Short KYC Guide – explaining the regulations and how they are going to affect your company
What is the relation of AML to KYC?
4 steps of KYC compliance
1. Identifying the customer and verifying their true identity.
2. Assessing customer risk.
3. Identifying the beneficial owner and taking measures to verify that person’s identity.
4. Ongoing monitoring and record keeping.
Customer Due Diligence
What is the difference between SCDD and ESDD?
Simplified CDD (Customer Due Diligence)
Enhanced CDD (Customer Due Diligence)
How will regulations affect obliged entities?
The development of new technologies and emergence of FinTechs changed customer expectations of financial services. However, along with FinTech growth, there has been growth in money laundering and terrorist financing. To limit financial institutions vulnerability to such crimes, they are required to have AML and KYC programs in place.
For example in the EU, laws in different member countries are created according to regulations like 4th and 5th AMLD. As a result, the laws of various countries are similar and often just differ slightly. However, those differences add another challenge when companies have global reach and customers in many countries. It might mean the responsibility to meet not only the local requirements but the international AML standards too. Subsequently creating and maintaining AML programs by financial institutions and other regulated entities becomes even more complicated.
Regulations become even more rigorous every year and continuously include new parties from the financial sector. However, as the regulations grow, companies sometimes find it difficult to adjust their legacy systems and programs. Although satisfying new requirements can be time-consuming and costly, failing to do that may have grave consequences for regulated entities. If the organisation doesn’t prevent, detect or report illicit activities, they need to prove that it was not due to their poor AML practices. Company is responsible for proving that they were compliant with requirements and that every step to identify, assess and understand the risk was completed.
Consequences of neglecting their AML programs, among others, put organisations at risk of fines. For example: in 2018 Commonwealth Bank of Australia was fined a sum of $700 million by AUSTRAC for serious breaches of anti-money laundering and counter-terrorism financing law. There is also reputational damage which might cause loss of clients.
AML (Anti-Money Laundering) is a very broad term that covers many different regulations issued by governments and international organisations. Those regulations oblige companies to prevent, detect and report crimes related to organised crime, money laundering, and terrorist financing.
The group of regulated entities includes among others:
- Credit unions.
- Financial institutions.
- Gambling sites and casinos.
- Wallet providers and crypto exchanges.
Regulations (like the 5th AMLD) set out a comprehensive framework of measures in order to combat money laundering and terrorist financing. Countries implement those measures accordingly through revisions in laws. As a result of changes in legislation regulated entities must create or adjust their own AML programs.
Companies must care about who they onboard as a client. As part of the AML program KYC compliance plays its role here. KYC (Know-Your-Customer/Client) process starts before any business relationship is established and continues through the whole business relationship. Overall KYC consists of four steps.
The first step of a KYC programme consists of:
- Collecting customer identity data.
- Checking it against trusted independent sources to see if they are not a politically exposed person (PEP) and are not listed on Sanctions Lists.
- Collecting an image of required identity document in order to exclude the possibility of identity theft.
The second step requires an organisation to:
- evaluate how likely it is for a customer to commit crimes involving money laundering and terrorist financing,
- estimate what risk particular customer poses in terms of possible reputational or any other damage,
- assess and, if needed, obtain information on the purpose and intended nature of the business relationship.
Where applicable taking reasonable measures to understand the ownership and control structure of the customer.
The company needs to investigate account activity and transactions undertaken by its existing customers. The goal of such monitoring is to ensure that no suspicious customer behaviour will go unnoticed by the company. It includes:
- Creating the business and risk profile, including where necessary the source of funds
- Ensuring that the documents, data or information held are kept up-to-date.
To sum up, the four steps presented above form CDD (Customer Due Diligence). CDD can be performed as a Simplified Customer Due Diligence (SCDD), or Enhanced Customer Due Diligence (ECDD). Before explaining when the Simplified or Enhanced CDD is applicable it is important to understand what the risk-based approach involves since 4th and 5th AMLD puts special emphasis on this term.
In brief, the risk-based approach to the KYC procedures means focusing on migrating risk. As opposed to treating every new or existing customer according to the same procedures and putting them through the same checks.
Risk is variable in nature. As a result, some situations show a greater danger of money laundering or terrorist financing crimes. When the customer risk is considered lower, the organisation needs to perform only the basic steps of KYC program. When the risk is considered greater, customer must be subject to more accurate checks and rigorous monitoring.
In the face of growing regulatory requirements, the risk-based approach adds flexibility. In general, it can be a great solution to stay compliant and, at the same time, onboard the right customers quickly. For instance, low-risk customers will only need to go through a simple form of KYC procedure and won’t get frustrated by the length of onboarding time. In the meantime, the efforts of organisation’s team can be focused on higher-risk customers, as they require more thorough checks.
Employing innovative technologies can improve customer experience and support an omnichannel onboarding. Increasingly more regulators recognise the reliability, accuracy, and convenience of the online identification when onboarding new customers (like AMLD and more locally: FINMA or BaFin). They encourage financial institutions to incorporate a fully digital onboarding. To summarize, the majority of CDD steps such as identifying the customer and verifying their identity can be reduced to a matter of minutes. Automation (AI, machine learning) can replace repetitive, manual tasks and speed up the KYC process.
As mentioned above, the CDD measures include:
- establishing customers identity,
- predicting, to some extent, the types of transactions and activities customer is likely to be involved in,
- and monitoring account activity.
Ongoing monitoring allows detecting activities that may not be in line with what was predicted at the beginning of the business relationship. When some activity does not match a “normal” pattern, the company must apply more rigorous monitoring and background checks of the unusual transactions. Keeping an eye out, to some extent, on existing customers ensures that no suspicious activity will go unnoticed. This way, in case of a crime, unlawful activities will be detected and reported.
SCDD is performed when a customer, business relationship, or a transaction is considered lower risk. Then the CDD does not have to be as thorough and comprehensive. In this case, ongoing monitoring is applied, but to a reasonable level that is sufficient to guarantee that no unusual activity is completed unnoticed.
A company needs to apply ECDD measures when:
- customer is a politically exposed person,
- customer has an existing business relationship with competitors,
- customer is based or living in a country that is considered a “higher-risk”, where the AML/CTF regulations are less strict
The EU is mandated to identify and list High-Risk Third Countries, and 5th AMLD provides a list of minimum requirements for customers from those countries.
Besides completing the necessary steps of CDD, Enhanced CDD obliges to obtain additional information regarding:
- Customers identity.
- Beneficial owners.
- A source of a customer’s wealth and funds, etc.
- At last, it calls for enhanced, ongoing monitoring of the business relationship.
As regulator’s requirements grow, embedding automated solutions into financial institutions systems becomes crucial. For example, the first step of CDD consists of checking various databases and gathering information about the customer. This step can be reduced to a simple and quick process when using automated systems. Otherwise, it is a laborious task of gathering all the information manually, putting them into spreadsheets and only then analysing them.
In July 2018 the European Parliament adopted the 5th AMLD. The Member States of the EU have time to adopt them by January 2020. The change in legislation will force regulated entities to revise or create their AML programs.
The 5th AMLD includes virtual currency platforms and custodian cryptocurrency wallet providers. They will be obliged to take those regulatory changes into account and create their own AML programs. In particular, requirements that will have a great impact on them are:
- Full user identification,
- Forbidding anonymous transactions,
- Restrictions on the use of prepaid cards.
Setting such a high standard when it comes to AML compliance may have its pros and cons. The more controversial disadvantage will be the prohibition of anonymous accounts, which for some was an important part of cryptocurrency culture. The advantages consist of being less vulnerable to illegal activities and gaining the trust of customers, investors and traditional financial institutions.
For all the obliged entities some changes and revisions will be necessary:
- Taking into consideration the list of High-Risk Third Countries.
- Establishing formalised procedures to gather and update the information on beneficial ownership.
- Applying all the requirements of the ECDD.