Introduction
During my time as a regulator many moons ago, I remember compliance staff candidly explaining to me the challenges encountered when trying to establish a customer’s source of wealth (“SOW”) and source of funds (“SOF”). Those challenges stemmed largely from regulatory uncertainty as to how far their firm needed to go to show the regulator they understood a customer’s SOW and SOF.
To be fair, regulators too have wrestled with explaining in practical terms how firms are meant to treat SOW and SOF information and how it should inform their Know Your Customer (“KYC”) and monitoring activities.
So, establishing a customer’s SOW and SOF is not an easy task. For years, firms have been asking for a steer from national regulators as to what they are expecting to see firms do to satisfy these KYC and ongoing Customer Due Diligence (“CDD”) requirements.
And this KYC is proving to be critical during the COVID-19 pandemic. A recent article has reported on how one KYC provider has identified elevated financial crime risks in a client’s customer base, related to the SOF provided to their businesses by third parties. It reported that businesses looking to move into the provision of personal protective equipment, had in some instances taken funding provided through a network of shell companies “with ties to Russia, China and various nefarious places.” SOW and SOF information, now more than ever, is essential to gaining the full picture of potential financial crime risks related to a customer.
So, what does “good” KYC and CDD information about a customer’s SOF and SOW look like?
2020 – SOW and SOF Guidance
Recently, two publications were released with the aim of providing that much sought-after guidance about SOW and SOF. The first is the Wolfsberg Group’s FAQ guidance (“Guidance”), targeted predominantly at bank’s private banking/wealth management customer segments.
The second is a report on the results of a thematic review (“Report”) on how firms actually undertake SOW and SOF KYC and CDD, published by the Guernsey Financial Services Commission (“GFSC”).
To start with, the GFSC Report provides a nice, practical explanation of the difference between SOW and SOF:
SOW: | Activities which have generated the total net worth of a customer or beneficial owner, both within and outside of the business relationship, i.e. those activities which have generated a customer’s or beneficial owner’s net assets and property |
SOF: | Activity which generated the particular funds for the business relationship or occasional transaction |
Both publications provide useful information on how firms are or should be operationalising these KYC requirements, and, perhaps more helpfully, how other firms are undertaking this work. Here is my high-level summary of them.
Wolfsberg
The overall message of the Guidance is that a risk-based approach should be taken in deciding how much information should be obtained to corroborate a customer’s SOW and SOF. The nature of information collected and source from which to obtain it should be determined depending upon the type of customers, their specific circumstances and risk rating, and ultimately the risk appetite of the business.
1. Purpose of Establishing a Customer’s SOW and SOF
The Guidance also makes clear that SOW is about assessing a customer’s wealth generating activities. It is NOT intended to account for, or verify, the exact value of the customer’s overall net worth. Broad categories and descriptions are provided of the sources from which a customer’s wealth might be generated.
Similar guidance is related in terms of establishing a customer’s SOF. Again, no big surprises. Verifying a customer’s SOF should include establishing on a risk-basis, (a) the amount or value and type of financial instruments or assets funding the account (other than cash), including the activities that generate the funds, (b) how the funds were transferred, (c) the remitting party and, where applicable, (d) the firm from which the transfer originated and country from where the fund transfer(s) originated.
2. Use of Judgment Re: Corroborating Information
The Guidance emphasises the use of judgment in deciding how much information is required to corroborate a customer’s SOW. If the customer provides a legitimate and plausible (i.e. reasonable) explanation which aligns with the overall KYC information obtained about them, further verification or requests for more information may not be needed.
3. Importance of Documenting Steps Taken
Banks are reminded that all SOW and SOF enquiries must be documented, especially when it is not possible to verify an existing customer’s SOW based on existing procedures. In other words, if alternative measures need to be taken to corroborate existing customer information, this should be recorded so it can be explained, if necessary, to the regulator.
4. Review and Ongoing Monitoring
In terms of ongoing CDD and monitoring, the Guidance suggests that the classic combination of periodic plus trigger-based reviews form a part of SOW and SOF procedures, emphasising that when these reviews are triggered, focus should be on new information and not revisit the existing and documented SOW information for the customer. A general list of risk factors is provided that might indicate a need for further information to be obtained about a customer’s SOW or SOF.
GFSC
In addition to the Guidance, the GFSC Report summarises the results of its review of 47 firms including private banks, trust and corporate service providers, investment managers and lawyers, in terms how they go about establishing customer’s SOW and SOF.
The AML/CFT framework Guernsey requires that firms take reasonable measures to establish and understand a customer’s (and that of any beneficial owner who is a Politically Exposed Person (“PEP”) SOW and SOF, in cases where elevated ML/TF risks were present [Emphasis added]. The Commission undertook the review to better understand how firms were interpreting the meaning of “reasonable measures”.
The findings from the review reveals some surprising results.
1. Most customers are asked about their SOW and SOF
First, 91% of firms reviewed asked all customers, irrespective of their risk rating, how they generated their total wealth. 85% of those same first did the same for customers’ SOF. This was viewed by the GFSC as a sensible measure, as the information helped firms better understand the overall risk profile of their customers.
2. Mixed Practices on Corroboration of SOW and SOF Information for High Risk Customers
Despite the almost uniform approach taken to collecting SOW and SOF information from customers, the same could not be said for how that information was corroborated.
The GFSC’s feedback to firms currently applying the same level of corroboration is: stop boiling the ocean. This approach is not effective. The GFSC explained that the unintended consequence of this approach was that it either:
risk setting the bar too low and obtaining insufficient corroboration for those high-risk customers where the risks are much higher, or
risk setting the bar too high whereby it becomes overly resource intensive relative to the higher risk factors present in the relationship.
3. Source of Information to Corroborate SOW and SOF
The Report found that sources used by firms were evenly split between client sourced, third party sourced and open source information. The combination of information sources required is best determined on a risk-basis.
The Report lists some of the risk indicators that firms have adopted to signal for their staff when additional SOW or SOF corroboration is warranted. These included customers:
Who are PEPs or Commercially Exposed Persons (“CEPs”);
Who are the subject of adverse media;
Who have wealth/activities emanating from jurisdictions with reported higher levels of corruption and less established AML/CFT regimes;
Who have generated their wealth in industry activities where bribery and corruption is more commonplace, for example in the minerals and hydrocarbon extraction industries; and
Where there is little information available in the public domain about how they have generated their wealth or the entities/companies involved.
The Report encourages firms to make it clear in their procedures what sorts of high-risk factors require that staff refer to open source or specialist third party sourced information to corroborate a customer’s SOW or SOF.
4. Not all Monitoring Triggers Should Require a SOW or SOF Review
The way in which firms have organised their ongoing monitoring and review of customer SOW and SOF also drew comments from the GFSC.
Essentially, all firms use both a periodic and trigger-based review process to check information about a customer’s SOW and SOF. The GFSC’s feedback to this approach is: Don’t go over the top here. Or reviewing for the sake of reviewing is not what the regulator is expecting to see. Instead, a risk-based approach should be taken for triggers, based on the information that has raised them, for example. The GRFC also provides suggestions as to the types of information that may warrant undertaking a review of a customer’s SOW or SOF, signalling that this is also an area where firms need to take a risk-based approach.
Concluding Thoughts
Both publications provide useful information for banks and other financial institutions about how a customer’s SOW and SOF should be established and corroborated. They both endeavour to help firms better understand the most effective way to fulfil this KYC and CDD requirement.
My preference, however, is the messaging provided in the Guernsey Report. It makes clear that going over the top with controls in this area will not earn firms a “gold star” from the AML/CFT regulator. Especially where all that effort does not result in the effective detection and mitigation of possible financial crime risks.
If your firm is due to review its KYC procedures and processes, consider the points raised in these two publications.
Is your firm boiling the ocean?
How does customer SOW and SOF information inform their risk classification?
Are periodic and trigger reviews performed on a risk-basis?
And finally, consider whether, given the current circumstances in which we’re operating, there are risks around customer SOW and SOF that may not be fully understood by your KYC review teams and how you might go about raising their awareness about how these might be detected through information about a customer’s SOW and SOF.