The four key challenges involved in ensuring effective customer due diligence

Posted: 27th April 2017

First published on Thomson Reuters Regulatory Intelligence in April 2017

The challenges of anti-money laundering (AML) regulation and the obligation to ‘Know Your Customer’ (KYC) are well documented, but with the changing regulatory environment, there are additonal challenges for firms.

There is plenty of industry commentary which discusses the need for clarity around AML regulation; however, some room for individual firms’ own interpretation of the rules must exist in order to ensure the principles-based, risk-based and proportionate approach works. This is certainly the case for the due diligence performed on new and existing customers.

Regulation will not explicitly provide firms with all the answers. Often, regulation has to reconcile:

• The different regulatory and legislative jurisdictions that firms operate across
• The variety of products in the market with differing risk levels
• The differing circumstances, aims and risks of customers
• The wide variety of ways of doing business and/or distributing products and services

In order to achieve success – both in terms of compliance and customer satisfaction – firms must reasonably mitigate the risk of money laundering while offering customers as smooth an onboarding experience as possible. The information about customers required to be held on record is affected by a number of the factors above, and so different scenarios will result in different information requests from firms.

When the extra clarity around AML is provided in the form of the Fourth and Fifth Anti-Money Laundering Directives (4AMLD and 5AMLD), with accompanying guidance from the Joint Money Laundering Steering Group (JMLSG) there will still be an element of interpretation for firms to make. Further to this, the Fourth Anti-money Laundering Directive highlights that simplified due diligence (SDD) may be being overused in the onboarding of customers, and that firms should assess whether their use of it is appropriate.

How can firms accurately determine whether their application of SDD is compliant and not likely to lead to detrimental consequences for customers? How can they apply it in the future in a way that meets with their desire to maintain a customer-centric and commercially successful business?

Filling the gaps with action

Away from the external challenges of regulatory change, firms should be looking to assess their internal approach to customer due diligence, refine it for future business and remediate past issues. This presents four key challenges for firms:

Challenge one – establishing a baseline for the view of risk

Introducing change without a clear idea of the benefits it will provide presents a commercial and compliance risk.

Firms must establish their own view on risk; what their appetite is for it, and what that means for system, process and governance requirements given the set of products and services they provide. Any existing and future potential risk can be assessed against this pre-agreed stance.

As well as this, to gain a view of the current risk inherent in a firm’s business model, the most effective and reliable starting point is a documented financial crime risk assessment, and our article, 'Protecting your firm and safeguarding your reputation – the role of financial crime risk assessments' spoke about how to do this effectively. If a robust and ongoing risk assessment is performed and able to be evidenced, a firm can establish a baseline for making appropriate and proportionate future changes.

If there is a gap between historical business and the acceptable level of risk agreed by the firm, then there may be cause to remediate by making contact with customers to enhance the information being held on them.

Challenge two – using the baseline to govern policy (including due diligence options)

Once a risk assessment is performed, a firm can determine against a consistent set of criteria the information they require from customers, and can adjust policy, process, systems and training to meet this requirement.

Using the recent consultation by the JMLSG as an indicator of the likely rules on customer due diligence, we can draw out some considerations for firms that are very relevant now, even ahead of 4AMLD becoming law:

• The JMLSG guidance suggests examples of customers and organisations which could be onboarded using SDD, including publicly owned enterprises, residents of geographical areas of low risk, financial institutions subject to 4AMLD and companies listed on a regulated market, to name a few. However, firms will certainly need to do their own thinking on specific business they are performing and what it requires in terms of due diligence
• Does your firm view each risk as unique, and is your thinking around the mitigation or acceptance of each risk also unique?
• Has your firm assessed its customer base to segment existing customers into cohorts and analyse what information is being held on file for each, and has this been transposed into training for staff?
• Is there an overreliance on traditional country risk ratings when determining the level of due diligence performed?
• Are you in a position to cross-reference customer risk with the risk levels of your products so certain products and certain customer circumstances (and the various combinations of both) trigger a reaction; whether this is the need for less or more information on that customer?
• Can this be done for new customers and, just as importantly, can it be retrospectively applied to existing customers in a way that maintains their satisfaction with the service they receive?

Challenge three – remediate

If there is a mismatch between acceptable risk and the standard of due diligence in the customer base, a firm may need to remediate by making contact with customers and gaining more information. When it comes to this sometimes sensitive task, has the firm:

• Determined with accuracy the areas of the customer base to be remediated? This will ensure proportionality and fits with the risk-based approach the regulator wishes to see
• Looked at the information they already hold on file for a customer? Customers with multiple products may have provided the necessary information to your business already
• Ensured there is a customer-centric articulation of the reasons for the contact? After all, the exercise contributes to a safer society, and articulated in the right way can create customer advocacy
• Decided what sort of training is required in order for frontline staff to make the contact?

Challenge four – evidence and articulation

In the principles-based regulatory landscape we exist in today, an inability to articulate the reasons for business decisions is a risk. The financial crime risk assessment is again vital here, and the need for firms to ‘show their working’ is great. Can you currently reference your risk assessment to justify the application of SDD measures in certain situations?

As well as evidencing the process of applying SDD / CDD, firms should be able to evidence their ongoing assessment of products and customer groups. Do you ensure your assumptions about risk remain correct over time, and can you prove you look at this periodically? This helps firms not only to stay abreast of regulatory requirements, but minimise the risk of their organisations being used as a vehicle for money laundering.

Preparing for FUTURE AML regulation

With the constantly increasing threat of money laundering activity and the societal implications that financial crime can have, firms are right to be concerned about a lack of clarity in regulatory rules.

However, they must also accept that to regulate according to key principles (and avoid a ‘tick box’ attitude to compliance that is a proven source of customer detriment) firms must be responsible for determining and reacting to their own individual exposure to risk. Importantly, they must not wait until 4AMLD is transposed into law – they must act now to establish whether their historical business will cause regulatory issues and, if so, what can be done to remediate any issues in their customer base. JMLSG guidance can be seen as key to this process, and effective financial crime risk assessment plays an important role here, too.

When it comes to selecting the right level of due diligence for customers (both current and new), firms must recognise the external challenges, but understand that they do have an element of control if they are realistic about the nature of principles-based regulation. Focusing on the activities above can help firms arrive at a compliant approach that works for customers.