Your Guide to KYC and AML Compliance
As technology has connected businesses and consumers across the traditional barriers of language and distance, it has created a world of unprecedented economic opportunity. But in doing so, it has also significantly increased the risk and complexity of doing business across Europe and the rest of the world.
Organisations are under growing pressure to identify, analyse and understand exactly who they’re doing business with — specifically to abate the international threat of terrorism and financial crime. This pressure manifests itself as Know Your Customer (KYC) regulation, as well as various Anti-Money Laundering (AML) directives.
While specific legislation varies from region to region, core compliance requirements are fairly uniform across the international business environment under the FATF requirements and recommendations. Any organisation that does business internationally also needs the agility and foresight to meet the KYC compliance standards of each client’s respective jurisdiction.
What is KYC?
In its simplest terms, KYC means being able to tell the difference between favourable and unfavourable clients. Specifically, “unfavourable” means anyone with political or criminal connections, or with a history that otherwise deems them to be high risk for your company.
Sourcing high-quality KYC information has historically been a tedious, difficult and unreliable task.
Even so, financial institutions around the world have been required to do this for the last few decades. After all, lending money to or servicing a person who presents a high risk of default, or who may be involved in illegal activities, can be incredibly damaging for any bank or financial institution.
Many other industries are only now facing the reality of international business and introducing measures to ensure widespread KYC compliance. Unfortunately, this is an entirely new activity for many organisations, leaving them unsure of how to acquire, collate and analyse the right information.
It will be your organisation’s responsibility to prove its KYC compliance and that everyone involved has done their part. This involves documenting and keeping relevant records on all clients, including their business type, the nature and size of their transactions, as well as the source of their funds and the reason for the existing business relationship. Failure to do so brings with it significant risk in terms of financial cost, reputational damage and potential judicial consequences.
At a minimum, organisations are generally required to document clients’ business type, their source of funds and wealth, the purpose of specific transactions, and the expected nature and level of transactions.
There are four primary objectives when gathering KYC information, using a risk-based approach:
- Identify the customer
- Verify the client’s true identity
- Understand the customer’s activities and source of funding
- Monitor the customer’s activities
While there are a number of high-quality free sources of information, such as search engines or public databases, finding exactly what you need from this vast range of resources is incredibly time-consuming. This simply isn’t a feasible long-term approach for any business that values speed, efficiency and scalability. It’s also absolutely essential that all sources are verifiable and trustworthy.
The 3 steps of a KYC compliance framework
1. Customer Identification
Before checking a customer’s identification documents, it’s necessary to verify their and scrutinise all available information for any inconsistencies. You need to be sure that your potential customer is not on any of the Sanction Lists (such as the OFAC or Interpol Lists).
You also want to be informed if your prospective customer is Politically Exposed, as it is deemed at international level that a PEP (Politically Exposed Person) is more susceptible to corruption, hence such customers should be considered as high risk and subject to specific mitigation measures.
2. Customer Due Diligence (CDD)
Due diligence measures should include collecting all available data on the customer from trusted sources, determining the purpose, intended nature and key beneficiaries of the relationship, as well as maintaining ongoing monitoring of the relationship to ensure all activity is consistent with recorded customer information.
3. Enhanced Due Diligence (EDD)
If the customer is deemed to be higher risk than expected, enhanced due diligence measures are required.
High-risk customers include those with political exposure (PEP), an existing relationship with competitors, or anyone whose country of origin is on the “High-Risk Third Countries” list, as outlined in Article 18 of the 4AMLD. Enhanced due diligence measures usually include more intense monitoring of the customer relationship and deeper investigative research.
The most efficient way to become KYC compliant is to build the gathering and analysis of information into existing processes, such as client onboarding. That being said, it can be difficult and time-consuming to execute these processes consistently at scale. To address these issues, automation plays an increasingly large role in KYC compliance.
Take Customer Identification, for instance. It’s both quicker and more reliable for a computer to cross-reference and verify a person’s identity documents than it is for a human to make a copy of those documents, put them on file and manually check for inconsistencies. Manual checking is especially unreliable when tools like Photoshop can easily be used to manipulate pictures. A computer system which is designed to detect counterfeit documents is also far more likely than a human to spot a fraudulent document.
What is AML?
AML is a blanket term for the constantly evolving laws and regulations that are in place to prevent money laundering and other related financial crimes. AML compliance is a lot more comprehensive than KYC compliance and actually includes it as one of its requirements.
AML legislation in Europe is currently defined by the 4th Anti-Money Laundering Directive (4AMLD), which covers everything from KYC requirements and virtual currencies to internal company policies that specifically address money laundering and terrorist financing.
The upcoming 5th AML Directive was successfully voted on in April 2018 and will be rolled out across member states within the next 18 months. The 5th Directive will build on the requirements of the 4th, but with a stronger focus on a few specific activities linked to virtual currencies and other new technologies.
4 quick tips for AML compliance
1. Stay informed
As AML legislation and regulations are always evolving, it’s vital to be aware of new developments and ensure they’re understood and followed across your organisation. Always be on the lookout for new developments and for great information resources — the KYC3 blog is a good place to start.
2. Know your customer
A comprehensive KYC compliance framework that includes detailed procedures for Customer Identification & Verification, Customer Due Diligence and Enhanced Due Diligence is essential.
3. Build a responsible organisational culture
As AML compliance requires policies and processes that are applied consistently across the organisation, it’s important to have a culture of ethical practice that’s communicated from the top down. Regular training for all people in the company with strong involvement of the Top Management, including Board Members, is essential.
4. Assess and quantify risks more broadly
Take a more comprehensive approach to risk assessment and quantification, based on your jurisdiction and the country of residence of your customers, but also on the technical features of your products or services. Your risk-based approach, generally called the Risk Matrix, should take into account your policy towards affiliate businesses and partnerships.
Exposure to risk needs to account for these third parties, their respective connections, as well as their products. It is also a good idea to tailor risk assessment for each unique jurisdiction, as well as to proactively gauge the inherent risk of existing and future regulations in the considered jurisdiction.
Does this affect my organisation?
The short answer is: yes. Even if your industry has not traditionally required it, widespread KYC and AML compliance is quickly becoming the norm on the international business stage. Whether you are an obliged entity or not, a tool like KYC3 can help you address all of your KYC and AML compliance needs in line with the points outlined above.
With the guidance and support of KYC3, you can enjoy the following benefits:
- Make faster KYC decisions for each prospective customer or partner organisation.
- Automate your KYC processes by defining the conditions for accepting or declining prospects.
- Be one step ahead of the regulations by knowing how to prove your KYC compliance correctly.
If you’d like to learn more about how your organisation will be affected by regulation in Europe and the rest of the world, get in touch with the KYC3 team and we’d be happy to help.