Financial institutions' KYC process under the spotlight following BSI Bank's closure

BSI Bank's breach of Singapore's anti-money laundering regulations has put the spotlight on how financial institutions in the city-state have been conducting their know your customer processes. Officials singled out KYC as one of main areas where loopholes can be exploited, especially in light of the various regulatory breaches by the Swiss private bank.

BSI Bank is facing Criminal Proceedings from the Swiss Office of the Attorney General for its links with the case involving Malaysia's troubled state investment fund 1Malaysia Development Berhad (1MDB). Six former employees in its Singapore operations are also facing prosecution.

The Swiss Financial Market Supervisory Authority (FINMA) has found that BSI Bank not only failed on many occasions to report unusual and suspicious transactions carried out on behalf of its customer 1MBD, but also allowed those transactions to pass through unquestioned. That has raised questions about BSI Bank's entire KYC process.

Identifying and verifying customers' information 

Lem Chin Kok, partner, AML practice at KPMG in Singapore, said financial institutions have put considerable emphasis on identifying and verifying information about customers based on what was required by regulations. But merely collecting information from customers and verifying it against their identity card or what had been stated in the documents they produced to banks might not be adequate, he said. 

"Banks may be able to verify their customers' information through their identity cards but they do not necessarily know who they are, or [that they are] who they claim to be. What is important for banks is to really know their customers. Know your customer means knowing the client so that banks can make [an] informed decision as to whether they should accept a particular client," he said. 

Lem cited a client who operates a restaurant business as an example, who may appear to be low-risk, but could still be considered a high-risk customer because the business is cash-intensive. A client who claimed to manufacture components might be manufacturing components that were used for missiles and should perhaps therefore be considered high-risk. 

"Customers are doing all sorts of things [in their businesses], but it is really up to banks to know their customers and to better understand who they are," he said. 

KYC challenges

Lem said financial institutions faced challenges when conducting customer due diligence largely because of different regulatory expectations and different levels of complexity in their clients' business. He described the current KYC practice at most financial institutions as "industrialised", in that they were using standard operating procedures when conducting KYC processes and might not be doing enough analysis of client accounts. 

Such processes tend to involve assigning one employee to perform the same basic procedure over and over again, often with a view to speeding up the process and reducing cost. This can mean that the employee does not spend enough time analysing individual clients' accounts and is unlikely to see the KYC process in its entirety, Lem said. 

"Once you 'industralised' the KYC process, the staff who is performing the task won't see the big picture and the role is relegated to a box-ticking exercise," he said.

Continuous monitoring

Lem said the BSI Bank case has also raised questions about whether the Swiss private bank had carried out adequate continuous transaction monitoring, particularly given its long-standing relationship with 1MDB. The revelation which led to the bank's closure suggested that transactions which were highly unusual and suspicious may not have been given the scrutiny or close analysis they deserved.

A Thomson Reuters KYC survey conducted earlier this year revealed that an alarming 11 percent of Singaporean-based financial institutions, when asked about their ongoing monitoring methods, had no formal or core process in place to refresh client records. Only 7 percent reported that their client records were dynamically checked to ensure that they were up-to-date; even this is below the international average of 11 percent. The survey also showed that 16 percent relied solely on triggers, which was higher than the international average of 13 percent. 

With regard to implementing changes in line with the Financial Action Task Force's 2012 recommendations, as many as 61 percent of Singapore's financial institutions had failed to implement changes as at the survey date and 18 percent had no plans to do so.

Annual spend on KYC

The financial institutions surveyed indicated that staff who carried out KYC had often not been specifically trained to deal with such matters. The survey said this could lead to issues such as inconsistency in the kinds of documents that were requested, different parties making contact with the clients and a lack of standards in requirements. 

The survey also showed that the costs incurred in conducting KYC and customer due diligence were generally high, and were set to increase still further. Even so, Singaporean financial institutions spent less than the international average on KYC every year, at $38 million annually compared with the annual international average of $60 million, according to the survey. Hong Kong spent around $80 million every year on KYC while Australia fell behind at $27 million.

Nobody is "too big to be jailed"

Keith Pogson, senior partner, Asia-Pacific financial services at EY in Hong Kong, said a lesson from the BSI case is the need for banks to recognise that they have to bear the full cost of compliance to remain in the business regardless of the scale of their operations. He said regulators are increasingly notching up their expectations, with a clear focus on consistency in operations and in ensuring that banks have the controls and operational framework in place across the entire business. 

"It's clear that if banks want to remain in the business, they have to get their business to carry those costs or they exit the business. The cost of compliance is very real. It's either you are in business with appropriate controls and oversight or you are not in business," he said.

Pogson said the Monetary Authority of Singapore's enforcement action against BSI Bank is nothing new and is in line with those taken by global regulators who punished banks for regulatory breaches either by revoking banking licenses or pursuing criminal prosecution. 

Patricia Lee is South-East Asia editor at Thomson Reuters Regulatory Intelligence in Singapore. She also has responsibility for covering wider G20 regulatory policy initiatives as they affect Asia.