Know Your Customer (KYC) is a fundamental process used by Financial Institutions (FIs) to verify the identities of their customers and assess the associated financial crime risk. Its primary goal is to prevent money laundering, fraud, and other illicit activities within the financial system. It should therefore be more than a documentation process: it should be a process designed to effectively identify and manage risk.
Given that the KYC process is often the first interaction a customer has with an FI, it is also important that the process is as smooth as possible. However, there is a natural tension between these two goals. On one hand, the FI needs to obtain sufficient customer information to manage the risk and serve the customer’s needs and, on the other hand, the customer simply wants to execute transactions as quickly and seamlessly as possible. The key objectives of KYC are to enable the FI to:
- Create and maintain a complete, up-to-date, and accurate customer profile;
- Risk assess customers accurately to determine the depth of due diligence and enable on-going monitoring;
- Identify the purpose of the relationship and the customer’s expected transaction profile; and,
- Identify customers who should not be onboarded as they are outside of risk appetite.
To achieve the above, it is necessary to take a risk-based approach whilst ensuring regulatory adherence. KYC must be conducted at onboarding and during the customer lifecycle. For the latter, periodic reviews have traditionally been conducted at a frequency determined by the customer's risk rating. For example, many FIs adopt a 1, 3, 5 approach, which means periodic reviews are performed every year, three years, and five years for high, medium, and low-risk customers respectively. However, the depth of periodic review varies between FIs and for different customer types, e.g. low-risk clients may only be subjected to a “light touch” periodic review, or it may be fully automated.
Several FIs have been subject to well-publicised regulatory censure because of a lack of risk insights due to KYC backlogs or due to the quality, completeness, and accuracy of the customer profile. Whilst the reasons may differ between FIs, there are several inherent issues that contribute to the KYC challenge:
- Reliance on physical documentation for customer identification and verification
- Low-quality information for longstanding customers
- Poor quality data in public records
- Legacy technology ill-equipped to meet today’s KYC standards
- Increasingly demanding regulations and regulatory expectations
- Lack of automation and use of technological advancements
- Escalating operational costs and workforce instability
- Complexity of requirements for different customer types
- Insufficient ownership and involvement of front office staff
- Fluctuating customer populations subject to KYC review
- Low customer satisfaction
All the above issues are exacerbated due to the sheer volume of customers, particularly for FIs operating in a retail environment where numbers can be measured in the tens of millions. Many FIs have responded to these challenges through the augmentation of their KYC operational teams via consultancies, the contract market, outsourcing, or a combination of all three. Paradoxically, these responses have in many instances led to rising operational costs or a reduction in KYC quality.
What Is Perpetual KYC?
Ultimately, FIs have struggled to operationalise what is perceived to be a cumbersome process. However, due to technological advancements like digitisation, robotics, and artificial intelligence, the KYC ecosystem is rapidly changing. One aspect of this paradigm shift is that several FIs are moving away from the customary periodic review process to a more agile approach where customer reviews are performed perpetually. Perpetual KYC (PKYC) allows an FI to move away from periodic assessments in favour of a continual cycle of automated scanning to identify material events relating to static or transactional customer behaviour. In essence, this allows an FI to take a more risk-based approach to the KYC process: do more where required, and do less where possible. It leverages advanced technology and real-time data to continuously assess the customer's risk profile. There are several compelling reasons for the shift towards PKYC:
- Real-time identification of potential risks including unusual or suspicious behaviour.
- The ability to maintain a more up-to-date and accurate customer profile.
- Minimise human errors.
- Improved customer experience.
- Resources are focussed on higher-risk customers.
- Promotes integration of financial crime controls.
- Reduced costs as resources are right-sized based on material changes to the customer profile as opposed to a “one size fits all” approach.
- Predictability and consistency of operational volumes.
PKYC relies on cutting-edge technologies to allow for the continual collection and analysis of customer data from various internal and external sources such as transactional history, the FI’s financial crime controls (customer screening, transaction screening, transaction monitoring, investigations), government databases, and more recently social media. For each source, it is imperative that automation is used to reduce the need for human intervention. Once all the customer data is collected and analysed the customer risk rating is calculated to assess whether a manual or automated KYC review is required. PKYC continuously performs this process meaning that the customer profile is always up to date with the selected internal and external sources. Examples of events which may trigger a KYC review:
- Unusually large cash deposit(s) and/or withdrawal(s).
- Extensive use of high denomination notes.
- Change of business sector.
- Transactions/activities with high-risk countries.
- Transactions that do not align with the expected transaction profile e.g. transactions with unrelated business sectors.
- Change of beneficial ownership.
- Adverse media.
- Law enforcement requests.
- Activity assessed as suspicious.
- Sanctions violation and circumvention concerns.
In essence, PKYC requires the integration of all key sources of information to provide a holistic view of the customers' financial crime risk. Whilst this may seem like an obvious requirement for any financial crime control environment, this can present a significant challenge due to the development of siloed controls with limited connection to the underlying customer profile. For instance, sanctions screening or transaction monitoring alerts are frequently processed using separate technologies, separate teams, and separate workflows which are predominantly designed to dispose of significant alert volumes. Linking these processes back to the customer profile is often either missing, prone to error, or laborious, as the systems were not designed to cater to this requirement. The involvement of different teams of specialists can also lead to a lack of clarity over who owns the customer profile and manages the financial crime risk.
Challenges to a Successful Implementation of PKYC
While PKYC brings significant advantages, it also raises some challenges and concerns, including:
- Data privacy and data security due to the continuous monitoring of customer information e.g. social media.
- High volumes of false positive events particularly for corporate clients where their activities and management changes are less predictable and more frequent.
- Significant investment in technology and training.
- Reliability of data from external sources such as company registries especially in less mature markets which tend to be higher risk.
- Regulatory acceptance of PKYC. Many regulations explicitly state the need for a periodic review.
In relation to the regulatory acceptance of PKYC, it is imperative that the FI can demonstrate that each aspect of the control environment is operating robustly and effectively. This includes compensating controls such as transaction monitoring and adverse media screening, as well as the ongoing controls associated with PKYC such as a robust transactional analysis of actual versus expected activity. If not carefully managed, these prerequisites drive expense, which could lead to an equivalent cost environment to the historic periodic processes.
As PKYC looks at both static and transactional customer data, the gap between transaction monitoring and KYC can become blurred, e.g. what transactional activity triggers a KYC review versus a transaction monitoring alert? It is important that duplication is avoided and that the controls complement each other. One way to achieve this distinction is to focus transaction monitoring on transactional activity over a shorter time, e.g. 6 months, whereas other controls, such as PKYC, focus on the longer term. This type of approach also ensures that the effort required to review the unusual activity is proportionate as, generally, a transaction monitoring alert is less resource intensive and costly than a KYC review. Notably, the fact that a transaction monitoring alert has been created may influence the customer's risk rating, which could trigger a KYC review within the PKYC process.
Arguably, PKYC may be more achievable in a retail environment where many customers receive salary and pay bills monthly with only significant life events changing their profile. For many large and complex international corporates, it may be more beneficial to limit the number of triggering events to prevent false positives, particularly for transactional behaviour which can be difficult to predict, and to continue to rely on periodic reviews.
Furthermore, an FI needs to be able to show that the coverage of PKYC over the total customer portfolio is sufficient, especially when the volumes of files tend to be significantly less than for periodic reviews. This may explain why numerous FIs have taken a hybrid approach or run both processes in parallel. This status quo is likely to remain until regulators get more comfortable with PKYC and FIs can demonstrate its effectiveness in addition to the efficiency gains.
Although many FIs have adopted a PKYC approach, there are often justifiable exclusions from the process based on risk appetite. For instance, customers in special risk categories like payment service providers, correspondent banks, trusts, or customers in remediation with identified deficiencies tend to be excluded from PKYC.
The benefits of PKYC should not be seen as limited to pure economics but should also be noted in the increased surveillance leading to a continually updated customer profile and more timely response to material changes in customer risk profile. The increased oversight should improve the confidence in the risk assessment of the client base and the accurate basis for risk decisions.
FIs are embracing the concept of PKYC to stay ahead in an ever-changing regulatory landscape. PKYC is an exciting development that can drive improved compliance and cost efficiencies. The benefits of holistic customer monitoring allow for more proactive identification and management of risk. As technology continues to advance, we can expect more automation and ultimately PKYC to play a more significant role in the future of financial services. However, the implementation challenges of PKYC should not be underestimated. The stability of the underlying data and client platform is integral to success. The full implementation of PKYC will require a multi-year project with regular checkpoints. However, the long-term benefits will bring the FI into the future with the ability to scale its process in relation to its risk appetite. FIs must become more agile to continue to grow their business in markets where Fintechs already have the latest technology and can more readily adapt their platforms.
Lee Hale is a Senior Managing Director for Ankura with over 25 years of financial crime experience at Deutsche Bank, HSBC, and Barclays.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.