Global financial firms have been fined $10 billion since 2013 for noncompliance with AML rules, including inadequate KYC record keeping. Regulatory focus and enforcement actions are expected to grow in the coming period.
The reputational damage from enforcement actions also has a cost impact, while individuals found to be at fault are being targeted for possible criminal prosecution as the tide turns to bestowing personal liability on financial services’ employees (particularly senior managers) for deficiencies in their firm’s Money Laundering / Terrorist Financing (ML/TF) programs.
Where financial institutions have insufficient client information to demonstrate this understanding or fall short of regulatory or policy requirements, remediation programs have commonly been implemented to update and refresh customer KYC information and profiles.
Regulatory enforcement actions or findings often require organizations to implement wide-ranging remedial programs or changes to business practices. The investment required to respond adequately to regulatory orders can be significant, with a single project often running into the tens of millions of dollars. A 2016 survey of financial institutions showed that, on average, firms spend $60 million a year on KYC procedures. The average KYC spend for firms in the United States is $78 million, while firms in Germany, Hong Kong and the United Kingdom each allocate $80 million or more annually to KYC.
Expenditure on KYC remediation is predicted to grow by double-digit percentages over the next four years.
The traditional approach to remediation is to attempt to bring KYC profiles up to the institution’s full on-boarding standard without consideration to the risk that each data point is seeking to mitigate. This process, which measures progress in throughput of files completed per day rather than risks mitigated, is deficient as well as inefficient.
The real purpose of a remediation exercise should be to ensure that the risks of financial crime posed by a customer are understood and mitigated, not simply to confirm that the KYC file is “complete.”
In addition, remediation projects often fail because, due to the amount of information required, the effort to render a file complete is underestimated. Projects run over in time and cost and are either abandoned or restarted. KYC files, which potentially pose the greatest risk to the financial institution, are often not reviewed, as effort is expended on collecting the last few lower-risk data points to make other files complete.
To break out of this cycle of remediation, financial institutions need to take a risk-based approach. By remediating risk, rather than files, firms can cut the cost of KYC remediation significantly, mitigate financial crime risks more quickly and break the remediation cycle for good.
The problems with KYC remediation programs begin with a weak underlying on-boarding and customer data management process. The issues here can be fourfold:
- Inadequate controls over required fields.
- Inadequate methods of obtaining and/ or maintaining current and correct customer information.
- A lack of experienced staff.
- Multiple poor-quality data-capture systems with no single “golden source” of information.
Issues with underlying data and the lack of a golden source record are an obvious challenge, as organisations are unable to determine where data is to be stored to create the single view of a customer and a complete KYC file.
Inadequate resource levels and sufficient experience are a challenge, and the sheer scale of collecting significant volumes of data presents a daunting task for most firms.
This places excessive pressure on business-as-usual (BAU) teams that often bring in temporary or third-party resources, which, if not carefully managed, create an additional challenge of headcount management and knowledge-capital loss. A further challenge is the common problem of there being no specific owner of the information and as such no accountability for poor individual client records.
Using smarter processes and data
Financial institutions are beginning to realize that the current approach is not a viable strategy if they are to have a realistic expectation of addressing their compliance challenges. First of all, KYC is costly. The average financial firm spends $60 million per year on KYC and CDD and $58 million per year on client onboarding. Some firms spend more than $500 million annually on these activities.
The usual approach includes the hiring of additional staff to process the avalanche of manual tasks required to ensure that information submitted by every new potential customer is complete and accurate.
In fact, 50% of financial institutions have added employees to keep up with KYC compliance over the past year, and an average of 68 employees work on KYC adherence and processing within a financial institution.
However, adding more humans to the equation invariably increases the likelihood of errors (not to mention labor costs and the difficulty in finding qualified compliance workers), and a snowball effect pattern begins to emerge. These manual inaccuracies lead to risk of non-compliance, which can lead to hefty fines and delays in the onboarding process. Delays can alienate customers, damage a firm’s reputation and result in slowed revenue realization or even loss of business.
Today’s customer demands a fast, frictionless engagement with any organisation, and it is this initial information-intensive first interaction that can make or break the relationship, whether you are on-boarding a retail customer, a wealth management customer, institutional customer or corporate customer.
For this reason it is important to have a system that holds a single “golden” record of your client in order to deliver the optimal client experience whilst giving your KYC department the tools and insight required to process information quickly and effectively. Using modern technologies such as AI, Machine Learning and simple data aggregation allows you to build a data driven approach. This reduces cost, the need for manual intervention and improves the client experience all in one step.
A periodic review process consists of the refresh of the full KYC profile. The cycle of such reviews varies by geography. In Europe, this is generally undertaken at one-, three- and five-year intervals, depending on the risk rating applied to the customer. In the United States, however, the standard is to undertake a periodic review at one-, two- and three-year intervals. Firms may choose to review clients more frequently depending on their risk appetite.
Because of the KYC effort being focused on the onboarding, the periodic reviews are often completely ignored which then leads to (even more) refresh activities because after onboarding nothing has been done. Other than that I don’t fully see the relevance of a section around regular reviews for remediations.
These periodic reviews require the necessary staff skills and expertise enabled by supporting tools and systems. The review process includes a link to other processes such as marketing- and event-review activities to identify abnormal behavior that triggers further review of a particular client. Firms also complete quality process checks to ensure that the periodic review cycle is working correctly.
A lack of direction from regulators concerning KYC remediation can add to the complexity of the exercise. Firms are unsure whether the regulators expect them to investigate every data point of their client files under the remediation program or focus on key risk areas. As a result, they often opt on the side of caution and attempt to remediate everything, which results in effort being focused on lower-risk issues, while high- risk issues may go to the bottom of the review pile.
Regulators are likely to accept a risk-based approach because it demonstrates an understanding of risk exposure when remediating KYC files.
By assessing the risks associated with certain types of clients first, firms are able to decide which files to prioritize as well as establish a clear baseline standard to which those files should be remediated. Having a clear, risk-based policy in place helps organizations reduce the time and resources spent on the remediation program while elevating the efficacy of the exercise to focus on those areas of highest risk to the organization. This risk can then be managed consistently going forward with the implementation of ongoing control activities, such as periodic reviews, to manage the risk exposure.
The primary guiding principle for executing a successful KYC remediation program is for organizations to focus on remediating the risk presented by the customers rather than every data point in the file.
Making the change
To ensure value from a KYC remediation exercise – and to help speed up the process – organizations need to ensure that they set remediation standards for their files. As previously mentioned, firms should prioritize those data points that are the most relevant from a risk perspective and ensure that all the files being remediated are elevated to the same standard. Setting a lower consistent standard enables the firm to get all the files under remediation to a common level that identifies the critical data points, revealing a good baseline understanding of the risk to which it might be exposed.
When this exercise is performed in conjunction with a transaction-activity review, and conducted as part of the remediation process, firms can build a strong view of their customer base and identify whether they are conducting activity in-line with expectations. This two- step periodic process first elevates the files to a known level on a common playing field and then allows the firm to prioritize client files under the remediation program.
The first step in this approach is for the organization to conduct a trial process up front to determine how to identify high-risk files. This may include assessing different product sets or client types, such as those that have links to offshore activities or with higher-risk ultimate beneficial owners.
Once the files have been prioritized into high-risk and low-risk activities, the organisation should establish a remediation standard that focuses on remediating the key areas of risk.
Once the remediation effort has been completed, it should be handed over to a BAU process, which puts in place a regular review process that can elevate all the files to a higher standard over an ongoing period. It is at this point that the firm may need to commence a client-exit process for any customers that have been determined to lie outside of the firm’s risk appetite or if requests for further required information have been unsuccessful.
Our approach allows us to quickly and effectively scale up for remediation projects and keeps a strong focus on the quality that needs to be attained during this process. We focus on the risk-based procedure and policy in order to develop the best and most effective way for your remediation to be completed with the highest standard and within the allotted timeframe. Our core system allows us to collect and analyze data rapidly and provide insight and find gaps in existing client data. Through our customer outreach portal data can be collected directly from clients as well as through 3rd party sources. This allows us to support a direct remediation process or a non-intrusive one.
Equiniti KYC Solutions uses a five stage process to quickly assess, scope and execute remediations. Our process has been improved and made highly efficient during our decade long experience. We define the following stages a key to a successful remediation.
Data quality assessment.
Finding out what data is missing and how reliable the existing data is will give an indication of the gaps in the current KYC case files and of any flaws in the current onboarding process that will need to be adjusted.
Scoping of remediation project.
During our decade long experience of remediation projects, the scope of the actual work has almost always become bigger as the work has gone on. By having a flexible work force that can scale whenever needed, we can easily increase workloads without jeopardising deadlines. Due to our highly configurable workflow tooling we can adjust instantly to any changes in scope required.
Although most remediations have been handled in house in recent years, we have noticed a strong demand in project management skills. More specifically, project managers that have experience with remediation that can plan and manage a large scale project. Our project managers have seen many remediation project within different organisations and are therefore well equipped to help design and manage your project.
During this stage it is imperative that the process and key focus areas of the remediation are clear and that all cases and handled consistently. Our KYCnet platform allows our analysts to work fast, efficiently and effectively. With all the information in one tool and every step of the policy and procedure laid out in a standardised workflow, all cases are handled consistently and with quality control at every step of the way.
Both internal and regulatory reporting are key to a successful remediation. We offer full transparency of our process and a full audit trial of every interaction with a KYC case. With our real-time management dashboards it is easy to get status updates and manage any risks involved with the project. During the project our API connection ensures that you keep full control of any data in all your core systems and reporting tools.
Through our combination of effective solutions along with our highly trained international team of analysts, we can offer these services all over the world and for any type of remediation. Contact us today if you have any questions or would like to know how we can help you.