KYC remediation: Where does it go wrong?
Against a background of continued and relentless regulatory focus on anti-money laundering, counter-terrorist financing and sanctions compliance, many firms have identified the need to undertake some kind of know your customer (KYC) remediation programme.
This might entail either a review of a small group of higher-risk customers or a full-blown review of the entire customer base. Regulators around the globe are also focusing attention on politically exposed persons (PEPs), correspondent banking relationships and other higher-risk client types, and on the effectiveness of enhanced due diligence and monitoring for these clients.
Know your customer remediation programmes can often be fraught with difficulty if the fundamentals have not been put in place. This article explores some of the essential prerequisites to the successful delivery of a KYC remediation programme and identifies where things can, and do, go badly wrong. The checklist below illustrates some of the critical questions which need to be considered before embarking on, and while conducting, a remediation programme, whatever its size.
Know your customer remediation: self assessment checklist
1. Are senior management engaged?
Front-line, customer-facing staff (e.g., relationship managers or their equivalent) must recognise that completing the KYC remediation is vital if both the firm and the individuals themselves are to be protected, and this message needs to come from the senior leaders in the business. The front line also needs to understand that what may look like a tedious administrative task is of critical importance to the business. Where possible, front-line staff should be recognised and rewarded by senior management for doing this work, and for doing it well.
2. Has the front line bought in to the programme?
Front-line staff need to understand that they are the ones who bring risk into the business, and accordingly they are the first line of defence for managing financial crime risks effectively. They also need to understand that it makes good commercial sense to know their customers better and to ensure that the KYC information which the firm holds is kept up-to-date. The most successful programmes are those where firms find ways to use additional KYC information obtained from clients to enhance or deepen the relationship between firm and client, and this helps secure buy-in.
3. Is there appropriate governance and oversight supported by effective management information?
A KYC steering group comprising senior management from each of the areas involved in the remediation exercise should be in place from the outset to track the progress of the programme against the plan and timetable and to resolve promptly any issues raised by those actually doing the work. At the start of a programme, this group should meet frequently (probably weekly), and only when the programme is running smoothly, and delivering on targets, should the firm consider meeting less frequently. The group should also look very carefully at what it needs to have on its management information dashboard to monitor progress and identify potential problems early on.
4. Does the risk-reward ratio demonstrate that it will be worth remediating this client?
Know your customer remediation can be expensive and time-consuming. A process should be put in place to enable management to assess the value of the client to the firm and whether it is economically more viable to proceed to remediation or exit the relationship.
5. What does a "good" complete file look like?
Relationship managers need to understand what is expected of them. Tools such as control sheets and decision trees can be helpful but there is no substitute for showing the front office what "good" completed files look like. This could be done by, for example, the money laundering reporting officer sharing examples of good practice, ideally using a number of real-life customer files.
6. Are there clearly-defined remediation processes and standards?
A clear, simple process which is understood by all participants (including compliance, KYC analysts, operations and the front office) will help to ensure that everyone understands each other's role, reduce the risk of an "us and them" mentality and minimise friction.
7. Do you have rigorous quality assurance from the outset?
All too often inconsistencies are only identified when the mistakes have already been made. The importance of strong quality assurance throughout the project cannot be overstated. Independent testing of 100 percent of completed customer files could be undertaken at the start of the programme, with the percentage reduced subsequently based on performance.
8. Can the firm rely on external databases or other KYC tools?
There are some powerful tools available to support KYC remediation but it is a mistake to rely too heavily on information from the internet which may not be reliable or verified. Using a search engine may well help gather some additional information about the client but firms should not think they can avoid contacting the customer by relying on information from public sources.
9. How can firms be sure that a consistent approach will be adopted by all KYC analysts?
Know your customer remediation is not a science and can be very subjective. If external contractors are employed to support a KYC remediation exercise, as is often the case, they will bring with them their own approaches based on their past experiences in a diverse range of firms with widely differing policies and standards. Know your customer analysts should be screened and assessed very carefully, and training will often be required to ensure they give consistent advice and support to the front office. Nothing has the potential to de-rail a KYC remediation programme more quickly than a relationship manager who has struggled to obtain what he thought was the right information from the client, only to be told by a different KYC analyst that it is not enough, or not right.
10. How will the firm communicate with customers and handle objections?
Often, the front line will say something like, "Our regulators/compliance people say that we have to ask you for this information." This is invariably the wrong way to ask the client for more information (where this is required). There is no doubt that it can be difficult to ask existing customers for additional information, some of which it might be culturally inappropriate to request. Careful consideration should be given to training for the front line to enable them to ask questions in the right way, and to anticipate and handle client objections.
11. Do completed files pass the "smell test"?
In many cases, where the client documentation has technically been completed, no one stops to ask the simple question, "why?" For example, what consideration has been given to the commercial rationale for a particular corporate structure or complex chain of ownership? Does it make sense? Is it within the firm's stated risk appetite? Is there something that does not feel right about the arrangements? This is a commercial judgement which must be made at a high level within the firm.
Remediation looks as if it is here to stay and can be a huge cost to the business. One thing is worse that a remediation exercise: a re-remediation exercise.
Peter Brooke is an experienced risk and regulation consultant at FTI Consulting, based in London. With a unique blend of in-house and consulting experience, Mr Brooke has worked in financial services for more than 24 years. The views expressed are his own.