Remediate Risk, Not Files: Breaking the KYC Remediation Cycle (Executive Summary)
Financial institutions are required to have processes in place to detect and help deter money laundering and terrorist financing (ML/TF). These processes require certain client information to be maintained in order to develop, and demonstrate, an understanding of the customer and the ML/TF risk it poses to the organization.
The cost of noncompliance with know-your-customer (KYC) and other anti-money laundering (AML) regulations has entered into the billions of dollars.
The latest research shows that global financial institutions have been fined $10 billion since 2013 for noncompliance with AML rules, including inadequate KYC record keeping.1
The level of regulatory scrutiny of firms’ ML/TF programs remains high and the trend for regulators to issue penalties does not show signs of abating. The reputational damage from enforcement actions also has a cost impact, while individuals found to be at fault are being targeted for possible criminal prosecution as the tide turns to bestowing personal liability on financial services’ employees (particularly senior managers) for deficiencies in their firm’s ML/TF programs.
Where financial institutions do not have sufficient client information to demonstrate this understanding or fall short of regulatory or policy requirements, remediation programs have commonly been implemented to refresh KYC profiles.
Definition of KYC Remediation:
The uplift of client KYC information to an agreed standard focused on the highest-risk elements of the customer KYC profile.
Regulatory enforcement actions or findings often require firms to implement wide-ranging remedial programs or changes to business practices. The investment required to respond adequately to regulatory orders can be significant, with a single project often running into the tens of millions of dollars. A 2016 survey of financial institutions showed that, on average, firms spend $60 million a year on KYC procedures. The average KYC spend for firms in the United States is $78 million, while firms in Germany, Hong Kong and the United Kingdom each allocate $80 million or more annually to KYC.2 Expenditure on KYC remediation is predicted to grow by double-digit percentages over the next four years.3
The traditional approach to remediation is to attempt to bring KYC files up to the institution’s full on-boarding standard without consideration to the risk that each data point is seeking to mitigate. This process, which measures progress in throughput of files completed per day rather than risks mitigated, is deficient as well as inefficient.
The real purpose of a remediation exercise should be to ensure that the risks of financial crime posed by a customer are understood and mitigated, not simply to confirm that the KYC file is “complete.” In addition, remediation projects often fail because, due to the amount of information required, the effort to render a file complete is underestimated. Projects run over in time and cost and are either abandoned or restarted. KYC files, which potentially pose the greatest risk to the financial institution, are often not reviewed, as effort is expended on collecting the last few lower-risk data points to make other files complete.
To break out of this cycle of remediation, financial institutions need to take a risk-based approach. By remediating risk, rather than files, firms can cut the cost of KYC remediation significantly, mitigate financial crime risks more quickly and break the remediation cycle for good.
The Remediation Cycle
The Remediation Cycle
The cycle of KYC remediation programs is a common problem that financial services firms are struggling to break. A poll taken of audience members at a recent industry conference showed that approximately 90 percent of the audience had been involved with KYC remediation programs, with half of those participants further confirming they had participated in multiple,repeat KYC remediation programs. One participant referred to it as “re-re-re-remediation.”
As the graphic below shows, remediation projects are almost always required due to weak client-onboarding processes and inadequate periodic-review processes of KYC data.
Weak Onboarding Processes
The problems with KYC remediation programs begin with a weak underlying onboarding process. The issues here can be fourfold: inadequate controls over required fields, inadequate methods of obtaining and/ or maintaining current and correct client information, a lack of experienced staff, and multiple poor-quality data-capture systems with no single “golden source” of information. Issues with underlying data and the lack of a golden source record are an obvious challenge, as organizations are unable to determine where data is to be stored to create the single view of a customer and a complete KYC file.
Inadequate resource levels are a challenge, and the sheer scale of collecting significant volumes of data presents a daunting task for most firms. This places excessive pressure on business-as-usual (BAU) teams that often bring in temporary or third-party resources, which, if not carefully managed, create an additional challenge of headcount management and knowledge-capital loss. A further challenge is the common problem of there being no specific owner of the information and as such no accountability for poor individual client records.
The Obstacles to KYC Remediation
Challenges in Remediation
Weaknesses in the client onboarding process lead to significant remediation challenges. Although it is a very basic requirement, firms often find it difficult to access a definitive client list, which hampers their ability to prioritize high-risk customers for remediation. Included within this challenge is a lack of agreement about what constitutes a “client” consistently within an institution, particularly where organizations have complex structures involving intermediaries, agents, distributors and other third parties. In each instance, KYC requirements may vary and can be interpreted differently by separate lines of business or geographies.
Too often, organizations set targets to complete the upload of files that are unrealistic, and they do not fully appreciate the end-to-end time required to review a file, contact a customer, obtain additional data and then update core systems.
Firms need to be aware of constant changes in regulations and must implement them via changes in policy, which the organization can also initiate without being prompted by regulatory changes. Firms may have changed their policies several times and will need to determine which standard they intend to remediate the files to at the outset. They also need to be aware of the organization’s risk-appetite statement to understand the tolerance for certain customer types. Firms must determine remediation project parameters, which also include how they transition out of remediation to make file maintenance part of a periodic review cycle.
Reliance on Regular Review
A periodic review process consists of the refresh of the full KYC profile. The periodicity of such reviews varies by geography. In Europe, this is generally undertaken at one-, three- and five-year intervals, depending on the risk rating applied to the customer. In the United States, however, the standard is to undertake a periodic review at one-, two- and three-year intervals. Firms may choose to review clients more frequently depending on their risk appetite.
These periodic reviews require the necessary staff skills and expertise enabled by supporting tools and systems. The review process includes a link to other processes such as marketing- and event-review activities to identify abnormal behavior that triggers further review of a particular client. Firms also complete quality process checks to ensure that the periodic review cycle is working correctly.
A lack of direction from regulators concerning KYC remediation can add to the complexity of the exercise. Firms are unsure whether the regulators expect them to investigate every data point of their client files under the remediation program or focus on key risk areas. As a result, they often opt on the side of caution and attempt to remediate everything, which results in effort being focused on lower-risk issues, while high- risk issues may go to the bottom of the review pile.
Regulators are likely to accept a risk-based approach because it demonstrates an understanding of risk exposure when remediating KYC files. By assessing the risks associated with certain types of clients first, firms are able to decide which files to prioritize as well as establish a clear baseline standard to which those files should be remediated. Having a clear, risk-based plan in place helps organizations reduce the time and resources spent on the remediation program while elevating the efficacy of the exercise to focus on those areas of highest risk to the firm. This risk can then be managed consistently going forward with the implementation of ongoing control activities, such as periodic reviews, to manage the risk exposure.
Breaking the Cycle
- Remediate risk, not files.
- Not all data points are created equal.
- The biggest risk is the one you don’t know about.
- Get to know what you don’t know – identify your highest-risk data gaps quickly.
- Remediation is best managed in a two-step process.
The Break Point – Remediation Cycle
The left side of the Break Point diagram shows the various data points that carry different levels of risk depending on the firm’s risk-appetite statement. These data points are not equally important when conducting a remediation program; each firm must determine which of the data points are most important. The data on the left of the diagram, including the name, ultimate beneficial owners of corporate client accounts, sources of wealth, etc., are essential pieces of KYC information that firms need to ensure they possess and which must be closely monitored for any abnormal activity or change in status. These data points could be referred to as the key risk records, because they help the institution understand key facts about the customer, which risks they are presenting to the organization and where they sit against the firm’s risk appetite.
The data points on the right of the diagram, required for all customer accounts, are considered generally less important from a risk perspective. The organization must decide at the planning stage whether these data points help provide a greater view of the client’s risk profile. Frequently, organizations spend a lot of time and resources collecting this information to complete customer files even though the value the information brings from a risk perspective may be minimal.
To ensure value from a KYC remediation exercise – and to help speed up the process – firms need to ensure that they set remediation standards for their files. As previously mentioned, firms should prioritize those data points that are the most relevant from a risk perspective and ensure that all the files being remediated are elevated to the same standard. Setting a lower consistent standard enables the firm to get all the files under remediation to a common level that identifies the critical data points, revealing a good baseline understanding of the risk to which it might be exposed.
When this exercise is performed in conjunction with a transaction-activity review, and conducted as part of the remediation process, firms can build a strong view of their customer base and identify whether they are conducting activity in-line with expectations. This two- step periodic process first elevates the files to a known level on a common playing field and then allows the firm to prioritize client files under the remediation program.
The diagram below sets out one possible approach for implementing this two-step process.
The first step in this approach is for the organization to conduct a triage process up front to determine how to identify high-risk files. This may include assessing different product sets or client types, such as those that have links to offshore activities or with higher-risk ultimate beneficial owners. Once the files have been prioritized into high-risk and low-risk activities, the organization should establish a remediation standard that focuses on remediating the key areas of risk.
Once the remediation effort has been completed, it should be handed over to a BAU process, which puts in place a regular review process that can elevate all the files to a higher standard over an ongoing period. It is at this point that the firm may need to commence a client-exit process for any customers that have been determined to lie outside of the firm’s risk appetite or if requests for further required information have been unsuccessful.
Addressing Common Remediation Issues
This suggested approach to the KYC remediation process, as shown in the diagram on page 8, allows firms to address common issues encountered during such exercises.
The risk-based process allows firms to gain a better understanding of their risk exposure in this area more quickly and remediate the highest-risk data points first. Once identified, the higher-risk clients can be remediated first, leaving those presenting a lower risk to the company to be checked later. Focusing on the key data points has the additional benefit of reducing system requirements, which enables full client-risk assessments to be conducted much more rapidly. Likewise, standardizing remediation templates simplifies data-capture requirements.
This process works well in an environment of rapid policy changes. Furthermore, taking such a risk-based approach enables firms to target their resources at higher-risk areas while maximizing efforts. The culture of AML risk management is enhanced within the organization, and the business benefits from a better understanding of its risk profile.
Breaking free of the KYC remediation cycle for good requires an effective periodic review process, which has several components that firms need to follow to avoid falling back into the KYC data trap. The first of these is undertaking a KYC refresh project.
Components of a Robust Periodic Review
- KYC refresh: Ensures that all information is kept up-to-date
- Activity review: Checks that the process is in-line with expectations
- Business sign-off: Confirms accountability for the KYC program
- Risk appetite: Ensures that client and activities are within set thresholds, as well as ensuring a reassessment of high-risk parameters such as politically exposed persons (PEPs) and changing status of certain industries, etc.
- Suspicious activity reports
- Nameless screening/negative news
- Transaction monitoring
A KYC refresh project ensures that all files are kept up- to-date, at least with changes that have occurred over the past 12 months – such as, for example, updates of annual reports from corporate clients.
Once the data is up-to-date, further activity reviews can be conducted if they are triggered by an event that is out of the ordinary for certain accounts. For example, a review could be triggered by a company suddenly trading in a different line of business. Once such issues have been highlighted, it is up to the business to sign off on an explanation for the abnormal behavior, and the organization will be held accountable for accepting the change or for elevating the client file for further review.
It may be that certain changes initiated by a customer push them above the company’s stated risk-appetite threshold. For example, if an unregistered charity on an organization’s books is suddenly sending funds to Panama or to another high-risk location, it may have breached the firm’s risk-appetite threshold. Similarly, a customer may operate in a certain industry that could breach the firm’s risk appetite. For example, some organizations now consider oil and gas to be a high-risk industry.
The periodic review can also screen suspicious activity reports (SARs), conduct transaction monitoring and scan for negative news about individuals or organizations to consider in terms of breaching the organization’s risk appetite threshold.
A quality-assurance review conducted by a large financial institution identified that KYC files for the highest-risk politically exposed persons (PEPs), relatives/close associates (RCAs) and special-interest persons (SIPs) did not meet a common and acceptable standard. The company was required to remediate more than 1,800 client files to a hard deadline when a regulatory review was scheduled. The client had previously attempted to remediate these files as part of a wider remediation program but had failed to address them due to competing priorities and a lack of focus on high-risk clients.
Protiviti was engaged to assist with the process and followed the approach described above. The stakeholder group was defined, the remediation standard was agreed upon, the risk-prioritized files were selected for review, and the remediation template and methodology were developed.
The first step of the process was to triage the files against a remediation standard and conduct public source verification, identifying data gaps or items in question for further review. The agreed remediation standard covered approximately 70 percent of the key data points required by the client’s KYC policy. Following this process, the risk exposure was defined and the files were prioritized. Once the process was completed, Protiviti hosted a workshop for file sign-off of the remediated files and the handover to the BAU process.
This project succeeded primarily because it ensured the early engagement of key stakeholders, the iterative development of a remediation standard and the continuous confirmation of risk issues, risk appetite and ownership of files moving to BAU at file sign-off. As a result of this risk-based approach, the institution came to a common understanding of its risks, enabling the efficient identification of risk exposures to implement a risk-based action plan for full remediation. The applied concept of remediating risk, not files, was a success for all parties. The process was a success for the client, which now has a better understanding of its risk, and for the regulator, because the process gave the regulator a clear view of the risks the firm was trying to manage.
Using Risk to Break the Remediation Cycle
It is no longer necessary for financial institutions to spend significant resources in costly KYC remediation projects if they follow a risk-based approach that seeks to remediate risk rather than KYC files. Taking this approach allows firms to better understand their risk exposure, and by prioritizing data points according to risk, they can streamline the KYC process significantly. By rapidly identifying gaps in the KYC data, firms can target the biggest risk of all, which is a lack of knowledge.
Once files are remediated to a common standard, firms can prioritize remediation on those highest-risk areas, taking time to address those deemed to be lower risk. By putting in place a robust and comprehensive periodic review process, firms can break the KYC remediation cycle once and for all.