Op-Ed: Compliance is not checking boxes

By Derek Smith Jr

I recently had the opportunity to sit and discuss the evolving roles of both the compliance officer (CO) and the money laundering reporting officer (MLRO) with a group of second-year law students from the Eugene Dupuch Law School. During this cross-examination-like exercise, the group ventured to ascertain my position on whether all customer due diligence documentation should be requested from every client during the onboarding process, considering the process is so diverse and requires a detailed level of understanding. I strongly submitted no. I further said the process should be used to ascertain facts about a potential customer that would help an organization identify potential risks and determine if those risks are within the organization’s risk appetite and how to monitor the potential client, among other pressing factors.

It is important to note that best practice does not always align with laws, regulations and guidance around the world. However, the organization that provides global best practice standards is the Financial Action Task Force (FATF). They have produced 40 recommendations and have subsequently updated them over the years to adapt to the changing environment. There is an expectation among compliance and anti-money laundering experts that the FATF’s approach and methodologies may be updated within 2021.

The recommendation that applies to customer due diligence is recommendation number 10 and it notes: “Financial institutions should be required to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. Countries may permit financial institutions to complete the verification as soon as reasonably practicable following the establishment of the relationship, where the money laundering and terrorist financing risks are effectively managed and where this is essential not to interrupt the normal conduct of business.”

Locally, paragraphs 37 through 121 of the Central Bank of The Bahamas’ AML/CFT guidelines provide guidance to their supervised financial institutions (SFI) and reference key legislation. Designated non-financial businesses and professions (DNFBP), such as law firms that are supervised by the Compliance Commission of The Bahamas, also have updated guidance based on the risk-based approach (RBA) regarding customer due diligence.

It is against this backdrop and for good governance that I would suggest you ask yourself: “How strong is our institution’s customer identification program (CIP)?” Failure to implement a robust framework could result in costly fines and unsettling findings by auditors and regulators alike. Here are two tips:


Know your regulatory landscape and your internal landscape

When last has your institution completed a gap analysis between your current policies and procedures and the current regulatory landscape? If you are a C-suite member, compliance or risk professional and paused before answering this question, I am afraid it has either been too long or the process is not as robust and consistent as it needs to be. The art of regulatory compliance (which I will address in a standalone article) is quickly becoming an exciting area that involves a myriad of steps to prevent or mitigate potential risks to the institution. Being aware of the parameters of your regulatory and internal environment would greatly assist your CIP. It also lowers the potential of irritating potential customers with irrelevant requests based on the type of service being requested.


Pay attention to your risk variables

The FATF notes: “When assessing the money laundering and terrorist financing risks relating to types of customers, countries or geographic areas, and particular products, services, transactions or delivery channels risk, a financial institution should take into account risk variables relating to those risk categories. These variables, either singly or in combination, may increase or decrease the potential risk posed, thus impacting the appropriate level of CDD measures.” These risks appear in the form of the purpose of an account or relationship, source of wealth and source of funds, domicile of the client, the nature of the business relations and/or industry of employment, politically exposed position, potential negative media, among other risks. Your entity’s corporate and individual risk assessment tool(s) must have at minimum the above triggers that would assist with risk rating a client.



My external audit and internal audit journey, along with traveling to conferences and interacting with regional and international risk and compliance professionals, has highlighted that a “one-size-fits-all approach” in regard to an institution’s approach to client onboarding and monitoring is an equation for disaster and unwanted inefficiencies.

Derek Smith Jr is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.