BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
SR 97-19 (SUP)
June 30, 1997
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Private Banking Activities
Private banking activities, which involve, among other things, personalized services such as money management, financial advice, and investment services for high net worth clients, have become an increasingly important aspect of the operations of some large, internationally active banking organizations. The Federal Reserve has traditionally reviewed private banking activities in connection with regular on-site examinations. In 1996 and 1997, the Federal Reserve Bank of New York undertook a comprehensive review of private banking activities at approximately 40 domestic and foreign banking organizations in the Second District in order to enhance the Federal Reserve's understanding about private banking operations. Examiners focused principally on assessing each institution's ability to recognize and manage the potential reputational and legal risks that may be associated with inadequate knowledge and understanding of its clients' personal and business backgrounds, sources of wealth, and uses of private banking accounts. In carrying out the reviews, examiners considered the parameters of an appropriate control infrastructure that is suited to support the effective management of these risks.
The reviews indicated that there are certain essential elements associated with sound private banking activities, and these elements are described in a paper, prepared by the Federal Reserve Bank of New York, entitled "Guidance on Sound Risk Management Practices Governing Private Banking Activities". A copy of the sound practices paper is attached for the use of your examiners, and we are requesting that you provide copies to each domestic and foreign banking organization in your District that conducts private banking activities. A suggested transmittal letter is also attached.
The sound practices paper provides banking organizations with guidance regarding the basic controls necessary to minimize reputational and legal risk and to deter illicit activities, such as money laundering. The essential elements associated with sound private banking activities are, in brief outline, as follows:
- Management Oversight. Senior management's active oversight of private banking activities and the creation of an appropriate corporate culture are crucial elements of a sound risk management and control environment. Goals and objectives must be set at high levels, and senior management must be proactive in overseeing compliance with corporate policies and procedures.
- Policies and Procedures. All well run private banking operations have written "Know Your Customer" policies and procedures, consistent with guidance provided by the Federal Reserve over the past several years, that require banking organizations to obtain identification and basic background information on their clients, describe the clients' source of wealth and lines of business, request references, handle referrals, and identify red flags and suspicious transactions. They also have adequate written credit policies and procedures that address, among other things, money laundering-related issues, such as lending secured by cash collateral.
- Risk Management Practices and Monitoring Systems. Sound private banking operations stress the importance of the acquisition and retention of documentation relating to their clients, as well as due diligence regarding obtaining follow-up information where needed to verify or corroborate information provided by a customer or his or her representative. Inherent in sound private banking operations is the retention of beneficial owner information in the United States for accounts opened by financial advisors or through the use of off-shore facilities. Adequate management information systems capable of, among other things, monitoring all aspects of an organization's private banking activities are also stressed. These include systems that provide management with timely information necessary to analyze and effectively manage the private banking business and systems that enable management to monitor accounts for suspicious transactions and to report any such instances to law enforcement authorities and banking regulators as required by the regulators' suspicious activity reporting regulations.
- Segregation of Duties, Compliance, and Audit. Because private banking activities are generally conducted through relationship managers, banking organizations need to have an effective system of oversight by senior officials and by board committees, as well as guidelines pertaining to the segregation of duties to prevent the unauthorized waiver of documentation requirements, poorly documented referrals, and overlooked suspicious activities. Likewise, strong compliance and internal audit programs are essential to ensure the integrity of the risk management and internal control environment established by senior management and the board of directors.
Other Related Projects and Products
The lessons learned from the private banking reviews will be incorporated into a new examination manual for private banking activities. The manual will be in two parts: one which describes the examination procedures for a comprehensive, top to bottom review of a private banking operation; and the other, a set of "risk focused" guidelines aimed at assisting examiners in determining which procedures should be followed depending, for example, on the level of private banking activity, any noted deficiencies, management's responsiveness in implementing corrective action, and the sufficiency of the organization's internal audit program. We expect to start field testing these new procedures within the next three months.
In the next few weeks, the Federal Reserve will also distribute an updated Bank Secrecy Act examination manual. The updated version will include examination procedures relating to recent additions and changes to the Bank Secrecy Act, as well as updated sections related to anti-money laundering initiatives.
Staff is in the process of developing a draft regulation that would require banking organizations to establish "Know Your Customer" policies and procedures. The results of the private banking reviews will be incorporated into the proposed regulation. In moving forward with this initiative, the Federal Reserve will coordinate its efforts with the other federal banking agencies regarding the breadth and scope of the rules in order to ensure that all banking organizations in the United States operate under the same standards.
In the event you have any questions regarding the attached sound practices paper, please contact Ms. Nancy Bercovici, Senior Vice President, Federal Reserve Bank of New York, at (212) 720-8227, or Mr. Richard A. Small, Special Counsel, Division of Banking Supervision and Regulation, at (202) 452-5235. Other questions can be directed to Mr. Small.
Richard Spillenkothen
Director
Attachments
Suggested Transmittal Letter
to the Chief Executive Officer or General Manager of
Each State Member Bank, Bank Holding Company, and
U.S. Branch and Agency of a Foreign Bank
That Conducts Private Banking Activities
Subject: "Sound Practices" For Private Banking Activities
Dear ______________________:
Private banking activities, which involve, among other things, personalized services such as money management, financial advice, and investment services for high net worth clients, have become an increasingly important aspect of the operations of some large, internationally active banking organizations. The Federal Reserve has traditionally reviewed private banking activities in connection with regular on-site examinations. In 1996 and 1997, the Federal Reserve Bank of New York undertook a comprehensive review of private banking activities at approximately 40 domestic and foreign banking organizations in the Second District in order to enhance the Federal Reserve's understanding about private banking operations. Examiners focused principally on assessing each institution's ability to recognize and manage the potential reputational and legal risks that may be associated with inadequate knowledge and understanding of its clients' personal and business backgrounds, sources of wealth, and uses of private banking accounts. In carrying out the reviews, examiners considered the parameters of an appropriate control infrastructure that is suited to support the effective management of these risks.
The reviews indicated that there are certain essential elements associated with sound private banking activities, and these elements are described in a paper, prepared by the Federal Reserve Bank of New York, entitled "Guidance on Sound Risk Management Practices Governing Private Banking Activities". A copy of the sound practices paper is attached for your information.
The sound practices paper provides you with guidance regarding the basic controls necessary to minimize reputational and legal risk and to deter illicit activities, such as money laundering. The essential elements associated with sound private banking activities are, in brief outline, as follows:
- Management Oversight. Senior management's active oversight of private banking activities and the creation of an appropriate corporate culture are crucial elements of a sound risk management and control environment. Goals and objectives must be set at high levels, and senior management must be proactive in overseeing compliance with corporate policies and procedures.
- Policies and Procedures. All well run private banking operations have written "Know Your Customer" policies and procedures, consistent with guidance provided by the Federal Reserve over the past several years, that require banking organizations to obtain identification and basic background information on their clients, describe the clients' source of wealth and lines of business, request references, handle referrals, and identify red flags and suspicious transactions. They also have adequate written credit policies and procedures that address, among other things, money laundering-related issues, such as lending secured by cash collateral.
- Risk Management Practices and Monitoring Systems. Sound private banking operations stress the importance of the acquisition and retention of documentation relating to their clients, as well as due diligence regarding obtaining follow-up information where needed to verify or corroborate information provided by a customer or his or her representative. Inherent in sound private banking operations is the retention of beneficial owner information in the United States for accounts opened by financial advisors or through the use of off-shore facilities. Adequate management information systems capable of, among other things, monitoring all aspects of an organization's private banking activities are also stressed. These include systems that provide management with timely information necessary to analyze and effectively manage the private banking business and systems that enable management to monitor accounts for suspicious transactions and to report any such instances to law enforcement authorities and banking regulators as required by the regulators' suspicious activity reporting regulations.
- Segregation of Duties, Compliance, and Audit. Because private banking activities are generally conducted through relationship managers, banking organizations need to have an effective system of oversight by senior officials and by board committees, as well as guidelines pertaining to the segregation of duties to prevent the unauthorized waiver of documentation requirements, poorly documented referrals, and overlooked suspicious activities. Likewise, strong compliance and internal audit programs are essential to ensure the integrity of the risk management and internal control environment established by senior management and the board of directors.
In the event you have any questions regarding the attached sound practices paper, please contact Ms. Nancy Bercovici, Senior Vice President, Federal Reserve Bank of New York, at (212) 720-8227, or Mr. Richard A. Small, Special Counsel, Division of Banking Supervision and Regulation, Board of Governors of the Federal Reserve System, at (202) 452-5235.
Sincerely,
Enclosure
Guidance on Sound Risk Management Practices
Governing Private Banking Activities
Prepared by the Federal Reserve Bank of New York
July 1997
This paper presents the observations of examiners of the Federal Reserve Bank of New York regarding sound risk management and internal control practices with respect to private banking activities. Findings are based on a year-long cycle of on-site examinations of the risk management practices of approximately forty institutions in the Second Federal Reserve District that are engaged in the provision of financial services to high net worth individuals, which is commonly referred to as private banking. These examinations represented a cross section of commercial banks, Edge Act corporations, trust companies, and U.S. branches of foreign banks. Our examiners found varying degrees of sophistication and depth in private banking activities. We also recognize that what constitutes sound practice may vary according to the particulars of each organization's business.
The guidance presented in this paper is not a regulation and should not be interpreted as such. The sound practices reflect the type of information banks need to have to satisfy existing legal requirements as well as transactions testing performed by examiners, and the types of controls essential to minimize reputational and legal risk and deter money laundering. The goal of the paper is to ensure that banks are aware of the major issues currently under review by regulatory and legal authorities and to further the dialogue with institutions engaged in private banking.
Heightened supervisory interest in private banking activities primarily reflects market developments. Recently, domestic and foreign banking organizations have been increasing their private banking activities and their reliance on income from this business line. Several large institutions reported plans to increase sharply the net contribution of private banking to their organizations' earnings. Additionally, the target market for private banking -- high net worth individuals -- is growing and becoming more sophisticated and diverse with regard to product and service preferences and risk appetites. As the target market for private banking is growing, so is the level of competition among institutions that provide private banking services. Banking organizations are experiencing competition for private banking clients from non-bank financial institutions, including securities dealers, and asset management and brokerage firms. Accordingly, there are increased pressures on the relationship managers and marketing officers of banking organizations to obtain new clients, increase their assets under management, and contribute a greater percentage to the net income of their organizations.
The reviews underlying this paper focused primarily on assessing each banking institution's ability to recognize and manage the potential reputational and legal risks that may be associated with inadequate knowledge and understanding of the clients' personal and business background, source of wealth and use of their private banking accounts. Also considered were the essential characteristics of an appropriate control infrastructure that is suited to support the effective management of these risks.
To varying degrees, the sound practices identified here either are currently in place or are in the process of being implemented in most institutions, although it is recognized that practices observed in the United States may differ from global practices. The discussion is structured as follows: (I) management oversight, (II) policies and procedures, (III) risk management practices and monitoring systems, and (IV) segregation of duties, compliance and audit.
I Management Oversight of Private Banking
Senior management's active oversight of private banking activities and the creation of an appropriate corporate culture are crucial elements of a sound risk management and control environment. Senior management is responsible for identifying clearly the purpose and objectives of the organization's private banking activities. A statement that describes the target client base, the range of services offered to clients, and the financial objectives and risk tolerances should be approved by senior management and establish accountability for risk management and control functions. Well-developed goals and objectives not only describe the target client base in terms of factors such as minimum net worth, investable assets and the types of products and services sought, but specifically indicate the types of clients the institution will and will not accept, and establish multiple and segregated levels of authorization for new client acceptance. Institutions that follow such sound practices will be better positioned to design and deliver products and services that match their clients' needs, while reducing the likelihood that unsuitable clients will be accepted.
Senior management should be actively involved in strategic planning for the private banking operation. Sound strategic planning should involve not only setting targets such as revenue, assets under management, and the number of new accounts, but also include the establishment of control and risk management goals, such as satisfactory audit and compliance reviews. The most control-conscious institutions have passed these and other specific qualitative goals through to relationship managers. In some cases, they have included these factors in employee compensation schemes, thus promoting accountability and responsibility for risk management and control processes.
The culture that exists within the private banking operation invariably reflects senior management's level of commitment to controls and risk management. A focused, integrated, "top-down" approach to embracing risk management and control concepts will most effectively foster an environment in which managers and staff are knowledgeable and aware of the risks in their portfolio. This approach to private banking activities will help ensure that staff members apply consistent practices, communicate effectively, and assume responsibility and accountability for controls.
Each organization should ensure that its policies and procedures for conducting private banking activities are evaluated and updated regularly, and that there is a clear delineation of roles, responsibilities and accountability for implementing such policies and procedures.
II Policies and Procedures
As a private banking operation frequently functions as a "bank within a bank," there are different policies and procedures needed to govern its activities and operations. This paper focuses primarily on the significance of sound Know Your Customer ("KYC") policies and procedures in managing the reputational and legal risks inherent in private banking activities.
Know Your Customer Policies and Procedures
Nearly all of the institutions examined had written KYC policies and procedures -- most of which captured the spirit of sound KYC guidelines. These institutions have taken a reasonable approach to including essential components of a sound KYC policy in their written policies, such as: obtaining identification and basic background information on the clients, describing the clients' source of wealth and line of business, requesting references, handling referrals and identifying red-flags or suspicious transactions. Policies also should require that the clients' source of wealth and funds be corroborated and include specific guidelines on how to corroborate information provided by the client. Sound policies also define acceptable KYC information for different types of account holders, such as individuals, operating companies, personal investment companies ("PICs"), trusts, clients of financial advisers or other intermediaries, and financial advisers. These policies also should recognize that contact/visitation reports written by private bankers, which document their meetings with clients in their home countries and places of business, are an important component to the KYC process.
Additionally, sound policies require that the type and volume of transactions expected to be passing through the clients' accounts be documented, with actual flows monitored to assist in detecting suspicious or unusual transactions. Accountability for following up on suspicious activities and making such reports as may be required should also be clearly assigned.
Compliance with policies should be expected by senior management as a matter of course; waivers should be the exception, not the rule, and reasons for any exception should be documented. Moreover, all waivers should be handled by authorized personnel -- thus reinforcing senior management's oversight of the risk management process. Clearly, the best written policies and procedures will not work unless they are implemented effectively and modified appropriately to reflect changing industry practices.
Credit Policies and Procedures
Lending to high net worth individuals and their business concerns often takes on unique banking characteristics. The majority of private banking lending is fully secured -- often by cash, securities and other assets held by the private banking function. Thus, the extensions of credit to high net worth individuals on a secured basis should not result in compromising sound underwriting standards. If credit is extended based on collateral, even if the collateral is cash, repayment is not assured. For example, collateral derived from illicit activities may be subject to government forfeiture. Accordingly, when extending secured private banking loans, institutions should be satisfied as to the source and legitimacy of the client's collateral, the borrower's intended use of the proceeds and the source of repayment. Some institutions have appropriately recognized that, when lending to high net worth individuals, whether on a secured or unsecured basis, the creditworthiness determination is bolstered by a thorough and well-structured KYC process.
III Risk Management Practices and Monitoring Systems
Effective risk management practices and systems that carry out the KYC policies are the foundation of a sound risk management process. These practices should be well-integrated within the organization and reassessed on an ongoing basis. Additionally, relevant personnel should recognize their roles in the process, as well as their accountability.
Documentation and Due Diligence
Virtually all institutions perform more due diligence on relationships established currently than on accounts that were opened in the past. They are supplementing basic account-opening information, such as identification through passports and national identity cards and other basic personal and business data, including the client's mailing address, profession, and estimated net worth, with more detailed and substantive information. Sound practice requires institutions to obtain references on their clients from reliable, independent sources, such as other financial institutions, the client's business associates, attorneys or accountants. Independent references that describe the capacity in which the referring party knew the client and the nature of their relationship are important components of the KYC process, and institutions routinely should seek to obtain these references. Furthermore, if internal references from personnel that serve the client from an affiliated office are used, such references should be accompanied by detailed, well-supported documentation.
Institutions employ a wide array of sound practices to corroborate a client's source of wealth and business activities, in addition to obtaining references. For example, some institutions have obtained private credit agency reports on their clients' businesses, including those in foreign countries. Private bankers have also sought out public information on high profile clients in the press, periodicals and through standard database searches. Sound practice also suggests that private bankers obtain financial statements, marketing brochures, and annual reports of clients' businesses as additional corroboration sources.1 Examinations have confirmed that there are relatively easy and unobtrusive ways to corroborate a private banking client's source of wealth, whether that client is from the United States or abroad.
A concerted effort should be made to embrace these due diligence practices with prospective and existing private banking clients to assure that a client's source of funds is legitimate. While most institutions emphasized the significance of documentation and due diligence during the client acceptance process, it is equally important to ensure that client profiles are appropriately updated throughout the relationship with the client.
Most banking institutions maintain and manage accounts for PICs in their U.S. offices; in fact, frequently PICs are established for the client -- the beneficial owner of the PIC -- by one of the institution's affiliated trust companies in an offshore secrecy jurisdiction. The majority of these institutions employ the sound practice of applying the same general KYC standards to PICs as they do to personal private banking accounts -- they identify and profile the beneficial owners. Most institutions had KYC documentation on the beneficial owners of the PICs in their U.S. files.
The beneficial owners of PICs have a legitimate right to protect their financial privacy, and some high net worth private clients may have a special and legitimate need for confidentiality -- because of their public prominence, for example. The needed confidentiality in these cases may be afforded by promulgating special protections as to access to the records revealing the identity of a beneficial owner of a PIC. However, the ability to make proper identification of the beneficial owner remains an important control within the banking organization. First, without this control, the banking organization cannot satisfy its compliance obligations with respect to legal process served on the banking organization, which might reach property owned or controlled by a particular beneficial owner, including the PIC itself. If the banking organization has structured its records in a way that makes it impossible to comply with such process, this could cause the organization serious compliance problems. Second, the lack of transparency may be an impediment to the banking organization's understanding of its overall relationship with a particular beneficial owner; and the existence of accounts for one or more PICs could confuse the organization about the nature and depth of the overall relationship if the identity of the beneficial owner is masked within management information systems. Finally, there is no legal impediment to maintaining appropriate records. The law in the foreign jurisdiction where the PIC is organized ordinarily should present no obstacle to recording the beneficial owner in a record that the banking organization maintains with respect to a PIC account in the United States.
KYC standards for the beneficial owners of PICs (and similarly for those of offshore trusts and foundations) should be no different from those of other personal private banking accounts. Further, institutions maintaining such accounts in the United States should be able to make available, within a reasonable period of time, the identities and full KYC profiles of the beneficial owners when requested by supervisors performing test-checks of their KYC programs.2
Use of "Omnibus" and "Concentration" Accounts
Sound practice calls for each private banking client to have its own account(s) at the bank, through which all of the client's transactions are directed. Private banking operations should have the policies and controls in place to confirm that a client's funds flow into and out of the client's account(s), and not through any other account, such as the organization's suspense, omnibus or concentration accounts. Generally, it is inadvisable from a risk management and control perspective for institutions to allow their clients to direct transactions through the organization's suspense account(s). Such practices effectively prevent association of the clients' names and account numbers with specific account activity, could easily mask unusual transactions and flows, the monitoring of which is essential to sound risk management in private banking, and could easily be abused.
Management Information Systems
The management information systems ("MIS") associated with private banking activities were reviewed with a focus on the utility, thoroughness, timeliness and accuracy of data reported to management and responsible individuals. While the size and complexity of the private banking operation at each organization will affect the resources devoted to MIS, private banking operations should make effective use of current technology to support their risk management framework. The level of MIS support given to private banking frequently was weaker than the support given to other areas of the same banking organization. In such cases, institutions should develop specific plans to change or upgrade their MIS.
MIS should be migrating towards providing management with timely information necessary to analyze and manage effectively the private banking business. The types of reports that may meet this objective are those that reflect each client's holdings, including those held through PICs and any affiliated accounts; any missing account opening documentation; transactions made through a client's accounts that are unusual; and the private banking function's profitability. Institutions that manage private banking activities on a decentralized, functional basis may face challenges in uneven implementation of policies and procedures and in aggregating a client's total relationship with the institution, as the client's account balances might be recorded on disparate systems. Institutions with integrated management of private banking activities have more success in capturing and reporting a client's complete relationship. Management's ability to measure and analyze each client's complete relationship with the organization is a key element for sound risk management, and MIS should support that objective.
MIS should be capable of monitoring accounts for unusual and potentially suspicious activities. Many institutions are developing or enhancing systems which will identify transactions that warrant explanation and evaluation because of their size, volume, pattern, source or destination. Systems that identify individual transactions on an exception basis, for example those that are above established thresholds in dollar amount and volume, are more appropriate in the detection of aberrations in transactional behavior than systems that only recognize net balance changes. There is a wide array of thresholds used to initiate exception reports -- some institutions use a dollar minimum for each transaction, regardless of the type of client or activity, while others segregate their client base and establish different dollar/volume thresholds for transactions pertaining to each client grouping or to each individual client account. Each institution should implement exception reporting that makes sense and provides appropriate information within the context of its particular business. It should recognize that the systems and reports are valuable only if there are individuals who are responsible for receiving, analyzing and acting on the information generated.
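An added example, not part of the Federal Reserve paper: a minimal sketch of the contrast drawn above between transaction-level exception reporting and monitoring that only recognizes net balance changes. The account numbers, segment names, thresholds and transactions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str
    segment: str   # client grouping used to select thresholds
    day: int
    amount: int    # signed: positive = inflow, negative = outflow


# Hypothetical thresholds per client grouping (dollar amount per transaction,
# transaction count per review period). Real values are set by each institution.
SEGMENT_THRESHOLDS = {
    "standard": {"dollar": 100_000, "count": 10},
    "operating_company": {"dollar": 500_000, "count": 40},
}
# Hypothetical per-account override, for institutions that set thresholds
# for an individual client account rather than for a grouping.
ACCOUNT_OVERRIDES = {"PB-004": {"dollar": 50_000, "count": 5}}


def limits_for(account, segment):
    """Account-level thresholds take precedence over the segment defaults."""
    return ACCOUNT_OVERRIDES.get(account, SEGMENT_THRESHOLDS[segment])


def net_balance_alerts(txns, net_threshold):
    """Baseline: flag accounts whose net balance change meets the threshold."""
    net = defaultdict(int)
    for t in txns:
        net[t.account] += t.amount
    return sorted(a for a, change in net.items() if abs(change) >= net_threshold)


def exception_report(txns):
    """Flag individual transactions over the dollar threshold and accounts
    whose transaction count exceeds the volume threshold."""
    exceptions, counts, segments = [], defaultdict(int), {}
    for t in txns:
        counts[t.account] += 1
        segments[t.account] = t.segment
        if abs(t.amount) >= limits_for(t.account, t.segment)["dollar"]:
            exceptions.append((t.account, "dollar", t.day, t.amount))
    for account, n in sorted(counts.items()):
        if n > limits_for(account, segments[account])["count"]:
            exceptions.append((account, "volume", None, n))
    return exceptions


# Constructed sample activity for one review period.
SAMPLE = [
    # Large inflow and near-equal outflow: net change is only 5,000.
    Txn("PB-001", "standard", 1, 900_000),
    Txn("PB-001", "standard", 3, -895_000),
    # Moderate flows within the operating-company thresholds; net +330,000.
    Txn("PB-002", "operating_company", 1, 300_000),
    Txn("PB-002", "operating_company", 2, -120_000),
    Txn("PB-002", "operating_company", 5, 150_000),
    # Single transaction above this account's own lower threshold.
    Txn("PB-004", "standard", 2, 60_000),
]
# Twelve small offsetting transactions: net change is zero, volume is high.
for day in range(1, 7):
    SAMPLE.append(Txn("PB-003", "standard", day, 9_000))
    SAMPLE.append(Txn("PB-003", "standard", day, -9_000))


if __name__ == "__main__":
    print("Net-balance alerts:", net_balance_alerts(SAMPLE, 250_000))
    for row in exception_report(SAMPLE):
        print("Exception:", row)
```

On this sample the net-balance check reports only PB-002, while the exception report surfaces PB-001, PB-003 and PB-004, each of which still needs an individual responsible for reviewing it.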
Reporting Suspicious Activity
Procedures established to investigate and, if necessary, report suspicious private banking activity also were reviewed. If legal, reputational, and other risks are to be controlled, there must be a heightened focus on preventing and detecting money laundering and other unlawful activity. Financial institutions clearly have a key responsibility in that process. The Federal Reserve's Suspicious Activity Reporting regulations, which became effective April 1, 1996, and are similar to regulations issued by the OCC, FDIC, OTS, NCUA and the Treasury, impose a duty to file a Suspicious Activity Report ("SAR") for any transaction that:
"has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the institution knows of no reasonable explanation for the transaction after examining the available facts including the background and possible purpose of the transaction."
Some institutions with global private banking activities have recognized the advantages in applying their suspicious activity monitoring procedures globally, as they will be better equipped to detect and analyze patterns and trends of suspicious transactions within their organizations. Private banking senior management should ensure that sound practices are being followed throughout their organization. Management should ensure there is a proactive approach and well-established procedures covering the SAR process and that accountability exists within their organization for the analysis and follow-up of internally identified suspicious activity, for the decision-making process as to whether or not to file a SAR, and for maintaining or closing an account. Because there is a legal requirement to report suspicious transactions, it is essential for banking organizations to maintain internal programs that ensure compliance.
IV Segregation of Duties, Compliance and Audit
Ensuring effective implementation of established policies and procedures is a significant challenge to many private banking operations. Institutions that evidence ongoing progress towards conformity with stated policies and procedures are those that recognize the importance of segregation of duties and provide adequate attention, direction and support to the individuals responsible for compliance and internal audit.
Segregation of Duties
Adequate segregation of duties in the KYC process is of critical importance. Institutions should not rely exclusively on any individual relationship manager or immediate supervisor to, for example, waive documentation required to open an account, approve the client profile, authorize a new client relationship, fully identify (or "know") the client, and monitor client accounts for unusual transactions. The more control-conscious institutions ensure that an independent unit -- such as compliance, risk management or senior management -- also has responsibility for these functions. Some institutions have segregated KYC duties in a KYC committee comprised of relationship managers, compliance, and senior management to determine, prior to the acceptance of any new client, if the potential client's profile meets the institution's KYC standards. Many institutions have also introduced the concept of "back-up relationship managers" or "client teams" to minimize the risk of a single relationship manager having exclusive knowledge and control over individual relationships.
Segregation of duties clearly facilitates the private banking operation's compliance with policies and procedures and, consequently, minimizes reputational and legal risk. Institutions that have not already established independent control over the above-mentioned activities are urged to introduce such measures as soon as possible.
Compliance
Compliance functions are most effective if they are proactive in ensuring the integrity of the control infrastructure of the private banking operation, as opposed to being reactive to specific, isolated events. They should ensure that policies and procedures are being followed by conducting frequent ad hoc reviews and tests that measure how different groups within the private banking function are complying with the policies and procedures. Some institutions assign to compliance the responsibility for reviewing all prospective client profiles to determine if the relationship managers have satisfied the institutions' profiling requirements, obtained necessary documentation and taken appropriate action where problems arise. Compliance functions should also be in a position to recognize promptly any client activity that may be unusual, to question relationship managers about the nature of potentially suspicious activities, and to follow through on their inquiries and suspicions. Compliance functions work effectively only when they have senior management commitment and sufficient resources to accomplish their mission.
In creating a culture that follows best practices of risk management and internal control, institutions should conduct frequent training of personnel that is reinforced at regular intervals, particularly in providing the "how to" of client profiling, conducting due diligence, preparing customer call reports and detecting and responding to unusual activities. In some cases, KYC training has been incorporated into the overall marketing and sales training programs. This serves to integrate the concepts of knowing the client's personal and business background, and source and legitimacy of wealth with those relating to the selling of appropriate products and services that meet the client's needs and interests. The majority of institutions provide training on money laundering and documentation requirements for their compliance staff. Institutions also should incorporate this training into programs conducted for their relationship managers.
Internal Audit
Comprehensive private banking audit programs are based on risk ratings that apply an appropriate weighting to the major risks of the business, such as reputational and legal risk, and audits that are conducted with sufficient frequency and involve adequate transaction testing to determine the effectiveness of the internal control environment. KYC testing, for example, should be a critical element.
As internal audit plays a crucial role in independently evaluating the risk management and controls, management should ensure that audit functions are staffed adequately with individuals who are well-versed in private banking. In addition, auditors should be proactive in following up on their findings and criticisms.
Conclusion
The purpose of this paper is to provide sound practice guidance to institutions that are engaged in private banking, while at the same time contributing to the ongoing national and international discussion of the difficult challenges of implementing effective Know Your Customer policies and procedures. Banks face a major responsibility with their affirmative legal obligation to prevent money laundering. This is particularly true in light of the general expectation that private banking will grow significantly in size, complexity and diversity over the next several years, with the result that business practices, policies and procedures will need to be reviewed and revised to ensure effective risk management. We look forward to continuing our dialogue with banks engaged in private banking.
Footnotes
1. Note that dealings with certain types of entities -- pension funds or public entities such as municipalities -- require additional procedures. When dealing with a pension fund certain disclosure requirements of ERISA may apply, and a knowledge of relevant statutes or regulations may be required when dealing with public entities.
2. Similarly, KYC standards should be no different than those applicable to private banking accounts when the institution deals with a financial adviser or other type of intermediary acting on behalf of a client. In order to perform its KYC responsibilities, the institution should identify the beneficial owner of the account (usually the intermediary's client, but, in rare cases, the intermediary itself) and perform its KYC analysis with respect to the beneficial owner. The imposition of an intermediary between the institution and the counter party should not lessen the private bank's KYC responsibilities.