If you’re in the financial services industry you should be painfully familiar with the KYC acronym (short for Know Your Customer) — an industry coined term with origins dating back to the USA PATRIOT Act and its Customer Identification Program (CIP) provision.
Like most components of the AML (Anti-Money Laundering) universe — KYC tends to get more complicated than it really needs to be. This story will aim at outlining the simplicity of the measure aimed at simply knowing who your organization is doing business with.
Yes that is the basic intent of every law and/or regulation falling under the coined KYC umbrella — who is your customer?
Top Line — Policy and Program
An organization must start with an effective (adheres to the spirit of the law) policy position (words on paper) and an efficient (makes sense for the business) program (how the policy is carried out).
Bottom Line — Execution
Here’s where it may tend to look challenging, but in reality it is rather simple.
It begins with data collection (often sourced directly from the customer). Tip — get this right or everything else is going to create ambiguity and/or opacity in the ensuing processes.
Take party names (legal entities or individuals) and screen them against public records; government watchlists; and/or other public data (negative news).
Take the aggregated data (screening results included) and ingest that data into a risk scoring engine — this model will rate the customer’s potential for money laundering and/or terrorist financing risk.
Assuming collection, screening, and scoring yielded no exceptions and/or heightened risk (probably 95+% of your portfolio) — send those customer profiles off to monitoring. The remaining profiles may involve decisions to decline further onboarding and/or accepting onboarding with a route to enhanced monitoring procedures.
Most customers within an organization’s portfolio should be managed with standard surveillance (transaction monitoring and/or significant changes to their KYC profile) — and remember that’s the general main point of all this anyway (identifying conduct that warrants a suspicious activity report). For those that were onboarded with exceptions (having heightened risk) — schedule reviews (enhanced due diligence) on a reasonable frequency that addresses the policy position and the business.
The KYC profile and ultimate lifecycle will be predominately influenced by the activity (conduct) — as most individuals and legal entities remain who they are vs. change significantly.
Fine Print — Tools Needed
Naturally you need smart people to formulate effective policy (an understanding of what’s required legally) and even smarter people to formulate an efficient program (the business processes).
Here’s where it gets really important — you don’t just need data — you need really good data and really good data management. On top of the data you need software solutions — one that can run an engine for modeling risk and one that can function smoothly as an integrated business process management (BPM) platform.
So for those you that like to skim to the bottom of my stories: policy/program/execution — collect/screen/score/route/monitor/adjust — people/data/software…the simplicity of KYC