoing monitoring of customer transactional activities (particularly payments and currency) to identify possible AML, sanctions, CFT or fraudulent transactions and having a good understanding of each respondent bank client’s AML/CFT program. Our Federal Reserve speaker also emphasized the importance of ensuring that the U.S. correspondent has effective payment security protocols with each of its respondent bank clients when making payments for these clients.
Payment systems continue to evolve and grow. Are there issues in the correspondent banking area that demand staying current with those new systems and if so, how is that accomplished?
Galli: With increased globalization and the rise of innovative alternative solutions from FinTECH, and the need for faster settlement (T+3 down to minutes or seconds), more efficient, cheaper and more transparent payments is growing in demand. Some examples of this would be making ACH payments eligible for same day processing, SWIFT gpi, a new standard for cross border payments and cryptocurrency technologies such as Ripple, Bitcoin, among others. Since global payments is one of the main products offered through correspondent banking relationships, it is critical for these banks to stay tuned in with product innovations. This is best accomplished through internal coordination between key internal stakeholders, some of whom should also be plugged into key industry groups such as The Clearing House, NACHA or BAFT as well as their international equivalents. The new product approval process in the institution should ensure that any new payment products or significant modifications to existing products undergo a product approval process that includes vetting and signoff from all key internal stakeholders including product management, the business leader responsible for transaction services/financial institutions, legal, risk, technology and compliance before any new products are launched, particularly to a higher risk business line such as correspondent banking clients.
How does the Wolfsberg Group fit into this area and describe their involvement?
Galli: The Wolfsberg group has been in existence since 1999 and is an association of global banks that meet annually to define principles or standards for a number of business areas that are of interest to the group. The area of payments and correspondent banking has been a particular focus of the Wolfsberg Group, and with regard to correspondent banking, in collaboration with The Clearing House, the group published a Statement on Payment Message Standards to ensure that payment messages are transparent and compliant. More recently, Wolfsberg also published Guiding Principles for Anti-Money Laundering Policies and Procedures in Correspondent Banking, and this year a revised version of The Wolfsberg Group Due Diligence Questionnaire (“CBDDQ”) for Correspondent Banks and associated support materials. These documents are particularly useful as they embody not only U.S. AML/CFT standards, but are actually global leading practices given the global nature of the member banks.
If firms want to continue to work with correspondent banks, what are leading or recommended practices?
Galli: First, the Board should define its risk appetite for correspondent banking and clearly articulate any limitations it may want to place on the business. This will help avoid debates between the business and compliance later on down the line in terms of policy questions or with respect to the onboarding of specific high risk clients. Next the bank needs to ensure that it has a customer risk assessment process that accurately captures the risk posed by each respondent bank. The business is the first line of defense, so it must have adequate personnel who can vet high risk clients, and who are trained to conduct due diligence and enhanced due diligence on the respondent banks. Use of the Wolfsberg correspondent banking due diligence questionnaire is a good starting point. Several banks have adopted an approach that utilizes correspondent banking review teams that can conduct in-depth reviews of correspondent relationships. The reviews are defined by risk-based factors and are prioritized by risk. The findings of these reviews are made available to key stakeholders in the business and in compliance and report on an assessment of the bank’s correspondent banking relationships, potential issues/concerns and any recommendations.
Transaction monitoring seems key but how does it work with CB?
Galli: As referenced earlier, the U.S. dollar is the world default currency, and that means there is a tremendous amount of funds passing through and terminating with U.S. banks. Thus it is imperative that U.S. banks have robust transaction monitoring and sanctions filtering systems to monitor those transactions for suspicious or illicit activity. When U.S. banks seek to implement transaction monitoring for correspondent banking activities, they need to consider whether the transaction monitoring system they plan to use is capable of monitoring the product activity that the respondent bank clients will be using. In other words, are the rules and scenarios tailored to the various products offered by the U.S. correspondent, and can rules that contemplate pseudo customers (the originators and beneficiaries on wires) be run on the system. The main difference with monitoring correspondent banking activity is that often times, the focal party of interest, is not the respondent bank itself, but rather one of the respondent bank’s clients or another counterparty unrelated to that bank. While the U.S. bank has KYC on its client, the respondent bank, it does not have KYCC information on each and every client of that respondent bank. That means that at the time a transaction(s) is flagged for review, the U.S. bank will have to send a Request for Information (“RFI”) to the respondent bank to attempt to get sufficient information about the transaction and parties involved to assess whether or not the transaction makes sense. Whether a response comes back in a timely manner or at all, and whether the information is of sufficient quality to make a meaningful assessment, varies widely, and is particularly problematic when a secrecy jurisdiction is involved.
Same with AML investigations---best practices?
Galli: U.S. banks that need to investigate correspondent activity from foreign locations are best served when they have analysts/investigators with foreign language skills and local knowledge of the jurisdictions that the transactions are coming from. Another best practice that was highlighted is a robust manual case program that includes adverse media searches, legal process and engagement with law enforcement, when appropriate. If the bank has a local presence, it is key to engage with the local regions where payments originate to better understand the environment, and also to provide feedback to business partners in those regions about potential suspicious activity trends to avoid repeat behavior. It’s also a best practice to use the 314(b) information sharing process and the RFI process alluded to above, as these processes often reveal a lot more information about the parties identified through transaction monitoring who are not the U.S. bank’s direct customers, and the last point was to ensure that the U.S. bank has reviewed the laws in all of the secrecy jurisdictions, as many times the legal interpretation provided by colleagues in some of these jurisdictions is not exactly a true reflection of the actual situation and ability to share information cross border.
What were the key takeaways from your session and where can folks find more resources on this difficult issue?
Galli: The panel offered a number of key takeaways. First and foremost, is that risk assessments must identify and evaluate all risks and that maintaining correspondent banking relationships requires continuous assessment, ongoing due diligence and monitoring of customer activity. While KYCC/CCDD is not technically required by the new CDD rule that went into effect last May, the panel noted that in certain instances, it is implicitly required after the fact as part of transaction monitoring as one of the only ways to truly identify risk and potential suspicious activity. The Wolfsberg Correspondent Banking Due Diligence questionnaire was put forth as a minimum standard for correspondent banking due diligence, and each bank is urged to decide and document their decision of how it plans to adopt and implement the Wolfsberg CBDDQ. Finally, our Federal Reserve speaker reminded the audience that cyber fraud is a growing threat and may challenge the faster payments initiatives, and also poses concerns when determining the authenticity of payment requests sent to correspondent banks by their respondents. The panel provided a list of resources, most of which can be found on the FATF, Wolfsberg or The Clearing House websites.