Reasonable measures aren’t. -part 1

Practitioners constantly ponder the implications of what is deemed “reasonable”, as the term is generally transposed with “risk-based”. These almost ubiquitous and purposefully placed words have significant consequences if left unconsidered.


The AML practitioner will encounter situations where a solution is not readily apparent. Policies and procedures (PnPs) will not have specifically dealt with these instances. It is also illogical to assume that a PnP will have been prepared with foresight of every eventuality.

Risk assessment is not perfect foresight; it is a profiling, estimation, and mitigation handbook of solutions to problems that the practitioner’s firm has understood to be most likely given past events and the firm’s judgment of the future. It is not meant to explicitly address the extreme outlier. Such an exercise would be a misuse of resources. However, the exercise of good judgment, grounded in sound PnPs, can assist the AML practitioner in addressing every potential situation.

The guidance

“reasonable measures to obtain”

“reasonable measures to ascertain”

“reasonable measures to confirm”

“reasonable measures to establish”

“reasonable measures are designed to detect and deter”

“to be reasonable, the measures used must achieve the prescribed outcome.”

The core meanings of these instructions are as different as the situations in which they are required. Words are read and understood in context. The practitioner must first isolate the environment in which she is able to clearly identify the specific situation or request in which any of these instructions is required.

There are 3 such overarching situations: a) onset due diligence, b) offset diligence, and c) streaming–monitoring.

For this discussion, only onset DD will be handled. The other situations and the impact of the reasonable will be discussed later.

“reasonable measures to obtain”


Consider an instruction for onset DD where guidance suggests taking “reasonable measures to obtain” a piece of identification not present in prescribed guidance. The practitioner can dispense with the obvious: not making even a bare attempt to obtain it is unacceptable.

Subsequent compliance with this instruction takes the form of variations of the following:

  • If the firm’s user journey for data collection is through an online form, then requesting that information through outbound communication, and receiving it, may satisfy the instruction.
  • Through face-to-face interaction and a request.
  • Through a subsequent face-to-face meeting request (after an initial remote query).
  • A query by another channel may satisfy.

Where none of these alternatives obtains the missing data, the practitioner will find herself at a fork: onboard or derisk.

Firms will generally be of the view that derisking at onset is net suboptimal to incomplete onboarding. However, onboarding with concomitant measures diminishes the exposure risk to the firm. Such measures may include limiting transaction sizes, capping volume velocity, or product feature reduction.

The practitioner will notice that the effort to set these limits and integrate them into ongoing monitoring, on balance, will yield a negative margin for the firm on that account. Some firms — perhaps with a goal focused on user growth and not revenue — will adopt this practice. A firm that is primarily revenue-driven might choose this path as well if it foresees a roadmap where this customer acquisition can yield profits.

Conversely, if activity-limiting actions are not in the firm’s procedures, obtaining the missing datum may include seeking third-party neutral confirmations from employment, background history, or even past financial records. “[t]o be reasonable, the measures used must achieve the prescribed outcome.”

“reasonable measures to ascertain”; “reasonable measures to confirm”; “reasonable measures to establish”


In the online firm scenario, if the practitioner uses an automated knowledge-based authentication (“out-of-wallet” tool) to confirm identity, it is conceivable that a reasonable measure was taken. On the other hand, automated and credit agency-sourced primary or secondary resellers are not immune to data gaps. If a firm is catering to a customer composition born after 1985, a significant rate of false positives of no information may emerge. This rate will be even higher for under-25-year-olds. Generally, this customer cohort has not embarked on a credit acquiring or usage practice (for any number of economic or social reasons). As such, data from these sources may yield a result that does not ascertain, confirm, or establish what is required.

From this, we arrive at social networks. Social networks are enriched with data useful to the practitioner. Therefore, the practitioner can take steps — whether manual or automated — to harvest the information. She must then clean up the retrieved data, separate the required data from data that is not useful, and dispose of the rest securely and transparently if she is considering the onset DD.

“reasonable measures are designed to detect and deter”; “to be reasonable, the measures used must achieve the prescribed outcome”


This social network harvest, online or offline, can be useful during streaming and monitoring, too. It involves measuring data points that are apparent; highest interactions; highest spending habits; and general tendencies. Analyzing this requires the practitioner to take an overarching view of public social network data and digest it into her action schematic and decision-making process.

There is a strong aversion to having the practitioner carry out this measure, as it is beyond her skills or mandate. However, this is an argument for raising the AML bar and imbuing AML practitioners with more judgment than perhaps is emphasized in the current environment. Furthermore, as the data is public, a practitioner’s failure to use it may be evidence to law enforcement or regulators that she did not take “reasonable” measures.

Required reasonable measures aren’t reasonable and measurable.