Policy-Manual Time Bombs
If you are working in a financial institution, you will have at least one policy manual on Due Diligence (DD) and Know Your Client (KYC). These manuals have probably been assembled in a perfectly perfunctory manner, recognizing the laws and regulations current at the time. If you are a securities broker-dealer, DD and KYC manuals are required, and they must address specific topics, such as client credentials and AML law to thwart criminals and terrorists. In our role we have had the opportunity to read many, many manuals addressing DD and KYC. My favorite quote (instruction?) from one manual was “…and to supplement our policies on terrorism, any terrorist that walks through our office doors will be shot dead on the spot!” The NASD took a dim view of this policy ‐‐ but the B/D insisted it remain. To this day, it remains the strongest policy on terrorism we have ever seen.
Most DD procedures are the result of combined efforts to address the legal and regulatory issues in an effort to standardize the approach across a large organization. In theory, policies are meant to raise the standards of DD and KYC to a “best practice” level.
So where are the policy bombs, and how are they fused and detonated?
As policies are created out of a need to address regulatory requirements and law, a manual only represents a snapshot in time ‐‐ the time it was created.
For example …
The original author of a manual drafted in 2000 addressed the rules and threats of the day, and no doubt it was an exemplary manual. In 2002 regulations were substantially changed ‐‐ requiring more information to be gathered, shared, and retained. In 2004 the company using this manual merged with a new firm. In 2006 the office changed locations ‐‐ not far, but to a different county. In 2007 the parent company was bought out by a private equity firm, reincorporated in a new state, and had a substantial reduction in staff. In 2008 the office added insurance and estate planning professionals. In 2009 the office manager is confronted with a warrant and with law enforcement officers gathering records. It is suspected that one of their clients has been running a financial fraud, and has been laundering money through their accounts. The good news is that the firm has not been charged criminally ‐‐ but was fined by regulators. The bad news is that the victims of the fraud view the firm as the deep pocket that can make them whole ‐‐ since the firm was a part of the scheme. It’s known as scheme liability.
The victims are not accusing the firm of being a malfeasor, but of being a misfeasor. They will attempt to ascribe liability to the firm for failing to follow the policies and procedures in their manual.
Maybe the original author did a great job. Problems began when the manual was revised by Mary ‐‐ who left the project to Don when she left the firm. Don made his changes, and gave the project to Eric, who began to automate some of the processes. Angelina, CFE and CAMS certified, took over when Don was made redundant. Angelina took the process in a new direction. Is that five or six versions of the manual?
In the end, what DD/KYC procedures were used when the fraudster’s account was opened probably doesn’t matter. What matters is whether the branch deviated from the manual and its own policy. Deviation from policy is what opens the door for liability. This deviation may also allow an insurance company to deny coverage for attorneys’ fees and any awards given to the victims. The policies and procedures it approved and agreed to insure were not the ones followed by the firm.
The solution is simple (but boring). Keep a pedigree of every version of the manual, including a record of the drafting efforts, dates, participants, and content. Append this material to the current version, and date the version on every page. Review and revise manuals as needed in response to regulations, court rulings, changes in the business, changes in jurisdiction, changes in suppliers, or any other change that should affect policies. This must be done no less than annually. If you have a meeting, and the result of that meeting is that there are no changes – document that meeting and add it to the record. Send copies of your most recent version to both regulators and your insurance company ‐‐ and invite comments. It’s difficult for regulators to issue fines and insurers to deny claims when they have been included in the process.