Creating an Exclusion List is a great way for a Compliance department to manage risk associated with people and entities that the financial institution determines are too high of a risk to pursue or continue a relationship with. They are often considered a fallback to keep those that pose excessive risk away from your institution. Reasons that some institutions implement an exclusion list vary; keeping out bad actors, barring entities for which some sort legal action may be in place, and adding potential criminal identities identified in various fraud task force meetings, to name a few. Regardless of the reason, managing and creating an exclusion list can be instrumental in maintaining the safety and soundness of your financial institution.
Exclusion lists do not have to stop at names of people or businesses. For example, one good use of an exclusion list can be to monitor compromised physical or mailbox addresses1 known to the institution or law enforcement to be involved in some sort of criminal conspiracy. Phone numbers can also be a great addition to a list, as often, certain phone numbers may be logged and used repeatedly by criminal elements. Tax Identification Numbers (SSN, EIN, TIN, etc.) as well as State Issued Identification details are also used similarly and can be added to an institution’s exclusion list. Often these entries are due to identification theft or even more sinister, theft of a deceased person’s identity2.
Regardless of data points used or reasons for adding a record or detail to an exclusion list, it is critical to have some sort of remediation process in place, in the event an entry in the exclusion list is no longer valid. While tax identification numbers are not reused3, a compromised number may not be realized for some time, with the person assigned unaware of the previous use of said number. More common is the recycling of phone numbers, so this data can go stale within a shorter length of time. Similarly, address information can change with ownership or further redevelopment of property.
Consequently, the Compliance professional should review the exclusion list periodically. As technology changes, finding other identifiers or seeing patterns in a list can be beneficial to continually improving your BSA Compliance Program.