Defining your KYC requirements – five top tips by Ascertus
In partnership with Phil Ayton, Director, Sysero, we explore how to define your KYC software requirements.
Changing KYC regulations
Staying on top of Know Your Customer (KYC) compliance can be a daunting task for many organisations, given the ever-increasing scrutiny of regulators, the numerous KYC regulations, and the need for the utmost detail to demonstrate that every effort has been made to fulfil the obligations of the legislation. With KYC requirements within organisations and the adoption of disparate systems, it’s easy for cracks to form in the compliance framework, potentially leading to non-compliance breaches, financial penalties, reputational damage, and even the closure of business. The latter happens more often than we think. Many a time, when firms merge, the underlying cause is legal non-compliance.
Here are five top tips to help develop a solution that can help organisations to navigate KYC compliance with confidence:
A holistic approach to KYC processes
A fundamental mistake many organisations make is to try and solve KYC problems with point solutions – identity verification, client onboarding, sources of funds, and so forth. This approach results in the adoption of numerous point solutions, a significant investment in time and money, and yet offers nowhere near the capability needed to meet compliance standards. In reality, it’s the process and workflow problems that need resolution, which in turn requires a holistic and structured approach to compliance so that the organisation can convincingly prove that it diligently undertakes measures to comply. Map out the full KYC workflow – from client onboarding to ongoing monitoring – across departments, looking for ways to standardise and connect each step.
Tailor your KYC procedure
Generic KYC compliance controls don’t cut it. Take the time to define policies and procedures that are tailored to the organisation’s client base, risk profile, and operational needs.
If the firm does commercial real estate, potentially the chance of money laundering is high, so define stringent rules to minimise the possibility of oversight. Simply searching for an individual, and claiming the KYC compliance was fulfilled, won’t hold water with regulators. The organisation must be able to illustrate with a fair degree of detail, what searches it conducted, which searches it didn’t, why it took the decisions it took, and so on.
Likewise, if a firm offers tax audit services, then from a KYC perspective, identity verification poses a higher risk than money laundering.
The power of KYC automation
Many manual KYC tasks, from data gathering to screening, can be streamlined through automated KYC solutions. This not only improves efficiency but also helps eliminate human error and creates a more consistent, scalable, and defensible process. Take a strategic approach, identifying bottlenecks and pain points in existing processes, and create custom policies and workflows using automation tools to then integrate them seamlessly into the organisation’s infrastructure.
Here’s an example of such an approach and the end result. A firm creates a digital client intake solution, incorporating a built-in risk matrix to automatically assess new clients against the Money Laundering Act (AML) requirements. The client information is automatically checked against various public registers and information databases and their identity is authenticated through their Bank Identifier Code. All client data is stored (and deleted) in compliance with GDPR legislation. Any clients or cases that fall outside the requirements are automatically routed to a simplified workflow for further assessment to ensure compliance. Once approved, the cases are automatically created in the firm’s integrated internal systems. Every step of the process is documented for internal quality control and compliance protection. Voila!
KYC audit – ready at all times
Having compliance processes in place isn’t enough. Ensure an audit trail. An organisation needs to capture every decision point, with supporting evidence, so that when regulators come knocking, an audit trail can be generated to demonstrate the processes that were followed, the available information then, and therefore the decisions that were taken.
An audit log is key for internal audits too. It allows organisations to have visibility of who did what activity and when, what matters are stuck in the respective processes, and why, alongside providing the ability to easily report on all of them. Consider this common scenario in law firms. Typically, there is a time lag between when a new matter comes and when the assigned lawyer can start work. This is to accommodate the initial KYC checks and due diligence processes. Say, due to an individual being on holiday, the matter is unduly held in process. This means that the lawyer either waits until the due process is complete, which could be a few days, in turn delaying the work – or initiates legal activity without all the KYC checks being completed. Neither option is satisfactory. Embedding the right processes that clearly evidence and record all the decision-making and activity makes it much easier to do business.
Dynamic KYC software
The regulatory landscape is continuously changing, and therefore ‘deploy and forget’ type solutions are inadequate. Organisations must be able to make changes routinely by deploying scalable KYC software in tune with business needs and growth. Ensure that the software deployed for KYC is flexible and agile enough to be continuously adapted to evolving regulatory obligations.
The biggest and perhaps the most obvious tip is always to remain legally compliant. Adopting the right technology is essential. There are of course many KYC solutions available on the market, but adopting one that is built on low-code technology offers the best capability for developing and maintaining a future-proof approach to KYC compliance. By adopting low-code technology, organisations have the best of both worlds – they are not dependent on technology vendors and implementation partners to evolve the KYC solution on a routine basis, but at the same time should they need assistance, they can always tap into the expertise of these external parties.