The unprecedented exodus of deposits from small and regional banks has increased the risks to financial institutions of guarding against fraud and money laundering, potentially exposing challenges in complying with "know your customer" rules.
Large banks and money market mutual funds have been the main beneficiaries of the flight of deposits from corporate and small business customers in the wake of the failures of Silicon Valley Bank and Signature Bank. Deposits rose at the largest 25 banks, but some small and midsize banks also were beneficiaries of depositors moving funds that exceeded the $250,000 limit in federal insurance.
Experts say it is too early to tell whether the rush to onboard millions of new, mostly business depositors in such a short period has led to mistakes in identifying high-risk customers. The surge in deposits can strain a bank's resources, lead to mistakes in assessing a customer's risk and potentially cause some banks to fall behind in conducting due diligence on risky customers.
"Whenever you have a big surge in volume of activity — even if it's routine — it can stress banks' operating systems if they're not designed to accommodate the surge," said Michael Dawson, a partner at WilmerHale and a former deputy assistant secretary and senior advisor at the Treasury Department. "In the rush to onboard new customers, mistakes can be made that don't surface until months or years later when a bank is doing a customer refresh or event-driven reviews."
The rationale behind "know your customer," anti-money laundering and Bank Secrecy Act rules is to prevent criminals — from sanctioned Russian oligarchs to drug kingpins — from creating layers of corporate entities to disguise and obscure their ownership of assets. Banks not only are required to identify their customers, but also must review accounts for suspicious transactions and illegal activity.
When a customer moves to another bank, the due diligence that has already been performed at their first bank "is essentially lost and then has to be repeated by another bank," said Robert Baron, chief experience officer at StandardC, a San Francisco provider of software and advisory services, and a former senior vice president at Technicolor Federal Credit Union in Burbank, California.
"When that business goes to a new institution, that new institution has to perform its initial [know your customer] on the beneficial owners and it has to perform due diligence on the business," Baron said. "All of that has to be repeated, so the risk of fraud, identity theft and money laundering all goes up."
John Byrne, chairman of the advisory board at AML RightSource, a global provider of AI and advisory services, said banks have been conducting customer due diligence effectively for 25 years and have built in processes and policies to verify the identities of customers to root out financial crime. Banks need not be worried if they have risk, compliance and BSA officers involved in handling the influx of deposits, he said.
"We always push for having a strong culture of compliance," said Byrne. "Bring your compliance officers to the table. Don't let your business lines make the call that they're going to grab all these deposits. Have a plan, right? And if you have a plan, it's not going to be perfect, but it's going to be a strategy. If institutions are taking in lots of new deposits and then they alert compliance a week or two later, they could have problems."
Last year, the Treasury Department issued its final
The registry is supposed to take effect on January 1, 2024, as part of the implementation of the Corporate Transparency Act. But many experts say the FinCEN registry would not have made it any easier for financial institutions to onboard new customers during the crush of deposit inflows in March. FinCEN is still developing the technological infrastructure for the registry.
"The FinCEN registry, as it's written today, would not be helpful at all," said Chuck Taylor, executive vice president and head of financial crimes advisory at AML RightSource, and a former senior vice president and BSA officer at City National Bank.
The problem with the FinCEN registry, Taylor said, is that financial institutions would be required to get permission from a customer to access information in the registry, making it time-consuming and cumbersome. The registry's information itself is limited because it will not be validated by FinCEN, he said. Plus, financial institutions would still be required under current regulations to conduct due diligence to capture beneficial ownership information, making the registry itself redundant.
"There's no mandate for anybody to validate the information to see that it was actually the correct information," Taylor said. "So there's no benefit to the registry."
Baron agreed, saying there needs to be a more effective and efficient "pre-vetting," of customers. While banks can request information retroactively from FinCEN, he thinks there is a more fundamental problem in the way data is collected but not shared across the banking system. Baron's company, StandardC, has developed a blockchain-based network that allows a business to create a portable digital business identity based on self-declared data that could be carried over from one institution to another. The goal is to simplify the vetting and due diligence process and protect financial institutions from onboarding bad actors.
"If the data was structured in a distributed ledger, where all banking data was within a permissioned, private blockchain, then if a business moves from one bank to another, the due diligence on that business would be shared with the new institution," Baron said.
Currently, banks spend an inordinate amount of time and money complying with subpoenas from state and federal law enforcement agencies or the Internal Revenue Service investigating criminal activity. A bank typically has 30 days to produce all the documentation including account histories, maintenance and the beneficial ownership information on a customer to comply with a subpoena.
"Law enforcement or supervisory agencies would be able to access the data with a valid subpoena without burdening the financial institutions to have to reproduce and share the information," Baron said. "It wouldn't just make it easy on the banks and it would prevent and deter insider activity that may be linked to a target of a criminal or civil investigation."
Banks may make mistakes at the front-end of the onboarding process when collecting data and determining risks, said Dawson. Identifying the right industry a business operates in can be crucial to determining how risky the customer is. A conglomerate, for example, might have a range of products, from military munitions to fertilizer, and if they are classified as operating in agriculture instead of defense, it can change the risk assessment, Dawson said. A bank has to decide, based on the information collected, what type of due diligence needs to be performed, and employees under pressure to onboard lots of customers can lead to an inaccurate risk assessment.
"Employees under pressure may not onboard customers as correctly or thoroughly as they should and determine if there needs to be a second phase that goes deeper," Dawson said. "It is possible that some fraudsters may use this window as an opportunity to open accounts and hope they will not receive the same degree of scrutiny that they might in a normal period."
