
5 essential steps for KYC/AML onboarding and compliance

· 7 minute read


In the financial sector, the acronyms KYC and AML refer to “know your customer” and “anti-money laundering” protocols that banks and other financial institutions use to verify customer legitimacy and protect the institution and its customers from fraud, corruption, money-laundering, terrorist financing, and other financial crimes.  

KYC/AML practices are both necessary and mandatory. In the United States (U.S.), the Bank Secrecy Act (BSA) requires financial institutions to develop and maintain an ongoing KYC/AML program that includes a wide range of policies, procedures, and controls. Furthermore, most major banking countries (e.g., European Union (EU), United Kingdom (UK), Australia, Canada, Mexico, Japan, India, Brazil, etc.) have their own KYC/AML rules and compliance requirements.  

 A responsibility to comply 

Failure to comply with KYC/AML regulations doesn’t just invite the risk of expensive penalties and reputational damage. Insufficient KYC/AML oversight can also cripple a financial institution if, for example, criminal elements are successful at exploiting weaknesses in an institution’s procedures and are allowed to operate undetected.  

In any case, the responsibility for complying with KYC/AML requirements usually rests on the shoulders of a dedicated risk and compliance director and/or team. When a new customer applies, these are the people tasked with conducting the due diligence necessary to identify and verify an applicant’s legitimacy, reporting any suspicious information or behavior they may uncover to the proper authorities, and keeping customer records.  

ESSENTIAL STEPS FOR KYC ONBOARDING 

Effective due diligence begins with thorough KYC onboarding protocols. Best practices for KYC onboarding due diligence typically begin with these five steps:  

Step 1: Customer Identification Program (CIP) 

Under the BSA, financial institutions must have a CIP, which is the part of an overall KYC program that focuses on verifying information provided by the customer.  

When a new customer is onboarded, the minimum requirements of a CIP are to collect the applicant’s name, address, date of birth, and social-security number or other government-issued ID numbers. In addition, the applicant’s name must be compared against global sanctions lists and politically exposed persons (PEPs) databases to determine if the applicant is subject to any sanctions or other legal restrictions.  

 For businesses, some additional information is required, including corporate/business registration documents, the company’s registration number (CRN), and ultimate beneficial ownership (UBO) information, which includes the names of the business’s owner(s) and top management employees.  

Step 2: Customer Due Diligence 

Customer Due Diligence (CDD) is not technically part of a CIP, but it is the process by which additional information on customers is gathered and evaluated. In general, the purpose of CDD is to help financial institutions better understand the nature of their customer’s business and to assess any potential risks, including involvement in illegal activity.  

Step 3: Enhanced Due Diligence 

If the CDD process uncovers anything unusual or questionable that may represent additional risk, another level of investigation may be necessary—called enhanced due diligence (EDD). 

 EDD is aimed at high-risk customers and is intended to either clarify—or catch—behavior or patterns that may indicate involvement in illegal activity. There are many reasons why a customer may require EDD. Among them are customers who: 

  • come from sanctioned nations
  • disguise ownership through a series of shell companies
  • exhibit unusual transaction patterns
  • are involved in industries prone to illegal activity (e.g., cryptocurrency, gambling, some forms of international trade)
  • have a questionable financial history
  • are in some way associated with people or businesses known to be involved in illegal activity, particularly money-laundering or terrorist financing
  • have been penalized or fined for business non-compliance in the past
  • have unpaid debts or liens they failed to report

 KYC/AML is not always easy 

Unlike standard CDD, EDD may require in-depth investigations that involve site visits, interviews, and advanced search tools that can scan court records, international corporate registries, and sanctions lists, as well as authenticate documents and identification data that may elude standard CDD practices. While compliance with KYC/AML rules is essential, it is not always easy.

For example, when onboarding a new business client, most KYC/AML policies require financial institutions to gather information that verifies the legitimacy of the business and identities of its owners. No matter how thorough a financial institution’s due diligence procedures are, however, it can be difficult to obtain certain types of information (beneficial ownership disclosures, for example, or associations with suspicious actors), especially if the applicant is purposely trying to hide incriminating information.  

IMPLEMENTING AML STRATEGIES  

Step 4: Continuous monitoring 

The need for due diligence does not stop when a customer is onboarded. To protect the institution, ongoing monitoring is necessary to ensure continued compliance and detect suspicious activity, especially activity associated with money laundering, terrorist financing, or financial fraud.  

Indeed, AML procedures differ from KYC protocols in that they are specifically designed to detect and deter criminal and/or fraudulent behaviors in active accounts. After all, it can be difficult to identify a customer who intends to defraud an institution but hasn’t yet, whereas a customer engaged in fraud leaves a data trail that can be identified and investigated.  

Step 5: Reporting and compliance  

If any questionable or anomalous activity is uncovered during KYC procedures, the BSA requires financial institutions to file a Suspicious Activity Report (SAR) with the U.S.’s Financial Crimes Enforcement Network (FinCEN). FinCEN investigates SARs and, as of Jan. 1, 2024, has begun compiling a database of corporate beneficial ownership information that qualifying financial institutions may soon be able to use to corroborate information provided by potential new customers—though companies established before 2024 still have until Jan. 1, 2025 to register.  

 In any case, timely reporting of SARs is essential, as is the need to keep up with changing regulations and maintain up-to-date customer records, both for the security of the institution itself and to aid a possible audit or investigation.  

Ongoing compliance and regulatory concerns

Even with best practices in place, compliance professionals must always strive to keep up with a constantly changing regulatory landscape and maintain constant vigilance against fraudsters and criminals whose tactics continue to adapt and evolve.

Currently, for example, criminal use of artificial intelligence (AI) is threatening the foundational principles of identity verification upon which the banking system relies. At the same time, as legislators debate how to regulate AI, new AI technologies may ultimately be the banking system’s best defense against those who are weaponizing AI.

Likewise, regional conflicts erupting around the world (e.g., Russia/Ukraine, Israel/Gaza, Sudan, Myanmar, Iran) mean that sanctions lists and terrorist watch lists are being constantly updated. Compliance professionals must also stay abreast of how criminals are using cryptocurrencies, shell companies, inventive money-laundering schemes, and other tactics to exploit vulnerabilities in the financial system.

For a deeper insight into the challenges that compliance professionals are facing in this dynamic environment, you can download the latest report from Thomson Reuters Institute, "10 Global Compliance Concerns for 2024."

 
