When people talk about conducting KYC checks, they’re probably referring to the process that takes place at onboarding, i.e. identifying your customer and verifying that identity.
But the problem for most businesses, is that a quick identity check isn’t going to allow you to stand with your hand on a copy of the USA PATRIOT Act and swear in good faith that you really do Know Your Customer. Or comply with the global obligations from the FCA, MAS, FATF and so on.
What about if we thought of it more as an ongoing process to help you comply with requirements and continuously feed back into risk management and business strategy? That’s what it should be, and is more reflective of best practice in the financial services industry. KYC should be an ongoing process designed to ensure you know who your customer is, what activity you should expect from them, and the overall risk they present to your business. This enables you to monitor that risk and mitigate it.
Below we detail three common KYC and Due Diligence pitfalls, and clear up some common misconceptions, to ensure your AML program works for your regulators, your business, and your clients.
- KYC – it’s more than a passport check
KYC is one of many three letter acronyms across regulations and guidelines that touch on the process you put customers through to engage with your business. There is also CIP, IDV, or is it CDD? Perhaps EDD? To make things more confusing, these can sometimes change across geographies…
To meet the highest standards of a KYC program, you should be thinking of it as an umbrella term, into which the other processes feed. A Customer Identification Programme (CIP) is how US regulation refers to gathering basic customer information (name, address, date of birth for an individual and an ID number) to form a ‘reasonable’ belief that the true identity of the customer is known. Identity Verification (IDV) tools can be used to verify that identity. It is increasingly common to use electronic and non-documentary means to do this. CIP would also include a check against relevant sanctions lists.
This is the first phase of conducting Customer Due Diligence (CDD), whereby more information is obtained regarding the individual or entity. Things to consider could include where the individual or entity is based, whether they are a politically exposed person (PEP), the line of business they are in or more details about their management or corporate structure. If any of this information means the customer should be considered ‘high risk’, enhanced due diligence (EDD) may be applied.
This information helps your business determine the expected activity from that client, for example the volume, value and frequency of payments across an account. You can set transaction monitoring scenarios accordingly. Throughout the relationship, when those thresholds are breached, you can seek information about where this unusual behavior is coming from, report it if suspicious, realign expectations if this is to be a new normal for that customer, or approve a one-off or series of transactions if rationale is provided. You can decide on an ongoing basis whether this is a relationship you wish to continue with.
- Nobody talks to each other anymore
As companies expand, they tend to start operating in silos. A company may start offering payment services. Eventually they may expand their offering to savings, loans, or perhaps investments. It’s possible that as this process happens, information regarding the customer in the payments team is never properly shared with the investments team.
In some instances, there may be appropriate, data privacy reasons for keeping the records separate. More commonly, it means the customer is asked multiple times for the same information, leading to a poor experience for them, or details that could indicate suspicious activity are lost and the firm fails in its regulatory responsibilities.
In 2008, it was clear this was one of the failings of JP Morgan in their management of their client in the Madoff Ponzi scheme. “We recognise we could have done a better job pulling together various pieces of information and concerns about Madoff from different parts of the bank over time,” said a spokesperson at the time.
- KYC as a revenue driver
So we’ve established that KYC is more than just checking a passport, and is about getting a much fuller picture about your customer and their behavior. Doing so doesn’t just help you manage risk and report suspicious activity. In collecting information and gathering data points, you have insight into the nature of your customers’ needs. You may start to see increasing flows towards particular geographies, or across particular channels. Perhaps the intended use of your tool is crowdfunding, but behaviour indicates your customers are using it to collect payments for group activities instead. This information is extremely valuable for your strategy.
If a group of customers are expanding their activity in a particular geography, you could consider offering greater support in that area, or expanding your product base there. If customers have realised your tool solves a problem you hadn’t thought of, maybe there is a way you could adapt the process to make it better suited for that need. As you expand your product set, your ability to cross-sell to targeted customers you know could benefit from that service is multiplied.
KYC in your AML compliance program
What does this all mean for AML? Global regulations highlight KYC as fundamental to a strong AML compliance program. Without KYC, you’re not gathering the data you need to effectively structure your AML program and take a risk based approach, comply with regulations and prevent financial crime.
Originally published 25 April 2018, updated 11 October 2022
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2023 IVXS UK Limited (trading as ComplyAdvantage).