Sponsored by ?

This article was paid for by a contributing third party.More Information.

The client onboarding challenge: Getting to grips with 2016’s AML and KYC compliance risks

A webinar convened by Operational Risk and sponsored by Thomson Reuters addresses the evolving challenges faced by financial firms in the area of client onboarding. Our panel explores the compliance and operational risks that anti-money laundering (AML) and know-your-customer (KYC) regulation will create for organisations in the coming year.

To investigate suspicious financial activity, authorities need access to timely, accurate data. This requires the involvement of banks and other financial institutions. But having to cope with myriad rules in areas such as AML and KYC means that the cost of compliance is rising amid diminishing profitability and high capital requirements under Basel III. The temptation for some firms is to retreat from whole geographies or client segments entirely, a phenomenon known as ‘de-risking’. 

Elsewhere, financial institutions must roll up their sleeves, work out how best to respond to those myriad changing requirements and attempt to organise themselves to onboard clients quickly and efficiently. Achieving this is easier said than done, but there are many practical steps firms can take that will help. Doing it well and efficiently can help differentiate firms and provide for a much smoother client experience. 

THE PANEL

  • Billy Evans, Managing Director of Operations, Barclays Africa
  • Roland Guennou, Industry expert, KYC and client onboarding
  • Steve Pulley, Managing Director, Client On-boarding and KYC Solutions, Thomson Reuters

Operational Risk: What are the major regulatory requirements in areas such as AML and KYC that affect the task of onboarding clients for firms like yours? 

Billy Evans: The major aspects here today are money laundering and KYC. The challenges here – particularly if you are a multijurisdictional financial institution – are the proliferation of regulations to get your head around, which contain many inconsistencies and perhaps even incongruities. The key aspect for me, particularly around these regulatory requirements from a commercial point of view, is that this is pre-deal. You cannot do deals or conduct trade finance, for example, without having these things in place. So the regulatory requirements really do affect the life cycle of a trade. 

The requirements that we have to fulfil are extremely onerous, and the consequences of not fulfilling them accumulate on a daily basis. Finally, the world we are in now demands this is a completely dynamic process throughout the life of the relationship with your client. This is not just a ‘tick-box’ exercise, this is a new way of working.

Roland Guennou: It absolutely is a new way of working, and one of the key challenges institutions face in terms of client onboarding is achieving that subtle equilibrium between adequate risk management, operational effectiveness in the face of rising requirements and customer experience. 

Some of the enquiries performed around customer due diligence and KYC are definitely seen as intrusive by certain customers. The effectiveness and the experience that customers gain through client onboarding is also becoming a major differentiation and competitive factor for firms in the competitive landscape.

Operational Risk: With your experience of working with many different firms on issues around onboarding, what do you see as the most important requirement they face in this area?

Steve Pulley: The world has changed considerably; there is so much regulatory focus now on preventing money laundering. And it has evolved from what could have been a tick-box exercise to fulfil a set of obligations and demonstrate that you’ve done enough, to a world where you’re really expected to know your client – not just when you onboard them, but every day that you’re dealing with them. The most important component is with the 2012 Financial Action Task Force principles, and this has increased the onus on knowing your customer at all times. It’s actually having the processes, procedures and tools in place to achieve that.

Operational Risk: Most firms say that onboarding a client typically takes several weeks – does this result surprise you at all?

Steve Pulley: A little, but, in our experience, several weeks sounds reasonable. 

One of the reasons for the time it takes to onboard a client is if that client is of a particular risk profile, then that requires you to actively engage them, seek and have them provide documentation and then react to that. That can sometimes take a while. Clients don’t necessarily send the documents back the next day, for example. You also have financial institutions out there with backlogs to get through; even if the documents came back the next day, unless there was a real noise coming from the front office, you can see how that can take longer. 

Billy Evans: There are so many factors that can shorten or draw out your timeline. There is certain information that is public, but it’s the non-public information that can take quite a bit of time. 

roland-gennouRoland Guennou (left): I would certainly echo everything that has been said, especially the diversity of factors that may impact the timeline of a client onboarding. There are probably two more factors I would add from a client onboarding perspective. One is the completeness and quality of customer due-diligence standards and how they support clear customer due-diligence requirements. The second is around the quality of the client outreach. 

Operational Risk: When it can take several weeks or up to a month to get a client onboarded, what are the practical steps that are taking place?

Roland Guennou: Focusing on the AML side of onboarding and the customer due-diligence discipline associated with them, the process would usually start with identifying the relevant client type or entity type that the customer falls into. And that would drive a first level of calibration of the customer due-diligence check – determining whether a customer is a regulated financial institution, as opposed to a corporate or a trust. This is often combined with a first estimate of the degree of risk of that customer based on jurisdiction and the nature of the business. Then, gathering customer information across identity and registration details, the nature of the customer’s business activities and geographical footprint, and then moving on to understanding the nature of the business relationship and source of funds coming into that relationship. Further enquiries would then be made into ownership, beneficial ownership and control structure, to understand not only who the customer is, but who is behind the customer and who controls the affairs of the customer. 

Once these data points have been identified, the firm would screen the various parties identified against sanctions, politically exposed persons and adverse media to uncover any subsequent risk factors behind those parties. Enquiries around source of wealth might also be performed around either the customer itself or its beneficial owners. As a final step, the risk assessment would be completed based on the discovery of the relevant risk factors, usually crystallised in a risk rating or risk classification of the customer. 

Operational Risk: How much around the process of regulation and de-risking, and the intensity of what it takes to onboard clients, is about regulation versus other factors such as risk management?

Billy Evans: I personally don’t believe that the AML and KYC side of things that we’re talking about here drive a significant portion of de-risking. From a commercial point of view, if it makes sense to be in a certain jurisdiction, a certain geography or line of business, commercial factors will be the first determinants as to whether or not institutions want to play in that space. Once these risk elements start to act against those commercial elements, that is where the reasons we’re speaking about here might contribute. But I would hesitate to say that it is a major factor. And, if it is deemed a major factor, that raises instant questions because the pure concept of really knowing your client and avoiding money laundering is a community-based responsibility. If you find that a major deterrent, then that starts to raise some other questions in terms of company culture as well.

Operational Risk: One thing we’re hearing often, particularly from the operational risk space, is how regulatory uncertainty is a huge cause of concern, with so many confusing, overlapping and complex requirements. Clients are some of the most important stakeholders for any business. When you think about onboarding, how do you think about the client experience, and what would be your desired outcomes in terms of client experience?

Billy Evans: We absolutely think about it, and any operational area worth its salt needs to put this at the forefront of their thinking and processes. One thing we need to realise is that this is equally complicated for clients. Clients are not out there doing this as a business; they’re out there buying and selling, creating business, and so forth, so they want to move through this as quickly and with as little effort as possible. So the concept of effortless client service really comes into play here. 

Depending on the different kinds of operating models the different institutions may have, I think what is key is to ensure there is a degree of specialisation in the topic. That interacts directly with the client to avoid an iterative approach of “sorry, we have the wrong document, and so forth”. And it is often that first contact with the client that gives a first taste of what it is going to be like to work with or develop a relationship with this particular bank. 

Secondly, when you are doing follow-ups to obtain more documentation or clarification, again, it’s the succinctness of that discussion and the effort involved in resolving it that can really make or break a client relationship. 

Roland Guennou: There is also the issue related to that of different onboarding processes across KYC – credit, legal or operational set-up of accounts, for example, and different regulatory obligations, creating multiple and often excessive touch points with the client that are also quite deeply affecting the client experience. Customers are probably legitimately asking why they have to provide more of the same information at several points in the process, and to several different parties.

Steve Pulley: Over and above that, imagine for a second you’re a client operating in a higher-risk jurisdiction or higher-risk industry. By extension, your banks will be refreshing their KYC probably annually, and they’re not doing that in unison. So, you’re in the business of whatever it is that you’re doing, and your treasury and company secretarial function is having to field the same but slightly varying asks asks from multiple providers consistently throughout the year. 

From the perspective of the end-clients, the [to date] limited industry standardisation around this has posed a real challenge for them. Clients see this as just the entry ticket to being able to do business. Essentially, it is an administrative activity that should be straightforward. And why wouldn’t compliance officers from all the banks see regulation through the same lens, and make the same conclusions around what information is and isn’t required? It’s those differences that drive them crazy.

Operational Risk: With rules in this area changing over time and with clients that have already gone through the onboarding process, how does that affect your stance towards them, especially when you have to consider the new clients that are coming in at the same time?

billy-evansBilly Evans (left): In today’s world, regulations are changing on a monthly or even weekly basis. It’s a fact of life that one has to just get their head around this very quickly. This is the way you have to adapt in order to continue. 

Again, consistency is key here. That experience you have with your clients, in terms of when you initially onboard them, should be the same type of experience as when you’re reaching out to them to obtain further documentation, or whatever it may be, because regulations have changed. And you have the obligation to make yourself more familiar with certain aspects of the business. 

What is key here is taking some time to explain to clients why this is actually happening, the necessity for it and the greater good of it. I’m not sure that we, as a financial industry, do a great job of this. I think we need to take a little more time and opportunity to get that across to clients. 

Operational Risk: Customer communication is always very important and people don’t often turn down business from new and existing clients on the basis of AML and KYC regulation. Do you agree?

Billy Evans: I think it is accurate. The topic of KYC has been around for a decade, so you’re probably talking about very established relationships. You have to go a long way to start exiting clients. I think banks and financial institutions are quite selective about the profile of the customers that they actually want to do business with.

Operational Risk: A lot of this comes down to technology. As somebody with experience of working with lots of different clients in this area, what strategies and solutions can you recommend firms employ to ease the burden of onboarding?

Steve Pulley: There is a range of solutions. At the lower-value end, yet still mission-critical, you have established solutions that have been around, typically data and content solutions that plug in to the financial institution’s workflow. And financial institutions continue to go about their business of collecting, validating and screening their clients themselves. 

In the middle are the platform solutions, workflow solutions that streamline the client onboarding process with all the links into legal, credit and other areas of the bank, or the asset manager that requires sign-off before the client is good to transact or good to invest. 

At the very top end – what we’re seeing coming from the vendor industry now – is the emergence of managed service and utility solutions, Thomson Reuters being an example of this. 

These industry utility and managed services solutions, like the one we operate, are able to go and collect that KYC information on behalf of the industry and organise it from public sources, from private sources and from the clients themselves. They do the work of pulling the KYC file together, including the screening of the officers, the directors and the beneficial owners, and essentially package up the information for the financial institution to then take its view on that client, and maybe even decide it needs to do more enhanced due diligence to really understand who they are. 

But the beauty of the industry utilities coming out is that you are contacting the client as an industry considerably less frequently. If the KYC record already exists in the utility, your time to onboard is going to reduce by 90% or more. Even if there are specific nuances of information that your particular firm needs over and above the industry standard, it is still going to massively accelerate the time to trade. You’re going to trouble clients less for additional information. Everybody is going to benefit from the most recent refresh. There are lots of community-wide benefits that come from that. 

We’re just beginning to see the emergence of these solutions and the financial industry dipping its toe in the water. It is trialling these in the belief that there is the potential for considerably improved client experience, but also some real reduction in operating costs as a result of moving some of this redundancy of doing the same work multiple times over on the same sets of clients across the industry.

Roland Guennou: The major players in this field have now achieved the position where standards have been agreed across their members or participants. And I think we are at the stage where trialling is now beginning. 

One of the current challenges is the education process of customers, who are being invited to contribute data and documentary evidence to this process. This represents quite a shift in practice and, even though the benefits are clear, it will probably take a little time for firms to sign up and become completely involved in this new concept.

Operational Risk: Is it a question of critical mass?

Billy Evans: The appetite for this is growing for a couple of reasons. For one, I think it’s becoming clear that the cost of this is very much fixed in nature. It is becoming more onerous. It’s not going away and it’s starting to draw down on investment spend that companies or financial institutions have as well. The realisation that, as an industry, we are throwing money at doing exactly the same thing is becoming very clear. So I think the appetite to start engaging and exploring this kind of thing is growing.

Operational Risk: What do you think firms must consider when looking at potentially getting third parties to help them with this process? Are there any particular risks that firms have to be attuned to and do they vary, depending on the scale of the involvement of third parties? 

Roland Guennou: One of the things that firms would want to contemplate is where to put the dial in terms of when they rely on third-party providers versus the disciplines that they keep in-house. I think the increasing regulatory expectation is for firms to demonstrate that they have systems and controls in place where they can gauge the acceptability of their customer relationships, based on the complete and thorough assessment of the risk of those relationships. 

I think what the utilities landscape is going to offer is an opportunity for firms to redirect their internal resources more towards the risk assessment part of their process, as opposed to the collection of the additional information and documentation that provides the data in support of that risk assessment. 

An interesting area in this field is screening. One could argue that the screening for sanctions, politically exposed persons and media is somehow a data-gathering exercise. But it is also a qualitative risk management exercise, and we are seeing different offerings from different utilities in this space. 

Steve Pulley: You do see differences in opinion as to the extent of that being a core competency. Right now, the financial industry is fundamentally resourced for yesterday’s KYC challenge, not tomorrow’s. So, there is this ongoing monitoring, looking at all of the regulatory sites, doing daily screening, looking at adverse media for whether anybody that is a related party to their clients has been in the news or associated with bribery or corruption, or otherwise. The industry isn’t really doing a great job of monitoring its clients for change, and important change through time, and those resources are not in place today. That is a core part of the value proposition for a firm such as ours. 

The majority of AML and KYC regulation was written before the digital age, around 2000. What we’re going to see over the next five years is this profound change as people begin to look at digital sources/footprints for other pieces of information.

Operational Risk: In terms of the use of third parties and how they can help make the onboarding process smoother, what is the cost of these?

Steve Pulley: I can tell you how we approach this. And we look at life on a per-entity or per-client basis. Not all clients are the same. The high-risk entity in a high-risk jurisdiction that has a lot of ownership complexity is a very different proposition to build a KYC file on and unwrap the ownership structure of, than a London-listed FTSE 100-regulated bank, for example. There is just a very different level of work and a very different level of validation that is required there. 

Pricing schedules have a range in them, depending on the complexity of the entity. That’s certainly how we look at life. But the advantage to the consumer of these is it’s an ‘eat what you consume’ type model, rather than having to pay a minimum or an ‘all you can eat’ kind of licence model. So you cannot put a single number on it – you could be in tens to hundreds of dollars, depending on what that client actually is and the work entailed. 

As for the policy standards that the client wants you to go to, some firms want to go to 10% beneficial ownership on everything. Others are happy going down to 25% and, again, if you’re going to 10%, there is a lot more work. So I think, with all of these client engagements, there is a level of mutual due diligence that gets done upfront. 

The banks have to do their own homework but the bottom line of it is that we have enough examples now where clients are achieving run-rate benefits of 20% to 40% to even 50% savings. There is a compelling economic case before you even layer in regulatory conformity and client experience.

Operational Risk: How do you embed a culture of strong, efficient onboarding within your organisation, and ensure you continue to deliver efficient onboarding processes over time? How do you stay ahead of the curve?

Roland Guennou: To summarise, it is to make sure you have people in onboarding and KYC functions that understand what they are there to do, and the outcomes they are pursuing. We still see many organisations where KYC customer due-diligence onboarding is seen very much as an operations area, similar to settlements and, therefore, driving quite a box-ticking approach to fulfilling requirements. 

A lot of the relevance and efficiency of this process depends on how people doing the job are able to have an intelligent conversation about a specific case – with their front office, the customer or both based on clearly understood outcomes of customer due-diligence and technical proficiency. Having specialists with a strong degree of proficiency in the various disciplines associated with client onboarding is key. It is something that can no longer be relegated to just a box-ticking exercise.

Operational Risk: What does it take in terms of your firm’s infrastructure? What is your attitude to how you constantly improve in KYC onboarding?

Billy Evans: I completely agree with what Roland said. From our perspective and, I believe, from others’ as well, this is turning into more and more of an investment. It’s about the technical proficiency, but the type of individual that is actually standing out in this space now has great communication skills, because you’re fundamentally either interacting with your front office or the client, depending on the model. And you need a strong client service ethic that is not a box-ticking exercise, it is about constant investment. 

We are, as an industry, really resourced, financed and invested for KYC as of yesterday. And that comes back to why 40% don’t see the benefit. What is sometimes difficult to understand is that it’s not necessarily about the cost base that you have now, but the cost base you are going to have in two years’ time to keep up with the growing demands.

Operational Risk: Staff retention is tremendously important. Do you think it’s important to hold on to people who are good at this stuff?

Steve Pulley: Yes, absolutely. With AML, the tone has to be set at the top of the house. If the executive committee or chief executive officer are not 100% behind this, that’s a real problem. It doesn’t cost anything to get that right, that’s just communication and fortitude. 

Looking at training and competency, there are a few pillars – learning and development are a key part of this. Training and ensuring that administrators are refreshed and that you embed a continuous learning culture, a lot of that is on the job, but it is supplemented with courses and specific investments that we make in our people. I think language comes into it as well. We’ve done KYC on entities from more than 140 countries and have translated more than 50 languages back into English. We have real programmes, not just around AML literacy, but also around language. 

There is knowledge management, so that you build a real repository across ops, policy, technology, and so you can leverage the collective knowledge that you’re building. And there is talent management. Our staff are bright, they want to build and develop their skills. If you can put real planning into that, with reward and recognition, with continued investment in skills as part of career development, then you can reduce your attrition rates profoundly. 

Operational Risk: What are we doing as an industry to make the customer experience more ‘pleasant’, without compromising on money-laundering rules? Are there any points we can make, specifically in relation to customer experience? 

Billy Evans: Communication is key, and it is completely up to the industry to solve this client experience problem. It’s about consistency and standardisation and we, as an industry, are the only ones that can solve that – it is up to us as banks to collaborate, to come up with a consistent approach that we can follow, so where we should really be competing is our products, not about how we onboard clients.

Steve Pulley: Our experience of whiteboarding and blueprinting the service with banking participants involves significant process mapping around how and when you touch the client, who touches the client and what they are expecting from the client. Why do we need that step in the process? What would we give up if we didn’t have that step in the process? 

Then we have natural tension between compliance and the front office. Compliance is appropriately setting the rules and ensuring that the banks are accountable to a regime that is going to protect the firm and the clients. The front office, on the other hand, is asking “how do we make this as streamlined as possible?” So those exercises are certainly taking place. 

Again, our experience where we work in a particular market with all of the major players suggests you can reduce the number of touch points on these clients by a factor of three-quarters quite easily. It just requires the investment in time from people as an industry.

Read/download the article in PDF format

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here