Getting to know you

When it comes to satisfying anti-money laundering legislation requirements, "know your customer" programmes could be the most important weapon in any firm"s arsenal, as David Craik discovers

In December 2012, banking giant HSBC was fined $2bn by US regulators because of its involvement with money laundering and transactions that financed terrorism. HSBC failed to enforce rules preventing "rogue states", such as Iran and Syria, and drug kingpins in Mexico laundering cash. Indeed, it was found that it had not properly monitored £9bn worth of cash transactions through the US financial system between 2006 and 2009, and was accused of inadequate staffing and high turnover in its compliance units.

HSBC apologised and vowed to spend $700 million on a global "know your customer" (KYC) programme, increasing staff numbers and ending over a hundred client relationships in the US.

It was not alone. In 2012, Citi, ING and Standard Chartered were also sanctioned by regulators, either because of deficiencies in their anti-money laundering (AML) methods or transactions made on behalf of organisations from states on US sanctions lists.

The regulatory action taken against these huge global banks revealed that their attitude to KYC and AML legislation was, at best, lax. At the time, Andrew Clark, Partner of Forensic Accounting at PwC, said: “Banks still see compliance as a hard cost. Some don"t see it as an investment that can protect them from serious reputational risk.”

Fast forward to 2014, and recent revelations that French bank BNP Paribas could be handed a huge $10bn fine for violating US sanctions shows the problem still exists.

So what exactly is KYC? Wayne Atkinson, Senior Associate at law firm Collas Crill in Guernsey, says it"s always been essential practice for regulated businesses such as banks to know their customers and ensure they don"t inadvertently facilitate money laundering.

“Ultimately it"s about identifying the people you"re doing business with,” he says. “There"s a risk that they"re using you as a means to commit financial crimes, such as laundering money, or unwittingly involving you in it. If you know who you"re dealing with you should be able to identify that risk and provide yourself with a means of closing it off. In the past, if a new client came into your bank then a look at their passport or a look in their eyes was all you needed. But those days are gone.”

KYC and AML regulations have existed for decades around the world, but really came into the spotlight with the creation of the Financial Action Task Force by the G7 nations in 1989 - it recognised that money laundering was a global issue demanding a global response. But certainly the visibility, importance and complexity of the issue were heightened by the terrorist attacks of 9/11 and the subsequent US Patriot Act in 2001.

That Act required all regulated financial service providers to establish AML programmes with the aim of catching potential cases of terrorism financing. Firms should perform due diligence in verifying the identities of potential clients and keep detailed records of the process used. This means that if a bank unwittingly did fund terrorists and their activities, then proof of due diligence could potentially mitigate the level of civil or criminal action taken against them.

According to intelligence group World Compliance, the processes you need to include begin with a Customer Acceptance Policy - this involves background checks to verify that a customer is using their real name and is not involved in any nefarious activities. This is known as "onboarding". You also need to find out whether they"re politically exposed persons (PEPs), whether they"ve been involved in or have contacts involved with drug trafficking, human trafficking, or whether they"re on any terrorist watch lists.

IT firm Fiserv sells its KYC software to companies in around 80 countries. Jeroen Dekker, Senior Product Manager in risk and compliance at the firm, says its clients are mainly banks, building societies and insurance companies.

“KYC starts when someone physically walks into your office and wants to open an account. If you"re a politician with a real estate business then different levels of data are required than if you"re a local postal worker,” he says. “Where does your money come from? Will you be sending cash abroad and receiving money abroad? If it"s a business, you have to understand the ownership of that company all the way up the tree.”

Businesses should also continuously monitor transactions - especially in high-risk accounts, classified based on country of origin or fund sources, or complex or unusually large transactions. Existing clients could also set up new accounts, which need to be checked.

Finally, all financial institutions should establish internal audits and compliance functions to ensure adherence with KYC. This could include a company-wide training programme on rules and procedures.

“There are many AML handbooks out there, and the procedures have become complicated. You can get lost in the specifications,” says Wayne Atkinson. “But what is clear is that good staff training is your first line of defence. You might hire an expert KYC consultant at the top of an organisation to carry out your processes, but if the guy on the shop floor is not spotting the red flags then you"re in trouble. The ultimate risk is criminal action and that some of your staff go to jail. Knowledge of KYC must be widespread throughout an organisation.”

On the issue of continuous monitoring, Atkinson adds: “Businesses can be taken over with new people in charge, or someone could become a politically exposed person during your relationship, which makes them higher risk.”

Cultural shift

The complexity of the subject is added to by the increased proliferation of technology allowing money to be passed around the world more freely, and cross-border account opening. There is also a myriad of country and region-specific regulations.

“One area we frequently see larger groups struggle with is differing KYC requirements in different jurisdictions,” states Atkinson. “A client may have a direct relationship with a firm"s office in, say, Switzerland and may have met all local requirements, but when that client needs to do business with an office in the Channel Islands the requirements may differ. There is a real risk of upsetting your client - that you may be seen as being too rigorous if they"re being asked for stuff they"ve already been asked for in other parts of the world. Taking a joined-up approach across your offices isn"t just good business sense, but essential risk management.”

The importance of maintaining relationships - particularly those at a private bank, for instance - has led to businesses making a shift in the gathering of information.

Chris Hamon, Head of Relationship Services at Deutsche Bank International in Jersey, explains its KYC team is an "arms-length unit", not impinging on the client relationship. “They"re a dedicated team collecting information, which then reports into a separate reporting line,” he says. “We have a very robust and strong model. With regards to KYC, sometimes it"s who you refuse that turns out to be more important for the company than who you take on.”

Hamon says the rise of the internet has helped Deutsche Bank gather the necessary information on potential clients. “We have "hot scan" AML software that automatically alerts us if it picks up certain data, which can then lead to further management review,” he says.

Dekker of Fiserv says using IT for KYC helps consistency of data collection, which is very important for the regulators. He says: “Data checking and screening things such as drivers" licences and millions of records of PEPs takes time. It"s impossible for us humans to wade through that material. Transaction monitoring behaviour on an ongoing basis can also be key. Has the behaviour changed against expectations of frequency, volume and destination? Is there anything unusual or suspicious that needs investigation by a compliance team?”

More regulated businesses, according to Dekker, are outsourcing KYC data capture to IT firms but must be careful as they retain personal liability if legal issues emerge. “You can outsource the work but not the responsibility. It"s about collaboration and maintaining a relationship with your IT firm,” he states.

So how will KYC develop in the near future? Deutsche Bank"s Hamon expects more complexity and more requirements from regulators, while Atkinson disagrees, seeing scope for more simplified rules to stop KYC from being dragged away from its central themes.

One certain curveball is the US Foreign Account Tax Compliance Act (FATCA), which aims to detect US tax evaders concealing their assets overseas . Banks and other financial institutions worldwide will have to submit detailed information on their customers to the US tax authority. Subsequent similar agreements in the UK and the OECD"s intention to impose a global tax standard only muddy the water further.

It"s expected that banks will be able to align their existing "onboarding" systems for KYC and AML with FATCA requirements, but will probably need more input and collaboration with their tax departments. However there is uncertainty over how well these distinct departments will work together.

“Governments want institutions to understand their clients 100 per cent,” says Hamon. “Our approach is to utilise our core KYC system to cover the requirements.”

Bear all this in mind next time you open a bank account - just consider the conveyor belt of work you will have started…