Continuous Compliance: Why KYC Isn’t Enough
Continuous KYC is a phrase that now appears frequently in compliance circles. It describes a system in which a firm’s KYC files sit at the centre of a web of automated information sources, each source feeding new information directly into the firm’s records as it comes to light. In this article I’ll look beyond the immediate attractiveness of this paradigm to ask some key questions.
The challenge of establishing automated continuous compliance KYC updates
Tolstoy began “Anna Karenina” with, “Happy families are all alike; every unhappy family is unhappy in its own way.” And much the same can be said of firms’ imperfect KYC systems. Some common themes, however, present themselves.
There is enough complexity in the IT of a typical firm to make even simple enhancements long, drawn-out, risk-laden affairs. Amending a single IT system is one thing, but few firms can boast a single system looking after all their KYC gathering, storage and distribution needs. Long before the advent of the ‘single client view’ requirements, firms struggled to see in one place and format all they knew about any given client. In many cases, this has only been achieved – if indeed it has – by grafting additional front-end applications onto a profusion of legacy systems that either resolve inconsistencies between systems on the fly or ignore them. They may typically fail to link client records, presenting one client in three different systems as three separate clients, for instance, or do the opposite by merging two similarly named individuals into an amalgam, a chimerical client, if you like.
Then there is the availability of information sources on which firms may unleash their scrapers. In Companies House, through an excellent API, firms can interrogate a huge, open database of corporate ownership information.
This is a dynamic database; thousands of filings are added daily, many of which establish new entities or material changes in the ownership and control of existing entities. Aggregated sources such as OpenOwnership and OpenCorporates provide feeds that incorporate international data, too. But the sad fact is that open registers are still the exception rather than the rule. Even in the EU where national beneficial ownership registers are mandated by law, their implementation is patchy across the union and few match the accessibility of the UK register at Companies House. In the US, the much-lauded new ‘corporate transparency’ measures rely for their name on a very specific definition of the word ‘transparency’ and these records will not be available to feed continuous compliance KYC machines for banks and other users.
Moving to Continuous Compliance Client Due Diligence
For a moment, let’s imagine we have achieved the Nirvana state of functional, continuous KYC. Where does that get us? Because KYC files, of themselves, are useless. They always have been.
Putting a book on your shelf about the Russian revolution looks good on your Zoom call; it will seem that you have at least a passing knowledge of that momentous point in history – you might even be a leading authority on it. But in reality, until you open the book and read it, owning the book has not done anything for you other than ticking a box. Likewise, having an immaculate KYC file by itself does not help you defend against financial crime in your organisation.
What you need to go along with your continuous KYC is continuous client due diligence. If continuous compliance is about buying the book, then continuous CDD is about reading it, understanding it and using it to inform your judgements. That means looking regularly at the relationship, the client behaviour and transactions – individually and collectively – in the light of the KYC and your experience of the client and the client’s world.
Can you answer these key questions?
· Is what I’m seeing in the client’s behaviour and transactions consistent with the nature and purpose of the business relationship?
· Is everything in line with the expectations we and the client had at the outset, or that we have subsequently explicitly identified?
· Do we understand the economic purpose of the client’s activities, both at a micro (single transaction) level and on a macro (aggregated transactions) basis – and are the detail and the big picture telling us a consistent story?
· Does our client risk rating match (or continue to match) the financial crime risks inherent in this relationship?
· Where the risks have changed, do we understand why? Do we recognise what the potential implications are? Do the ongoing monitoring controls at the assessed risk category match the risks we observe?
· Given all this, are we happy to maintain this relationship for a further period, and does the risk level require others to approve also?
Of course, we need to be documenting all of this and tracking it over time.
Difference between cKYC & cCDD
We sat down with Ray Blake, Director of The Dark Money Files, to discuss the difference between continuous KYC and continuous CDD.
Moving to Continuous Reporting & Analytics
Financial criminals will usually have immaculate KYC. They need to have that to be onboarded in the first place, and to stay onboarded. Of course, it will be based on lies, because if they told you their actual purposes and the activity they planned to undertake on the account you would never let them through the door. But those lies come to light sooner or later when they start pursuing their criminal ends through the account. When what they do differs from what they led you to expect – which it must if they want to fulfill their illicit intent – that immaculate KYC will be their downfall, but only if you are paying attention. If the book stays on the shelf, the bad guys win.
So, we have to recognise that the ideal of continuous compliance KYC can never be an end in itself, much as owning a fine library alone does not make one well-read. But supplemented by good continuous due diligence it can deliver both efficiency and effectiveness benefits if the technical and data availability challenges can be overcome.