One of the biggest concerns of any financial institution – that is, any institution that routes payments between individuals / organizations, or which accepts payments over time – is money laundering. Profits obtained from some nefarious activity need to be 'washed' through the system to remove any trace of their origin; and individuals have found no shortage of ways to wash them – creating shell companies, giving out loans to themselves, buying and selling casino chips, or simply paying for everything in cash. Indeed, as our previous article about the depth and breadth of the practice showed, laundering comes in a variety of creative shapes and sizes, with some more apparent than others.
Yet for all of its diversity, money laundering can be thwarted with a few relatively simple practices such as counterfeit money. Financial industry and government officials realized this with the Bank Secrecy Act of 1970, the first attempt to create a comprehensive legislative solution designed to thwart money laundering and related ills. The act created a set of requirements for banks and institutions to follow, including:
Currency transaction reports for any single or series of related transactions totaling $10,000 or more
Suspicious activity reports which can include, for example, a series of structured transactions slightly under $10,000 - seemingly designed to avoid reporting requirements. What constitutes “suspicious activity” is left to the judgement of the bank or financial institution.
While the BSA was a solid beginning, it became over the years increasingly insufficient to bring down the more modern money launderers. As financial transactions increased in complexity, so did the opportunity for launderers to slip in undetected. Amazingly, it took sixteen more years until the actual criminalization of money laundering and structured transactions, and two more after that to expand oversight to credit institutions such as car dealerships or real estate firms. The expanded laws were successful insofar as they went, but then came that fateful day in September of 2001.
The attacks of 9/11 changed everything inside the financial world as well. With a renewed focus on terrorist financing, what before were suggestions or guidelines quickly became hard laws. Within a few months of the attacks, Congress passed the Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act (USA PATRIOT Act), which required verification of customer identities, enhanced due diligence, and a slate of anti money-laundering programs to take effect across the broad spectrum of the financial industry.
The verification and due diligence parts were further refined under the Know Your Customer (KYC) program. This is the one that every financial officer, administrator, or security personnel must know in detail. A good KYC program involves understanding the customer's business profile in order to identify and monitor potential risks. Taking a risk-based approach, it calls for continual, ongoing monitoring of higher risk accounts over their entire lifetime. Most importantly, it also requires verification of the customer's identity.
This is the cornerstone of a good KYC program: the ability to tell with great certainty that the individual conducting the recorded transaction is truly who they say they are. While the Basel Committee that drew up KYC regulations originally left it to the banks themselves to determine adequate identity verification methods, promising “to develop essential elements of customer identification requirements” at a later time, a cottage industry has grown around interpreting the meaning and helping business comply with the regulations.
The bottom line is there is no better way to prevent identity fraud than to use advanced equipment designed to authenticate identification documents. “Knowing” your customer’s identity starts with verifying who they are when they initiate a relationship with the financial institution. Several influential organizations within the financial security industry have already said the guidelines call for machine-verifiable identification, but even if there is no direct reference to mechanical verification, the convenience and certainty cannot be beat. Identity theft prevention is a must.