In recent years, banking customers have increasingly relied on electronic banking tools to open accounts, make deposits, transfer funds and otherwise manage their money — and the COVID-19 pandemic has accelerated this trend. All of these activities increase an institution’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance risks, particularly the opening of online accounts. So, while offering these conveniences can be attractive to current and prospective customers, you’ll need to implement policies, procedures and controls to mitigate the risk.
Recognizing risk factors
In its BSA/AML Manual, the Federal Financial Institutions Examination Council (FFIEC) emphasizes that accounts opened online — that is, without face-to-face contact — pose a greater risk for money laundering and terrorist financing because:
In light of this enhanced risk, the FFIEC cautions banks to consider how an account was opened as a factor in determining the appropriate level of account monitoring.
To reduce the risks associated with online account opening, banks should develop an effective customer identification program (CIP) and ongoing customer due diligence (CDD) processes as part of a robust, risk-based BSA/AML compliance strategy.
To comply with CIP requirements, an individual opening an account must provide, at a minimum, his or her name, date of birth, address and taxpayer identification number (or other acceptable identification number for non-U.S. persons). In addition, if an account is opened for a legal entity — such as a corporation, partnership or LLC — the bank must verify the identities of the entity’s beneficial owners.
Verifying applicants’ identities
A significant challenge in electronic banking is verifying the identity of someone opening an account online (including a person opening an account on behalf of a legal entity). For in-person transactions, bank personnel often examine identification documents, such as driver’s licenses or passports, but this may not be possible for accounts opened online.
For online transactions, banks should develop reliable nondocumentary methods of verifying an individual’s identity. These may include comparing the information provided at account opening with information from a credit reporting agency, public database or other source. They also may include contacting the person (for example, calling them at work or sending them a piece of mail they must respond to), checking references with other financial institutions, obtaining a financial statement, or asking “out of wallet” questions, such as previous addresses, former employers or mortgage loan amounts.
The bank should develop alternate or backup verification methods for situations in which one of these methods fails. For example, if there’s an identification mismatch, the applicant may be required to bring identification in person to a bank branch.
In addition, as with accounts opened in person, the bank should check the person’s name against lists of known or suspected terrorists or terrorist organizations maintained by the Office of Foreign Assets Control. It’s also a good idea, for ongoing monitoring and CDD purposes, to collect information about the purpose of the account, the occupations of the account owners and the source of funds.
After an account is opened online and the applicant’s identity is verified, you’ll want to conduct ongoing customer due diligence. That means, among other things, monitoring account activity for unusual or suspicious activities.