KYC Backlogs and the Risks
Reassessing and reverifying customer data remains a costly task in many financial institutions. Technology developments in screening and data analysis aside, it is important to understand the logic across processes.
If your KYC data is inadequate or outdated, for obvious reasons the customer risk classification process will not produce a fair view, and you will fail to properly monitor customer behaviour. The cost of compliance and outsourcing are top of mind currently. Most organizations are well aware of this nowadays, but it is a complex issue to address. It is not uncommon to miscalculate how long processing a KYC backlog actually takes.
Lars von Ehrenheim, Director at FCG Financial Crime Prevention-team.
As periodic reporting became a legal requirement for financial companies under the supervision of the FSA, the quality of KYC data emerged as an area of concern. Many banks discovered that their data was incomplete or inadequate. According to Lars von Ehrenheim, poor systems for automatic updating, poor data quality, or simply data that was missing from the start are common causes of backlogs.
One also has to consider that inadequate KYC data is automatically high risk. Well-established financial services providers have become much better at risk classification of their customers. Low-risk customers should not be excluded in this context either, even though updating may only be necessary every fifth year according to the industry standards. The process for requesting and obtaining information can be long, time passes quickly, and eventually the backlog builds up. Processing high-risk customers is particularly cumbersome: more comprehensive documentation, such as salary slips, should be submitted, and the work includes dealing with customers that fail to respond and with complex legal structures.
We frequently see that quite junior and inexperienced resources are deployed to resolve backlogs. It is not value-creating, it is monotonous, and it is not a good challenge for skilled and educated resources. It is important to have capabilities in order to acknowledge when data is not logical and to understand what needs to be in place in a structured process. Effectively, it is, systems aside, a human process considering competence and quality assurance.
Lars von Ehrenheim
By way of example, it is completely unlikely that a bank would approve a credit application without sufficient and validated customer information. However, with the latent probability that an account can be misused for money laundering, the situation has apparently been different.
The older the legacy systems, the heavier the backlogs that must be resolved to close the gap to the current real risk environment. Lead times are long, and programmers must first be available and then understand and technically resolve the needs.
Generally, since 2020, it is primarily medium-sized and smaller financial institutions that may face warnings or sanctions due to non-compliance with regulatory requirements. In niche financial services segments, some companies may even need to reconsider that they do have “customers” that should be subject to KYC.
It is inevitable that the FSA will want to look more closely at this area in the future, and challenge why certain customers are not offboarded.
Efficient KYC backlog management requires a balanced combination of qualitative and quantitative controls, in which the Compliance function and internal audit, or quality assurance functions where the organization has them, have an important role in testing systems and assessing results. According to Lars von Ehrenheim, they should be involved at an early stage of the process to provide assurance, as far as possible, that the parameters are right from the start.