Digital channels and technology have made it easier than ever for criminals to enter a bank — developments that have implications for institutions interested in stopping fraud and money laundering.
“Every American’s identity — at least the core elements of it: name, date of birth and social security number — [is] available for purchase on the dark web,” said Tommy Nicholas, cofounder of identity risk solution Alloy, which helps firms with customer due diligence, during a recent episode of Bank Director’s Reinventing Banking podcast. “[F]ree yourself of the idea that knowing information about an individual is a way to authenticate them. It isn’t.”
Customer identification programs and customer due diligence programs, often shortened to CIP and CDD, help a bank understand the nature and purpose of its customers’ relationships and inform each customer’s risk profile. Bank Director analyzed more than a dozen formal enforcement actions from 2023 and 2024 that focused on technology issues or identified issues at banks with complex financial technology partnerships, and found that CIP/CDD programs were a major focus of at least seven of those actions.
[This article is the third in a series about consent orders; you can read about Bank Secrecy Act and money laundering compliance here and third-party relationships here.]
CIP occurs at account origination, while CDD covers the customer’s lifecycle at the bank. The effectiveness of a customer identification program can be undermined by fraudsters who use stolen information and generative artificial intelligence to correctly answer knowledge-based authentication questions, create legitimate-looking driver’s licenses or pass a liveness check with a manipulated selfie. Although the enforcement actions didn’t specifically address AI-generated hacks, these newer threats and the ongoing issues at banks underline why it’s so important to have strong CDD programs that monitor these accounts’ transactional and payment activities, establish a baseline of expected, normal behavior and flag activity that departs from it as suspicious.
“Maybe the [bank’s] front door is not as strong; therefore, you have to make sure that the back door is strong,” says Soups Ranjan, the cofounder and CEO of fraud and compliance platform Sardine. “CIP is a one-time thing, but CDD is continuous.”
The ease of digital banking and payments, coupled with the sophistication of fraudsters, means all banks should be concerned about the effectiveness of their CIP/CDD programs, says Matt Michaud, global head of financial crimes compliance at LexisNexis Risk Solutions.
“I think having a central, single view of your customer is really important,” Michaud says, pointing out that a customer relationship may span retail and commercial accounts and products like mortgage and wealth management. After that, banks should attempt to identify who their customers’ counterparties are. “Having good visibility and understanding into those counterparties — where the money is coming to the customer from and vice versa, where they’re sending it” is also critical to understanding suspicious activity.
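The continuous monitoring described above (a per-customer baseline of normal activity, plus visibility into who the customer pays and is paid by) can be sketched in code. The following Python is an added illustration written for this page; it is not code from Bank Director, Sardine, LexisNexis or any bank, and every customer, counterparty and amount in it is constructed for the example. It builds a baseline from a customer’s transaction history and then flags later transactions that involve an unseen counterparty or an amount far outside the customer’s usual range.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    """One payment, as a bank's transaction monitoring system might record it."""
    customer: str      # internal customer id (constructed)
    counterparty: str  # who the money went to / came from (constructed)
    amount: float
    day: int


# Constructed history for one hypothetical customer: a steady payroll credit
# and small recurring grocery debits over six days.
HISTORY = (
    [Txn("cust-A", "payroll-co", 2500.0, d) for d in range(1, 7)]
    + [Txn("cust-A", "grocer", 120.0 + 5 * d, d) for d in range(1, 7)]
)


def build_baseline(history):
    """Per-customer baseline: the set of known counterparties and the
    mean/standard deviation of historical amounts."""
    amounts = defaultdict(list)
    parties = defaultdict(set)
    for t in history:
        amounts[t.customer].append(t.amount)
        parties[t.customer].add(t.counterparty)
    return {
        cust: {
            "mean": mean(vals),
            "stdev": pstdev(vals),
            "counterparties": parties[cust],
        }
        for cust, vals in amounts.items()
    }


def score_transaction(baseline, txn, z_threshold=3.0):
    """Return the list of reasons a transaction deviates from its customer's
    baseline; an empty list means it looks like normal activity."""
    profile = baseline.get(txn.customer)
    if profile is None:
        # No history at all: CIP has happened but CDD has nothing to compare
        # against yet, so the transaction needs a human look regardless.
        return ["no_baseline"]
    reasons = []
    if txn.counterparty not in profile["counterparties"]:
        reasons.append("new_counterparty")
    # A z-score only makes sense when the customer's amounts actually vary;
    # a customer whose history is a single constant amount is skipped here.
    if profile["stdev"] > 0:
        z = (txn.amount - profile["mean"]) / profile["stdev"]
        if abs(z) > z_threshold:
            reasons.append("amount_outlier")
    return reasons


def review_transactions(history, new_txns, z_threshold=3.0):
    """Build the baseline once, then return (txn, reasons) for every new
    transaction that raised at least one reason."""
    baseline = build_baseline(history)
    alerts = []
    for t in new_txns:
        reasons = score_transaction(baseline, t, z_threshold)
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    # Constructed day-8 activity: one routine debit, one large payment to a
    # never-seen counterparty, and one transaction from a customer with no history.
    new = [
        Txn("cust-A", "grocer", 140.0, 8),
        Txn("cust-A", "unknown-exchange", 50000.0, 8),
        Txn("cust-B", "grocer", 10.0, 8),
    ]
    for txn, reasons in review_transactions(HISTORY, new):
        print(txn.customer, txn.counterparty, txn.amount, reasons)
```

A production CDD program would segment the baseline far more finely (by payment rail, direction and counterparty, with velocity and geography alongside amount) and would feed alerts into a case-management queue rather than printing them, but the shape is the same: CIP establishes who the customer claims to be once, and this kind of baseline comparison is what keeps checking whether the account keeps behaving like that customer.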
Identity-related suspicious activity is a “cybercrime concern” for the Financial Crimes Enforcement Network, or FinCEN, according to a January report analyzing identity themes in 3.8 million suspicious activity reports, or SARs, filed in 2021. The report identified three ways that criminals use identity information to facilitate their attacks: impersonate others, circumvent authentication attempts and compromise credentials.
Impersonation typically entails providing identifying information that doesn’t belong to the individual, often at account opening. FinCEN defines circumvention as an attempt to avoid verification steps, whether by intentionally targeting institutions with lax standards, refusing to provide requested information or leveraging legitimate credentials that act as a straw man or decoy. Finally, compromise refers to attackers’ efforts to target victims’ credentials or funds through account takeovers, phishing attempts, data breaches and ransomware.
Banks can use new and emerging technology to strengthen and augment their CIP/CDD programs and assist employees with compliance. FinCEN referenced tools like digital identity, artificial intelligence and privacy-enhancing technology that could “help mitigate customer identity process exploitations and combat a wide variety of illicit finance” techniques. AI may be particularly useful in assisting employees with their analysis by aggregating data and documents, calculating risk assessments or identifying AI-enabled identity impersonation or other attack attempts. In other words, AI could combat AI.
Changes could be in store for customer due diligence rules and tools, according to February testimony from FinCEN Director Andrea Gacki. She said FinCEN will revise the customer due diligence rule, which came out in 2016 and required banks to collect information on the beneficial owners of corporate entities that have accounts at their institutions, so that it conforms with the 2021 Corporate Transparency Act. The updated CDD rule will outline FinCEN’s expectations for banks now that the agency operates a beneficial ownership information, or BOI, database. FinCEN expects to issue a notice of proposed rulemaking in the coming months, she said.
Since the start of 2024, U.S. companies have been required to submit BOI directly to FinCEN’s database; as of her testimony, FinCEN had received more than 430,000 reports from companies. FinCEN is working out how to permission access to the database for stakeholders such as financial institutions. Gacki said banks will be able to access the database with customer consent to facilitate their CDD requirements, and regulators will be able to access it for supervisory purposes.
Bank Enforcement Actions That Target CIP/CDD Required the Following Actions:
• The customer identification program should ensure the bank can comply with its obligations under the Bank Secrecy Act and applicable anti-money laundering laws. It should include risk profiles the bank has developed that identify specific risk indicators for individuals or categories of customers, as well as the bank’s protocol for how it will monitor higher-risk customers and their transactions.
• A CIP should collect and verify customers’ information, regardless of whether they are onboarded directly by the institution or through a third-party relationship. It should include written procedures and processes for identifying and verifying beneficial ownership information of legal entity customers such as businesses.
• A customer due diligence program should include risk-based policies, procedures and processes for conducting consistent due diligence on new and existing customers and monitoring for updates. The programs should also include ongoing monitoring to identify and report suspicious transactions.
• The CDD program should also outline management and bank staff’s responsibilities for ongoing due diligence, including who has the authority and responsibility for decisions to open higher-risk accounts or change a customer’s risk profile. Robust programs should include what to do for accounts where the institution doesn’t believe it knows the customer’s true identity or fails to receive the required information.