HEADER

Planning KYC remediation in a commercial bank: Some essential considerations

40 acams today

JuneAugust 2009

www.ACAMS.org

PRACTICAL SOLUTIONS
he focus on preventing money laundering took a new turn with 9/11. The days events highlighted the need to combat terrorist financing as an integral part of anti-money laundering (AML) processes. Until that time, financial institutions and intelligence agencies essentially focused on movement of funds related to drug trade and largescale financial fraud. It is believed funds necessary to enable execution of the 9/11 plot were primarily moved through the international financial system and withdrawn in The US through formal banking channels (encashment of travelers checks, cash withdrawal through ATMs and credit cards). The entire plot is expected to have been executed with a budget of $400,000 $500,000. Further, the hijackers also returned about $26,000 to a facilitator in the middle-east just days prior to the attack1. This led to the tightening of AML laws across the globe. The accent on legislative effort turned from being one of prudence and acceptable culture to necessary statutory requirement in word and spirit. Further, intelligence agencies started to interact more closely with other wings of the government to identify terrorist financing activities. The U.S. and UK led the way in legislative measures through the USA PATRIOT Act of 2001 and The FSMA & PoCA respectively. While other countries strengthened their respective regulations/rules, regional/global governance Generate list of bodies such as the Banking Customers with defective KYC information Committee on Banking Supervision (Basel II) , the Financial Action Task Force (FATF recommendations) Receive list of and the EU (MLDs) ensured Customers with defective KYC information that the prevention of money laundering was accorded equal priority with other types of risk managed by banks/financial services institutions2. Know Your Customer (KYC) processes The need to really KYC is at the very foundation of a good AML management system. KYC diligence is a continuous process and not limited to only customers seeking to open new accounts. While customer identification procedures (CIP) is aimed at establishing
www.ACAMS.org

a customers basic identity, the banker also is required to decide if the customers risk-profile necessitates enhanced due diligence (EDD) procedures. Based on initial risk-evaluation of the customer profile or as triggered by product usage or nature of transactions entered into, a customer may be subject to customer due diligence (CDD). While due diligence does not stop with the initial documentation of customer identity, successful clearance of the CIP/ EDD requirements is a prerequisite for the customer to open an account. However, due to changing requirements (internal policy/ regulatory), banks sometimes find that they do not have the necessary inputs to continue due diligence and assess moneylaundering risk of a customer. Banks growing through inorgranic means (mergers or acquisitions) also need to manage this challenge, especially when the entities involved carry differing risk-profiles (from a money-laundering perspective). The profile of the post-merger/acquisition entity needs to be evaluated carefully. Should the resultant entity carry a higher level of risk than the previously independent entities, the former may be faced with a situation to remedy deficiencies in existing KYC information.

KYC remediation Unavailable KYC information may have to be remediated by gathering the same post facto (after the customers accounts are opened). Some of the scenarios which precipitate such action include: 1) Finding of defects in the KYC processes, by external (regulatory,audit)/ internal (audit) reviews, which mean insufficient information has been collected toward identifying customers. This could be the result of either defective processes ab initio or due to processes not modified in light of change in regulation. 2) The money-laundering risk profile of a bank would be considered by the reviewers to judge the sufficiency of the KYC processes. Therefore, any activity resulting in changes to the nature/structure of the banking entity (including mergers, acquisitions, divestiture and re-structuring), introduction of new products or doing business in a new geography could influence the risk-profile of the bank and result in the need for improved KYC processes and the resultant remediation effort. This article aims to highlight some of the aspects that need diligent consideration in executing an effective remediation effort at a commercial bank. In going through the same, one needs to recognize

Update KYC information in the customer information system

Should KYC info be remediated?

Finalize list of Customers to be remediated

Satisfactory? Information available in public records? Send communication to Customer Preview Information

Access / Present KYC relevant info.

Present KYC relevant info.

Collect Customer response

Update KYC info. in frontend system / scan / fax

Fig 1. An Illustrative KYC Remediation Process

| acams today 41

JuneAugust 2009

PRACTICAL SOLUTIONS
that while the spirit of the KYC processes is the same across different types of banks, the specific requirements are driven by the target client segment, the types of products offered to customers and the geography in which the bank chooses to operate. While focusing on commercial banks with a mix of commercial and retail customers, some of the aspects covered are also relevant to such an effort in any type of financial institution. As a bank prepares to remedy KYC information, some of the important considerations to be evaluated are: 1. Should the remediation effort be (de) centralized? 2. What are the different pieces of inforpolicy for the bank, compliance is ensured by working with individual business lines to ensure policies and procedures specific to respective business. Further, the central policy unit also usually facilitates/champions the overall AML training effort, within the bank. For a remediation effort to succeed, it is a good practice to involve all the teams which are charged with the responsibility to ensure compliance with KYC requirements. While introduced at different stages of the remediation effort/ project, representation/participation from the following units would be essential the success (these are generic descriptions and may differ from one bank to another): Central AML policy unit single, comprehensive repository of customer information (usually different products or where accounts are opened across state-lines or where customer opened accounts in two different banks which subsequently merged), it is advisable to check if the relevant KYC information is available in any of the systems where such information could be stored. It is essential to ensure only KYC-relevant information is catalogued and the remediation effort is not to be used to gather information for any other purpose including marketing-related requirements. Requesting more than necessary information is most likely to dilute the remediation effort and also trigger customer-service issues. Identifying the drivers As a measure of prudent behavior/good practice, well-established banks often follow KYC standards which are stricter than what is called for under law. In combination with other factors, it is necessary to identify what information is really required (usually, all data required under law would be a must) and what could possibly be done without (regulators may be open to negotiating on some of the requirements under remediation effort for example, retail customers who are local residents and have maintained a relationship beyond a threshold period of time) . There is no simple/standard formula for deciding this and the internal AML policy unit, in discussion with the regulators, has to finalize the same. Prioritization logic The degree of money laundering risk is defined by the type of customer by way of the nature of business carried on by the customer. This is further enhanced by the customers choice of products and services and/or the country/geography in which the customer operates or does business. Since all customers do not carry the same degree of risk, it is important to prioritize receipt of information from customers who are deemed to pose higher risk. Further, it is not often that banks are faced with a customer about whom information is not only deficient but the customer also does not actively transact. Transaction history usually provides some indication of who the customer is. For example a customer who remits funds abroad through wires is possibly a Non-Resident Alien (NRA) or a customer who has a high volume of cash deposits is possibly into Money Services or runs an ATM service. Such inferences from existing transactional history may
www.ACAMS.org

The overall responsibility for managing the money laundering risk profile of the bank rests with the central AML policy unit
mation required? 3. Is the missing information required to be collected under law or due to internal policies? 4. Can we use a classification system to focus on gathering information from specific groups/categories of customers? 5. Where can the information be obtained? 6. How many customers do we need information about/from? 7. How do we process information received from public sources or the customer? 8. What should we do in cases where no information is received? Project management of the remediation effort The overall responsibility for managing the money laundering risk profile of the bank rests with the central AML policy unit (usually part of/working closely with the compliance unit and reporting directly to a CXO-level manager). While the unit usually owns the enterprise AML strategy/
42 acams today |
JuneAugust 2009

Business-line senior management Business-line money-laundering officers/risk managers Information technology (including telecom infrastructure) Training/Human resources/ Organization learning Branch customer service/relationship managers Cataloguing missing information In developed, as well as most of the developing nations, a high proportion of customer-records are stored in a digitized format. To understand the missing data or the gap between available data and requirement under regulatory/internal bank policy, a list of missing information (Type of business, Residential status, Services used, etc.) needs to be compiled. This needs to be catalogued by account/ customer. Usually, this is the easiest part of any KYC remediation effort. In case a customer has multiple relationships and the Financial Institution does not have a

PRACTICAL SOLUTIONS
help in prioritizing reach-out/follow-up to/with customers based on their level of risk3. An effective prioritization logic would help maximize KYC compliance for higher-risk customers at an optimal cost. Source of information public vs. customer While managing the remediation process, banks need to be sensitive to the fact that the customer should not be inconvenienced or perceive the financial institution to be inefficient (that they are seeking to rectify something that ought to have been done in the first place) . It is possible that some of the information regarding the customer could be validated from public records or through investigative/verification agencies. While hiring specialized vendors may be more costly, that may be the effective way to receive information about specific categories of customers. In the case of especially high net worth or large relationship customers, it is preferred that an account/relationship manager reach out to the customer to continue the personalized experience to which such customers are accustomed. Reach-out effort It is important to clearly define the medium (mail, email, etc.) by which a customer would be reached, as well as the total effort required to gather information from existing customers. Often times, it is not as easy as just sending an email with the expectation that customers would respond with necessary information. Gathering information from customers, especially when they reside/are located across a large geography is a complex effort. In many cases, and especially true of customers who have been with a bank for a longer period of time, some of them may not even truly understand the request for information being made. Usually, the effort to reach the customer would involve the use of traditional postal mail, a follow-up phone call, texting, in-branch servicing as well as through the internet banking platform. Response management Receiving information is just part of the job. It is important that requisite infrastructure, duly tested, is in place to process such information. If the decision on choice of the medium used for reach-out activity is a matter subject to budget constraint, so is the management of responses. An ideal system would be one where the bank reaches out (for all information not available across public sources) to the customers and ensures responses are gleaned from them through the branch/office nearest to the customer. From there, the information could be uploaded into an online system. Alternatively, information could be faxed using secure lines to a centralized unit where the information is uploaded into the automated customer/KYC management system. Whichever method is utilized, it would be important to invest effort in the following: Training: The various people following up with customers for information need to be trained not only on reachout techniques (use of script) but also on how to assess the response received (complete/rework) and further action required to be taken (usage of frontend systems, faxes/scans/postal mails to be sent) . Capacity Testing: The various hardware/software to be used need to be tested for performance as the speed with which remediation can be completed is directly influenced by the capacity of the various equipment used (telephonelines, faxes, scanners, OCR readers, email, etc.) and the ability of people to complete input of information into the chosen automated system. Metrics Management: It is important to measure response received. This usually lets the AML department understand the overall effectiveness of the remediation effort. An indicative list of some of the metrics to be monitored would include : u  Number of customers for whom all information has been received u  Number of customers for whom information has been received in part (requires rework) u  Number of customers for whom no response has been received Further, it is usually recommended to drill-down and understand this by: Medium of reach-out Geography Branch Product-usage In efforts where a bank is seeking to remediate a significant number of accounts, it is reasonable to plan a staggered approach (in combination with the prioritization logic) so that available resources can be utilized appropriately. In such a case, analysis of the metrics measured provides necessary inputs to refine the overall approach to reaching out to customers as well as recording response received. No response Despite all the planning, there will be some customers who will not respond. Therefore, any remediation effort should factor this issue (lack of response) in the overall plan. Should the rules for filtering the customers who would be included in the remediation effort be defined appropriately, it is highly unlikely any customer who has not responded to the information-request would qualify for any exemption. Hence, the accounts where necessary information is not received may have to be put on a temporary hold status (any transaction will be posted only after the customer provides necessary information) or even closed

Receiving information is just part of the job

under due notice to the customer at the last known address. Conclusion Any bank undertaking a remedial effort to update KYC information needs to recognize the significant dependencies involved. A successful effort is one which recognizes the necessity to prioritize receipt of information of risky customers (from an AML perspective) and have the propensity to use products or operate in geographies known to be used by money launderers. Further, communicating the effort to all relevant staff (from operations to customer service/relationship), accompanied by rigorous planning and training of all the staff involved in the process, play a significant role in the success of the remediation effort. Karthik Balasubramanian, principal, Banking & Capital Markets, Infosys Consulting, New York, NY, USA, karthik_ b03@infosys.com

www.ACAMS.org

JuneAugust 2009

acams today

43