Banks are racing to comply with the USA PATRIOT Act's requirements that terrorists not be allowed access to the financial system, such as by assuming a false identity in order to shift funds electronically from one account to another.
For a diversified global financial institution such as Citigroup, USA PATRIOT Act compliance means finding a way to implement an enterprise-wide policy that satisfies regulatory entities including the SEC, NASD, the Federal Reserve, and the OCC.
Regulators expect USA PATRIOT Act compliance to "come from the very top," according to Pamela J. Johnson, senior anti-money laundering coordinator, division of banking supervision and regulation for the Board of Governors of the Federal Reserve System.
The latest Treasury rulings mean that banks have to meet several common standards with regard to customer identification programs, while also addressing the specifics of the various businesses within banking. "I can put in one customer identification program at the top, and I can have different procedures to implement the program in different businesses and look at the nuances in the rules to make sure that I can cover specific things," said Richard Small, global anti-money laundering director of Citigroup. "For the most part, what we need to do is very similar."
But certain channels require new procedures to handle the gray areas. For example, consider a person who comes into a branch about once per week to cash checks, but does not have a checking or savings account with the bank. Going forward, banks may prove less willing to provide regular services without establishing a formal relationship. "At some point we're saying you either have to become a customer, or stop the business," said Small. "Why would this person not open an account, and am I comfortable doing this type of business without doing the due diligence I would do if I opened them an account?"
On the corporate side, Citigroup is making efforts to determine which types of entities require the most scrutiny. "We are actually looking at risk-ranking some 400 various types of businesses to get a better idea of how to look at risk scoring for the type of business," said Small.
However banks make judgment calls across their organizational footprints, it's evident that they will have to document both their actions and their decision-making processes. "That's what I like about this rule-it requires you to write everything down," said Johnson. "There has to be some paper trail."
Small and Johnson spoke at a Web seminar hosted by LexisNexis.