Improving your KYC policy: feedback loops result in automation
As KYC analysts, we have worked our way through dozens of files to detect sanctioned parties, money laundering, and terrorism financing. This gave us deeper insights into the current know-your-customer processes at Dutch financial institutions. In this blog we elaborate on the various KYC policies, the operational procedures and business processes following these KYC policies. Further, we discuss the room for interpretation that these policies leave. Lastly, we elaborate on ways to enable standardization and smart automation by starting from the core, the policies, and taking into account operational executability.
Know your customer
Current KYC processes of financial institutions often consist of customer onboarding, customer due diligence, and monitoring. All financial institutions are obligated to comply with European and National laws and regulations. In addition, other regulations may be applicable depending on the institution’s field of operation.
Nonetheless, every financial institution needs to know its clients and know about their transactional behavior and intentions to ensure compliance with, for example, the anti-money laundering Directive. Knowing your customer involves yearly monitoring of clients with transactions and activities in sanctioned countries, activities with a high risk of money laundering and illegal activities. Since rules and regulations can be complex, financial institutions write their own overarching policies to ensure compliance. These policies can consist of multiple layers of rules, each more ambiguous and open for interpretation. During our work, we experienced this firsthand. It causes challenges when reviewing and writing client reports and is one of the main reasons for inconsistency, compliance risks, inefficiency, and the related high costs.
The complexity of compliance
The complexity of compliance stems partly from interpretability of laws and regulations. European laws and regulations to prevent the use of the financial system for money laundering or terrorism financing can be interpreted in different ways, because most laws and rules are written in a European Directive rather than a European Regulation. A “Regulation” is a binding legislative act. It must be applied in its entirety across the EU. A “Directive” is a binding legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
An example of a European Directive is the EU Fifth anti-money laundering Directive. This Directive is implemented in Dutch law as the Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft) (Anti-Money Laundering and Anti-Terrorist Financing Act), which entered into force on August 1, 2008, and whose last legislative amendment came into effect in 2020. The Dutch legislator interpreted the EU Fifth anti-money laundering Directive to create the Wwft to meet the requirements set by the EU legislator.
Such interpretation leaves room for ambiguity. However, this is not the only contributing factor. In addition, financial institutions have their own risk-based approach which they describe in their own policies. What’s more, financial institutions can also apply supplementary laws and policies if they are of interest to their business. This results in three layers of “rules”: national law and regulation, rules and policies regarding financial institutions’ specific business interests, and financial institution-specific policies. These layers of rules make compliance increasingly complex. While working through customer files, we saw that a client can breach a financial institution’s additional policy without breaching national laws and regulations.
An example of such a breach is when a customer is not allowed to perform transactions with a sanctioned entity under the institution’s additional policy, whereas national laws and regulations do not prohibit this.
This creates the complex situation in which the financial institutions operate and makes it difficult for them to do so in a standardized way. Also, it is one of the reasons why current KYC processes are often manually executed by analysts. If the complexity in compliance is reduced with smart policies, opportunities for smart automation of KYC processes arise. Smart policies are policies which take into account applicable legislation and regulation, the client perspective and operational executability.
The road towards automation
The policies defined by the financial institutions are the first step towards a better and more streamlined process to follow protocol. Nevertheless, these additional policies are often open for interpretation and written from a law and regulation point of view. Yet, we can also use these policies as a starting point for automating the KYC process. This requires writing them in a smarter and more precise way. By keeping possibilities for automation in mind when creating policies, the KYC process is formed in a way that allows for automation and thereby makes automation an important field of focus. This has the added benefit of less ambiguity, even when the policies are not automated. The following technologies are ways to achieve automation within a KYC process:
- Robotic process automation – The KYC process often includes sets of data and strict rules. RPA can be used to collect these sets of data, analyze them, and even provide output to a specific analyst. For example, within banks, customers’ transaction data is collected, sorted, and filtered according to high-risk topics such as “money transfers.” RPA is used to collect these data sets and filter them based on specific high-risk topics or analyze activities, such as cash deposits and withdrawals. The analyst receives the RPA output and uses this as the base of the review.
- Templates – Reviews are often written by an analyst without making use of standardized sentences or templates. The introduction of general standardized sentences and templates can decrease throughput time significantly. In our experience this can result in a decrease of up to 30%. However, standardized text fragments always need to be adapted to the specific context and case.
- Algorithms – Algorithms are already being used, at this moment mostly within transaction detection. By enhancing these algorithms and analyzing the first specifics of a transaction, throughput time can be decreased, and the file forwarded to the right analyst instantly. For example, algorithms can be enhanced by AI using behavioral and networking patterns. For instance, AI can be used to detect whether a customer is using the bank’s products differently and define how. This can be done by looking for periods without activity or the use of a bank account with the customer’s name at another bank.
- Utility services – Currently, every financial institution handles its own KYC process. This is often done for the same business or client. Each client that works with multiple financial institutions needs to provide KYC data multiple times to multiple parties. The introduction of a KYC utility can unburden clients and enable financial institutions to gather and verify KYC data in a cooperative and cost-efficient way. By doing so, double work and double costs for clients and themselves can be prevented. Distributed ledger technology is an example of a technology that can enable these utility services. It enables the secure exchange of high-quality, verified KYC data.
To enable automated processes, process descriptions must be streamlined. However, more importantly, operational executability and smart automation need to be considered when drafting internal policies. Currently, these are only focused on interpreting laws and regulations correctly from a legal point of view. Therefore, we need to explore how these laws and regulations can be translated into strict rules, smart criteria and binary code instead of leaving them open to interpretation for every separate case wherever possible. We can then use technology to enhance consistency and efficiency in the interpretation of laws and regulations through these rules. To establish this, collaboration between different departments is essential.
In real life, automating an entire KYC process is hard to imagine. Therefore, the first step is towards hybrid automation rather than full automation. This implies finding a process where most routine tasks can be done by processing power, leaving the task of drawing the final conclusions for the analyst. This means considering a technology-led approach where we identify all the current tasks and test if they can be automated. In doing so, skilled professionals can focus on those tasks that still require human reasoning, such as shaping policies and making risk profiles, while the repetitive information-gathering tasks are left to automation.
As Capgemini Invent, we can help you bring to life what’s next in the KYC domain. We can offer you an approach that starts with rationalization of policies from an operational executability and smart automation perspective and that ends with smart, automated, compliant and cost-efficient KYC processes. We combine our extensive experience in compliance, digital transformation, data science and smart automation in a customized approach to optimize your KYC practice. To discover more, please take a look at how to lower processing costs and increase efficiency. If you would like to learn more, please reach out.
Please reach out to our expert Casper Stam if you would like to know more about the KYC domain.