Customer onboarding can be overshadowed by other aspects of an organization’s compliance program, often viewed as a “check-the-box exercise” that doesn’t necessarily make the headlines. However, customer onboarding is not only a foundation to any sound program as the first line of defense against risk but also is a cornerstone of compliance. Information obtained during onboarding is not static, but dynamic, used to better understand a customer’s purpose and relationship and to help mitigate financial crime risks. This data can inform the entire customer life cycle, including risk assessments, identification of beneficial owners, periodic reviews, politically exposed person (PEP) and sanctions screening, transaction monitoring and fraud prevention.
This information can be used to mitigate risks or even detect unusual behavior, especially in light of how improper or incomplete beneficial ownership information can be used to obscure corporate structures. Additionally, obtaining beneficial ownership is crucial to being compliant with sanctions concerns, ensuring that sanctioned companies or individuals do not lie within a complex ownership structure or utilize a shell company to launder money.
Information Cannot Exist in a Vacuum
Customer identification and documentation obtained at the onboarding stage is an integral first step to protecting against financial crime risks. A know your customer (KYC) program is a best practice for most companies and a requirement for financial institutions (FIs). This begins at customer onboarding and requires FIs to collect appropriate information and verify their customers through obtaining the correct information as required. In addition to obtaining personal information to verify their customers, FIs should conduct customer due diligence (CDD) to obtain additional information on the customer. This is important to not only be compliant with financial regulations but also protect FIs against financial crime risks.
The information collected during this process is essential to knowing the customer, understanding the expected transactional activity and identifying any jurisdictional risks. Collecting appropriate information is also crucial in providing an accurate risk rating and ensuring that the correct level of due diligence is conducted on higher-risk customers. The information is the first step to knowing who your customer is and to identify any red flags in the transactional activity or customer documentation.
This information continues to be useful for the second line of defense. Investigations into customer activity, such as a review of transactional activity, may use CDD information such as an individual’s occupation or a business’ profile to determine if the activity is unusual. Additionally, expected transactional activity entered at onboarding can help the second line of defense address issues should there be sudden changes in the amount and type of activity. Since customer onboarding is an important step to ensuring institutions know their customers, help institutions identify any suspect activity and protect FIs from financial crime risks, it is imperative for institutions to have a robust and efficient onboarding process.
Remote Onboarding: The New Normal
The COVID-19 pandemic likely contributed to the rapid increase in the use of remote onboarding. Our survey results certainly indicate that remote onboarding has a favorable view in the industry, especially in highly regulated industries. Despite this overwhelmingly positive view, the chances of bad actors exploiting the institution by engaging in illicit activity increases, especially if there are faults in the technology, or if those using it on the compliance side of the organization are not trained appropriately. As much as remote onboarding can help move business along, there remains the human element of reviewing this data and making determinations about its accuracy and risk. As stated earlier, a well- implemented onboarding process is a way to address these concerns and is the best first line of defense.
Onboarding information can be used throughout the client lifecycle. However, if the data is inaccurate, out of date or missing, this wave of bad data flows through subsequent ongoing monitoring processes, making it less reliable for other users.
Another notable aspect of the survey was that 6% of survey takers stated that remote onboarding either “somewhat” or “significantly” worsened timing and efficiency of customer onboarding. Although outliers compared to others surveyed in their jurisdictions, it is intriguing that some countries would express a concern about efficiency. Is it due to being in highly regulated regimes? Or is it because their own companies require more onerous procedures when remote onboarding is involved?
Overall, our survey results indicate that highly regulated industries have embraced remote onboarding technology with 70% of global respondents confirming it improves the timing and efficiency of the process. Technology and its use are clearly being encouraged by regulators, governments and industry bodies. But how does this affect the onboarding and monitoring aspect of a compliance program? Remote onboarding, which does not require any form of in-person verification, is open to many opportunities for fraud. Because of this, remote onboarding may trigger additional verification and monitoring steps, which fall on the institution to absorb.
Interestingly, most of those individuals surveyed by Kroll utilize a host of compliance tools, including 91% using fraud monitoring, 87% using customer identification and verification databases and 86% using AML transaction (AML TM) monitoring. Even the lowest response within the survey was 50%, where survey respondents indicated they are currently using liveness/facial recognition systems. Half of the respondents saying they utilize facial recognition technology is surprising as this technology is continually evolving and relatively new compared to other data tools. Additionally, none of those taking the survey stated that they do not use any of these tools. This is not surprising due to the amount and breadth of technology admittedly used, at least among the larger regulated industries that were surveyed.
However, if these systems are used in a vacuum, not only in terms of the systems themselves but also between different compliance departments, it brings into question whether they are being used in the most effective manner. Is integrating them a solution?
Integration as the Future
It is an all-too-familiar scene across every industry: the employee who has five different systems open on their computer screen (or multiple computer screens) at the same time, trying to use, review and reconcile all data while performing their work duties. The employee then has to save the information to a specific location for audit and regulatory purposes. Issues may still arise if they don’t have access to a particular software program or database and cannot get the information themselves. They may have to go to another employee, which then opens additional issues regarding access, privacy concerns and the sheer organizational red tape that may be present.
As seen in the survey, internal integration of surveillance tools has either occurred or will occur within the next year, according to the majority of the survey takers, including 93% for fraud monitoring and 90% for PEP, enforcement and adverse media screening. Integration between internal systems at an institution would seemingly be a positive development in terms of work efficiency and in data quality and accuracy. Certain internal data sources may have more data than others and may also contain more detailed or even conflicting information that warrants additional review. However, does integration aid in the ongoing fight against financial crime? Is this a reflection of regulatory pressure or pure innovation on the part of these surveyed institutions?
Internal systems alone can provide a wealth of data and should be used across the organization to help address financial crime and fraud issues. However, as good as integration is, a human reviewer, trained to use and to interpret how the information fits together will be needed. Application programming interfaces (APIs) between internal systems can greatly increase efficiency and accuracy of data. Should this also be considered in terms of interfacing between external systems, SaaS products and government systems?
In the area of KYC and CDD, an item becoming more frequently discussed is the concept of “perpetual KYC” or “dynamic KYC.” When compared to the more traditional approach, perpetual or dynamic KYC information is continually refreshed, reviewed, interpreted and integrated into other systems based on information obtained throughout the client’s life cycle, whether it be from transaction monitoring or other screening sources. It is not static data that is refreshed manually every few years, as has been the case with traditional KYC. This ensures more accurate information is on file, which then trickles down to the other lines of defense.
The concept of data integration works between other systems as well. An example would be KYC information being used to assist in the sanctions screening, transaction monitoring and fraud detection processes. Sanctions alerts could trigger a review of a customer’s transactions and vice versa. However, none of these integrations are helpful if the individuals reviewing the data don’t understand what they’re looking at or how to interpret the data.
Overall, systems integration can be a key component to a financial crime compliance program, but it is only as good as the data itself, as well as the people who are using it. It comes down to communication between different lines of an organization, breaking down groups that are siloed, and training compliance and business lines so that each knows what the other is doing. In the long run, this organizational direction will greatly help in the fight against financial crime.
This article was also contributed to by Holly Noonan.