Wolfsberg publishes new best practice guidance on requests for information

  • United Kingdom
  • Financial services disputes and investigations

07-09-2022

Introduction

On 23 August 2022, the Wolfsberg Group published a guidance paper on Requests for Information (RFIs) as used in the anti-money laundering (AML) transaction monitoring process (the Wolfsberg RFI Guidance or Guidance). A copy of the Guidance can be found here.

In this article from our Global Corporate Crime & Investigations (CC&I) team, John Siu, Sarah Paul, Ruth Paley and Kim Jones consider the key takeaways and discuss how Firms can use this latest publication to improve internal AML systems and controls.

Background

The Wolfsberg Group is a non-governmental association of thirteen global banks. It develops frameworks and guidance for the management of financial crime risks, including industry standards for AML and Combatting Terrorist Financing (CTF) policies, controls and procedures.

The members of the Wolfsberg Group are Banco Santander, Bank of America, Bank of Tokyo-Mitsubishi UFJ, Barclays, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, HSBC, JP Morgan Chase, Société Générale, Standard Chartered Bank and UBS.

The Guidance is the latest in a series of publications from the Wolfsberg Group and aims to:

  • improve the awareness of the value that RFIs (or enquiries) provide in correspondent banking relationships;
  • present best practice guidance for both issuing Institutions (i.e., banks that issue RFIs) and Respondent Institutions (i.e., banks that receive them);
  • improve the overall effectiveness of the RFI process; and
  • add to Financial Institutions’ (FIs) understanding of how RFIs should be handled, what types of questions are being asked, the purpose of the questions, the role of RFIs in mitigating financial crime risks, and the benefits of effective RFIs and responses.

While the Guidance deals with correspondent banking, it applies to other payments-based relationships too.

What is an RFI?

An RFI is used when a Correspondent Bank (or any other provider of payment services) is seeking to understand the background of a transaction that has been processed through an account or relationship in its books. It is directed at the customer entity that sent the payment instruction to the Correspondent. This is seen in correspondent banking and other payment relationships where a bank is acting as an intermediary.

The RFI process is a critical part of the feedback loop between Correspondent and Respondent. It is more than simply a process whereby information is conveyed about particular transactions. Used to its fullest potential, it is a vital source of information that allows the Correspondent to see how the Respondent’s AML/KYC programme works in practice.

When do Banks issue an RFI?

As explained in the Guidance, the key reasons for Correspondent Banks to issue an RFI include (but are not limited to):

  • Transaction monitoring AML or CTF concerns;
  • Financial Intelligence Unit (FIU) review projects;
  • Internal escalation/unusual activity referrals;
  • Account activity reviews;
  • Other financial crime risk factors of concern.

Overview of the Guidance

The Guidance provides helpful recommendations to both Correspondent Banks and Respondent Banks (i.e., the Bank utilising the services of the Correspondent Bank) with respect to issuing and responding to RFIs.

In particular, the Guidance discusses the benefits and value of RFIs, drivers for RFIs, roles and responsibilities for each party making and receiving an RFI, expectations for responses, and actions where no or insufficient replies are received.

The Guidance also incorporates an appendix of commonly asked RFI questions that fall under various categories, including the following:

  • Account relationship (focused on the time period in which the customer has had a relationship with the Bank);
  • Account purpose and anticipated transactional activity;
  • Account status (i.e., is the account still open);
  • KYC and profile of the customer;
  • Source of funds and source of wealth;
  • Ultimate beneficial owner (UBO) information;
  • Transaction purpose;
  • Transaction pattern; and
  • Counterparty information.

Key takeaways from the Guidance

The key takeaways from the Guidance can be summarised as follows:

  • RFIs can be used to mitigate transactional risk by securing greater amounts of information about the customer of the Respondent in order to understand the rationale behind a payment or set of payments.
  • RFIs also evidence the Respondent’s ability to manage risk and provide comfort around its controls to the Correspondent Bank.
  • When RFIs are used effectively by both the issuing and the Respondent Institutions, RFIs can be a valuable tool in the process of resolving a transaction monitoring alert, determining whether to file a SAR/STR or taking an action to mitigate risk.
  • In terms of setting expectations for a timeline for response, this will generally be between 10 and 30 business days, and should be specified by the Correspondent Bank upon issuing the RFI. There should also be a period of time allowed to conclude the investigation post-response. Respondents are expected to process incoming RFIs ‘without delay’, to ensure information collection is initiated as soon as possible.
  • Correspondent Banks should allow Respondents more time in situations where historical records need to be retrieved, where there are aged transactions, and where cross border issues need to be resolved.
  • Correspondent Banks should have metrics, governance and escalation processes in place for failures to respond.
  • Written agreements between the Correspondent and Respondent can be entered into before establishing the Correspondent relationship in order to limit issues around the comprehensiveness and timeliness of responses.
  • Respondents located in jurisdictions requiring customer consent for disclosure of information should ensure relevant terms and conditions are in place with their customers to permit appropriate information sharing with the Correspondent.
  • RFI questions should be tailored based on individual circumstances, ensuring that any question asked is directly relevant to the investigation at hand. The Guidance’s appendix of commonly asked RFI questions should not be used as a template, but rather should serve as a guide only.

The roles and responsibilities of Correspondent Banks and Respondent Banks

The Guidance also discusses the roles and responsibilities of both the Correspondent and Respondent Bank in the RFI process. As described in the Guidance, a high-level summary of those roles and responsibilities is as follows:

Responsibilities of the Correspondent Bank:

  • Ensure an initial review or analysis is completed prior to RFI issuance;
  • Issue an RFI only to a Respondent that is the Bank’s customer;
  • Only request information that is pertinent to the investigation of financial crime-related concerns, with a brief rationale for the request;
  • Ensure the RFI is sent to the established points of contact;
  • Include expected timelines for receiving RFI responses;
  • Make Respondents aware of the Bank’s risk appetite and expectations around information-sharing before a Correspondent Banking relationship is established;
  • Encourage collaborative discussion with the Respondent;
  • Establish feedback loops within internal financial crime compliance teams so that the Bank’s coverage/advisory teams are aware of any potential risk concerns; and
  • Where an RFI response contains insufficient/incomplete information or is not responded to at all, Correspondent Banks should adopt a risk-based approach to disposal of the case.

Responsibilities of the Respondent Bank:

  • Establish clear points of contact for receiving RFIs and assign RFIs to the responsible, accountable person promptly;
  • Determine information availability in internal systems and documents to provide a meaningful response, keeping in view any applicable regulatory limitations;
  • Gather relevant information from internal sources and/or the customer within a reasonable period;
  • Answer all questions and ensure responses are easy to understand;
  • Where possible and appropriate, inform the Correspondent Bank if the subject of the RFI is/was already under internal investigation or has been exited;
  • Establish terms and conditions with underlying customers permitting the sharing of information with Correspondent Banks;
  • Answer the Correspondent’s questions in such a manner as to allow the Correspondent to evaluate the underlying activity as well as the Respondent’s controls. Consistent failure to respond in a timely fashion is likely to trigger additional concerns by the Correspondent Bank.

Finally…

Used properly, RFIs are a powerful tool for both the Respondent and Correspondent in demonstrating good systems and controls, and ensuring effective risk-mitigation.

For Firms to whom this Guidance is relevant, careful scrutiny should be applied to ensure that any improvements to processes, policies and standards are made swiftly. This will include a detailed read-through of terms and conditions around information-sharing to ensure explicit customer permissions are in place.

It shouldn’t take long to set up a process for sending or receiving RFIs, where not already developed, but as usual the ‘show your workings’ approach applies, and we expect most regulators will focus on evidence of good record-keeping, rationales and review. It’s also worth referencing this Guidance in the latest Money Laundering Reporting Officer (MLRO) report and reviewing whether additional structures around RFIs count as control enhancements for the purposes of any firm-wide risk assessment with a focus on AML.