Banks and financial institutions continue to struggle to comply with some regulations – the Bank Secrecy Act and Anti-Money Laundering rules (BSA/AML), to name just two. Penalties for non-compliance, enforced by the regulators, continue to rise, with some reaching tens of millions of dollars.
It’s no surprise banks are eager to understand and address the problem. The core challenges sit within the following business processes: Know Your Customer (KYC), Know the Customer’s Accounts (KYA), and Know the Customer’s Intermediaries (KYI). These processes, and the underlying technology that enables them, are now being looked at through a magnifying glass, and in many cases they are found to be unsatisfactory. The key is to really know the customer during the onboarding process and not stop there: knowing the customer has to continue throughout the relationship.
So, what are the issues?
1. Lack of uniformity in administering the KYC processes across different subsidiaries of a large multinational bank.
2. Lack of real-time screening during customer onboarding.
Customers flagged during sanctions or other types of screening pose a much higher risk; therefore, they require more scrutiny and due diligence (DD) during the onboarding process.
3. Lack of real-time risk scoring for a prospective customer.
Customers with a higher risk level require more scrutiny and DD during onboarding.
4. Lack of real-time monitoring, risk reassessment and re-certification of existing customers.
For example, a significant change in a customer’s identification information or in the nature of their transactions after onboarding may raise the customer’s risk rating, which in turn requires more scrutiny and DD.
5. Lack of periodic and timely risk reassessment and re-certification of the customer’s groups.
A robust, real-time KYC platform is important not only for compliance, but also for the Lines of Business (LoB) to up-sell new services to a customer. If, for example, a customer declares during the onboarding process that they will write under 9 checks a month, but is later found to write 50, a check protection service could be offered as a safety precaution.
It’s all about the steps…
The KYC process generally goes like this:
Step 1. Gather data by asking a prospective customer questions or sourcing data from external sources.
The question set might be composed of a number of modules, with logic connecting the flow between questions. For example, if the answer to question X is true, and the answer to question Y is greater than A, then ask question Z. Compound this with each business organization’s desire to customize the question set to fit its own typical customer profile, and the result can be missed questions or inconsistent answers… ultimately reflected in an incorrect risk scoring and rating of the customer.
Step 2. Decide on the level of DD that is needed.
Step 3. Make sure that the customer file is complete.
Step 4. Assess the current customer risk.
Getting a realistic current customer risk in step 4 is highly dependent on steps 2 and 3 – making sure that the customer file is complete and the appropriate DD has been done.
Step 5. Make a decision to approve or deny.
Step 6. For an approved customer, perform ongoing monitoring and on-demand, or periodic, customer risk re-assessment and re-certification.
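The conditional question flow from step 1 and the completeness check from step 3 can be made mechanical. The following is an added example written for this page, not code from the article or from any KYC product: question ids, module names, the cash threshold and the set of inputs the risk model reads are all constructed assumptions. It shows how a "if X is true and Y > A, then ask Z" rule is evaluated against the answers given so far, how a customer file is tested for completeness before scoring, and how trimming a module for a line of business can silently remove a question the risk score depends on.

```python
"""Rule-driven KYC questionnaire with completeness and consistency checks (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Set

Answers = Dict[str, Any]


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    # Predicate over the answers collected so far; None means always asked.
    ask_if: Optional[Callable[[Answers], bool]] = None


# Constructed threshold for the "Y > A" part of the rule; not from the article.
HIGH_CASH_THRESHOLD = 10_000

# Constructed question modules; ids and wording are assumptions for this example.
MODULES: Dict[str, List[Question]] = {
    "identity": [
        Question("country_of_residence", "Country of residence?"),
        Question("naics", "NAICS code of the primary business activity?"),
    ],
    "activity": [
        Question("cash_intensive", "Is the business cash intensive? (bool)"),
        Question("expected_monthly_cash", "Expected monthly cash deposits (USD)?"),
        # "If X is true and Y > A, then ask Z": X = cash_intensive,
        # Y = expected_monthly_cash, A = HIGH_CASH_THRESHOLD, Z = cash_source.
        Question(
            "cash_source",
            "Describe the source of the cash.",
            ask_if=lambda a: a.get("cash_intensive") is True
            and (a.get("expected_monthly_cash") or 0) > HIGH_CASH_THRESHOLD,
        ),
    ],
}

# Inputs a hypothetical risk-scoring model reads; constructed for the example.
SCORING_INPUTS: Set[str] = {"country_of_residence", "naics", "cash_intensive", "cash_source"}


def required_questions(modules: List[str], answers: Answers) -> List[Question]:
    """Questions that must be answered given the enabled modules and current answers.

    Conditional questions are evaluated against the answers already given, so a
    question becomes required as soon as its triggering answers are present.
    """
    required: List[Question] = []
    for name in modules:
        for q in MODULES[name]:
            if q.ask_if is None or q.ask_if(answers):
                required.append(q)
    return required


def missing_questions(modules: List[str], answers: Answers) -> List[str]:
    """Ids of required questions that have no answer yet (step 3: file completeness)."""
    return [q.qid for q in required_questions(modules, answers) if q.qid not in answers]


def file_is_complete(modules: List[str], answers: Answers) -> bool:
    return not missing_questions(modules, answers)


def inconsistencies(answers: Answers) -> List[str]:
    """Cross-question checks. One constructed rule: a business declared not cash
    intensive should not also expect cash deposits above the threshold."""
    problems: List[str] = []
    if (
        answers.get("cash_intensive") is False
        and (answers.get("expected_monthly_cash") or 0) > HIGH_CASH_THRESHOLD
    ):
        problems.append("cash_intensive is False but expected_monthly_cash exceeds threshold")
    return problems


def unreachable_scoring_inputs(modules: List[str]) -> Set[str]:
    """Scoring inputs that no enabled module can ever ask for.

    This is the customization problem from the article: a line of business trims
    modules to fit its typical customer and a question the risk model depends on
    disappears from the flow, so the score is computed on an incomplete file.
    """
    askable = {q.qid for name in modules for q in MODULES[name]}
    return SCORING_INPUTS - askable


if __name__ == "__main__":
    # Constructed sample answers; NAICS 722511 is used only as an illustrative value.
    answers = {"country_of_residence": "US", "naics": "722511",
               "cash_intensive": True, "expected_monthly_cash": 25_000}
    print("missing:", missing_questions(["identity", "activity"], answers))
    print("unreachable if only 'identity' enabled:", unreachable_scoring_inputs(["identity"]))
```

Running `unreachable_scoring_inputs` against each line of business's customized module list at configuration time, rather than discovering the gap when a file scores wrongly, is the check this example is meant to motivate.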
Step 6 is the key and requires event-driven management. When the customer changes the country of residence, country of activity, or nature of the business, as indicated by the NAICS code, the risk rating might move up. This may require reassessment and potentially re-certification of the relationship. That said, it is also good practice to reassess all customers’ risk periodically.
As step 6 suggests, in order for banks to successfully cope with regulatory challenges, they need to become event-driven enterprises. Changing the status quo usually takes IT and the business working together. Luckily, IT can rely on a well-established and proven event-driven architecture, in which several pipes attached to the data sources submit events to a monitoring platform.
The monitoring platform uses a filtering mechanism to sort out the events of interest and submit them to a processor. The processor then executes the required action, which might be to emit an event that initiates an instance of a business process to reassess the customer’s risk and re-certify the customer’s relationship. The LoB executes the corresponding process in a timely manner, while IT records its audit trail. What if the LoB fails to execute the process within the established time? That failure is itself an event in the monitoring platform, which follows up with outgoing reminders to the LoB.
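The pipe, filter, processor and reminder loop described above, as an added example that is not part of the original post and does not reflect any particular vendor's platform. Event kinds, customer ids, the 10-day deadline and the 3-day reminder interval are constructed assumptions. Profile changes touching country of residence, country of activity or NAICS code (the triggers named in the step 6 discussion) pass the filter and open a reassessment case with a due date; an audit trail is written at each step; a timer tick turns overdue open cases into reminder events. Time is passed in explicitly so the run is deterministic.

```python
"""Event-driven customer risk reassessment with deadline reminders (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

# Profile attributes whose change triggers reassessment (from the article's step 6).
TRIGGER_FIELDS: FrozenSet[str] = frozenset({"country_of_residence", "country_of_activity", "naics"})


@dataclass(frozen=True)
class Event:
    kind: str                                   # e.g. "profile.updated" (constructed names)
    customer_id: str
    at: datetime
    changed: FrozenSet[str] = frozenset()       # fields changed, for profile events


@dataclass
class Case:
    customer_id: str
    trigger: Event
    due: datetime
    status: str = "open"                        # "open" or "completed"
    reminders_sent: int = 0


def is_of_interest(ev: Event) -> bool:
    """Filter stage: only profile updates touching a trigger field pass."""
    return ev.kind == "profile.updated" and bool(TRIGGER_FIELDS & ev.changed)


class MonitoringPlatform:
    def __init__(self, sla: timedelta, reminder_every: timedelta) -> None:
        self.sla = sla
        self.reminder_every = reminder_every
        self.cases: Dict[str, Case] = {}        # one case per customer id
        self.audit: List[str] = []              # IT's audit trail
        self.outbox: List[Event] = []           # events emitted back to the LoB

    def submit(self, ev: Event) -> Optional[Case]:
        """Pipe -> filter -> processor. Returns the reassessment case, if one applies."""
        if not is_of_interest(ev):
            return None
        existing = self.cases.get(ev.customer_id)
        if existing is not None and existing.status == "open":
            # A further trigger while a case is open is recorded, not duplicated.
            self.audit.append(f"{ev.at.date()} {ev.customer_id}: trigger {sorted(ev.changed)} attached to open case")
            return existing
        case = Case(ev.customer_id, ev, due=ev.at + self.sla)
        self.cases[ev.customer_id] = case
        self.audit.append(f"{ev.at.date()} {ev.customer_id}: reassessment opened, trigger {sorted(ev.changed)}, due {case.due.date()}")
        return case

    def complete(self, customer_id: str, at: datetime, new_rating: str) -> None:
        """The LoB finishes the reassessment and re-certifies the relationship."""
        case = self.cases[customer_id]
        case.status = "completed"
        self.audit.append(f"{at.date()} {customer_id}: re-certified, rating {new_rating}")

    def tick(self, now: datetime) -> List[Event]:
        """Timer stage: each overdue open case raises a reminder event, repeated
        every `reminder_every` until the LoB completes the case."""
        emitted: List[Event] = []
        for case in self.cases.values():
            if case.status != "open" or now < case.due:
                continue
            next_reminder_at = case.due + case.reminders_sent * self.reminder_every
            if now >= next_reminder_at:
                case.reminders_sent += 1
                emitted.append(Event("reassessment.reminder", case.customer_id, now))
                self.audit.append(f"{now.date()} {case.customer_id}: reminder {case.reminders_sent} sent, overdue since {case.due.date()}")
        self.outbox.extend(emitted)
        return emitted


def demo() -> MonitoringPlatform:
    """Constructed event stream: two customers, one who re-certifies on time and one who does not."""
    t0 = datetime(2024, 1, 1)
    p = MonitoringPlatform(sla=timedelta(days=10), reminder_every=timedelta(days=3))
    p.submit(Event("profile.updated", "C-1001", t0, frozenset({"phone"})))                     # filtered out
    p.submit(Event("profile.updated", "C-1001", t0 + timedelta(days=1), frozenset({"country_of_residence"})))
    p.submit(Event("transaction.posted", "C-1002", t0 + timedelta(days=1)))                   # not a profile event
    p.submit(Event("profile.updated", "C-1002", t0 + timedelta(days=2), frozenset({"naics"})))
    p.complete("C-1002", t0 + timedelta(days=5), "medium")
    for day in (8, 11, 12, 14):                  # C-1001 is due on day 11
        p.tick(t0 + timedelta(days=day))
    return p


if __name__ == "__main__":
    print("\n".join(demo().audit))
```

The filter is deliberately the only place that knows which attributes matter; adding a new trigger (a change in beneficial ownership, say) is a one-line change to `TRIGGER_FIELDS`, and every reminder and completion remains traceable in the audit list.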
By becoming event-driven enterprises, banks will fulfill one of the requirements of digital bank 2.0 for the 21st century. They will have a far better chance of effectively complying with regulations (such as BSA/AML) and of avoiding costly penalties in the future. Is it an easy road to travel? It all depends on the level of collaboration between the business and IT, the organization’s maturity, and sustained executive sponsorship.