
KYC 2.0: Elevating Customer Due Diligence Practices

Steve Marshall


As published in A-Team RegTech Insight. 


Know Your Customer (KYC) requirements for anti-money laundering (AML) programmes are entering a new era. Evolving regulations, industry best practices, and ongoing scrutiny of compliance programmes are pushing organisations subject to KYC regulations to reevaluate their approach to customer due diligence (CDD), the process of verifying a customer’s identity and assessing the risk of doing business with them. This article explores the drivers for change, typical CDD challenges, and how to implement an intelligent, perpetual KYC programme fit for the future. 


Understanding KYC and CDD obligations  

The world’s financial intelligence units (FIUs), the investigative units established by several countries to centralise analysis of financial crime-related intelligence, require regulated organisations to conduct CDD. CDD aims to establish who the customer is, the nature of their status and business, and the purpose of the financial services requested so that unexpected, suspicious, and/or illegal activities can be more readily detected. 

Failure to comply can result in large fines, as evidenced by high-profile examples of banks and trading companies that have engaged with customers in sanctioned jurisdictions or failed to identify large discrepancies between anticipated and actual account activity. 


Identifying changes to customer circumstances more quickly 

The challenge for chief compliance officers (CCOs) and their teams is that KYC and CDD obligations are constantly evolving. The requirement is shifting from the traditional, static approach of conducting identity checks when onboarding customers and at certain intervals over their lifecycle to intelligent, perpetual KYC, whereby organisations must identify and react to changes to customers’ circumstances more quickly. 


This shift is partly driven by changing industry best practices. The influential Wolfsberg Group’s July 2024 Statement on Effective Monitoring for Suspicious Activity, which provides new guidance in light of technological advances, is a case in point.

 

Regulatory changes, such as the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) notice of proposed rulemaking (NPRM) issued in June 2024, also play a part. FinCEN’s NPRM amends current regulations to explicitly require financial institutions’ (FIs) AML programmes to be effective, risk-based, and reasonably designed so that FIs can focus their resources consistently based on their risk profiles. 


CDD challenges continue to revolve around data issues 

In meeting these changing requirements, organisations face several obstacles in establishing robust data-gathering processes and turning data into actionable insight. 


The first hurdle is collecting customer information with minimal friction. While onboarding a retail customer may be a momentary process in today’s digital world, establishing a relationship with a business or other entity can take as much as three to six months. The information collected also must be validated for authenticity and enriched with additional information, both internal and external, public and paid, to present a detailed picture of the customer. 


The second barrier relates to the ongoing monitoring of customer behaviour to ensure up-to-date, accurate risk ratings. Organisations are obliged to identify updates to customer profiles, such as changes in ownership, and to track key event triggers, including, for example, bankruptcy filings, negative news, and changes in locations where services are accessed. Equally, institutions must monitor behaviour relative to customer peer groups and anticipated activity levels. The issue is that the required information is often housed in multiple databases and risk systems, both internal and external, making it near impossible to gain a holistic view of customer risk. 


Effective CDD requires proactive risk management 

As organisations reevaluate their onboarding and CDD processes, the first vital step is to shift the mindset from technical compliance towards proactively managing AML risk. Often, institutions build their processes around satisfying the regulatory outputs; this typically results in a lack of transparency and understanding of the key risk indicators (KRIs).

 

A more robust approach is to start with the inputs. By identifying the key data elements (KDEs) needed to understand financial crime risk and linking them to KRIs, companies are better positioned to design more meaningful reports and documentation as the link between the KDE and KRI is well established. 


The next step is to embrace technology to collate the KDEs from the various internal sources—such as product databases, screening and monitoring tools, and transaction tools—and to layer that information with external sources, such as corporate ownership directories, credible news sources, and social media. This collation of information avoids duplication of requests during onboarding and aids ongoing monitoring throughout the customer lifecycle. For maximum impact, it is critical that all data sources are cleaned, parsed, and standardised; the better the data quality, the more effective it is in highlighting potential risks. 


Finally, digital currency exchanges or institutions with international customers may need to factor additional sources into their CDD efforts. For example, geofencing technology is increasingly used to prevent transactions in sanctioned jurisdictions. Alerts raised by this technology should be fed back into CDD reports.

 

Future-proofing KYC in a new era 

The world is changing, and so are KYC and related CDD requirements. Traditional KYC methods are no longer sufficient. Today, CDD must be perpetual and intelligent, building on the information collected at the onboarding stage. For a successful KYC programme, organisations need to focus on effectiveness in identifying, measuring, mitigating, and monitoring risk rather than technical compliance. This mindset can help institutions foster a proactive approach that satisfies regulatory requirements and business objectives.
