A key concern and critical risk for financial institutions (FIs) remains the possibility of unknowingly becoming complicit in money laundering actions where illegitimate money is moved into legitimate institutions. In order to mitigate such risk, FIs have strengthened their internal control systems by increasingly making use of Know Your Customer (KYC) and Customer Due Diligence (CDD) requirements, as part of their anti-money laundering (AML) strategies.
In designing a solid KYC/CDD programme there are key elements that need to be incorporated. Namely the key four elements (as outlined in the relevant figure below) for an effective KYC Programme are the following:
- Client Acceptance Policy
- Customer Identification
- Ongoing Monitoring
- Risk Management
Four key elements of an effective KYC programme
Firms should not only establish the identity of their customers, but should also monitor account activity to determine those transactions that do not conform with the normal or expected transactions for that customer or type of account and manage the related risk accordingly. Each of these activities is reviewed separately, highlighting the importance of each of one separately, and how these need to be properly executed in order to for the KYC programme to be effective. An additional factor, the training of personnel, is also reviewed.
Customer acceptance policy
Firms should develop clear customer acceptance policies and procedures, including a description of the types of customer that are likely to pose a higher than average risk to a firm. In preparing such policies, factors such as customers’ background, country of origin, public or high-profile position, linked accounts, business activities or other risk indicators should be considered.
Firms should develop graduated customer acceptance policies and procedures that require more extensive due diligence for higher risk customers. For example, the policies may require the most basic account-opening requirements for a working individual with a small account balance. It is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to financial services, especially for people who are financially or socially disadvantaged.
On the other hand, quite extensive due diligence would be essential for an individual with a high net worth whose source of funds is unclear. Decisions on whether to enter into business relationships with higher risk customers, such as politically exposed persons, should be taken exclusively at senior management level.
Customer identification
Customer identification is an essential element of KYC standards. A customer can be:
- The person or entity that maintains an account with the firm or those on whose behalf an account is maintained (i.e. beneficial owners)
- The beneficiaries of transactions conducted by professional intermediaries
- Any person or entity connected with a financial transaction who can pose a significant reputational or other risk to the firm
Firms should establish a systematic procedure for identifying new customers and should not establish a business relationship until the identity of a new customer is satisfactorily verified.
Firms should “document and enforce policies for identification of customers and those acting on their behalf”. The best documents for verifying the identity of customers are those most difficult to obtain illicitly and to counterfeit. Special attention should be exercised in the case of non-resident customers and under no circumstances should a firm short-circuit identity procedures just because the new customer is unable to present himself for interview. The firm should always ask itself why the customer has chosen to open an account in a foreign jurisdiction.
On-going monitoring of accounts and transactions
On-going monitoring is an essential aspect of effective KYC procedures. Firms can only effectively control and reduce their risk if they have an understanding of the normal and reasonable account activity of their customers so that they have a means of identifying transactions which fall outside the regular pattern of an account’s activity. Without such knowledge, they are likely to fail in their duty to report suspicious transactions to the appropriate authorities in cases where they are required to do so.
The extent of the monitoring needs to be risk-sensitive. For all accounts, firms should have systems in place to detect unusual or suspicious patterns of activity. This can be done by establishing limits for a particular class or category of accounts. Particular attention should be paid to transactions that exceed these limits. Certain types of transactions should alert firms to the possibility that the customer is conducting unusual or suspicious activities. They may include transactions that do not appear to make economic or commercial sense, or that involve large amounts of cash deposits that are not consistent with the normal and expected transactions of the customer. Very high account turnover, inconsistent with the size of the balance, may indicate that funds are being “washed” through the account. Examples of suspicious activities can be very helpful to firms and should be included as part of a jurisdiction’s anti-money-laundering procedures and/or guidance.
Risk management
Effective KYC procedures embrace routines for proper management oversight, systems and controls, segregation of duties, training and other related policies. The board of directors of the firm should be fully committed to an effective KYC programme by establishing appropriate procedures and ensuring their effectiveness.
Explicit responsibility should be allocated within the firm for ensuring that the firm’s policies and procedures are managed effectively and are, at a minimum, in accordance with local supervisory practice. The channels for reporting suspicious transactions should be clearly specified, in writing, and communicated to all personnel. There should also be internal procedures for assessing whether the firm’s statutory obligations under recognised suspicious activity reporting regimes require the transaction to be reported to the appropriate law enforcement and and/or supervisory authorities.
Internal audit and compliance functions have important responsibilities in evaluating and ensuring adherence to KYC policies and procedures. As a general rule, the compliance function should provide an independent evaluation of the firm’s own policies and procedures, including legal and regulatory requirements. Its responsibilities should include ongoing monitoring of staff performance through sample testing of compliance and review of exception reports to alert senior management or the Board of Directors if it believes management is failing to address KYC procedures in a responsible manner.
Training Requirements
A final point that needs to be raised and is arguably of equal importance in achieving efficient and effective KYC/CDD policies is the training of personnel. Given the rapidly developing regulatory environment and the complex challenges that arise for FIs, it is imperative for a successful KYC programme that the relevant personnel be adequately trained and equipped to deal with such challenges.
As a result, all firms must have an ongoing employee-training programme to ensure that staff systematically undergo the appropriate training in KYC procedures. The timing and content of training for various sectors of staff will need to be adapted by the firm for its own needs. Training requirements should have a different focus for new staff, front-line staff, compliance staff or staff dealing with new customers. New staff should be educated in the importance of KYC policies and the basic CDD requirements. Front-line staff members who deal directly with the public should be trained to verify the identity of new customers, to exercise due diligence in handling accounts of existing customers on an ongoing basis and to detect patterns of suspicious activity. Regular training should be provided to ensure that staff are updated on regulatory developments and kept alert. It is crucial that all relevant staff fully understand the need for and implement KYC policies consistently.
Conclusion
The above elements are vital in the design and implementation of sound KYC programmes thus helping to mitigate the risks involved with money laundering practices and at the same time ensure the long-term credibility and reputation of the organisation. No FI has the luxury of by-passing or undermining KYC programmes as it will not only make the organisation vulnerable to risks and the facilitation of illegal practices, but the organisation will also be faced with legal repercussions resulting from violations of regulatory requirements.