FORUM: KYC technology for screening, verification and monitoring
August 2018 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS: STRATEGY, COMPLIANCE & RISK
Financier Worldwide Magazine
August 2018 Issue
FW moderates a discussion on KYC technology for screening, verification and monitoring between Matt Galvin at AB-InBev, Gwendolyn L. Hassan at CNH Industrial, Derek Ryan at Deloitte LLP, and Jane Grinblat at Reed Smith LLP.
FW: Could you explain why it is so important for companies to know their customers against the backdrop of today’s regulatory environment?
Galvin: The regulatory environment has become less predictable and generally more strict. Markets such as China, Brazil, Guatemala and France have changed dramatically over the last few years. Many companies are more worried about what their service providers and customers are doing supposedly on their behalf than what their own people are doing. Companies should have strong controls not only on spend for their employees, but also with respect to third parties and business partners working on their behalf. Typically, company controls tend to be more focused on the former – so compliance is often put in the position of creating and implementing much of the controls around who companies worth with.
Ryan: Economic crime, identity theft and cyber crime are having a significant impact on society. The effects of human trafficking, terrorist financing and tax evasion are also becoming more prevalent, and this is driving ongoing changes in the regulatory environment. Regulators and enforcement agencies have an expectation that organisations should play a pivotal role in preventing economic crime and protecting customers’ interests. Organisations need to have a comprehensive understanding of their customers, and customer behaviour, to ensure that they are not involved in these types of illicit activities. This allows them to make informed decisions about how, or indeed if, they should engage or continue to engage with them.
Grinblat: Since the statement of the Basel Committee on Banking Supervision on the “prevention of criminal use of the banking system for the purpose of money-laundering” in December 1988, followed closely by the establishment of the Financial Action Task Force (FATF) under the auspices of the Organisation for Economic Co-operation and Development (OECD) a year later, the sphere of persons caught by Know Your Customer (KYC) obligations contained in various laws and regulations has grown ever larger. At the same time, the fines associated with a failure to observe the law have also increased. For example, in the EU, pursuant to the Anti-Money Laundering Directive (AMLD), legal persons can incur fines of at least €5m or 10 percent of total annual turnover, which, for corporates with consolidated financial accounts, could mean the turnover of the group. There may also be reputational damage as the respective national competent authorities are required to publish information on the type and nature of the breach and the identity of the persons involved. In a world where change, flux and disruption have become the norm, so long as ongoing customer monitoring obligations persist, it is imperative that companies have a good understanding of their customers and the nature of their businesses.
Hassan: Today’s regulatory environment is truly a reflection of our currently chaotic geopolitical climate. Companies are trying to limit their risk in an environment where they often first receive notice of new entities they may not do business with through means of a presidential tweet. Add to this the revelations of the Panama Papers and the resulting focus on transparency of ownership, and it has truly become imperative that companies understand exactly with whom they are doing business at all times.
FW: In your experience, do senior executives and boards need to be more proactive when it comes to optimising KYC resources and functions?
Ryan: KYC and compliance activities have the attention of senior executives and boards, yet due to increased competition in the market, organisations need to differentiate themselves on customer experience, simplicity and speed, and reputation. KYC is a potential barrier to this because the current process is cumbersome and not customer-centric. Institutions must avoid regarding KYC as a compliance overhead. Instead, they should invest resources in optimising practices to deliver effective risk management, built on sustainable customer-centric solutions. Advances in technology present a good opportunity to achieve compliance in a more efficient way and, as a result, rebalance some of the current, more manual, and therefore resource-intensive KYC activities. However, institutions have to be proactive in building a flexible, sustainable digital infrastructure, which can evolve in line with regulations and customer expectations. This is particularly the case for the more mature institutions. This approach presents an opportunity. As firms increase their understanding of customers, they can better target the products and services they offer. In other words, they should start to see KYC as a business-enabler rather than a cost.
Grinblat: Often, regulatory requirements are perceived as constraints on the ability of business functions to do their job. The consequence of this is a knee-jerk and unsystematic response to the demands of the law. While this may or may not solve the problem in the short term, in the long term this creates inefficiencies, as layer upon layer of compliance processes are added. Moreover, this leads to a poor client experience, since client onboarding processes are often uncoordinated as a result. It should be noted that in certain circumstances senior executives and other persons performing higher management functions can be held personally liable for failures to observe the applicable regulatory requirements.
Hassan: I often hear how difficult it is for people to convince their senior executives and board members of the true value of penalty avoidance. KYC functions and tools are seen as a non-income generating ‘overhead’ for which a return on investment cannot be calculated. This, in my view, is very short-sighted. The return on investment for these tools and functions is immediately calculable in terms of cost and reputational damage avoidance. The Panama Papers alone have spawned worldwide regulatory investigations, and the expensive legal fees associated therewith, and The Harvard Business Review has calculated that those firms caught-up in the Panama Papers leak have collectively lost some $230bn in market capitalisation. If those kinds of numbers do not immediately justify the usually moderate costs associated with a KYC function and tools, then I do not know what will.
Galvin: The responsibility for KYC can fall between different functions, depending on the organisation, which means it does not always have a single owner and a single group responsible for overseeing all of it and having one view. But this is a process best done with a unified vision and comprehensive data set. At board level, members should expect companies to have processes and systems in place to know their customers and service providers. But at the management level, there should be an effort to ensure that those processes do not overlap and that there is a single source of truth in terms of data management. Third-party risk can best be managed when there is a quality data set from which one can draw inferences and conclusions as part of a risk assessment. One-off risk snapshots will not always get the job done.
FW: How can KYC technologies assist companies in terms of their screening, verification and monitoring requirements?
Grinblat: Different stages of the KYC process open up different opportunities for the application of new technologies. These may be chat-bots guiding customers through the initial registration process or smart technologies assisting with collating and ordering collected information, for example machine translation which enables cross-border data processing or optical character recognition which makes data searchable. Robotic process automation technologies can be used to validate data by running checks against internal and external databases, watchlists and publicly-available information. A combination of data mining and recommender systems could then be used, for example, to monitor the relationship and make recommendations for action.
Galvin: Technological investment in this area is key. Many companies have invested in data aggregation and analytics to review and assess their business partners. Advantages can be obtained on the compliance side to aggregate and review risk trends in payment, risk adjudications in onboarding and investigation data and by combing that with the ambient risk of the jurisdiction and space where the third-party is operating. In other words, companies must create a dynamic risk profile for their entire ‘universe’ of vendors. Companies must also look at ways to expand this network. As such a system matures, it will get more accurate as it learns from the adjudication of the risk models, so it will become more efficient over time.
Ryan: Integrated technology is critical in helping companies across the KYC lifecycle. Greater speed, efficiency and accuracy in verification, screening and monitoring helps institutions manage risk better. It can also have a positive impact on the customer experience. Customer verification during onboarding is moving toward digital processing, removing the need for physical documentation to prove identity. Facial recognition, optical character recognition (OCR), biometrics and geolocation techniques can streamline risk management processes and enhance the customer experience. The integration of technology platforms makes it easier to leverage data obtained at onboarding, which can then be used for verification, screening and monitoring. As the quality and completeness of data improves, institutions are able to perform more accurate customer screening, and move away from simple rules-based transaction monitoring systems, making better use of customer profiling and behavioural analytics.
FW: In what ways could a greater degree of automation assist companies in understanding where their KYC risks lie and implement strategies to deal with them on a day-to-day basis?
Ryan: KYC processes are often manual and fractured, involving multiple touchpoints with customers. This has resulted in poor customer experiences, high operational costs and a high level of client churn for some organisations. Process automation is one way to unlock efficiencies. It replaces the human operation of repetitive tasks, such as the collection and review of customer data to identify high-risk indicators, with robotics. By creating this operational capacity, KYC analysts are able to spend more time on risk management activities that require human judgment. Looking to the near future, machine learning will be another way to detect financial crime more accurately. Machine learning has a range of applications in identifying customer risks. For example, it can be used to investigate transaction monitoring or customer screening alerts, and to determine whether the findings are relevant when assessing the client’s risk profile.
Galvin: Automation in terms of data aggregation and harmonisation is the holy grail. The more companies can find ways to streamline and ensure the quality of their data, the more every part of the company will excel. But automation has the potential to backfill every part of the process. Automation will make it easier for companies to analyse and prioritise the risks flagged within their systems.
Hassan: I consider automation to be an intelligence multiplier. We all hire smart people, but the smartest of people still have only so many working hours each day. Automation in this space allows companies to focus their limited resources in areas that are truly a value-add. A tool can perform repetitive, manual and lower-complexity screening and continuous monitoring tasks on an automated basis, thus freeing-up valuable time for highly trained staff to use their experience and training to resolve more complex issues and tasks. Automated KYC tools can serve the valuable function of ‘narrowing the focus’ of often scarce human resources to the resolution of only higher risk and more complex situations.
Grinblat: The adoption of a risk-based approach is central to the AMLD. The required level of engagement with customer data will differ, depending on whether customers display characteristics suggesting a heightened or reduced risk in terms of money laundering and terrorist financing. By way of example, where customers are regulated entities or listed on a regulated market, they are likely to require less detailed inspection. By contrast, persons linked to countries which are considered high risk or who are politically exposed persons (PEPs) will require a greater degree of screening and verification. Ultimately, the aim of automating processes should be to free up qualified and costly employee time to deal with the more ‘unique’ cases; often these are high-risk customers, where enhanced due diligence requirements apply.
FW: What steps should companies take when incorporating KYC technologies into existing business systems? How can they ensure processes are as efficient as possible?
Hassan: The key to maximising the efficiency of KYC technology is to make sure you are building into and leveraging existing business processes, as opposed to creating new or additional processes you then ask the business to follow. The more you can integrate into a system or process your business is already using, the lower the compliance burden will be. When you leverage processes already in use by the company and ‘insert’ your KYC tool and process in as unobtrusive a way as possible, you maximise your likelihood of adoption and success.
Galvin: Cross-functional support is key to incorporating technology into an organisation. One needs to ensure ‘buy in’ from key stakeholders across the organisation. For example, it does one little good to build a system and process that will work off one or more systems if IT plans on replacing that system next year. One needs to build these systems with a view toward the future so that they are not swallowed in an IT black hole as soon as they are launched. But conversely, this concern can lead to paralysis as IT plans tend to be dynamic and reactive to a multiplicity of commercial, budget and licensing concerns. But since data aggregation is key, I would counsel against creating additional systems to solve narrow issues such as KYC. It is better to build together with other groups to ensure longevity and acceptance.
Grinblat: One of the main weaknesses of KYC processes, especially in larger organisations, is the uncoordinated approach, resulting in inefficiencies and delay. To maximise the benefits offered by KYC technologies, a holistic approach should be adopted. Companies should take the opportunity to assess both the effectiveness and the user-friendliness of the systems they have in place and consider which technologies would best address the disclosed deficiencies. This may mean tapping into the know-how of a business process management tool to streamline processes and optimise case management.
Ryan: At some organisations, KYC requirements and procedures do not reflect the current expectations of customers, because they have not been developed and updated on an ongoing basis. This presents a danger. Organisations struggle when they look to incorporate technology into processes that are not working well, or into procedures that are inconsistent. Responding to this problem, companies need to look at the end-to-end business process from a customer perspective, to drive efficiency and create customer value, by achieving goals such as frictionless onboarding. By improving this end-to-end experience, they can build competitive advantage.
FW: With the likes of MiFID II and the GDPR radically altering regulatory frameworks, how would you characterise the ability of companies to meet their KYC obligations while balancing other regulatory demands?
Hassan: There is no shortage of articles decrying as ‘impossible’ compliance with both KYC and, for example, the General Data Protection Regulation (GDPR), but I, for one, do not agree. That is not to say it will be easy, however. There are certainly many potential ‘traps’ companies can fall into if they are not careful and thoughtful in how they structure their programmes. GDPR, for example, provides data subjects with the ‘right to be forgotten’ and to have their data removed from company systems. At the same time, of course, the updated Markets in Financial Instruments Directive (MiFID II) specifies record retention requirements of five or even seven years for client information. While these seem contradictory, the GDPR does allow data to be held ‘as long as required’ under other statutory retention periods. The key, in my view, will be to self-test and audit your own procedures. Have you accounted for these potential areas of overlap? Does your process include a method for resolving these types of regulatory tensions? If not, it should.
Grinblat: The regulatory burden is not only increasing, it is also shifting. Keeping abreast of developments can assist with staying on top of one’s legal obligations. Here again, technology and innovation can be of assistance. Artificial intelligence (AI) tools built around natural language processing can be brought in to identify and alert people, products and processes affected by legal and regulatory changes. Additionally, companies can and should build tailored solutions together with their legal advisers to ensure that the information the company receives is appropriate to its specific circumstances.
Ryan: We disagree with the consensus that these regulatory requirements both contradict regulators’ KYC demands and make it harder for companies to meet them. This is because we see principles common both to MiFID II and the GDPR on the one hand, and good KYC practice on the other. These include customer control of data, a transparent risk model for KYC procedures, decisions that support the customer interest, and an ongoing focus on protecting and delivering value to customers, through a greater understanding of their businesses and needs. Organisations that can integrate their approaches to meeting these different regulatory demands will create a ‘wow’ factor for customers and will achieve competitive advantage.
FW: What advice would give to companies on deploying KYC technology that can unravel complex corporate structures, retrieve data on controlling entities and individuals, and identify beneficial owners?
Grinblat: Workflow automation is key to bringing together information outputs from different sources to ensure nothing gets missed, reducing scope for human error and providing an audit trail of reports and notifications. This can be especially useful when dealing with complex corporate structures. Companies should be aware, however, that as soon as they have identified the beneficial owners and start dealing with their personal information, this may trigger their obligations under the GDPR, meaning that appropriate safeguards will need to be built into the process. It is important, in this context, to remember that technology is merely a tool and that the legal obligation will remain with the company and senior management to ensure its appropriateness for the task.
Galvin: There are three important things to remember. First, identify the systems and take steps to aggregate the data from places that can help assess the problem. It is an obvious point that data analysis is only as good as the data. It is not always obvious where one can get the data to solve any particular risk in the company, but once you find it, make friends with the owners and find a way to access the key systems. Second, it can take time to build the infrastructure of processes and controls necessary to create data sets that are usable. It is critical that the data inputs are accurate and clean or the most advanced system will crumble. Third, this will take time to build well. If a company is in year two of a five-year plan, that does not mean that it has not shown results, it means that the company has had to encourage a great deal of organisational patience along the way.
Ryan: We advise against blind trust. For example, these technologies are often effective for large companies, but limited when it comes to small commercial businesses, as there is not enough data to do sophisticated profiling. Technology is not a silver bullet. Responsibility and accountability for ensuring compliance remain with the institution. Moreover, transparency about the information and techniques used by technology to reach decisions is essential. If an analyst cannot explain in simple terms how the technology has arrived at its answer, they will not be able to understand the risks created by relying on it. In any case, KYC technologies should ultimately be seen as enhancing risk-based judgment by humans, by creating more time for them to focus on value-adding analysis. It should definitely not remove humans from the equation altogether. A final issue requiring care is that with data protection regulation evolving, companies need to ensure they have the right authorisation to source and hold data.
Hassan: Deployments often fail for having tried to achieve everything all at once. Organisational change management must be a key part of your deployment strategy. You can deploy the most sophisticated tool in the world, but if your business people do not know how to use it, or it creates what is perceived to be ‘more work’ and so will not use it, your deployment will fail. My advice would be to start simple. Look for ‘quick wins’ and areas where automation can immediately provide additional efficiency and the most return on your investment in terms of process improvement. Then, once those are in place and functioning well, look to add automation of the next area.
FW: How do you see the application of KYC technologies developing in the years ahead? What innovative solutions do you expect to emerge?
Ryan: The concept of user-owned, controlled and permissioned data sharing will become ever-more important, because of both regulation and broader concerns about data security and privacy. Technologies will need to be embedded into end-to-end digital customer journeys, as opposed to being siloed solutions to specific points on the customer journey. We also forecast a growing availability of permissioned transaction data, and a greater use of advanced analytics to build behavioural profiles of customers and to understand networks in real time. Looking at general principles, we see a paradigm shift in the KYC solutions of the future. Solutions will be developed to optimise user-controlled digital identity, and to develop and maintain holistic profiles of customers. Perhaps the most radical change will be a shift from solutions within individual organisations, to industry-level solutions that will enable better identification and management of economic crime risks and help institutions better protect their customers.
Hassan: I am increasingly convinced we will see a use case for blockchain in the area of beneficial ownership; a type of self-evidencing ‘chain’ of ownership transfer that will be immutable and will create a reliably accurate chain of entity ownership. I am also excited about the potential of AI in the area of KYC. I can see, in the not too distant future, the use of machine learning to gather, sort and interpret customer and ownership information, perhaps even integrated with other diligence information including adverse media, political exposure and corruption risk. I think that eventually, the distinction between KYC and third-party due diligence will disappear and we will see the rise of Know Your Business Partners (KYBP), knowing detailed information not only about our customers but also about those who sell for, supply and service our companies, to give us a truly transparent view of those we do business with.
Galvin: The key obstacle is aggregating and harmonising disparate data sources to run a single, centralised set of learning algorithms to solve problems. Many organisations have evolved through combination and acquisition. But corporate combinations tend to move far more quickly than the underlying technological infrastructure of the companies, meaning that most organisations have patchworks of data. The greatest demand is therefore finding ways to bring together and analyse those different networks and that is where we see the greatest development in this space. Once you have done that, running solutions on the data will be relatively easy.
Grinblat: The RegTech sector has been booming and further growth is expected as companies become more aware of the advantages of investing in the right technology. RegTech can harness global data sets, offering more slick and slender KYC management solutions. As legislators and regulators pay more attention to data protection and storage, RegTech will also be able to offer new possibilities in terms of data encryption and security. An additional area to watch is the application of blockchain technologies to KYC tools and procedures, since blockchains offer an immutable and transparent record of up-to-date customer data.
Matt Galvin joined AB-InBev in 2015 and is responsible for the company’s global compliance programme. He is a New York and Hong Kong-qualified lawyer who practiced for 10 years at a number of leading international law firms, advising on anti-corruption, economic sanctions and other compliance risks. Mr Galvin is a leader in the use of data analytics to manage corruption risk within multinational organisations and in 2017 was one of five leading in-house lawyers nominated by the Financial Times as innovative lawyer of the year in North America. He can be contacted on +1 (212) 503 2886 or by email: firstname.lastname@example.org.
Gwendolyn L. Hassan provides legal counsel, and has day-to-day operational responsibility for the global compliance and ethics programme for CNH Industrial, the world’s third largest capital goods maker and second largest manufacturer of farming equipment. Her expertise includes compliance programme structure and operation, compliance investigations, enterprise risk assessment and management, compliance strategy, corruption prevention, trade compliance, policy development and training. She is a graduate of DePaul University School of Law and the University of Wisconsin – Madison. She can be contacted on +1 (630) 887 2187 or by email: email@example.com.
Derek Ryan is a partner in the forensic financial crime practice of Deloitte LLP in the UK. He has over 15 years of experience in financial services, specialising in the delivery of large scale transformation programmes with technology, data and operations components. He has focused on building eminence in the financial crime domain with a foundation in AML-KYC complex programme delivery, operating model design and establishing sustainable business as usual functions. He can be contacted on +44 (0)20 7007 8277 or by email: firstname.lastname@example.org.
Jane Grinblat works from the Munich office of Reed Smith advising on English and German law aspects of financing transactions. Her core practice areas include funds financing, structured finance and real estate finance. She has undertaken a secondment to the securitisation team of a major European bank. She also has a keen interest in emerging technologies and how these can be deployed to improve clients’ businesses and her own practice. She is a member of the FinTech Team at Reed Smith and advises on the regulatory aspects of nascent financing forms. She can be contacted on +49 (0)89 20304 165 or by email: email@example.com.
© Financier Worldwide