Skip to main content

Lesson 08 of 9

Exit, Offboarding & Escalation

5 min read · KYC Analyst

Handle the hardest part of the job correctly. You'll learn the de-risking trap, why exiting a customer never cancels SAR duties, and the cardinal tipping-off rule (31 USC 5318(g)(2)) — plus how to escalate and build an audit trail that survives an examiner.

When a relationship has to end

  • Offboarding = ending a customer relationship
  • Drivers: unacceptable risk, unresolved EDD, refusal to provide info, confirmed concerns
  • It's a decision with rules — not just 'close the account'

Sometimes the right answer is to exit the customer. Offboarding means ending the relationship and closing the accounts, and it happens for several reasons: the residual risk is simply unacceptable, EDD couldn't resolve the concerns, the customer refuses to provide required information, or you've confirmed something that makes continuing untenable. But exiting isn't as simple as hitting 'close.'

It's a regulated decision with traps around it — especially the rules on suspicious activity reporting and on what you may and may not tell the customer. Get the sequence wrong and you can break the law even while trying to do the right thing.

De-risking: the blunt-instrument trap

  • De-risking = exiting whole categories to avoid managing risk
  • Regulators have warned against it as indiscriminate
  • Manage risk where you can; exit the specific, real risk
  • Document the why for every exit

First, a word of caution about de-risking. De-risking is when an institution exits entire categories of customers — say, all money services businesses, or all customers from a region — simply to avoid the cost of managing their risk, rather than assessing them individually. Regulators including FinCEN and FATF have warned that wholesale de-risking pushes legitimate people and businesses out of the regulated system and into the shadows, which is the opposite of what AML is for.

The professional stance is to manage risk where you reasonably can, and to exit the specific, real risk you actually identified. And whatever you decide, document why — an undocumented mass exit is exactly what examiners and fair-banking regulators question.

SAR considerations

  • Exit doesn't erase the duty to report suspicious activity
  • If you have suspicion, a SAR may be required (31 CFR 1020.320)
  • Closing the account and filing a SAR are separate decisions
  • Continuing-activity SARs may follow even after closure

Here's a connection people miss: deciding to exit a customer does not cancel your duty to report. If the activity that drove the exit meets the threshold for suspicion, a Suspicious Activity Report — a SAR, filed under 31 CFR 1020.320 — may be legally required.

Closing the account and filing a SAR are two separate decisions, and you may well do both. In fact, suspicious activity can warrant a SAR even after the relationship ends, and patterns sometimes call for continuing-activity SARs. As a KYC analyst you typically don't file the SAR yourself — you escalate to the financial intelligence unit or AML investigations — but you must recognize when your findings cross into reportable territory and route them, rather than quietly closing the file.

Tipping off — the cardinal rule

  • Never tell a customer a SAR was filed or is being considered
  • SAR confidentiality is law — 31 USC 5318(g)(2)
  • FATF Rec. 21 prohibits 'tipping off'
  • Even the closure reason must avoid disclosing the report

Now the cardinal rule of this entire lecture: never tip off the customer. It is illegal to disclose that a SAR has been filed, or even that one is being considered or prepared. In the U.

S. that confidentiality is codified at 31 USC 5318(g)(2), and FATF Recommendation 21 prohibits tipping off across jurisdictions. The reason is obvious: warn a launderer that they're under report and you let them move the money, destroy evidence, and flee.

This shapes how you offboard. You can close an account, but you cannot tell the customer it's because of a suspicious activity report, and you must be careful that the stated reason for closure doesn't effectively reveal one. When in doubt about wording, escalate.

Escalation and the audit trail

  • Know the path: senior analyst → FIU / AML compliance → MLRO
  • Escalate findings; don't make unilateral calls on suspicion
  • Document everything: facts, analysis, decision, approvals, dates
  • The file must let an examiner reconstruct your reasoning later

Two things to close. First, escalation. Know your institution's path — typically from you, to a senior analyst, to the financial intelligence unit or AML compliance, up to the money laundering reporting officer or equivalent.

Your job is to surface findings clearly and route them, not to make unilateral calls on whether something is suspicious or whether to report. Second, the audit trail, which ties this whole course together. Every step — the facts you found, your analysis, the decision, who approved it, and when — must be documented so that an examiner, an investigator, or a court can later reconstruct exactly what you knew and why you acted.

In financial crime work, if it isn't written down, it didn't happen. The record is the work.

Recap

  • Offboard for real, documented risk — not blunt de-risking
  • Exit doesn't cancel SAR duties (31 CFR 1020.320)
  • Never tip off — SAR confidentiality (31 USC 5318(g)(2); FATF Rec. 21)
  • Escalate properly; document everything. Next: putting it all together

Let's recap. When a relationship can't continue, you offboard — but for specific, documented risk, not indiscriminate de-risking. Exiting never cancels your duty to report suspicious activity under 31 CFR 1020.

320, and the cardinal rule is that you never tip off the customer about a SAR, because confidentiality is the law under 31 USC 5318(g)(2) and FATF Recommendation 21. You escalate findings through the proper path and you document everything, because the audit trail is what proves the work. You now know the full lifecycle.

In our final lecture, we'll put it together — the analyst's day, quality assurance, common mistakes, and how to prepare for the interview. Get this lecture right and you protect both the institution and yourself, because clean escalation and a complete record are what stand up under scrutiny.

Sources

  • 31 CFR 1020.320 (Suspicious Activity Report filing)
  • 31 USC 5318(g)(2) (SAR confidentiality / prohibition on disclosure — 'tipping off')
  • FATF Recommendation 21 (tipping-off and confidentiality)
  • FATF Recommendation 20 (reporting of suspicious transactions)
  • FFIEC BSA/AML Examination Manual (SARs
  • Account Closure)
  • FinCEN guidance on de-risking

Test your knowledge

A few KYC Analyst questions on this material — pick an answer to see the explanation.

  1. Q1. An institution's risk model rates a customer medium based on geographic and channel factors, but the analyst identifies that the customer's business is a high-volume cash importer operating in three FATF-listed jurisdictions. Which action is most consistent with sound risk-rating practice?

  2. Q2. An institution uses a weighted scoring model: the customer-type factor carries 40% weight, geography 30%, product 20%, and channel 10%. A PEP customer scores 90/100 on customer type, 80/100 on geography, 50/100 on product, and 30/100 on channel. What is the weighted composite score?

  3. Q3. Under FATF Recommendation 10, which of the following triggers enhanced due diligence as the most direct and clearly established basis?

  4. Q4. A high-net-worth private banking client claims their wealth was accumulated through three decades of owning a manufacturing business. Which combination of documents would best corroborate this source-of-wealth claim?

Ready to practice?

Put this lesson to work on real KYC Analyst questions.

Drill the full KYC Analyst bank →