In Stephen Covey's "The Seven Habits of Highly Effective People," Habit Two is "Begin with the end in mind." Customer Identification is the start of the KYC process. Basically, a thorough customer identification procedure can set the stage for best practices throughout the entire onboarding process. One variable is how much data the front desk or the relationship manager is responsible for acquiring. Firms with weaker processes required only the customer's name. Stronger, process-oriented firms had relationship managers getting address and other basic documentation from the customer, which was then verified by the due diligence team.
Our experience with "how customer identification is achieved" varies widely from firm to firm and occasionally from department to department. In some cases customer identification is handled with aplomb by the relationship managers dealing with the customer; in other cases customer identification responsibilities are delegated to the customer due diligence team. When customer identification is given to the Customer Due Diligence (CDD) team, the method of communication between the relationship manager and the CDD team is where a best practice can most effectively be deployed.
We found three ways this communication is completed:
- Unstructured—essentially no process.
- Structured—through a request form or email that is used consistently.
- System-to-system—electronic communication from a relationship management system to a KYC/onboarding system.
As a general rule, financial institutions with unsystematic data entry mechanisms also had an overall poor KYC process. Therefore, a crucial "best practice" recommendation is to start the process in a robust manner. Without a clean and precise data entry process, it is practically impossible for a financial company to create an accurate onboarding audit trail (which will be discussed later in greater detail). Another potential risk is that the onboarding process from initiation to completion includes many expensive, manual processes that can take days or weeks to finalize.
Often, an unsystematic process requires scanning or re-keying information into multiple internal and external back-office systems, which increases the risk of inaccuracies and spelling mistakes. To address these issues, companies should invest in an electronic data system that enables staff to key information once and then have duplicate data auto-populated into other areas of the same form or into other forms.
This will become even more critical as regulations such as FATCA become effective, because the customer identification process becomes more complex, with various indicia being required to determine whether the client falls under the FATCA regime. There are likely to be regulations that are similar to FATCA in other jurisdictions in coming years.
Regulatory Highlights in KYC
The CDD area is where Alacra has the most experience, so we have taken a more detailed look at the CDD process by breaking it up into three sections: risk-based approach; sanctions lists, PEPs and database checks; and beneficial ownership. Directly below are excerpts that reveal the vagueness of regulatory instructions for CDD and KYC; we will have other more specific regulatory examples in the sections that follow.
FFIEC/BSA (Federal Financial Institutions Examination Council/Bank Secrecy Act): As stated in the CDD Overview of the BSA Manual, "the objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base."
FSA (Financial Services Authority, UK): The UK Financial Services Authority Discussion Paper 22: Reducing Money Laundering Risk; August 2003 states, "although there are no specific legal or regulatory KYC (as opposed to simple identification) requirements, high-level obligations in the Money Laundering Regulations and the FSA Handbook require a firm to counter the risk of money laundering."
FATF (Financial Action Task Force): "Financial institutions should be required to undertake customer due diligence when:
a) Establishing business relations
b) Carrying out occasional transactions over a designated threshold
c) There is a suspicion of money laundering or terrorist financing
d) The financial institution has doubts about the veracity or adequacy of previously obtained customer data.
CDD includes identifying and verifying the customer's identity; identifying the beneficial owner; understanding the business relationship; conducting ongoing due diligence on the business relationship,” according to FATF Recommendations.
Best Practices in Customer Identification
While only the language from the FSA says, "there are no specific legal or regulatory KYC requirements," the truth is that there are few KYC process mandates in any of the jurisdictions in which Alacra has clients. This has led to a wide range of practices across firms and across departments within firms. Whereas the stronger firms have robust practices in place for each of the remaining sections of this paper, we’ve seen weak customer identification followed by a handful of Google searches and some paper files constituting an entire KYC effort.
Here are a few overall best practices before we get into more specific customer due diligence areas. These might seem obvious, but a surprising number of financial institutions do not have these practices in place.
1. Anywhere you can create a process you should create a process. In a regulatory audit, having onboarding professionals conducting due diligence in a consistent fashion will indicate the organization takes KYC seriously and has trained employees on how to do their jobs effectively.
2. Have an audit trail for each investigation. This will prove that the onboarding process was adhered to for each and every investigation and that there was no material adverse data as of the investigation date.
3. Have a "do not do business with" database. This will eliminate unnecessary work and indicate to regulators that you’re keeping track of bad guys.
4. Have a database of entities that have been successfully onboarded. This can save a significant amount of resources when an existing, already vetted customer wants to do more or different business with your institution. This can also help define your refresh schedule and reduce the number of times you need to go back to the customer for more information.
5. Don’t fall behind on your refresh schedule.