Knowing who you are doing business with is more important than ever. However, in a faster moving and more digitally connected world, where there is less face-to-face interaction, it is becoming ever more challenging.
Potential outcomes of ineffective ‘Know Your Customer’ (KYC), ‘Customer Due Diligence’ (CDD), ‘Enhanced Due Diligence’ (EDD) and record keeping go much wider than simply placing the firm at risk of breaching ‘compliance’ requirements. Failing to prevent your firm from being used to further financial crime creates risks for your customers, your firm and for wider society. Ineffective controls could also cause your customers to experience worsened customer service, could create avoidable cost and so could place the firm at a significant commercial disadvantage.
Regulatory compliance should be regarded as the minimum threshold to be met by firms, with customer expectations, customer experience and other factors also being priorities. A firm that meets regulatory requirements but fails to do so in a way that provides customers with a positive experience is unlikely to retain those customers for the longer term. Ensuring that KYC, CDD and EDD processes are designed effectively (i.e. aligned with the business and utilising both people and technology) ensures that customers are provided with a positive experience, regulations are satisfied, risks are managed, and processing quality / times remain highly competitive.
Here, we examine the issues that individual firms, and the industry as a whole, must address for future success.
TODAY’S FLUID KYC LANDSCAPE
As a specialist in financial crime risk management, it would be remiss of me not to recognise that some of the challenges in this space are beyond the direct influence of individual firms.
Regulatory change continues at pace. For example, this year the Fifth Anti-Money Laundering Directive (5MLD) required greater transparency from companies with beneficial ownership and called for customer verification in virtual currency markets, which has a similar focus to OFAC’s introduction of the ‘50% rule’ (i.e. the requirement to assess whether organisations that are not named on OFAC Sanction lists are in fact controlled by a Sanctioned entity). This increased scrutiny on identity and ownership has been occurring at the same time as we have been witnessing the high profile ‘leaking’ of confidential customer material (e.g. Panama Papers) and while emerging technology providers have been offering new solutions to KYC needs. The requirements, solutions and events have all been evolving. Firms must continually refresh and monitor KYC records if they are to adequately manage AML and financial crime risks.
KYC / CDD / EDD process design and operational delivery have become one of the fastest growing operational costs in the banking industry, with the largest costs arising from data remediation and periodic reviews as a consequence, in part, of a re-categorisation of the risk posed by specific customers. A 2016 Thomson Reuters survey found that an average of USD $60 million has been spent on KYC / CDD compliance by large firms. The same survey also found that the lack of sufficient people resources and the volume of regulatory change are firms’ main concerns, regardless of their size and despite them already having invested heavily in KYC improvements.
ENSURING A PROPORTIONATE KYC APPROACH
When it comes to getting KYC right, solutions are available, provided that firms are prepared to progress beyond the use of historic tools. Getting it right can help align KYC with other business processes, meet compliance requirements and provide customers with a greatly improved experience. To achieve an effective approach, a firm should consider the areas below and how they apply to their business.
RISK ASSESSMENT AND MITIGATION
Firms must establish clear risk categories for customers, which must align to pragmatic controls. The risk factors should consider specific risk characteristics (e.g. client type, legal entity type, product type, etc) as well as specific risk themes (e.g. terror financing, money laundering, trade sanctions, etc). Specific records should be utilised in order to establish the facts in relation to each characteristic and theme, and analysis of the results should be used to establish the customer risk rating.
The challenge is to ensure that the records that are utilised are appropriate and kept up to date. This is made more difficult by the range of risk characteristics that could be checked, the range of possible records that could be used to complete the checks and the varied availability of that data. Some of the data is available via public or commercial databases, but other data elements are available only via the customer themselves.
In order for risk categorisation to function effectively, a firm must maintain and document a well thought through financial crime risk assessment.
The effectiveness of risk assessment will be influenced by the firm’s internal culture. Support and alignment from the top will help ensure that the risk assessment is relevant. If they are not already, boards should be aware of the value of defining and reacting to risk on an ongoing basis in protecting their firm and its customers.
Risks change. Many firms assess customer risk infrequently but later discover that the customer's profile has changed to such an extent that they should be re-categorised as presenting a lower or higher risk. If a lower risk customer continues to be subjected to checks and controls that are relevant to a higher risk customer, they may experience more checks and controls when attempting to transact than they should be exposed to. By contrast, a customer that had been lower risk but should now be considered higher risk may avoid the increased checks and monitoring that are relevant to a customer in their correct risk category. In both cases, the firm will have failed to maintain its own risk standards if it has failed to identify that the risk categorisation for the customer should have changed.
To help ensure that effective monitoring is in place, firms should consider:
- The frequency of risk refreshes or triggers that cause existing customer accounts to be reviewed
- The 'Red Flags' that cause immediate escalation and assessment of high risk activities (e.g. transaction monitoring and routine PEP / Sanction / list checking)
- Frontline employee knowledge and awareness (e.g. targeted and tailored regulatory training with regular refreshers or, in some cases, reviewing the level of expertise they require when recruiting staff)
- General employee and Senior Management Awareness to ensure that all operations managers understand the relevance of KYC controls to their processes
EFFECTIVE OPERATIONAL PROCESSES
Many firms continue to perform KYC as standalone checks at single points within a specific operational team. They also fail to embrace technology to support the checking or to automate administrative tasks that have traditionally been performed by people. As a consequence, firms regularly find themselves performing KYC checks more frequently than is necessary, disrupting their customers more than is needed and struggling to investigate large numbers of KYC checking false positives.
Where firms ensure that their KYC checking / monitoring processes are refreshed and designed to be effective, it is possible to significantly improve processing times and improve the quality of checking while also providing significant cost savings when compared against more established, legacy KYC processes. In Huntswood's experience, it is possible to improve quality to ensure 98% QA process standards whilst reducing processing times by 96%.
Deploying an effective, compliant and customer centric KYC framework can usually be achieved at lower cost than will be experienced by firms maintaining outdated solutions.
WITH THIS IN MIND:
- Has your firm benchmarked its KYC arrangements against industry practices (both good and bad)?
- Have all your customers been risk rated and all necessary KYC records and controls been completed for that risk categorisation?
- Are your processes effective at monitoring, investigating and updating changes in KYC and AML risk profiles?
- Have your KYC processes been 'mapped' and improved to ensure they operate effectively and in alignment with other operational activity?
- Do your customers experience better KYC checks with your firm than with others?
- Are your KYC costs lower than industry peers?
FOCUS ON WHAT YOU CAN CONTROL
There’s no doubt that increasingly sophisticated criminal methods and a fluid regulatory environment mean firms will continue to be faced with significant challenges in establishing a consistent KYC approach.
However, with the right assistance, firms can ensure their KYC arrangements remain effective and customer centric, usually at a lower cost than the firm currently experiences. Achieving this is within your control. As an industry, we must not let public commentary around financial crime cloud what is achievable right now. Thinking about some of the factors listed above can help firms achieve KYC success in the long run.
The most successful organisations of the future will be those who tackle the challenges of financial crime proactively, despite the challenges they face.