Editor's Note: This article originally appeared on the Prescient blog on June 15, 2016.
It’s a dynamic time in the financial crimes world and this is especially true for Customer Due Diligence (CDD) regulations, as demonstrated by the following recent developments:
- The leak of the Panama Papers highlighted well-known fears in the financial compliance world that the use of shell companies obfuscates the true ownership of the entities.
- Financial Institutions (FI) are working to comply with the new rules on beneficial ownership.
- The Financial Crimes Enforcement Network (FinCEN) released the “Customer Due Diligence Requirements for Financial Institutions; Final Rule” on May 11, 2016.
In adapting to these new realities, many financial institutions have been reevaluating their KYC programs and enhancing their current policies, procedures and systems. The recent FinCEN release will only expedite this process as financial institutions invest in new KYC technologies to keep up with the shifting regulatory climate.
KYC Projects Required to Comply with New Rules
In the “Customer Due Diligence Requirements for Financial Institutions; Final Rule,” FinCEN describes the new requirements for beneficial ownership as similar to the existing Customer Identification Programs (CIP) already in place at financial institutions. Since beneficial ownership requires the financial institution to ask questions that it may not currently be asking of its customers, certain technology projects need to be initiated to enhance current on-boarding systems or possibly implement new platforms. CDD projects can be some of the most complex financial crimes projects to execute with a high degree of accuracy, due to the number of people involved and the potential to adversely impact client-facing processes. This stands in stark contrast to the implementation of transaction monitoring systems (TMS), which has essentially no impact on the customer experience, so senior management attaches less urgency to getting it right the first time.
Given the criticality of these projects to regulatory and compliance success, financial institutions must implement the following five key steps to mitigate risks associated with a customer due diligence backlog.
Step 1: Defining the Requirements
Financial Institutions must define the requirements of their new Customer Due Diligence (CDD) models to meet current regulatory guidelines, such as for beneficial ownership. Given the new requirements for capturing beneficial owner information, it is prudent for financial institutions to review their current customer risk rating methodology. Key items to be evaluated include:
- What is the definition of a customer?
- How can the amalgam of customer information – scattered across multiple disparate systems – be synthesized to arrive at a holistic view of the customer?
- Under what conditions is Enhanced Due Diligence (EDD) on a customer required?
  - Is it simply based on the customer type, such as a Money Service Bureau (MSB), a precious metal dealer, a casino or a highly cash-intensive business, among others?
  - Or could the risk model score a seemingly low-risk customer as high-risk based on the numerous accounts held across various business lines? In instances where false-positive hits are possible, financial institutions should weigh the benefits of escalating the depth of due diligence to fully elucidate all risk factors.
Once this initial review is completed, a new customer risk rating methodology should be built to meet the financial institution’s specific requirements.
Step 2: Deciding on In-House Development or Vendor Selection
Institutions must decide whether to utilize a Customer Due Diligence (CDD) vendor or develop the software in-house. In ideal projects, this will be an extension of the requirements step, as the particular data requirements need to be documented. Models are mere approximations that attempt to provide an accurate depiction of reality, but there are always assumptions and limitations with every quantitative model that need to be acknowledged, especially by financial institutions implementing or enhancing KYC systems. To address these concerns, financial institutions will need to make decisions on whether they will purchase software from a CDD vendor or develop the model in-house. For particularly complex CDD projects, an Enhanced Due Diligence vendor should also be identified to escalate the level of scrutiny.
Step 3: Implementation
Required changes will be made to new or existing client on-boarding applications to gather additional information on the customer for risk scoring. This step is subject to deficiencies such as requirement gaps, configuration errors, data quality issues and lack of data for model optimization. Changes will need to be made to multiple systems, and new technologies may need to be implemented to support the new customer risk rating methodology. First, the on-boarding applications need to be enhanced to ask the customer additional questions (including those regarding beneficial ownership information), or to collect additional personally identifiable information. Second, the CDD system needs to be enhanced or possibly implemented from scratch to consume these new data elements and consider them for risk scoring. Finally, the CDD system needs to have specific rules that will add a point score for each attribute that the risk model is considering, such as country of incorporation, politically exposed person (PEP) status and products being used, among others. Optimizing the transactional system is, in principle, a much easier task than optimizing the KYC systems, because there is usually a significant amount of historical activity to reference. However, new customer information is generally captured in incremental waves, and using samples to forecast how many customers will fall into each risk category can be troublesome. The lack of data to optimize the system is a risk in and of itself.
Step 4: System Delivery
A new Customer Due Diligence (CDD) model is delivered and the additional customer information captured by the on-boarding systems is passed to the risk scoring engine. Alerts on high-risk customers and periodic reviews are traditionally generated in an incremental fashion. Once the new KYC system is fully operational, customers are asked additional questions based on the new customer risk rating model. Alternatively, a customer may inquire about a new product and trigger the KYC process to commence, where they would be prompted to answer additional questions as defined by the model. Essentially, what is happening is that the risk scoring application receives a slow-but-steady flow of new customers to evaluate. Be aware, though, that unless the financial institution’s new risk rating methodology focuses mainly on historical attributes – which is usually not the case – then it could be difficult for the enterprise to determine how many high-risk customers it actually serves.
Step 5: Backlog of Reviews
The Customer Due Diligence (CDD) model can potentially generate more alerts than expected, and this could lead to a precarious situation for financial institutions. Implementing new models is risky, although neglecting to implement new models could be even riskier. Financial institutions must be aware of implementation factors that could cause a CDD system to produce unwarranted spikes in alerts: improper execution of the implementation; use of model risk scoring that is too conservative; or unexpected behavior from customers. Some questions that a financial institution should consider throughout the implementation of a new CDD system include:
- If more high-risk customer alerts are generated than expected, how will this situation be handled?
  - Will additional CDD investigators be hired on a full-time or contract basis?
  - Will the level of due diligence be escalated by engaging an Enhanced Due Diligence (EDD) vendor?
- Does the customer risk scoring model need to be reviewed in terms of its accuracy with regard to the financial institution’s risk appetite?
- If tactical changes are truly required for the customer risk rating methodology, how long will it take to complete the analysis, document proposed changes and implement those changes to reduce the number of high-risk customer alerts?
- If the CDD system requires recalibration due to a spike in high-risk customer alerts, will the institution have a way to scale up and produce high-quality CDD reviews in a matter of days?
Finding the Right Balance
At the end of the day, financial institutions – in the face of new regulatory challenges – must decide for themselves which competing factors to prioritize in planning for a Customer Due Diligence backlog. In taking stock of risk scoring models, options for vendor selection and efficient methods for implementation, a well-thought-out CDD program can instill confidence and peace of mind in the success of a financial compliance program.