In recent years, the inadequacy of many financial institutions KYC controls have been exposed and punished in the form of significant fines, public embarrassment and brand damage. Whilst those in the spotlight have been the focus, many outside of the spotlight remain nervous that they may be next.
At the same time, Basel III, MiFID and other new regulations are ramping up the pressure for financial institutions to really know the ins and outs of who they are trading with. Adapting to and adopting new regulations is essential to avoid the regulators gaze.
Historically, meeting KYC regulatory requirements has been a matter of defining a policy that categorises clients into various risk levels, and then dictates greater due diligence the higher up the risk scale you go. The policies not only dictate what you need, but what sources are acceptable to use in gathering that information, how it should be verified and what to do when the information can’t be sourced. It is from this policy-led approach that risk based decisions can be made on who to trade with.
To support this, many of the biggest financial institutions in the world have made significant investments in policies, systems, screening tools or services and large Operations teams.
The results of this approach and investment – estimates of well over a trillion dollars still laundered each year. The outcome for financial services firms has been fines of over $10bn over the last 2 years for AML / KYC breaches.
Something isn’t working
At Clarasys, we think it’s time for a rethink. The current policy led approach is premised on the basis that you can predict where money laundering and terrorist financing is most likely, collect more detailed information in these areas, and as a result catch the bad guys before trading begins. This approach is fraught with problems:
- Once a policy is embedded it is painful and costly to change – it means system changes, revised processes, resetting of productivity assumptions and a wave of communication and training. It’s hardly surprising given this that policies remain relatively static and therefore struggle to keep up with the changing face of money laundering. This is compounded by the fact…
- Policies by their nature tend to reflect the risks that exist at the time they are written. As a result, they are likely to always be changed reactively – when a new ML or TF risk has already emerged. It makes it almost impossible to ever get ahead of criminals. Add in the complexities of change associated with 1, then an extended delay between a new route for criminal emerging, and compliance teams having readily available information to change how they make their decisions is inevitable.
- It leads to discarding of potentially important and relevant data by discriminating up front what data should be considered when making a decision.
A policy-led approach is the equivalent of Google taking your search term and only giving you the top 3 results. You’d never know if result 4 had what you were looking for.
So what’s the alternative
The alternative is to look at KYC as a data problem – not a policy problem. It is fundamentally about gathering and interpreting data to make a decision.
Where as a policy-centric approach is premised on trying to disprove that someone is laundering money (by finding ways to reduce the diligence to be conducted on them), a data led approach objectively looks to source as much information as is possible and organise it in a way that enables informed decision making. It is the equivalent of Google: Taking your search term, ranking the results based on usefulness and reliability, but most importantly not discarding potentially useful information.
Most reactions to this sort of a statement are that it will drive the need for an Operations team 2/3 times the size. In a world where processing a heightened record can take 2-3 times the duration to process a simplified one, this would be true.
However, this would also miss the point of a data-led approach. A data-led approach standardises the upfront data gathering to such an extent that the wealth of existing web scraping and big data tools available become opened up to the world of KYC. To date, the scope for automation has often been constrained by the complexity of policy. A policy-led approach is premised on analysing up front to determine what data to gather. A data-led approach is premised on gathering what you can, then analysing – the gathering rules are much simpler.
KYC Operations teams shift their focus from gathering data to prove a policy, to analysing and interpreting available information to make risk based judgements on how to proceed. It also means investment can shift from expensive tools that dictate what data is to be gathered in which circumstances to tools that help make sense of the data available and, in turn, what the actual risk is. Where would you rather spend your money?
A data led approach also allows FIs to adapt to new regulations quickly and at a much lower price point. New regulations mean adding more data points, but the underlying approach stays the same, so there is no longer a need for a fundamental change in how things work.
Most importantly, a data-led approach makes it harder and harder for criminals to ‘work around’ existing policies to find ways to launder their money – it exposes the hiding places.
At Clarasys we have a team of business analysts and project and change managers who can rapidly help you assess the state of your current KYC operation, identify opportunities for improvement and make change happen – fast.