In the ever-evolving world of anti-money laundering, firms are under more pressure and scrutiny than ever before, especially when it comes to verifying the identity of customers. In this blog, we will consider the regulator’s increased focus on KYC verification and examine scenarios where verifying an individual or entity may pose greater difficulty.
Surely we aren’t still talking about KYC?
We are now in the digital age of financial services and the idea of 'knowing your customer' is nothing new. The marketplace for 'smart-KYC', biometric verification and faster account opening is exciting, and there is already a highly competitive marketplace, but as an auditor, I am still yet to see a perfect score when testing KYC files on-site.
You only need to look at the news to see that despite major advances in KYC technology, there are more issues than ever before. Regulators are more active and are paying closer attention to firms’ customer due diligence (CDD) policies and procedures and more specifically, how they are followed. Taking the FinCrime risk out of the equation, we are setting ourselves up to fall if we aren't even following our own documented approach.
To me, it doesn't matter if you have straightforward processes, a fixed customer demographic and a perceived 'low-risk client base', you will still come across unusual opportunities, posing challenging onboarding scenarios. Let's be honest though, most firms have complex processes and a global client base operating in the borderless world of financial services.
Increasing regulatory focus: Standard Chartered fine.
In February this year, Standard Chartered was ordered to pay $1.1 Billion by the UK and US regulators for 'poor AML controls'. The fine centred around serious and sustained shortcomings in Standard Chartered’s customer due diligence and ongoing monitoring processes. Dissecting this further, the fine was for significant failures in the verification of client information. In one such case, an account was opened with 3 million UAE Dirham in cash handed over in a suitcase. There was little information captured on the high-risk individual in question and little to no source (origin) of funds requested. Combine this with no trigger events when potential sanctions breaches were identified, or red flags regarding the deposit of a vast amount of cash, and there really is no surprise that enforcement action was taken.
So, what made this such a tricky verification? The high-risk nature of this client type and non-standard forms of documentation make the verification process that much more complex. Add in cultural differences in the Middle East, a reluctance to ask high net worth individuals about their assets, and an AML regime that is still evolving, and therein lies the crux of a major bank failing to fulfil its regulatory obligations.
Increasing regulatory focus: Danske Bank scandal, ongoing.
There is a lot of information out there regarding Danske Bank, but a closer look at some of the findings to date highlights the widespread problems most firms have when verifying corporate customers. There are hundreds of cases here where Scottish Limited Partnerships (SLPs) were used as a front for laundering funds. SLPs represent a unique form of business class and under such arrangements, a firm can appoint offshore corporations as the ultimate beneficial owners (UBOs). Coupled with these ‘corporate UBOs’ being structured in jurisdictions that permit anonymity of ownership, but operating with a UK registered address, these innocent-looking entity types provide an obvious vehicle for money launderers.
These complex ownership structures are prevalent in the Danske Bank scandal, with UBOs of many SLPs discovered to be domiciled in the likes of Argentina, Belize, and the British Virgin Islands. Verifying these entities can prove extremely tricky, and this led to the biggest money-laundering scandal in history, where c.€230 Billion was laundered through the Estonian branch of Danske Bank. We are only now learning that the true underlying ‘persons of significant control’ have strong links to Russian oligarchs, and the deliberately opaque ownership models of these SLPs were a great way to take advantage of and circumvent inadequate CDD procedures.
Financial inclusion, financial services for everyone?
As highlighted by the Joint Money Laundering Steering Group (JMLSG), some customers may not be able to produce what we often refer to as ‘standard evidence of identity’.
For example, this can be a common occurrence when dealing with migrant workers and students. Individuals who don't have an established electronic footprint, and foreign-language identity documents, often don't pass electronic means of verification.
There is an increased focus on the inclusionary nature of financial services and as such, the FCA has adopted a broader view on what it considers financial inclusion to be. Firms are expected to ensure that where people cannot reasonably produce standard forms of identity evidence, they should not be automatically denied access to financial services.
Firms are therefore expected to be more agile in accepting non-standard documents for verification, ensuring they are taking reasonable steps not to exclude an entire population of consumers. The tricky part here is the extra reliance on, and ultimately the added cost of, third-party vendors that are able to use translation services and biometrics to verify a wider demographic, though there is very little in terms of regulation and guidance out there that confirms this approach is truly compliant.
In truth, these are only a few examples that come to mind. The real tricky part is figuring out how we gather enough information to satisfy CDD regulation whilst remaining customer-centric, competitive and without ultimately bombarding customers with requests for documentation. Even when we get documentation, does it really reduce the risk of money-laundering or does it just give us the green light to open accounts? We're told to verify a customer's identity from an 'independent and reliable source' but to my knowledge, no such source exists?
Ultimately, to me, it all boils down to one thing: understanding the true nature and purpose of the account. KYC, KYB, CDD and all the terms used for onboarding customers are wide-ranging, but it all falls under the first line of defence against money laundering and terrorist financing. If something doesn't seem right or make sense at the outset of a customer relationship, then it probably never will!
All that being said, my view is often to meet all of the mandatory KYC requirements and if there are no true red flags, onboard the customer and use your transaction monitoring to see what they actually do. If they tell us one thing at onboarding and do something entirely different in reality, then we have reasonable grounds for suspicion, and we have something of substance to submit to the authorities.
This is of course assuming our people, processes and technology are appropriate, effective and reliable.
For a more in-depth understanding of tricky verifications, join fscom’s Regbite on 21st November 2019 where we will debate how to deal with all of the above, walk through many practical examples of verifying non-standard documentation, and provide clarification on exactly what is expected of firms from both a regulatory and law enforcement perspective.