Moving to a Perpetual KYC Model – the Benefits and the Challenges
With increasingly stringent KYC requirements meaning that financial institutions must periodically refresh information held about their customers, Charmian Simmons and Neil Isherwood examine the benefits and challenges of a perpetual KYC model
Under Know-Your-Customer (KYC) regulatory requirements, banks and other financial institutions are expected to periodically review and refresh relevant information they hold on their customers. This goes beyond the initial Customer Due Diligence (CDD) carried out within the initial onboarding phase as institutions must monitor clients on an ongoing basis and maintain their records.
Financial services firms have been looking for many years to improve efficiency in this space, looking towards a data-led approach and automation to reduce costs. For many, this has been a slow process, with many other programs taking priority due to cost or resource limitations.
Despite the numerous challenges a large institution faces when attempting to overhaul its processes, the benefits can be huge.
The evolving face of Customer Due Diligence
Ongoing monitoring often takes the form of periodic reviews – the frequency of which is determined by the initial view of risk during onboarding. Periodic reviews can be cumbersome, a drain on resources and not always a good experience for the customer.
With greater focus being placed on truly understanding a customer and their behaviours, especially in the light of recent data leaks, news headlines, and cross-border activity, even the likes of continuous KYC under CDD hasn’t provided enough to plug the gaps and meet heightened expectations.
Automation, data and perpetual KYC are key in helping to accelerate the due diligence process and minimize the gaps, leading to faster onboarding, reduced exposure to risk, and increased resilience.
Perpetual KYC, or pKYC, is a process that responds to changes as soon as they are made, rather than a time-based review of information. It is proactive rather than reactive, which means its ongoing approach to due diligence is dynamically refreshed in response to key triggering events.
Sustainable and successful perpetual KYC requires investment in data quality, KYC standards, and cultural buy-in from senior management.
Why periodic reviews are no longer the best form of review
Periodic reviews can be laborious to carry out. They also allow for windows of change, where criminal activity can stay under the radar for long periods of time. Even continuous CDD and KYC remediation – whereby firms frequently update customer data and profiles – can miss key changes in behavior and activity, masking the gaps.
The benefits of perpetual KYC over periodic review are in two key areas:
- Risk mitigation – Many institutions already have an element of perpetual KYC around sanctions and PEPs as they are usually checked daily against watch lists. However, it’s often overlooked that although daily checks are done, institutions may be regularly screening the wrong individuals if they have missed updates to their directors or beneficial owners. Perpetual KYC will flag these changes so institutions can begin screening the new individuals. Additionally, changes in beneficial ownership several layers away in other countries may not be realized or surfaced as part of traditional reviews. The right data and alerts can surface this kind of information more readily and automatically via perpetual methods, and in turn, help in understanding client risk impacts on the institution.
- Right-sizing effort – Often, periodic reviews can be 12 months or more apart. Within a 12-month period, some entities will have seen change – whether that be new directors, watch list hits, new Ultimate Beneficial Owners (UBOs), or a new address or contact information – but many will have had no changes at all. During the review, all aspects of all entities are re-checked, eliminating gaps and windows of change that impose risk.
With perpetual KYC, the initial KYC/CDD onboarding process is the same. The difference is that when changes happen in the data, they are picked up in real-time and trigger an event that is captured, then automatically assessed and actioned by the system. If there is concern, a CDD operative or analyst intervenes and decides whether to take further action. This allows institutions to ‘right size’ their approach and spend more time on entities where there are more changes and higher levels of risk.
Utopia vs reality
There are some foundational elements that must be in place to achieve perpetual KYC and higher levels of automation in CDD. It is easy to overlook these, so being informed and prepared to address them before starting will help ensure a successful transition:
- Data strategy – often the most challenging and overlooked part of the puzzle, this is a necessary fundamental for perpetual KYC. Certain types of data are hard to capture and maintain, so institutions need to consider how to do this, as well as how to bring together information held in disparate systems to be integrated with live feeds and generate triggers.
- Workflow – to aid high levels of automation, the compliance policy needs to be capable of being digitised into the workflow. An example of this is flow or decision-making rules for what is sent to simple vs. enhanced due diligence.
- Monitoring – often an existing element in the compliance process, institutions need to focus on how to integrate live updates into monitoring processes for increased levels of automation. This also includes data held in separate systems to screening systems, to enrich and maximize the monitoring process.
- Human intelligence and review – the combined power of automation and human intelligence should not be underestimated in achieving sustainable pKYC. While it is impossible to automate 100% of cases, what can be automated and straight-through-processed should be, enabling analysts to spend their time on cases with the most risk, such as false positive reviews that require manual review and action closure.
A best practice when creating a perpetual KYC programme with automation is to ensure that updates and monitoring are included by design, rather than being an afterthought. Institutions should think about the data they capture while onboarding and how that can be monitored automatically and maintained. This may mean re-engineering parts that are too manual or not using structured data. If thought about as part of the foundational steps like data strategy, policy, or workflow, it will be much easier to move into monitoring and adjudication.