How to Mitigate Risks in Layered Relationships
Best practices can provide a safe and sound approach for banking clients that offer financial services to downstream consumers/users.
Financial institutions offer services to companies that also provide downstream services to businesses, and those businesses offer services to their consumers/users. These types of relationships are often referred to as “layered relationships,” and financial institutions may struggle with how to implement an effective know-your-customer (KYC) and know-your-customer’s-customer program. Layered relationships are inherently higher risk based on the difficulty of understanding the downstream relationships and the unknown risks that may exist between all parties in the chain of transactions.
Below are best business practices for financial institutions to effectively perform KYC and monitor it throughout the duration of the relationship. While the layered relationship may not be a money service business, it is still important to know all downstream parties involved, as financial institutions can’t control what they don’t know.
Below are leading practices that provide a safe and sound approach for banking clients that offer financial services to downstream consumers/users.
- Obtain and Document Downstream Agreements Between Relationships – All parties in the relationship, including the user of services, should have an agreement in place that links each party contractually to a set of operational and legal obligations. Financial institutions should ensure they have strong KYC procedures that clearly document the downstream relationships, and they should understand how each party is connected through agreement. Not knowing the downstream relationships increases the financial institution’s risk that an unknown party, parties, or clients lack the ability to comply with regulatory requirements or, in some cases, are conducting illegal activity.
- Document and Understand the Flow of Funds – Financial institutions offering services to a layered relationship should understand the flow of funds, documenting all payment channels and systems used in the chain as well as participant responsibilities and services offered. The flow of funds should be clearly documented and shared with all applicable areas in the bank. Be prepared to discuss this flow of funds with your auditors and examiners. Failing to understand the flow of funds calls into question whether the financial institution understands its risks, and it can impact your regulatory exam and potentially be reputationally damaging.
- Verify Downstream Internal Controls and Independent Audits – It is important that financial institutions validate downstream internal controls by requesting policies, procedures, and independent audits and reviews. This validation control is a third line of defense control that ensures all parties in the relationships are following effective KYC procedures. It is important that any noted deficiencies are resolved in a timely manner. Financial institutions often require the client to document a detailed remediation plan that includes clear milestones and evidence that any remediation plans are implemented on time and completed.
- Perform High-Risk Review – As layered relationships are inherently higher risk, it is important that the financial institution treat this relationship as high risk and perform a periodic review using a risk-based approach. Financial institutions can set the frequency of periodic reviews based on the risks presented by the client.
- Structured Exception Item Procedures and Reviews – Exception items that result from outgoing ACH, check deposits, mobile deposits, remote deposits, and other payments give financial institutions an opportunity to research and determine whether they are errors or represent a more concerning pattern such as fraud. Financial institutions banking layered relationships should not normalize exceptions but should review each type of exception received. Not paying attention to daily transactional activity may result in financial and reputational damage. Financial institutions should implement clearly documented procedures that not only handle exceptions but also include an escalation point for recurring exception items that may represent a pattern of fraud and/or money laundering.
- Board Reporting – It is recommended to report any high-risk customers that may fall outside of the risk tolerance of the financial institution. This approach allows the board of directors to have visibility into the extent of risks the financial institution is taking on, and as the oversight arm of the Bank Secrecy Act (BSA) program, the board should ensure that the financial institution has the subject matter expertise, agreements, and technology available to appropriately manage the risks associated with this type of client.
- System Optimization – As part of an effective fraud and BSA program, it is important to ensure your fraud and AML systems are appropriately optimized to effectively monitor layered relationships. Financial institutions should ensure their systems are optimized with the right scenarios to effectively alert for fraud and suspicious activity.