The challenge of establishing automated continuous compliance KYC updates
Tolstoy began “Anna Karenina” with, “Happy families are all alike; every unhappy family is unhappy in its own way.” And much the same can be said of firms’ imperfect KYC systems. Some common themes, however, present themselves.
There is enough complexity in the IT of a typical firm to make even simple enhancements long, drawn-out, risk-laden affairs. Amending a single IT system is one thing, but few firms can boast a single system looking after all their KYC gathering, storage and distribution needs. Long before the advent of the ‘single client view’ requirements, firms struggled to see in one place and format all they knew about any given client. In many cases, this has only been achieved – if indeed it has – by grafting additional front-end applications onto a profusion of legacy systems; these applications either resolve inconsistencies between systems on the fly or ignore them. Typically, they may fail to link client records, presenting one client held in three different systems as three separate clients, for instance, or do the opposite by merging two similarly named individuals into an amalgam, a chimerical client, if you like.
Then there is the availability of information sources on which firms may unleash their scrapers. At Companies House, through an excellent API, firms can interrogate a huge, open database of corporate ownership information.
This is a dynamic database; thousands of filings are added daily, many of which establish new entities or material changes in the ownership and control of existing entities. Aggregated sources such as OpenOwnership and OpenCorporates provide feeds that incorporate international data, too. But the sad fact is that open registers are still the exception rather than the rule. Even in the EU where national beneficial ownership registers are mandated by law, their implementation is patchy across the union and few match the accessibility of the UK register at Companies House. In the US, the much-lauded new ‘corporate transparency’ measures rely for their name on a very specific definition of the word ‘transparency’ and these records will not be available to feed continuous compliance KYC machines for banks and other users.
Moving to Continuous Compliance Client Due Diligence
For a moment, let’s imagine we have achieved the Nirvana state of functional, continuous KYC. Where does that get us? Because KYC files, of themselves, are useless. They always have been.
Putting a book on your shelf about the Russian revolution looks good on your Zoom call; it will seem that you have at least a passing knowledge of that momentous point in history – you might even be a leading authority on it. But in reality, until you open the book and read it, owning the book has not done anything for you other than ticking a box. Likewise, having an immaculate KYC file by itself does not help you defend against financial crime in your organisation.
What you need to go along with your continuous KYC is continuous client due diligence. If continuous compliance is about buying the book, then continuous CDD is about reading it, understanding it and using it to inform your judgements. That means looking regularly at the relationship, the client behaviour and transactions – individually and collectively – in the light of the KYC and your experience of the client and the client’s world.
Financial criminals will usually have immaculate KYC. They need to have that to be onboarded in the first place, and to stay onboarded. Of course, it will be based on lies, because if they told you their actual purposes and the activity they planned to undertake on the account you would never let them through the door. But those lies come to light sooner or later when they start pursuing their criminal ends through the account. When what they do differs from what they led you to expect – which it must if they want to fulfil their illicit intent – that immaculate KYC will be their downfall, but only if you are paying attention. If the book stays on the shelf, the bad guys win.
So, we have to recognise that the ideal of continuous compliance KYC can never be an end in itself, much as owning a fine library alone does not make one well-read. But supplemented by good continuous due diligence it can deliver both efficiency and effectiveness benefits if the technical and data availability challenges can be overcome.