Best Practices in KYC for Financial Institutions
Our Alacra Compliance Workflow solutions have been serving financial institutions since 2005. Our sales and implementation process usually involves many client meetings. As we work out the configuration with the client, the question we are often asked is, “What are other banks doing to solve KYC process challenges?”
That’s a tough question for us to answer for three reasons. First, we have confidentiality and non-disclosure agreements in place with all our clients so we can’t say anything about a specific firm. Second, our clients are spread out geographically and are therefore subject to different regulatory regimes. That influences what they do and how they do it. Third, processes and procedures for KYC vary widely not only from bank to bank but within different departments in a single bank.
To help answer the question, “What are other banks doing?” we put together this helpful series, which ties together various regulations with best practices in three key areas of the Know-Your-Customer process.
The three areas we focus on are:
1. Customer Identification
2. Customer Due Diligence
   a. Risk-based Approach
   b. Sanctions Lists, PEPs and Database Checks
   c. Beneficial Ownership
3. Ongoing Monitoring
We have reviewed much of the relevant regulation from both government regulators and industry trade groups and have highlighted key segments of the regulations at the beginning of each section. Our focus has been on regulations related specifically to anti-money laundering (AML) and KYC, and we also included information on FCPA, UK Anti-Bribery, and FATCA, as there is an important KYC component to each. We then describe what we believe are the best practices in each area based on our work with our clients and prospects.
While I talk about the KYC process, we have found that firms that focus on improving each part of the process usually exhibit more of the best practices we have described herein and that these firms were much less likely to experience difficult regulatory audits.
Customer Identification–Regulatory Agency Overview
Every regulatory framework that oversees a financial institution interacting with a customer emphasizes customer identification as a critical first step in anti-money laundering compliance.
FinCEN (Financial Crimes Enforcement Network, US Department of Treasury): In the United States, FinCEN regulates the customer identification procedures (a.k.a. “know your customer rules”) at banks. A bank’s Customer Identification Program (CIP) must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. It is critical that each bank develop procedures to account for all relevant risks including those presented by the types of accounts maintained by the bank, the various methods of opening accounts provided, the type of identifying information available, and the bank’s size, location, and type of business or customer base. Thus, specific minimum requirements in the rule, such as the four basic types of information to be obtained from each customer, should be supplemented by risk-based verification procedures, where appropriate, to ensure that the bank has a reasonable belief that it knows each customer’s identity.
According to FinCEN’s documentation, the Agencies note that the CIP, while important, is only one part of a bank’s BSA/AML compliance program. Adequate implementation of a CIP, standing alone, will not be sufficient to meet a bank’s other obligations under the BSA, regulations promulgated by its primary Federal regulator, such as Suspicious Activity Reporting requirements, or regulations promulgated by the Office of Foreign Assets Control.
JMLSG (Joint Money Laundering Steering Group): Their report, Prevention of money laundering/combating terrorist financing – GUIDANCE FOR THE UK FINANCIAL SECTOR PART I states, “the firm identifies the customer by obtaining a range of information about him. The verification of the identity consists of the firm verifying some of the information against documents, data or information obtained from a reliable and independent source.”
FATCA (Foreign Account Tax Compliance Act, US Department of Treasury, Internal Revenue Service): “Requires a financial institution to report indicia of US status: US citizenship or lawful permanent resident (green card) status; a US birthplace; a US residence address or a US correspondence address; standing instructions to transfer funds to an account maintained in the US; an “in care of” address or a “hold mail” address that is the sole address with respect to the customer; a power of attorney or signatory authority granted to a person with a US address.”
The Importance of Your KYC Process
There is a clear correlation between firms that are focused on process and those following “best practices.” I always advise clients to “begin with the end in mind.” The start of the process is critical to the entire endeavor and the start of the process is communication between the sales team and relationship managers and the KYC team. The more information gathered from the customer up front and the more clearly this information is communicated to the due diligence professionals, the more effective the onboarding team will be.
Firms display a wide range of techniques when conducting the actual due diligence. Individual investigators conduct KYC research using different databases and different levels of care. “Best practice” firms train their investigators to use consistent processes that are more rigorous than those of other firms. While all firms are conscious of cost and time spent on each investigation, those that deployed more rules, checklists, and structure to the process are more cost-effective.
The firms that exhibit the most “best practices” try to anticipate what a regulator would look for during an audit. They are concerned about audit trails for their investigations and having well-organized documentary evidence of their decisions to accept new customers.