This article will cover:

• What it takes to implement an effective AML customer screening process.
• The most common issues businesses face when devising screening procedures.
• How technology can help businesses screen customers more effectively and efficiently.

What is customer screening in AML?

Customer screening in AML is the process of identifying and assessing the risk profiles of new and existing customers so that financial institutions (FIs) know exactly who they are dealing with. This involves checking customers against various databases, such as sanctions lists, politically exposed persons (PEP) lists, and adverse media sources, to detect any potential involvement in illegal activities. 

The goal is to ensure compliance with regulatory requirements and prevent the institution from being exploited for money laundering, terrorism financing, or other financial crimes.

Why is client screening important?

Financial businesses worldwide are required by regulations to implement effective customer screening policies and procedures. These are crucial because they ensure criminals cannot exploit legitimate financial services for nefarious purposes.

However, customer screening processes also have a significant impact on businesses themselves.

If the screening and monitoring procedures aren’t effective at identifying criminals, businesses are exposed to severe reputational damage and regulatory penalties. At the same time, if these processes aren’t conducted efficiently enough, they cost the business time and money every time a new customer is onboarded.

These costs add up quickly. Every additional minute it takes a business to screen a legitimate customer is an extra minute the customer has to wait to get the service they would like to use. So, in practice, customer screening processes directly impact the customer experience, the business’ reputation, and its bottom line.

AML regulations governing customer screening

Customer screening practices are mandated by know your customer (KYC) protocols, AML laws, and global anti-terrorism measures enforced by governments.

In the US, customer screening is mandated by the Unifying and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA Patriot Act), which was implemented in the wake of the September 11 attacks. The US Financial Crimes Enforcement Network (FinCEN) enforces this regulation in accordance with the Financial Industry Regulatory Authority’s (FINRA) Rules 2090 and 2111.

In the EU, all member states are required to implement the ‘new’ 6th Anti-Money Laundering Directive, which sets out ‘mechanisms…for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.’

In the UK, the Money Laundering Regulations of 2017 set out the rules for KYC and customer screening based additionally on guidance provided by the European Joint Money Laundering Steering Group and the Financial Conduct Authority (FCA).

This guidance is laid out clearly in the recommendations put forward by the Financial Action Task Force (FATF) and implemented globally by organizations such as The Middle East and North Africa Financial Action Task Force (MENAFATF) and the Financial Action Task Force of Latin America (GAFILAT). Specifically, the recommendations state:

Financial institutions should develop programmes against money laundering and terrorist financing. These programmes should include:

1. The development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees.
2. An ongoing employee training programme.
3. An audit function to test the system.

Source: The FATF Recommendations, updated November 2023

The key components of an effective AML client screening process

Businesses implementing customer screening processes typically involve at least six distinct procedural components.

1. Customer due diligence (CDD): Before a commercial relationship is established, businesses are required to conduct due diligence processes to verify the information customers provide, including their names, dates of birth, addresses, and account information. All customers are subject to this scrutiny, so businesses need to be able to take these steps promptly and efficiently.
2. Enhanced due diligence (EDD): If the information provided is discrepant or the business uncovers any reason to subject the customer to additional scrutiny, the customer must undergo EDD. This involves a more thorough investigation into the customer’s details, businesses, and transactions and typically takes longer.
3. Sanctions screening: An integral part of any customer screening program is cross-referencing the customer name against the publicly available lists of individuals, businesses, and countries that are subject to sanctions globally. Should a customer be implicated directly or by association on such a list, the business will need to subject them to the additional scrutiny of EDD procedures.
4. PEP screening: Businesses also need to determine if the customer in question is listed as a PEP. This might be due to their direct involvement in political activity, such as their job or title, but may also be due to their association with someone holding political office. Notably, businesses need to keep checking such lists as changes in political circumstances around the world may change a customer’s status at any time.  
5. Adverse media screening: Besides checking publicly available sanctions and PEP lists, businesses also need to routinely screen customers against negative or adverse news stories published worldwide as they may implicate customers in criminal activity. This kind of screening needs to be conducted routinely to keep up with world events. It’s also crucial for businesses to track news events in different languages.
6. Ongoing monitoring: It is not enough for businesses to screen customers and their names before they begin transacting with them. An integral part of appropriate customer screening is the ongoing monitoring of all customers over the course of the commercial relationship to ensure that businesses are prepared for changes in the customers’ circumstances, emerging news, and updates to global lists.

Common challenges when implementing customer screening

Customer screening is a critical layer of defense in ensuring criminals aren’t able to use their resources to exploit legitimate businesses. At the same time, businesses must use their own resources to implement these processes, raising several key challenges for them. Chief amongst them are:

• Data quality issues: To effectively screen customer information against multiple lists from around the world, businesses need to ensure they have access to reliable data sources. If the data doesn’t update frequently enough or is incorrect in any way, it could lead to false positives and negatives. False positives make screening processes take longer, wasting time and frustrating customers. False negatives expose businesses to reputational damage and regulatory fines.
• Employee productivity issues: At an operational level, compliance and customer onboarding teams must be able to screen customers thoroughly and efficiently. If employees need to access multiple systems and screens to do this, it slows them down and keeps customers waiting. Crucially, it makes it more expensive for businesses to then scale these processes as they grow.
• Customer experience issues: While customer screening processes are necessary to help businesses manage risk, they also mean it takes customers longer to get what they’re paying for. The longer it takes a business to verify a legitimate customer, the more frustrated that customer is likely to become. In an intensely competitive landscape, this can often affect how likely a customer is to work with a given business in the future.

Best practices for effective customer screening

Given the complexity and inter-connectedness of the challenges businesses face when implementing customer screening, it’s worth considering the following best practices:

• Implement a risk-based approach: Businesses should implement customer screening processes based on a deliberate risk-based approach that accounts for the degrees of risks they are willing to take. That might mean lighter screening procedures for some customers and enhanced processes for others. The important thing is to detail these specifics in terms of policies and implement procedures based on this thorough analysis.
• Use automation to gain leverage: To ensure employees can screen customers quickly and confidently, businesses can use software and automation to traverse the vast data of global lists and dynamically update client risk scores based on new information. This ensures processes move at a faster pace, and new employees can be added to compliance teams with less friction.
• Prioritize staff training: Technology can help businesses screen customers more efficiently, but ultimately, these processes rely on the judgment and intuition of employees. By investing time and effort in improving documentation and employee education, businesses can ensure their screening procedures are implemented with the appropriate care and discretion each customer requires.
• Conduct routine audits: Once implemented, every customer screening program needs to be rigorously tested and scrutinized objectively. Under the pressure of meeting quarterly benchmarks, it’s easy to overlook the issues that might emerge when processes are actually applied. So, it’s vital to routinely audit the program, looking for weaknesses, inefficiencies, and opportunities for improvement.

Market-leading AML customer screening software

Financial businesses of all sizes use ComplyAdvantage to balance the efficiency and effectiveness of their customer screening programs at scale. Here’s how it makes a difference:

• By streamlining the onboarding process, businesses utilize advanced AI technology to screen new customers against a variety of risk factors, including sanctions, PEPs, watchlists, adverse media, and enforcement data. 
• ComplyAdvantage enables access to complete customer profiles conveniently on a single screen. This simplifies the automation of risk assessments, allowing businesses to focus on prioritizing customers who pose the highest risk.
• The platform also offers capabilities to analyze the team’s screening workload easily and maintains a comprehensive record of all case decisions in one centralized location. This functionality is critical to ensuring compliance teams are always prepared for an external audit.

BigPay improves analyst efficiency with integrated customer screening

Award-winning FinTech BigPay experienced these benefits first-hand when it decided to partner with ComplyAdvantage for customer screening to replace its manual, ad hoc processes. The firm needed a flexible, unified platform that could scale across multiple markets and handle volume spikes during periods of peak demand. Furthermore, BigPay needed a solution to automate workflow processes for name screening and adverse media searches, freeing up analyst time for more in-depth investigations. With ComplyAdvantage, BigPay was able to custom-build a single proprietary interface connecting multiple tools, trackers, and databases via a single API. The financial services firm also set up unique screening profiles for its individual markets, providing proportional controls for different products and transaction types – such as remittance and e-money. Accessible search profile configuration and fuzziness fine-tuning streamlined the process of aligning with new regulations.

“We now have the benefit of researching sanctions, PEPs, and adverse media all at the same time from a large number of sources rather than using multiple tools and databases. The time saved comes from only having to research the alerts, rather than wasting time looking for them.”

Ashwin Nazareth, FinCrime Operations & Disputes Principal, BigPay

The post What is customer screening & why is it important for AML? appeared first on ComplyAdvantage.

It’s certainly an essential component in know your customer (KYC) and anti-money laundering (AML) regulations.

But without an efficient, scalable, and reliable way to continuously detect hidden risks in customer activity, it would be almost impossible to prevent financial crime from taking advantage of legitimate financial services.

This article will look at:

• Why ongoing monitoring is so important.
• What it takes to successfully monitor customers.
•  How automation and software can help.

What is ongoing monitoring in AML?

Ongoing monitoring is the process of routinely assessing customers and their transactions for risks for criminal activity such as money laundering or terrorist financing.

Unlike the screening processes at the start of a new customer relationship, an ongoing monitoring program is a continuous effort to verify that customers are who they say they are and that their transactions are legal and compliant.

Why is ongoing monitoring important in AML

Ongoing monitoring is a critical layer in a company’s overall AML efforts because it tracks and verifies both customers and their activities over a long period of time. This is crucial for three reasons:

1. Customers may not be participating in criminal activity when they first start transacting with a financial business. But they might start doing so later on. Without an ongoing approach to detecting risk, the business would be none the wiser and yet completely exposed.
2. Financial criminals go through great efforts to present as legitimate actors, often posing as legal businesses or even manipulating legal businesses to transact on their behalf. But while these efforts might be enough to bypass initial screening procedures, the more they transact the harder it becomes for them to continue fooling a robust AML operation.
3. Even if a customer isn’t participating in illicit activities, their risk levels may change over time. For instance, the outcomes of elections in foreign countries may mean certain customers are now considered politically exposed persons (PEPs), new stories may emerge about their involvement in other criminal activities, and the ultimate beneficial ownership of their businesses may change hands. All these changes merit further investigation as they emerge.

This is why the ongoing monitoring program is so important to ensuring FIs can protect themselves from the regulatory penalties and reputational damage that can result from failing to detect criminal activity.

The AML regulations and requirements for ongoing monitoring

Given its critical role in detecting criminal activity, ongoing monitoring is now a central requirement of every major KYC and AML regulation around the world.

• The UK’s Money Laundering Regulations of 2017 require firms to “conduct ongoing monitoring of a business relationship, including—(a)scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile; (b)undertaking reviews of existing records and keeping the documents or information obtained for the purpose of applying customer due diligence measures up-to-date.”
• Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) require all reporting entities to comply with ongoing monitoring requirements as of 2021.
• The Australian Transaction Reports and Analytic Center (AUSTRAC) mandates ongoing customer due diligence with a view to identify, mitigate, and manage the risk of reporting entities being involved in or facilitating money laundering or terrorist financing.
• The Reserve Bank of India (RBI) recently updated its AML and CTF requirements to mandate closer ongoing monitoring of transactions in customer accounts.
• The US’ Financial Crimes Enforcement Network (FinCEN) enforces ongoing monitoring to identify and report suspicious transactions as part of its customer due diligence (CDD) rule.
• The Financial Action Task Force includes ongoing due diligence as part of its International standards for combating money laundering and terrorist financing.

Penalties for non-compliance

Financial institutions have been fined severely and repeatedly for AML-related infractions, amounting to more than $50 billion since the global financial crisis of 2008.

Violations that receive the biggest penalties typically involve a failure to effectively calibrate AML measures with a firm’s risk profile, including deficient customer due diligence processes and a failure to monitor PEPs and high-risk entities.

For instance, in 2022, a European bank received one of the largest fines of the year for insufficient transaction monitoring of high-risk customers and inadequate measures for enhanced due diligence, even though it had claimed its AML systems were effective.

The main components of the ongoing monitoring process

Ongoing monitoring is an essential aspect of a company’s overall efforts to conduct due diligence on its clients and identify any risks of money laundering or terrorist financing activity.

Based on the business’ risk-based assessment, ongoing monitoring will be conducted as part of both standard customer due diligence (CDD) and enhanced due diligence (EDD).

It’s made up of several component processes that typically include:

• Transaction monitoring: To routinely observe and report on the nature of client transactions and whether they’re in line with the client’s stated objectives, historical patterns and within the scope of legitimate transactions of that nature.
• Ultimate Beneficial Ownership (UBO): To maintain an ongoing understanding of the client’s source of funds as well as keeping tabs on the individuals or entities who ultimately gain from the client’s activities.
• Sanctions checks: To regularly consult sanctions lists from all around the globe in the event that anyone representing the client or their business should be subject to additional layers of scrutiny as identified by governments and authorities.
• Adverse media: To continuously monitor media and publications around the world for any indication that anyone representing the client or their business is implicated in nefarious activity that might warrant additional due diligence and controls.
• PEP checks: To regularly determine whether or not the status of anyone representing the client or their business should be updated to highlight their political exposure and therefore require an increase in scrutiny or change in policy.

Ongoing monitoring best practices

Globally, AML regulations expect reporting businesses to continuously monitor their clients’ activity with general requirements around reporting suspicious behavior and maintaining documentation on policies and controls.

But the onus is still on businesses to implement a system of ongoing monitoring that is both effective at detecting risks and efficient enough to run sustainably. Some best practices that can help businesses on this path include:

• Prioritize an ongoing approach to risk scoring: Some businesses only implement risk scoring for their clients as part of a single spreadsheet-based exercise. While it might seem to reduce the effort required from compliance teams, this leaves businesses exposed to inevitable changes in the client’s circumstances and patterns. For ongoing monitoring to effectively detect risk, businesses need risk scoring to be constantly updated.
• Leverage automation to scale efficiently: Machine learning can have a sizable impact on a business’ ability to monitor all of its clients on an ongoing basis successfully. With the right integrations and interfaces, it can dynamically update risk scoring and proactively collect new information on clients from sanctions lists and adverse media to ensure compliance teams can reliably detect risk at scale.
• Documentation cannot be an afterthought: A constant audit trail of every decision, policy and control is absolutely essential to ensuring that regulators have the information they need while also ensuring internal audit teams have everything they need to assess processes. This documentation needs to be an innate, ideally automatic part of the AML process rather than an additional step to be manually implemented after decisions are made.

Automated ongoing monitoring solutions

Financial institutions around the world rely on ComplyAdvantage’s ongoing monitoring solution to run more efficient, effective AML processes. They’re able to combine:

• An easy-to-use, highly configurable platform that intuitively presents data from multiple sources so analysts can get the full picture faster.
• Market-leading proprietary data that leverages machine learning to dynamically update profiles based on adverse media, PEP lists, and sanction lists globally.
• A process that includes fewer false positives, a faster way to manage alerts, and a constant auditable trail of every decision and action taken.

Investment company Freetrade experienced this firsthand when the company determined it needed to implement more rigorous ongoing monitoring. Freetrade selected ComplyAdvantage as a partner that could deliver ongoing screening and monitoring alongside the flexibility to configure the lists it screened against. 

“The quality of data we get through ComplyAdvantage is really important to us. Through ComplyAdvantage, we have comfort that we’re screening and identifying high-level PEPs and all the way down to local councilors.” 

Rob O’Sullivan, Director, Financial Crime Compliance and MLRO, Freetrade

The post What is the point of ongoing monitoring in AML? appeared first on ComplyAdvantage.

The post Mythbusting AI for AML: Efficiency, explainability, and regulation appeared first on ComplyAdvantage.

They’re an integral part of a bank’s overall anti-money laundering (AML) efforts.

This article will look at:

• What KYC processes are in banking;
• Why they matter; and
• What banks can do to conduct these processes more efficiently and effectively.

Why does KYC in banking matter?

KYC processes play a vital role in the banking industry because they serve to protect both banks and the clients they serve. For banks, KYC processes represent a legal requirement to create and maintain records on the profile of every client (as well as those who may operate on their behalf) so that the bank knows who they’re working with and can report any suspicious activity should it arise.

In this way, it reduces the bank’s exposure to the risk of criminal activity, such as money laundering and terrorist financing, while simultaneously giving crime enforcement authorities the ability and notice necessary to prevent criminal behavior.

For clients, KYC processes ensure that the bank they’re working with is only making recommendations that are suitable for their specific financial situation and needs. They ensure banks are aware of the client’s existing financial standing before suggesting a sale, purchase, or investment of any kind.

In this way, they protect clients from predatory behavior and untoward practices that might threaten their overall financial health.

KYC regulations for banks

Banks are subject to KYC regulations and standards all over the world, though there are some differences in when different countries first enacted these requirements as well as in what they precisely stipulate.

Some notable examples of KYC regulations for the banking industry include:

• The Australian Transaction Reports and Analytic Center (AUSTRAC) first established KYC requirements in 1989 with the Anti-Money Laundering and Counter-Terrorism Financial Rules Instrument amending those prescriptions in 2007.
• The Financial Transactions and Reports Analysis Center of Canada (FINTRAC) established itself as Canada’s financial intelligence unit in 2000 and then updated its regulations in 2016 to enact new methods for client identification that comply with new AML requirements.
• The Reserve Bank of India (India’s central bank) introduced KYC guidelines and standards for the first time in 2002 with a particular focus on anti-money laundering compliance.
• Banca d’Italia (Italy’s central bank) set KYC requirements for banks in 2007 and oversees the regulation of all banks and financial institutions operating on Italian soil.
• The UK’s Money Laundering Regulations of 2017 are the latest underlying rules for KYC, with further guidance provided for banks by both the European Joint Money Laundering Steering Group and The Financial Conduct Authority (FCA).
• The US’ Financial Crimes Enforcement Network (FinCEN) enforces the Financial Industry Regulation Authority’s (FINRA) Rule 2090 around Know Your Customer and Rule 2111 around Suitability.
• The Financial Action Task Force of Latin America (GAFILAT) oversees the implementation of AML and CFT requirements for KYC processes in 17 Latin American countries across south, central, and North America.
• The Middle East and North Africa Financial Action Task Force (MENAFATF) oversees the implementation of FATF recommendations for KYC, AML, and CFT all across the region.

Penalties for Non-Compliance

Altogether, banks worldwide have been fined billions of dollars for failing to comply with KYC, AML, and CFT requirements over the past few years. In addition to these financial penalties, banks have also had to contend with severe reputational damage, threats to their charters, and sanctions that ‘blacklist’ them around the world. 

The three phases of KYC in banking

Around the world, regulations and guidelines for KYC in banking stipulate the need for three components, steps, or phases of vigilance. They are:

1. A robust customer identification program (CIP)

The need for KYC in banking starts when the relationship with the client starts. The first objective is to verifiably determine whether or not the client is who they say they are. This applies to all clients and, in the case of corporate clients, extends to the individuals identified as beneficial owners of the client business.

The documents and identity details required for this step include the client’s name, address, date of birth, and government-issued identification numbers found in passports and/or driving licenses. For corporate clients, this includes business licenses, articles of incorporation, partnership agreements, and financial statements.

Regulators need to be able to see that banks can promptly acquire and verify all this information using well-documented procedures that all staff are trained in.

2. A risk-based approach to customer due diligence (CDD)

The purpose of customer due diligence is to understand the extent to which any given client can be trusted. It’s about determining the degree of risk a bank should assign to their client so firms can administer the appropriate approach for different clients and circumstances.

To that end, most CDD programs are comprised of three distinct levels, each requiring greater diligence than the last.

• Basic (or standard) due diligence is what all clients will be subjected to and often includes steps to determine where the client is and what their typical patterns of transactions look like.
• Simplified due diligence (SDD) is for clients deemed to be of low-level risk. For these clients, banks need only undertake some of their diligence practices as long as they continue to monitor the client’s risk level over the course of the relationship.
• Enhanced due diligence (EDD) is reserved for clients deemed to pose a higher risk of criminal activity like money laundering or terrorist financing. It typically involves the need for more information from clients, external checks against publicly available data and internal investigations into the client’s accounts and transactions.

3. A continuous system for ongoing monitoring

The final phase of KYC in banking is arguably its most critical – the ongoing monitoring of all clients throughout the course of their relationship with the bank. The goal is to keep track of whether or not a client’s risk profile needs to be adjusted based on their activity. Banks are free to determine how frequently these checks are made as well as how many resources need to be dedicated to this.

However, regulators require banks to track changes in the frequency, location, type, and pattern of transactions they’re clients are part of. Banks also need to monitor whether or not there are notable changes in the client’s status. For instance, whether there has been adverse media coverage of them should adjust their risk level. Or if they’re included in publicly available politically exposed person (PEP) lists and sanctions lists.

Common KYC challenges for banks

Banks face a number of issues when trying to implement effective KYC programs. Chief amongst these are three common challenges with wide-ranging effects:

• The customer experience suffers. The longer it takes a bank to verify a customer’s identity and risk status, the longer a customer has to wait to achieve their own goals. This friction can motivate banks to take shortcuts in these critical processes, but it can also motivate criminals to try and abuse those very shortcuts.
• The workload is hard to scale. Because of the amount of analysis and investigation required to accurately determine what any given client’s risk level should be, compliance officers are often slowed down by convoluted workflow for false positives. Banks need to constantly improve the rate at which they’re able to conduct checks.
• The diversity of regulations can be overwhelming. Banks operating in multiple jurisdictions need to adopt divergent practices depending on the local regulations that govern them. Compliance teams often struggle to keep up with both the changes in these regulations and the complexity of clients operating in multiple places.

The influence of AI and machine learning on KYC for banks

Automation plays a crucial role in helping compliance teams at banks overcome all these challenges. AI and machine learning help teams by:

• Speeding up customer onboarding: Allowing compliance teams to complete more thorough checks more rapidly by traversing a vast number of data sources and flagging issues based on the bank’s specific risk-based approach.
• Replacing manual tasks: Allowing compliance officers to spend more time on exceptions and less time validating false positives by automating the processing of multiple cases more accurately and more promptly.
• Simplifying regulatory complexity: Allowing banks to deploy procedures and processes in new jurisdictions while still following their specific risk-based approach by ingesting more relevant data sources and adapting to local laws more quickly.  

Leading AML & KYC solutions for banks

Banks require intelligent solutions that can handle the complexity and scale of efficient AML and KYC processes. When evaluating vendors for KYC solutions, it’s important to consider the following key benefits: 

• Automation of ongoing monitoring, which delivers sanction updates up to seven hours earlier than official source emails, allowing compliance teams to identify critical changes in risk earlier.
• Seamless integration with a RESTful API that triggers immediate alerts and webhooks, enabling straight-through processing and the ability to instantly freeze any flagged transaction.
• Streamlined customer onboarding by reducing false positives and improving alert quality, based on a global and dynamic database of sanctions and watchlists.

The post What is the KYC process in banking? appeared first on ComplyAdvantage.

But what are these requirements, and how can firms ensure compliance to help safeguard the integrity of Australia’s financial system? This article explores the nuances of Australia’s KYC requirements, offering compliance professionals guidance on mitigating the risk of non-compliance and improving their firm’s onboarding protocols.

What is KYC, and why is it important? 

KYC is the process of verifying a customer’s identity before facilitating their transactions. By law, Australian firms must identify both individual customers and corporate entities by verifying their personal and company information using official documentation. Firms must also assess the risks of facilitating transactions on behalf of these clients or entities.

KYC is important for several reasons:

• Preventing financial crime: KYC checks help mitigate the risk of financial crimes such as money laundering, terrorist financing, fraud, and identity theft. By verifying the identity of customers, firms can reduce the risk of these illegal activities occurring with their systems.
• Regulatory compliance: Australia’s AML/CTF laws require regulated firms to implement KYC procedures. Failure to comply with these regulations can result in several penalties, including fines and legal consequences. 
• Risk mitigation: KYC allows FIs to assess the risk associated with each customer. Customers with higher-risk profiles, such as politically exposed persons (PEPs) or those from high-risk jurisdictions, may require more extensive due diligence to ensure they are not involved in illicit activities. 
• Enhanced security: Verifying customers’ identities helps protect businesses and legitimate customers from fraud and unauthorized transactions. It adds an additional layer of security to transactions and reduces the likelihood of account takeover or unauthorized access. 
• Collaborating with law enforcement: In situations where financial crimes do occur, KYC records can be invaluable for law enforcement agencies – in Australia’s case, the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC), and the National Anti-Corruption Commission (NACC) to name a few. Theses agencies can use the information to investigate and prosecute individuals or business entities involved in illegal activities. 

AML & KYC regulations in Australia

The AML/CFT Act 2006

The Anti-Money Laundering Counter-Terrorism Financing (AML/CFT) Act 2006 outlines Australia’s framework for combatting money laundering and the financing of terrorism. It details expectations, regulations, and penalties for non-compliance. The Act applies to a wide range of businesses and professions, called reporting entities, including:

• Banks.
• Financial institutions.
• Casinos.
• Cryptocurrency exchanges.
• Bullion dealers.
• And more.

Under the legislation, reporting entities are required to conduct customer due diligence (CDD) procedures. They must also report any suspicious activity or large cash transactions to the Australian Transaction Reports and Analysis Centre (AUSTRAC). Additionally, firms are required to keep records of customer information for at least seven years after the provision of any designated services has ceased. 

The Privacy Act

Additional KYC legislation applicable for Australian firms includes the country’s Privacy Act, which covers all personal information that is collected and verified during the customer identity verification process. Since this type of information is considered sensitive, companies should consider storing the data with a higher level of privacy protection, according to the Australian Privacy Principles.

Chapter 11 of the Australian Privacy Principles outlines the steps that reporting entities should take to ensure the security of personal information gathered throughout the KYC process. These steps involve: 

• Implementing a culture of data governance.
• Maintaining the culture through regular training. 
• Employing data handling practices, procedures, and systems across business models.
• Ensuring robust IT and access security.
• Developing internal strategies in case of data breaches.
• Identifying a process for the destruction and de-identification in certain circumstances.

Australia’s financial regulators

Including AUSTRAC, there are three main financial regulators in Australia:

• AUSTRAC provides tools, AML/CTF guidance, and enforcement measures for entities under its supervision. The regulator was also instrumental in helping update Australia’s framework for combating money laundering.
• The Australian Securities and Investments Commission (ASIC) monitors institutions and markets to make sure they operate ethically and fairly. It regulates individual and institutional conduct and advocates for customers.
• The Australian Prudential Regulation Authority (APRA) oversees Australian financial institutions. It focuses on stability and safety in the financial system.
  

Components of the KYC process 

There are three core components of every KYC process, including:

1. A customer identification program (CIP).
2. Customer due diligence (CDD).
3. Ongoing due diligence. 

Click here to learn more about each stage of the KYC process.

What are the KYC compliance requirements in Australia?

In light of the core components of KYC listed above, Australian firms are required to:

1. Verify a customer’s identity.
2. Identify and verify a customer’s SoF and SoW.
3. Conduct customer risk assessments.
4. Maintain records of customer identification history and all transactions.
5. Report suspicious transactions to AUSTRAC. 

1. Customer identity verification

Under KYC requirements in Australia, firms must verify a customer’s identity before allowing them to onboard and make transactions. That is, they must be sure the customer is who they say they claim to be. Customers are asked to provide documents such as a passport, driver’s license, proof of address, or other government-issued documentation. A big KYC challenge facing FIs and other reporting entities (REs) is matching the proof of identity to the client. Using trusted providers, many firms are moving towards a biometric model of KYC identity verification.

Firms must also be certain of the true owner or owners (also known as beneficial owner) of any non-individual customers or entities. This means the person or persons who ultimately own or control the entity.

Companies are required to provide:

• Full company name.
• Whether the company is registered with ASIC as a public or proprietary company.
• The company’s Australian Company Number (ACN) or Australian Registered Body Number (ARBN).

2. SoF and SoW verification

Under the Privacy Act, Australian reporting entities are required to identify and verify SoF and SoW as part of their KYC processes. When developing SoF and SoW processes, AUSTRAC recommends firms ask the following questions to ensure all procedures align with their risk appetite: 

• Can the customer’s SoF or SoW be easily explained through their occupation, investments, or inheritance?
• Is the customer’s background consistent with their former, current, or planned business activity and turnover?
• Do the explanations for SoF and SoW match the information gathered through EDD and open-source checks?
• Do high-risk customers require the same level of verification for establishing their SoF and SoW?
• Should higher thresholds for “reasonable measures” be applied when dealing with a foreign PEP as a customer or beneficial owner?

According to AUSTRAC, “reasonable measures” means what is practical and necessary in line with the firm’s identified money laundering and terrorist financing risks.

3. Customer risk assessment

As part of the KYC process, Australian firms are required to carry out a risk assessment for their customers. This assessment takes into account the likelihood of the customer “being involved in money laundering or terrorism financing, based on factors such as the size, nature, and complexity of their operations.” Since every customer risk assessment is unique, there is no one-size-fits-all approach. To ensure compliance with regulations, firms must create a flexible AML program that is tailored to their individual customer’s profile, needs, and risks. Depending on the alerts raised or concerns identified during the risk-based approach, KYC procedures may need to be adjusted accordingly.

4. Record keeping

FIs are required to maintain records of customer identification history and all transactions for a set time period. In Australia, this is for the duration of the business relationship and seven years afterwards. Under KYC compliance in Australia, firms must keep a record of how they verified a customer’s identy and what information they presented. 

Firms must keep robust records for independent audits, regulator spot-checks, and any future fraud enquiries.

5. Reporting suspicious activity

Firms are required by law to report suspicious transactions or activity to AUSTRAC as part of their role in investigating and preventing financial crime and terrorist financing. Reasons for suspicion may include larger or more frequent transactions, payments to/from an individual on a sanctions list, or several transactions just below the reporting threshold – which may indicate structuring.

In Australia, these reports are called suspicious matter reports (SMRs). In other jurisdictions, these are called suspicious activity reports (SARs).

The benefits of being KYC compliant

Some key advantages of being KYC compliant include:

• Risk mitigation: KYC procedures enable FIs to assess the risk associated with each customer. By verifying the identity and background of customers, they can categorize them based on risk profiles. This risk-based approach helps firms allocate resources and monitoring efforts more efficiently to high-risk customers, reducing the likelihood of fraud, defaults, or other financial losses.
• Regulatory compliance: Regulatory authorities impose strict KYC requirements on FIs to combat money laundering, terrorism financing, and other financial crimes. Compliance with these regulations is critical to avoid fines, sanctions, or even the loss of a banking license.
• Enhanced reputation: Maintaining robust KYC standards builds a reputation for trust and integrity. Customers are more likely to entrust their assets to FIs that demonstrate a commitment to security and transparency, thereby attracting and retaining clientele.
• Operational efficiency: KYC compliance streamlines customer onboarding processes. With verified customer data readily available, firms can open accounts and offer services more efficiently, reducing administrative costs and speeding up time-to-market for new products.
• Fraud prevention: KYC procedures help identify and prevent fraud. By ensuring that customers are who they claim to be, institutions can detect and block unauthorized transactions and protect themselves and their customers from various forms of fraud.
• Cross-border operations: For firms looking to expand internationally, KYC compliance is crucial. It ensures adherence to various countries’ regulations, facilitating cross-border transactions and partnerships. Additionally, it enables institutions to understand the specific risks associated with different regions and adjust their strategies accordingly.
• Monitoring and reporting: KYC procedures include ongoing due diligence, which allows FIs to monitor customer transactions for suspicious activity. Early detection and reporting of unusual transactions to regulatory authorities can help in preventing money laundering and other illicit financial activities.

Penalties for non-compliance with KYC requirements in Australia

Non-compliance with KYC requirements in Australia can result in significant penalties and legal consequences. The penalties for non-compliance are enforced by AUSTRAC and may include the following:

• Civil penalties: AUSTRAC can impose civil penalties on reporting entities that fail to meet their AML/CTF obligations. These penalties can range from fines, which can be quite substantial, depending on the severity of the non-compliance.
• Criminal prosecution: In more severe cases of non-compliance, criminal prosecution may be pursued against individuals and organizations. This could lead to fines, imprisonment, or both, especially if non-compliance is intentional or part of a broader criminal scheme.
• Enforceable undertakings: AUSTRAC can also enter into enforceable undertakings with reporting entities, which are legally binding agreements that outline specific actions the entity must take to rectify non-compliance issues.
• License suspension or revocation: AUSTRAC has the authority to suspend or revoke the operating licenses of financial institutions or other reporting entities that repeatedly or egregiously fail to comply with AML/CTF requirements.
• Reputation damage: Non-compliance can result in significant damage to an organization’s reputation, which can lead to a loss of customers and business opportunities.

Meet KYC compliance in Australia using advanced solutions

It’s crucial for organizations subject to AML/CTF regulations in Australia to take KYC requirements seriously, establish robust compliance programs, and regularly update their policies and procedures to remain in compliance with the law. As new risks emerge and the AML/CFT landscape evolves, FIs need innovative software partners who understand the challenges of KYC. ComplyAdvantage’s automated KYC software utilizes a proprietary, consolidated risk database for automated screening and monitoring. Customizable matching technology means faster and more accurate KYC, enhancing customer experience and reducing onboarding time.

The post A guide to KYC requirements in Australia appeared first on ComplyAdvantage.

What are KYB and KYC?

KYC and KYB form part of a firm’s customer due diligence (CDD) process. Depending on the level of risk identified during KYC and KYB checks, firms will perform varying levels of ongoing monitoring throughout the business relationship.   

What is KYB?

KYB is a verification process used when one business engages with another – as opposed to a business engaging with an individual. It plays a similar role to KYC in helping establish and verify customer identities. It can also accurately assess the level of risk involved in starting a business relationship with the entity in question. KYB helps businesses investigate and determine whether an entity is a genuine organization or whether the business owners have set it up as a front for illicit activity of some kind – i.e., a shell company. 

Once the legitimacy of a business has been verified, the business’ ownership structure must also be established, including the company’s directors and ultimate beneficial owner (UBO). Identifying these individuals can help shed light on whether the business is legitimate, whether there are links to illegal activity, and whether there are anonymous parties in play. 

At the same time, KYB can help businesses assess risk by determining whether the entity under scrutiny or its employees have been sanctioned, received criminal convictions, or attracted negative news coverage attached to previous activities.

What is KYC?

KYC is a procedure for verifying a customer’s identity and monitoring their financial behavior. It is carried out when a business onboards a new customer and continues throughout the business relationship on an ongoing basis. A number of territories require KYC to be carried out by law to help prevent money laundering and the financing of terrorism. 

Regulated industries include financial services, such as banks or investment platforms, and other services, such as insurance or gambling. These industries are considered more susceptible to identity fraud than others, so it becomes very important to check that a customer is who they say they are. KYC also plays a role in helping businesses assess the risk of lending to a customer by understanding their background and history. 

What is the difference between KYB vs KYC?

The difference between KYC and KYB is that the former focuses on conducting business with individuals, whereas KYB relates to building trusted relationships with corporate customers. While KYC procedures gather information about an individual, a KYB check involves collecting and screening information about a company. 

KYB and KYC regulations

KYC and KYB requirements vary by jurisdiction, but there is a framework of 40 recommendations for KYC set out by the Financial Action Task Force (FATF) that member states must adhere to. These recommendations provide overarching standards for FATF member countries in their shared global effort to prevent and combat financial crime. Jurisdictions can use these recommendations to establish and maintain a robust KYC system for their economies.

United States KYB/KYC regulations

KYC laws first came into existence with the 2001 US Patriot Act, set up to combat terrorist activity in the United States and other countries. The act strengthened existing requirements around CDD and anti-money laundering (AML), and also introduced special measures such as additional record keeping and UBO identification. In 2016, American KYB laws were strengthened with the addition of the CDD Final Rule, or Customer Due Diligence Requirements for Financial Institutions.  

EU KYB/KYC regulations

In the EU, member states set their own KYC and AML rules, although the EU itself has set up some directives and regulations to govern what these should entail. One important piece of legislation in this region is the General Data Protection Regulation (GDPR), which requires high standards of data privacy and record keeping. In 2021, the EU proposed a unified AML/CFT rulebook and the creation of a new EU Anti-Money Laundering Authority (AMLA). This is due to come into force by 2024. 

UK KYB/KYC regulations

The UK’s approach to KYC and KYB is similar to the EU, including GDPR. In 2020, its AML regime was updated to move from the EU directive to FATF standards. However, the UK’s exit from the EU in 2021 created turbulence and a spike in scam activity. Among other changes, the EU’s identity verification system is no longer accessible to British and Northern Irish institutions. 

What are the key requirements for KYB and KYC compliance?

Although regulations and procedures vary worldwide, the processes for KYC vs KYB can be generalized based on the requirements common to all or most jurisdictions. 

KYB verification process

• Collect basic identifying information, such as company address, registration or incorporation documents, and the identities of key people in the business.
• Verify the legitimacy of the collected information.
• Identify the UBO.
• Screen against sanctions lists and available government registries in relation to the company and individuals within it.
• Monitor transactions on an ongoing basis to identify suspicious patterns of activity, or other red flags.
• Screen for politically exposed person (PEP) status.
• Monitor for adverse media coverage and social media/online sources.

KYC verification process

• Collect basic information such as name, date of birth, address, and nationality, along with any former names or aliases used.
• Verify identity using personal documents.
• Check against government registers, global watch lists, and sanction lists.
• Screen for PEP status.
• Gather information on background and financial history for risk assessment, in the case of risk-based KYC.

The challenges and benefits of KYB and KYC

KYC and KYB offer obvious benefits in protecting businesses and mitigating threats to national security. They also provide crucial decision-making information for businesses when assessing risk before lending to someone. 

Additional benefits that highlight the importance of KYB and KYC screening include:

• Mitigating the risk of onboarding illegal or illegitimate companies.
• Identifying ownership structures.
• Ensuring sanctioned entities are not onboarded or are swiftyly offboarded/subject to an asset freeze if a customer is designated.
• Increasing efficiency by leveraging an automated screening solution.
• Creating a holistic overview of the customer.
  

However, traditional KYC and KYB processes that use manual procedures can be time-consuming and absorb a lot of resources. Such practices can introduce delays and complications to new business relationships, requiring both parties to wait for verification or gather documentation which must be securely moved between one physical place and another. 

Advanced KYB and KYC solutions 

To effectively tackle the challenge of KYC/KYB compliance while maintaining a positive customer experience, firms must adopt advanced technological solutions. In recent years, KYC and KYB procedures have been transformed by the introduction of online and digital solutions including virtual verification and automated KYC and KYB checks. Electronic KYC, also known as eKYC, means that KYC checks can be carried out without either party having to physically meet or send documentation. 

The advantages of automated solutions like these include:

• Enhanced efficiency: By implementing automated KYC/KYB solutions, businesses can manage a higher volume of KYC/KYB checks in a shorter time, expediting the onboarding process and reducing the time taken for alert remediation.
• Improved accuracy: Automated KYC/KYB verification checks significantly minimize the risk of human error. Through the use of automated algorithms and real-time data, businesses can ensure consistent and reliable results, leading to more precise decision-making and reducing the likelihood of data entry mistakes or oversights in the remediation process.
• Scalability: Manual KYC/KYB screening processes can be time-consuming and overwhelming, especially during periods of high demand or when handling numerous customer applications. Automated solutions offer scalability, allowing businesses to handle increased workloads without compromising efficiency or accuracy, thus maintaining a smooth and consistent screening process.
• Risk mitigation: Automated KYC/KYB functionalities, such as dynamic risk scoring, are crucial for firms focused on mitigating risks related to onboarding or conducting enhanced due diligence (EDD). These features assist in identifying potential risks and preventing unauthorized access to financial systems.

The post KYB vs KYC: What is the difference? appeared first on ComplyAdvantage.

Onboarding rules and regulations for businesses have evolved significantly in recent years. The KYC process must now not only identify and prevent financial crime, but meet changing customer expectations. eKYC presents a solution, utilizing technology to offer businesses a more agile, scalable, and reliable method of carrying out KYC. 

eKYC vs KYC

KYC is a standard procedure of identity verification carried out as part of a transaction in a regulated industry or before and during a financial relationship, either between two businesses or between a business and an individual. These checks are an important aspect of several industries, including financial services. They are mandated by law in a number of world markets, including the US, the EU, and the UK. 

KYC might come into play when a person or legal entity opens a bank account, takes out a loan, opens accounts to trade securities, buys insurance, uses online gambling services, or applies for a credit card, among other scenarios. KYC enables financial institutions to check if a client is who they say they are. It also provides background information that will help to indicate that individual or company’s level of risk and give context about their previous and concurrent financial activity. Additionally, KYC plays an important role in anti-money laundering (AML) due diligence. 

Where KYC and electronic KYC differ is in the collection and checking of customer or client information. While KYC may involve offline procedures such as requesting and checking physical documents, eKYC uses digital technology to achieve the same ends. With eKYC, compliance risk assessment can be carried out without either party having to meet physically or exchange physical documents. It’s the next evolutionary step forward in an important process that protects both businesses and society from fraud, terrorism, and other illegal activity.

What are the benefits of using electronic know your customer processes?

According to Statista, e-commerce transactions will grow 11 percent globally by 2027. And figures from the World Bank indicate that the pandemic has boosted digital payments, further accelerating the digitization of everyday life.

In that context, traditional KYC methods are often slower and more complex than other aspects of customer onboarding. Unlike many financial services consumers access day-to-days which are designed for ease and speed – such as online banking or e-commerce – traditional KYC may require significantly more effort from both customer and institution to collate and present documents than to scan, upload, and manually check them. 

Steps such as physically presenting identity documents or proof of address slow down the process, add friction for customers, and present a potential point of failure for transactions and agreements. They also create the possibility of human error. For some customers, the effort involved in KYC may even be a barrier to inclusion that prevents their use of financial services.

Therefore, some of the benefits of using eKYC include:

• eKYC is fast and simple, as it uses automated systems to speed up the KYC process so that it takes a matter of minutes or hours, rather than days or weeks, to complete. 
• eKYC can present significant opportunities for businesses to save time and money and to offer customers a more streamlined and low-effort experience.
• Firms can exceed the minimum standards required to comply with KYC laws, providing additional customer screening and monitoring through real-time online and database checks. 

How does the eKYC process work?

eKYC implementations may involve a wide range of methods and technologies, including: 

• Biometrics – Biometric data such as facial recognition or voice recognition is convenient for customers as they are not required to remember security information. The ability of most smartphones to take high-quality photos means there’s no need for additional equipment.
• Document recognition – Digital uploads of official documentation such as passports, birth certificates, and certificates of incorporation can be done via a smartphone camera. Facial recognition software can be used to check the customer’s selfie photo matches their photo ID.
• Two-factor authentication and multi-factor authentication – This is a security layer that involves asking a customer to verify a transaction using a second hardware token or across multiple channels to which they have access, reducing the likelihood of identity fraud.  
• Digital breadcrumbs – Digital breadcrumbs are characteristic identifiers that result from an individual’s online meta-information, including their IP address, browser settings, email address, and typing speed. They can be used to help verify identity online. 
• One-time passwords (OTP) – Whereas traditional static passwords are generally no longer secure enough for compliance requirements, one-time passwords provide extra security against identity theft since they become invalid after a single use. 
• Trusted data sources – Electronic identity verification (EIV) can automatically check the individual or entity against government registries and databases, whitelists, and official sanction lists. It can also use online data such as news stories and social media profiles. 

What are the limitations of electronic know your customer?

While eKYC is an important alternative to manual checks and authentication, it can also introduce perceived security concerns for some customers. Providing communications that clearly explain the security measures in place and dispel any concerns is important when implementing eKYC. 

Another potential stumbling block is a lack of providers who can implement the eKYC solution a business needs, both for its specific business needs and the type of financial compliance required. In a new and rapidly evolving field, it’s important to choose a provider that not only offers what is needed in the present but can partner with a business over time to maintain a best-in-class eKYC solution. 

How can companies implement eKYC? 

For companies looking to upgrade from manual KYC to eKYC, one of the first things to consider is which technologies or combination of technologies to employ. It’s important to weigh up business requirements with compliance requirements, information security, the ease of onboarding for customers, and of course available budget. 

When considering an all-in-one eKYC package, it makes sense to look for one that can:

• Integrate with existing systems, such as Customer Relationship Management (CRM) and data feeds.
• Reduce the friction in customer experiences.
• Meet and/or exceed regulatory requirements for all relevant regions.
• Provide real-time screening against trusted information sources.
• Evolve and adapt to a changing fraud landscape using machine learning. 
• Prove its value with certification such as International Organization for Standardization (ISO) 27001. 

The post What is eKYC (electronic know your customer)? appeared first on ComplyAdvantage.

But what elements should firms consider as part of an AML customer risk assessment? And how do they determine what to prioritize? 

What is a customer risk assessment?

In order to understand the money laundering risks each customer poses, a customer risk assessment should consider a number of factors.  These include verifying the identity of a customer, considering how to engage with them – the products and services they access, the type of transactions they carry out, and how often – and the geographical locations to which the customer is linked. 

In addition, firms should ensure they comply with national and global sanctions by screening customer and beneficial owner names against United Nations and other relevant sanctions lists.

Firms will have different levels of risk appetite regarding the customers they are willing to work with. However, it is important that a consistent customer risk assessment methodology is implemented, setting out the criteria for customer risk scoring weighting mechanisms, and the rationale behind these.

The main purpose of the assessment is to identify the risks to which a firm may be exposed, either in the course of a business relationship, or for an occasional transaction. The more complex this interaction is, the more rigorous a customer risk assessment needs to be. 

By being well informed, firms will be better placed to determine the correct level of customer due diligence (CDD). Ongoing reviews should be completed, particularly if a customer starts to act in a manner that deviates from their risk profile. The Financial Action Task Force (FATF) recommends that where firms cannot apply the appropriate level of CDD, they should not enter into the business relationship, or should terminate the business relationship.

What factors should be included in a customer due diligence risk assessment?

There are four main pillars to consider in a customer risk assessment: 

In the US, the Financial Crimes Enforcement Network’s (FinCEN) CDD Final Rule clarifies and strengthens customer due diligence requirements. It requires applicable financial institutions to establish and maintain written policies and procedures that are designed to:

• Identify and verify the identity of customers
• Identify and verify the identity of the beneficial owners of companies opening accounts
• Understand the nature and purpose of customer relationships to develop customer risk profiles
• Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

Dynamic AML customer risk assessment

Ongoing due diligence of customers is needed to help firms mitigate money laundering risk, but what is suspicious for one customer won’t be for another. 

Some general behaviors that may raise a red flag, or prompt a re-evaluation of a customer risk assessment include: 

• Changing banks a number of times in a short space of time 
• Attempts to disguise the real owner of the business
• Requests for short-cuts or unusual speed in transactions
• Involvement of a third-party funder with no connection to the business 
• A large amount of private funding from an individual running a cash-intensive business
• False or suspicious documents used
• A large amount of cash transactions inconsistent with the profile of the customer
• Business transactions involve countries with a high risk of money laundering and/or funding of terrorism
• Overly complicated ownership structures
• Inconsistent level of business activity

Firms need to more accurately flag suspicious actors and activities. To do so, they need to understand the importance of dynamic risk assessments and have the data and technology to enable this.

Misclassification of low-risk customers as high risk, and inaccurate or insubstantial KYC information gathering, can dilute the effectiveness of AML measures – and a wholly manual and complex process may not be enough to guarantee the results needed.

Firms should consider simplifying the architecture of their risk models and introducing statistical analysis to complement expert judgment. Machine learning algorithms can improve the quality of data and help continuously update customer profiles, while considering behavior and additional factors.

The post Customer risk assessment: What you need to know appeared first on ComplyAdvantage.