Globally there has been an exponential increase in money laundering and terrorist financing activities, and COVID-19 has only abetted this surge. The emergence of app-based, cross-border digital lenders, peer-to-peer lending, e-invoicing services, and a host of other new financial products and services that require minimal customer identification procedures are also fuelling this rise in illegal activities.
Financial institutions must make their customer due diligence practices more robust to counter these new challenges and threats.
Anti–money laundering (AML) regulations aim to prevent money laundering, and one of the primary ways to do this is to put in place a robust KYC framework. This means that the business entity should be able to identify the legitimacy of the customer—and ensure they’re not tarnished by political or criminal connections and don’t have a history that would be too risky to deal with.
Institutions are moving toward perpetual KYC solutions for performing customer due diligence wherein customers, irrespective of their risk profile, are screened in real time or near real time based on trigger events.
“Perpetual KYC is a framework to dynamically maintain and update a customer’s profile and risk assessment based on internal assessment and various external triggers in perpetuity.”
Examples of trigger events include negative news about the individual or entity, a legal status or domicile change, and so on. These trigger events initiate the customer due diligence process if the events breach specified thresholds (for example, frequent negative news). This approach enables financial institutions to be more proactive in identifying and acting on risk events early compared to periodic reviews, thus averting any negative impact on financial institutions and their reputations.
With the increase in money laundering crimes, banks have realized the importance of maintaining accurate and up-to-date KYC and transactions-related information on their customers that allows them to proactively manage risks at an early stage and across the customer lifecycle by monitoring them continuously. This has led to a renewed focus on the concept of perpetual Know Your Customer.
Adopting perpetual KYC means shifting to a radically new way of doing KYC in which periodic reviews give way to a dynamic process where technology is the key enabler. Handling and contextualizing a large volume of data is critical to maintain an accurate and up-to-date view of regulatory risk at all times. Below are the key drivers of perpetual KYC.
Regulatory drivers: Regulators are increasingly laying down guidelines to widen the customer due diligence process. For example, firms must perform adverse media searches as part of their enhanced customer due diligence to comply with Financial Action Task Force recommendations. However, these searches are error prone and are more subject to bias if done manually rather than through the automated process of retrieving data from multiple media sources and evaluating them using defined rules and guidelines.
Reputational risk: Although regulators prescribe periodic assessment of a customer’s risk profile, if a customer is subjected to AML fines or sanctions during the period between reviews, all the firms involved with the customer or transaction will be exposed to reputational risk. In such cases, having a system that monitors customer profile changes regularly and triggers customer due diligence when thresholds are breached would help detect early warning signals.
Technological enhancements: The emergence of artificial intelligence and machine learning technologies, coupled with cloud-based deployment and processing, has opened new avenues and business cases in the AML compliance domain. Small and medium-sized enterprises can leverage these technologies by adopting a software-as-a-service approach. The technologies required for perpetual customer due diligence, such as natural language processing, optical character recognition, web scraping, and high computational and storage capabilities, have become easy to adopt and implement, enabling a quicker transition to this new approach.
Cost optimization: Although implementing perpetual KYC solutions has up-front cost implications, the benefits outweigh the costs in the long run. The benefits include resource optimization, lower manual intervention, reduced rework, process consistency, and effective compliance.
Better customer experience: In the perpetual KYC process, only customers whose profile changes breach the thresholds (for example, customers with more than a 25% controlling stake) are contacted for new documentation and information. This significantly reduces friction at customer touchpoints. Also, the collection of additional information helps build a 360-degree view of the customer, which can be used to customize their products and services. All this results in a better customer experience and more effective risk management.
We’ve explored the forces—and benefits—driving institutions to adopt a stable, scalable perpetual KYC approach, but financial institutions must also anticipate the potential challenges of implementing such a framework. Here are some of the key challenges.
Disparate systems and sources
Most organizations do not have integrated systems that provide a holistic view of the customer and monitor the customer’s risk profile internally. This is the biggest roadblock in implementing an organizationwide perpetual KYC solution.
Non standardization of the KYC model/regulations
The very nature of KYC and AML regulations globally prohibits organizations from following a uniform KYC model. In an ever-changing regulatory landscape, with no standardized model, the processes and rules for collecting, maintaining, and updating client data differ vastly across banking organizations.
Limitations of publicly available sources
Customer data is often gathered from publicly available sources that may be inaccurate, incomplete, or unconfirmed. Also, because of multiple privacy regulations and customer concerns, banks find it increasingly challenging to verify the accuracy of the data gathered.
Incomplete data capture during the onboarding process
Banks generally capture data only for the mandatory fields during the onboarding process, ignoring the value-added fields. This means that the accuracy of any adverse media match might be reduced due to the limited customer data points available.
Having considered the market drivers contributing to the development of perpetual KYC requirements, the next step is to look at how a financial institution could build a stable, scalable perpetual KYC framework. The following three steps are essential elements of a robust KYC framework:
Step 1: While acquiring a customer, scrutinize their identification documents and ensure that the customer or entity is not part of any sanctions list.
Step 2: Implement customer due diligence measures, such as collecting all available data on the customer from trusted sources, determining the purpose and intended nature of the business relationship and key beneficiaries, and continuous periodic monitoring of relationships to ensure that activities are consistent with the customer’s risk profile.
Step 3: Schedule KYC rereviews based on the customer’s risk profile. The highest-risk customers are often screened annually or sometimes more frequently (depending on their risk profile and jurisdiction), medium-risk customers are typically screened every three years, and the lowest-risk customers are usually screened every five years. Enhanced customer due diligence measures, such as more-intense monitoring and deeper investigative research as mandated in perpetual KYC, are carried out if the firm perceives that the customer’s behavior is at a higher risk than expected or a trigger event has occurred.
Despite the challenges involved in implementing a perpetual KYC framework, it’s still possible for financial institutions to establish a successful perpetual KYC program. Here are the critical elements that every financial institution needs to build into their KYC program.
Once onboarded, customers must be monitored continuously against internal and external data changes that might impact their customer profile—for example, electoral registers may provide data that changes a customer’s profile from a low-risk customer to a PEP (politically exposed person).
Data consolidation and enrichment
The data is collated from various sources, cleansed, and enriched. Data cleansing is one of the most critical steps in this process. The dataset will be massive, and only a subset of user data must be extracted, ignoring superfluous, surplus, and duplicate data.
Utilizing data for customer due diligence
The above process provides input data required for the customer due diligence process, such as business relationships, beneficial owners of the entity, sources of funds, and capital structure. In addition, firm-level policies and procedures define the risk factors for the customer due diligence process—for example, the percentage threshold for a controlling interest, verified media sources, and threshold limits—in line with regulatory requirements.
Customer risk assessment
The data collected is screened against defined events such as frequent negative news, a criminal court order against the entity or individual, and new business relationships with sanctioned countries. If the event changes the customer profile and exceeds the defined threshold (for example, the number of negative news items), the customer due diligence process is triggered. The updated information is stored in the customer repository for reference and future use if the change is not a material change. Customer due diligence reports are generated, and alerts are sent to the case management system for further action.
Dynamic Customer Due Diligence: The Need for Perpetual KYC