Know Your Customer (KYC) proves to be valuable and

White Paper
Know Your Customer
Introduction
Money laundering, fraud, terrorist financing, and other financial crimes continue to rise and are
becoming more sophisticated. To facilitate the reduction of illegal activities being perpetrated
against financial institutions, regulatory agencies operating under the provisions of the USA
Patriot Act are providing a broader focus on Anti-Money Laundering (AML) activities. A large part
of this focus is on activities related to Know Your Customer (KYC). KYC is a critical component of
the regulations directed at reducing the incidents of money laundering, fraud, and terrorist
financing.
Too often financial institutions are not aware of their vulnerability until an illegal activity is
discovered, after the fact, and/or the regulators have imposed penalties for lack of compliance.
Protecting your institution’s assets, reputational credibility and integrity with the regulators is
essential in this environment.
Another important consideration is that the cost of remediation and satisfying a regulatory action,
over and above any monetary penalties incurred, can far exceed the cost that would be incurred
to proactively develop a strong Know Your Customer (KYC) program. The KYC program must
satisfy regulatory requirements, effectively manage and mitigate the risk of non-compliance while
still providing a quality customer experience.
Questions that should be asked to ensure that best practices are deployed within your
organization include:
• Do you know what the regulators are looking for when they evaluate your program?
• Is your KYC program robust and rigorous enough to effectively mitigate the risks to your
institution?
• What actions are being taken by your organization to make the changes needed to provide
for an ongoing process that ensures compliance and reduces risk exposure?
A sound KYC process depends on many factors and it should be noted that there is no formula or
“one-size-fits-all” solution that works for every institution. The regulations are often subject to
interpretation. Risks vary based on the mix of the institution’s customer base; the size and nature
of businesses served; geographical location; the products and services offered; customer
transaction activity; and finally, on your institution’s appetite for risk. This article will address the
actions that financial institutions should be taking, administrative issues, and the role of
technology.
ADS / 50 Braintree Hill Office Park, Suite 101 / Braintree, MA 02184 USA / (800) 729-3334
www.adsfs.com
Activities that Financial Institutions Should be Taking
Financial institutions are facing many challenges in today’s business environment from both
market and regulatory fronts. With this understanding, it is even more critical that they make a
greater effort to implement and adhere to the critical components of “Know Your Customer”
activities which are described below.
Customer Identification Program (CIP) – Simply put, verifying that customers and clients are who
they say they are. According to provisions of the USA Patriot Act, all financial institutions must
verify the identity of individuals wishing to conduct financial transactions with them. The law was
implemented by regulations in 2003 which require financial institutions to develop a Customer
Identification Program appropriate to the size and type of their business. The CIP must be
incorporated into the financial institution's Bank Secrecy Act/AML compliance program, which is
subject to approval by the financial institution's board of directors.
The CIP is intended to enable the bank to form a reasonable belief that it knows the true identity
of each customer. The CIP must include new account opening procedures that specify the
identifying information that will be obtained from each customer. It must also include reasonable
and practical risk-based procedures for verifying the identity of each customer. Financial
institutions should conduct a risk assessment of their customer base and product offerings, and in
determining the risks, take into consideration:
• The types of accounts offered
• The methods of opening accounts
• The types of identifying information available
• The institution's size, location, and customer base
Customer Due Diligence (CDD) - Assessing the risks associated with a customer by predicting the
types of transactions in which a customer is likely to engage. These procedures assist the
institution in determining when transactions are potentially suspicious. The cornerstone of a
strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD
policies, procedures, and processes for all customers, particularly those that present a high risk for
money laundering and terrorist financing.
The objective of CDD should be to enable the bank to predict with relative certainty the types of
transactions in which a customer is likely to engage. These processes assist the bank in
determining when transactions are potentially suspicious. The concept of CDD begins with
verifying the customer’s identity and assessing the risks associated with that customer. Processes
should also include enhanced CDD for high-risk customers and ongoing due diligence of the
customer base. Effective CDD policies, procedures, and processes provide the critical framework
that enables the bank to comply with regulatory requirements and to report suspicious activity.
CDD policies, procedures, and processes are critical to the bank because they can aid in:
• Detecting and reporting unusual or suspicious transactions that potentially expose the
bank to financial loss, increased expenses, or reputational risk.
• Avoiding criminal exposure from persons who use or attempt to use the bank’s products
and services for illicit purposes.
• Adhering to safe and sound banking practices.
In addition, CDD guidelines should include policies, procedures, and processes that address
whether they:
• Are commensurate with the bank’s BSA/AML risk profile, paying particular attention to
high-risk customers.
• Contain a clear statement of management’s overall expectations and establish specific
staff responsibilities, including who is responsible for reviewing or approving changes to a
customer’s risk rating or profile, as applicable.
• Ensure that the bank possesses sufficient customer information to implement an effective
suspicious activity monitoring system.
• Provide guidance for documenting analysis associated with the due diligence process,
including guidance for resolving issues when insufficient or inaccurate information is
obtained.
• Ensure the bank maintains current customer information.
Assessing customer risk is also an important component of CDD. Management should have a
thorough understanding of the money laundering or terrorist financing risks of the bank’s
customer base. Under this approach, the bank should obtain information at account opening
sufficient to develop an understanding of normal and expected activity for the customer’s
occupation or business operations.
Much of the CDD information can be confirmed through an information-reporting agency, banking
references (for larger accounts), correspondence and telephone conversations with the customer,
and visits to the customer’s place of business. Additional steps may include obtaining third-party
references or researching public information (e.g., on the Internet or commercial databases).
CDD processes should also include periodic risk-based monitoring of the customer relationship to
determine whether there are substantive changes to the original CDD information (e.g., change in
employment or business operations).
Enhanced Due Diligence (EDD) - Due diligence or investigative actions beyond what is required by
standard KYC customer due diligence procedures based on high-risk client profiles and/or activity.
Customers that pose high money laundering or terrorist financing risks present increased
exposure to banks; due diligence policies, procedures, and processes should be enhanced as a
result.
Enhanced due diligence for high-risk customers is especially critical in understanding their
anticipated transactions and implementing a suspicious activity monitoring system that reduces
the bank’s reputation, compliance, and transaction risks. High-risk customers and their
transactions should be reviewed more closely at account opening and more frequently
throughout the term of their relationship with the bank.
The bank may determine that a customer poses a high risk because of the customer’s business
activity, ownership structure, anticipated or actual volume and types of transactions, including
those transactions involving high-risk jurisdictions. If so, the bank should consider obtaining, both
at account opening and throughout the relationship, the following information on the customer:
• Purpose of the account.
• Source of funds and wealth.
• Beneficial owners of the accounts, if applicable.
• Customer’s (or beneficial owner’s) occupation or type of business.
• Financial statements.
• Banking references.
• Domicile (where the business is organized).
• Proximity of the customer’s residence, place of employment, or place of business to the
bank.
• Description of the customer’s primary trade area and whether international transactions
are expected to be routine.
• Description of the business operations, the anticipated volume of currency and total sales,
and a list of major customers and suppliers.
• Explanations for changes in account activity.
As due diligence is an ongoing process, banks should take measures to ensure account profiles are
current and monitoring should be risk-based. Banks should also consider whether risk profiles
should be adjusted or suspicious activity reported when the activity is inconsistent with the
profile.
Administrative Issues
KYC also poses significant administrative challenges. While recordkeeping may appear to be a
lesser concern, this is, in fact, an area where an institution can leave itself most vulnerable.
Without adequate documentation, many of the KYC requirements cannot be met. Auditable proof
of your institution’s KYC activities is required and the regulatory agencies are scrutinizing this area
very closely. Written AML/KYC policies and procedures should clearly define and support the KYC
process. They must continually be reviewed and brought up to date as changes to regulations
and your institution’s processes dictate.
In addition, due diligence analysts and EDD investigators need to know how to properly interpret
KYC data. Penalties for regulatory non-compliance are also on the rise and the regulators are
becoming more diligent in imposing these penalties.
There are different types of AML/KYC enforcement actions that regulatory agencies can issue.
Informal actions are issued when an agency deems it necessary to obtain a written commitment
from an institution that an AML/KYC compliance problem will be corrected. These actions are not
made public.
Formal actions are more severe and are disclosed to the public. They include:
• Written Agreements – These describe violations and prescribe corrective action. They are
not enforceable in court; however, violations of these can provide the basis for Civil
Money Penalties.
• Cease and Desist Orders – These describe violations and prescribe corrective action and
are enforceable by the court. (More than 125 cease and desist orders have been issued
relating to AML since 2000).
• Civil Money Penalties – These have increased in frequency and value over the years. They
can be levied against a bank, its directors, officers and affiliated parties and have even
skyrocketed up to $40 million.
Role of Technology
Technology plays a significant role in addressing KYC issues and a variety of technological services
are available to support the process; however, there is a risk in relying too much on technology.
Data must be analyzed and interpreted. The interpretation of data and the subsequent
investigation of the information provided involve human intervention. This process usually
becomes more manual as the level of due diligence increases.
All high-risk entities require Enhanced Due Diligence (EDD) and closer monitoring on an ongoing
basis. In order to manage this process and perform effective investigations, appropriate tools and
processes are required involving the use of technology resources. The integration of data and
information, profiling of clients and other intelligent uses of the available technology can reduce
the number of cases requiring manual intervention.
The specific needs and feasibility of monitoring requirements will be different according to the
size of your institution. Ultimately the goal is to find a balance between mitigating the risk of
doing business with someone using your institution as a vehicle for illegal activity and
overburdening your resources.
Conclusion
KYC activities should be risk-based and tiered on a regularly scheduled, continual basis whether
on-boarding accounts or reviewing existing client relationships. While there are as many different
approaches to ensuring regulatory compliance as there are banks, we have tried to identify the
critical components necessary to establishing a comprehensive, efficient, and well-managed
approach to your bank’s KYC activities.
About ADS
ADS has been serving the financial services industry for over 30 years. Our expertise in strategy,
operational planning and implementation has been instrumental in helping our clients solve their
critical business challenges. ADS prides itself on its ability to create productive partnerships with
our clients resulting in creative, timely and cost-effective solutions. For more information please
visit our website at www.adsfs.com.