KYC process steps: what you can automate and where you still need humans

By St John Potter | Mon 5 November, 2018

As we know, financial criminals are getting smarter and regulations are evolving at pace, as criminals find new ways to circumvent the financial crime defenses of traditional banks.

More sectors have come under the scope of Anti-Money Laundering (AML) rules, including financial technology, legal and accounting, and real estate. As a result, more finance, legal and law firms are introducing and revamping their Know Your Customer (KYC) processes.

If your existing KYC processes are slowing down onboarding, driving up overhead and lacking quality control, then you need to look at ways to streamline, improve, and drive efficiency. If you have no process (or a poor one) in place, your organization is exposed to financial, reputational and competitive risks. In some cases, depending on your level of corporate accountability, you might even be exposed to personal risk.

Fortunately, advances in technology enable you to implement process changes that offer maximum benefits at a much lower cost than traditional approaches. Applied correctly, automation of critical KYC process steps frees human resources to apply reasoning and analysis. In many cases, this ultimately leads to better decisions and decreased risk.

For example, Intelligent Process Automation can help with the heavy-lifting while your high-value decision makers, compliance officers, and analysts focus on shaping policies and making the best business decisions, and artificial intelligence can help prioritize risks to focus limited resources where they are most needed.

By breaking down the KYC process steps one-by-one, you can identify which areas would be best handled by people, and what can be automated. In so doing you help your skilled professionals focus on those tasks that still require human reasoning, and leave the repetitive information-gathering tasks to automation.

How traditional KYC processes inhibit growth

A traditional KYC process flow involves sequential steps taken by an individual or team. Hours of work go into manual processes and at any stage, a client could be off-boarded for any number of risk or compliance reasons. The hard work still has to be done and the labour costs still hit your bottom line, whether or not you’ll see a return on investment.

Automation executes many steps simultaneously, therefore reducing the number of keystrokes, time, and money invested. What could take hours for a team or days for an individual can be cut down to minutes with the help of the right tools. Intelligent Process Automation offers the flexibility to allow you to keep existing processes by simply replicating the steps your analysts take with automation, or to develop a new process based on your increased capacity. Your policies and methodology form the backbone of the decision-making engine, whether that engine is robotic or human.

Typically you’ll see three layers of validation to comply with internal policies and external regulations for customer onboarding and KYC remediation:

Level 1
Typically a team of junior and mid-level researchers and analysts performing data gathering and reporting.

Level 2
Senior analysts and compliance heads preparing reports, flagging risks and delving deeper into customer profiles.

Level 3
Senior team members, and even board-level leadership making decisions on potentially high-risk customers both at the onboarding stage and through remediation programmes.

Traditionally, the processes of gathering data, compiling customer profiles and creating audit trails have been manual, but these time-consuming, expensive practices can make the cost of onboarding prohibitive for some of your products and services. The cost of gaining new customers can hinder your growth and make you more reliant on existing customers. But even existing customers can become a risk.

And while it’s a well-documented fact that existing customers are more profitable than new business, there’s only so much cross-selling and upselling you can do. To fall in line with KYC best practice, you need to continuously monitor existing customers for material changes that impact their risk profile, as well as perform regular, scheduled KYC refreshes in line with your risk-based approach or wholesale remediation of entire customer segments if you update internal policies. Taking all this into consideration, a technology-led approach is needed to ensure you have the flexibility to amend your KYC processes in line with new regulation, or to scale up the number of customers you can handle with existing resources as your business scales.

Find out more in our ebook Maximizing the benefits of KYC automation.

Which KYC process steps can you automate?

Holistic KYC processing still requires a human hand at high-level decision points, but much of the legwork can be reallocated to Intelligent Process Automation. Take onboarding first: done manually, it is one of the highest-risk KYC processes with the lowest rate of return. In fact, data indicates that only 10% of onboarded customers generate any revenue in the first 12 months.

We’ll look at each step sequentially as per the traditional methods but do bear in mind that many of these steps can be run simultaneously with process automation.


This is, of course, the very beginning of your potential relationship with a new customer or the introduction of a new product to an existing customer. It incorporates two essential steps – client identification and the initial risk assessment.

Client identification

Identifying the correct name of the entity you’ll be dealing with is a bigger challenge than most people would expect. Significant time is wasted when front office staff or partners provide compliance with details of the wrong legal entity.

A typical example is a lack of understanding in the front end around corporate structures. When a sales rep starts a relationship with a new entity, it’s easy for them to use the wrong entity name. Very often, the holding company might not have the same name as the brand or branch that your people are speaking to. For example, BA isn’t really called BA. HSBC could describe thousands of entities. Which one are you really dealing with? Just typing HSBC as a client name into your Customer Relationship Management (CRM) platform can cause major headaches and unnecessary back and forth between compliance analysts and the business to confirm the actual entity to be onboarded before any other steps are taken.

Initial risk assessment

This is a preliminary triage using customer-provided information to apply an initial risk rating, such as high, medium or low. Information used could include director and shareholder details, company incorporation documents and perhaps a basic risk screen to identify major red flags, like sanctions.

Based on the top-level information you have on the client, you can assess the level of risk they pose to your organization. Determining a high, medium, or low level of risk will inform the steps taken in the rest of the process. Not all customers will be high risk; and dedicating time and resources to performing unnecessary due diligence steps makes for an inefficient process and inhibits the ability to devote more rigorous steps to those customers who truly need it.

Due diligence

The due diligence phase accounts for a number of steps in the KYC process. When approached manually, it requires large teams of analysts for top tier banks and can overwhelm the often limited resources available to smaller enterprises such as law firms, accountants and property agents.

Identifying ownership structure

To identify Ultimate Beneficial Owners (UBOs), you need to dig into corporate structures and subsidiaries, and find the natural persons behind the corporate face. Typically this means going to multiple sources. In the UK, you might go to Dun & Bradstreet and Companies House, but those data sources will vary according to jurisdiction, so if your client operates internationally, you’ll have multiple databases to crawl.

These first two steps alone can take three to four hours for a basic case; automation can get that down to three to four minutes.

Identity verification

The critical question being asked and answered in this step is: Is the customer who they say they are? The customer will supply physical documentation belonging to them, usually in the form of a passport or government issued ID and bank statement or utility bill for an individual, or incorporation documents and annual reports for a corporate entity. When onboarding individual customers, enhanced automation software is speeding up the verification process with biometrics, using facial, fingerprint, and voice recognition to confirm identity.

Risk screening

The screening process is comprised of three core checks:

1. Identifying politically exposed persons (PEPs)

Is the customer in question a politically exposed person?

A politically exposed person (PEP) is an individual who has a prominent public function, or close connections to someone in a position of power. PEPs are considered higher-risk customers because they may be more susceptible to gaining funds unlawfully, and therefore have more reason to commit money laundering crimes. Being a PEP does not mean the customer is high-risk, but it does mean you need to apply enhanced due diligence.

Identifying PEPs is another heavy-lifting manual process and you may need to access a range of publicly-available and premium data sources. For example, both the United Nations and the CIA maintain heads of state lists, but as the definition of a PEP varies by jurisdiction these rarely provide the full level of information needed. While researching and collecting this data can be automated, the final decision about onboarding PEPs still needs to be reviewed and approved by a member of your leadership team or risk committee.

2. Sanctions checking

Do they have any sanctions enacted against them?

Sanctions checking means knowing whether your customer appears on a list that would prohibit you from doing business with them. For corporate customers, a complete and accurate view of the corporate hierarchy is critical before you begin, in case the branch you’re dealing with comes back clean but a parent company or UBO does not.

3. Adverse media screening

Have they been publicly associated with relevant criminal activity, or risky individuals and entities?

Adverse news stories can be devastating to everyone connected with them. One minute your CEO is enjoying the company of a high-profile customer at a networking event, the next he’s standing next to someone who’s just been headline news for all the wrong reasons. Researching national and international news sources helps you keep abreast of changes in your customer’s public profile as well as finding out about financial and criminal issues heading your way.

Looking for bad press on the entities and individuals in your client list is an arduous and ongoing task. Fortunately, much of the world’s news is now online, making it ripe for automation. Using a tool that identifies news items mentioning your customers and presents them back in a prioritized list based on relevancy saves valuable time and flags risk faster than a manual process. It also cuts through the noise of PR fluff and false positives that can obscure critical information.

Artificial intelligence-powered news filtering provides assurance you only receive articles of true relevance.

Find out more in our webinar Achieving lasting success through effective remediation programmes.

Report building

When your first line analysts need to escalate a high-risk customer, they’ll be engaging with one of your top-level decision makers or a risk committee. The people at the top need all of the information compiled in a comprehensible way that facilitates fast, confident decisions. This means that they need to quickly understand the customer risk profile, as well as the steps and decisions taken as part of the KYC process up to that point.

Data visualization plays a key role here, especially for corporate customers, as a visual representation of corporate structure is far easier to digest than reams of documents on connected entities and UBOs. Automating the mapping of corporate structures has the additional benefit of saving significant time versus a manual approach of drawing these by hand, and eliminates the risk of human error.

This is a perfect opportunity to save costs and improve decision-making. A SaaS tool with built-in data visualization tools can produce a KYC process flow chart detailing each concern that needs human attention ― enabling better decisions, faster.

Final risk rating

With the necessary data gathered, analysts can now make informed decisions about the true level of risk posed by the entity being onboarded. The final rating determines the level of ongoing monitoring needed to ensure any potential changes in risk are being accounted for. Within an automated platform, you can align your organization’s processes to match ratings of high, medium, or low. Risk ratings can be applied to individual risks presented by the entity’s ownership and control, industry, project, region, screening results, and identity verification.

Building an audit trail to track KYC process steps

AML and counter-terrorism financing (CTF) regulatory standards require thorough documentation to prove the necessary steps were taken to identify a customer and apply a risk-based approach. Where can you house all of these steps in one place that’s accessible and guarantees accurate information is logged? Building an audit trail can be tedious and time-consuming when done manually. Automation can provide a history of actions taken on a customer profile down to the date, allowing you to prove compliance when the time comes.

Why you still need humans in your KYC process steps

While most of your KYC processes can be handled with smart technology and automation, you still need humans to steer the top-level functions, and handle more complex or borderline decisions. Automation offers you the ability to significantly improve straight-through processing based on your internal policies and processes, but there will always be exceptions that require review by a person.

Eventually, we expect AI to help with those decisions too. In the meantime, you can reduce more than 90% of the manual work while simultaneously improving consistency and control over your KYC processes. Interested in learning more about how automation can work for your KYC process? Watch the video to learn more about how Encompass can benefit your business.


Author: St John Potter

A senior member of our Delivery Services Group, St John is a highly experienced solution specialist with over two decades’ experience working in the tier one banking sector, including JP Morgan, HSBC and Lloyds Banking Group. He has overseen strategy and execution of complex digital transformation programmes including client and product onboarding and servicing.
