Digitising KYC operations: Digital transformation of the KYC operating model
According to McKinsey & Company, a “well-executed, end-to-end risk-function transformation can decrease costs by up to 20% while improving transparency, accountability, and employee and customer experience”.
In this blog, we examine the pre-digital Know Your Customer (KYC) operating model and how digital innovation increases efficiency and effectiveness for KYC operations.
People in the KYC operating model
Authorities including the Office of the Comptroller of the Currency in the United States Department of the Treasury, the Federation of European Risk Management Associations and the UK’s Chartered Institute of Internal Audit recommend that institutions align the people within their risk management system as three lines of defence.
The first line of defence is typically formed of customer-facing staff; these could be client relationship managers in a financial institution or a partner in a legal firm.
The second line of defence is commonly the compliance function, responsible for setting policies and KYC operations, while internal audit forms the third line of defence.
This alignment ensures that individuals develop a clear understanding of their individual and collective responsibilities and accountabilities for assessing, controlling and mitigating AML risks and recognise when they should interact with professionals in other teams within the broader risk management system. The three lines of defence approach is proven as an effective means of organising professionals working in different roles across multiple departments.
Exploring the relationship between people and technology in KYC operations
People and policies
A KYC policy is a written statement of how an institution will operate its business to remain within the limits of the risk appetite established by its Board. A policy can be understood as a sequence of business rules. In pre-digital operations, interactions between KYC policies and people can be categorised as interpretative, and it is not uncommon to find inconsistent and incomplete application of policy, particularly in institutions with multiple teams responsible for onboarding and due diligence in different locations.
Any gap between a policy’s intent and its implementation can present operational risk. Breaches also damage the effectiveness of business operations.
Digital KYC policies can be rendered in a machine-readable form. Interaction between KYC policies and people responsible for KYC becomes declarative as the policy definition serves as a digital instruction set controlling activities of software robots. KYC due diligence outcomes are now binary.
Either KYC operations complete with absolute consistency or they stall before completion. When they stall, their incomplete status is brought to the attention of human experts to complete a task that then allows execution to completion consistent with the policy’s definition. This digital transformation greatly increases the effectiveness of KYC.
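An added illustration (not code from the original post or from any KYC product) of the complete-or-stall behaviour described above: a policy held as data, applied rule by rule, that hands the case to a human expert when a rule cannot be satisfied. Rule ids, field names, operators and sample values are assumptions constructed for the example.

```python
import re

# Constructed policy: an ordered sequence of business rules expressed as data.
POLICY = [
    {"id": "R1", "field": "full_name", "op": "present"},
    {"id": "R2", "field": "date_of_birth", "op": "matches", "arg": r"\d{4}-\d{2}-\d{2}"},
    {"id": "R3", "field": "id_number", "op": "present"},
    {"id": "R4", "field": "beneficial_owners", "op": "min_items", "arg": 1},
]

# The only operators a policy may use; an unknown operator raises KeyError,
# so a malformed policy fails closed instead of silently passing.
OPS = {
    "present": lambda v, _: isinstance(v, str) and v.strip() != "",
    "matches": lambda v, pat: isinstance(v, str) and re.fullmatch(pat, v) is not None,
    "min_items": lambda v, n: isinstance(v, list) and len(v) >= n,
}

def run_policy(profile, audit, policy=POLICY, actor="robot"):
    """Apply every rule in order; return ("COMPLETE", None) or ("STALLED", rule_id)."""
    for rule in policy:
        ok = OPS[rule["op"]](profile.get(rule["field"]), rule.get("arg"))
        audit.append({"rule": rule["id"], "field": rule["field"],
                      "actor": actor, "passed": ok})
        if not ok:
            return "STALLED", rule["id"]  # routed to a human expert
    return "COMPLETE", None

def supply(profile, field, value, analyst, audit):
    """A human expert completes the stalled task; who did it is logged."""
    profile[field] = value
    audit.append({"rule": None, "field": field, "actor": analyst, "passed": None})

def demo():
    audit = []
    profile = {"full_name": "Alex Example", "date_of_birth": "1980-02-29",
               "id_number": "X1234567", "beneficial_owners": []}  # constructed
    first = run_policy(profile, audit)    # stalls: no beneficial owner found
    supply(profile, "beneficial_owners", ["Sam Sample"], "analyst-7", audit)
    second = run_policy(profile, audit)   # whole policy is re-applied
    return first, second, audit

if __name__ == "__main__":
    first, second, audit = demo()
    print(first, second, len(audit))
```

Re-running the whole policy after the human step, rather than resuming at the stalled rule, keeps the final outcome a statement about every rule.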
People and processes (and the role of automation in KYC operations)
KYC operations can span multiple departments, which has resulted in increasing adoption of the three lines of defence approach.
Pre-digital operations typically use electronic communications such as email, with either attachments or links to shared drives, to pass task outputs along the chain of work. While this can be made to work, it lacks a control infrastructure to enforce individual responsibility and accountability and to ensure coordination across departments.
Sharing electronic files means KYC professionals must re-interpret work already completed by colleagues to understand the current state of customer due diligence – this is particularly true for internal auditors responsible for providing independent assurance that the institution’s risk management and internal control processes are operating effectively. These inefficiencies have the potential to create gaps in an institution’s defence against money laundering.
Customers using an intelligently automated KYC solution can establish a digital process with a formal workflow across all three lines of defence. Customer-facing staff in the first line of defence use their time with clients to collect the documents necessary for identification and verification. For companies requesting access to products and services, it is a regulatory requirement that institutions collect each individual’s full name, date of birth, nationality, residential address and government-issued unique identification number.
Staff capture this information as digital images of two documents, typically a passport or driving licence and a bill from a utility provider. The automated KYC platform validates information within these images by connecting in real-time to public and private databases to quickly verify whether an individual is who they claim to be. This activity at the first line of defence initiates creation of a digital profile that will persist throughout the institution’s relationship with the corporate client.
This verified identity information is now routed to KYC operations in the second line of defence where a digital policy automates due diligence – the collection and integration of information from independent and trusted sources of information. The output of this activity is to discover the beneficial owners of the company and to generate a risk score.
This is necessary as individuals requesting access to the institution’s services for their company may be employees but not beneficial owners. In many instances, the company requesting access to products and services may be owned by another company and beneficial owners of that company may reside overseas. All activities undertaken in the second line of defence, including the person responsible for each task and data sources used in due diligence, are securely logged. This is necessary to support the needs of internal auditors in the third line of defence.
These professionals must satisfy external auditors and regulators that: their institution has a compliance policy that is risk-based and satisfies regulatory expectations; operational procedures fulfil the compliance policy; and operational teams in the first and second lines of defence have consistently executed the policy in every case.
People and information systems
Anti-Money Laundering (AML) regulations require KYC professionals to work with multiple external sources of information. Documents have typically been downloaded as PDF files or as screen grabs from websites. KYC analysts would usually supplement these primary documents with spreadsheets and other files showing the data they integrated from multiple sources to resolve entities and track ownership across multiple companies. This way of working is inefficient and creates challenges of interpretation and understanding for work colleagues and auditors.
Third-party information systems, such as company registers and business information aggregators, are increasingly open to digital operations via APIs (this is the Digital Outside).
Digital KYC creates a Digital Inside, capable of connecting to third-party systems in real time, interrogating their contents and streaming data directly to an automated workflow. A digitised workflow supports identification and verification work in the first line of defence and due diligence in the second line of defence.
The results of this KYC work are recorded and secured in a database as a digital profile of each client. For corporate clients with complex structures this will include the relationship between each corporate entity and the chain of ownership.
This rolling record persists for the lifetime of the business relationship through multiple cycles of refresh – an activity typically undertaken every three years – and remediation made necessary as jurisdictions update regulations to strengthen defences against financial crime.
The previously mentioned McKinsey & Company report identifies nineteen risk processes as candidates for automation. The authors highlight Bank Secrecy Act and AML operations as having the highest automation feasibility as these operations yield both the highest effectiveness and the highest efficiency impacts. While automation of the entire risk function can decrease costs by up to 20%, the returns from digitising AML operations are likely to be far higher.