The area of AML/CFT compliance programmes that organisations most commonly struggle with is KYC reviews, refresh and the subsequent remediation work needed to update or patch up existing customer KYC information.
It’s a tough nut to crack.
This month the Jersey Financial Services Commission (“JFSC”) published feedback from its examination of firms required to comply with local AML/CFT regulations. Findings in relation to KYC reviews included:
- In over half of the firms who used reviews to keep their customer KYC up to date, these were triggered on a calendar basis or by a trigger event procedure.
- Instances were observed where these anniversaries or events triggered a review, but then information was not updated, or the review was started but not completed.
A recent case dealt with by the JFSC provides an excellent illustration of the challenges that KYC reviews present and what can go wrong when they’re not effectively undertaken.
2020 Equity Trust Case
In 2015, Equity Trust (“ET”), a regulated trust and corporate services provider, reached a settlement with the JFSC concerning 42 areas of its business where remediation was needed. One of these was customer KYC. Two years later, ET commissioned a report from a 3rd party to verify that the remediation was completed and provided it to the JFSC. The matter was then closed.
Sometime in 2019, ET’s Board requested a review, which disclosed that the KYC problems from back in 2015 had not been fully resolved. ET began a second attempt to remediate them. The JFSC, which was notified of this by ET, directed that a different 3rd party undertake sampling to see whether the problems were systemic. The reviewer reported back that they were. The areas of non-compliance ranged from customer risk assessments, KYC and monitoring to record keeping and the role of the compliance function. The deficiencies were found to be largely historic and could be traced back to books of business ET had acquired over the years.
The JFSC imposed a civil penalty of over £115,000 and issued a public statement detailing the failures and cause of the systemic failures in ET’s KYC review programme.
Reason for KYC Review Failings
The core cause of the failures was directly linked to that 2015 review. It was found by the reviewer and the JFSC to have been “ineffective”, “lacking clarity, discipline and established governance principles”. As a result, ET failed to fully investigate how extensive the non-compliance was across its book of business and only remediated a portion of its problematic customer population.
The first problem was in how the remediation was undertaken. To try and remediate customer KYC back in 2015, ET had created a project team that was directed by ET’s compliance department. The team was to undertake retrospective customer risk assessments. However, rather than first determining what KYC deficiencies required remediation, the team undertook these assessments relying on the old KYC held for these customers. Even then, that information was not “sufficiently considered”. And where gaps were identified in the KYC held, no action was taken to resolve them.
The second problem was the KYC review policy itself. ET had established a policy whereby it would undertake a KYC review of its high-risk rated customers every year. But the methodology that ET used to risk rate its customers resulted in a significant number of its customers being rated high risk. ET failed to consider what impact this would have on its available resourcing to actually undertake a KYC review and possible refresh for all its high-risk rated customers every year. Sound familiar?
The result? Sporadic reviews were undertaken. In some cases, the annual deadline wasn’t met. Customer risk ratings were not adjusted in a timely way. ET therefore never had an accurate understanding of its overall customer risk landscape.
Importance of Strategic and Tactical KYC Review Planning and Execution
The ET case is not unique. Many financial institutions have struggled to apply the KYC review schedules they have set for themselves, along with collecting new or additional information about their customers. Often, where KYC remediation or reviews are needed, firms will assume that formally diarising them and then throwing bodies at the problem is enough, hoping that it will solve itself.
Reviews, as a compliance control, can be risk creators, as the ET case illustrates. They cannot be undertaken in a vacuum but must be planned and assessed within the context of the firm’s risk appetite and operational resources. They require an honest assessment of how those reviews are being undertaken, whether they are completed as required and, most importantly, whether those reviews indicate that the level of customer risk held by the firm is close to or has already exceeded its risk appetite.
In our recent webinar, Jayne Newton, Director of Regulatory Expertise, talked about how this challenge might be further complicated by the new “tax trigger” firms will need to comply with under the 5th Anti-Money Laundering Directive. The results of changes to tax information held about a customer will now need to be woven into the AML KYC review process. This requires that firms consider, at both a strategic and tactical level, how this may impact upon their existing AML compliance programmes in practice. Director of Operations, Jeff Bateman, describes the importance of starting to undertake that assessment before the proposed revisions to the Risk Factor Guidelines are made, to ensure that existing compliance programmes know what challenges they’ll be facing by operationalising this requirement, along with other KYC remediation work already underway.
KYC reviews and remediation will continue to pose a challenge for firms, and regulatory change will further increase those challenges. To mitigate the risks illustrated in the ET case, firms will need to candidly evaluate their existing resources, the extent of any KYC review backlogs they are working through and consider how the new tax trigger will impact upon these. Ongoing monitoring of changes resulting from this new “tax trigger” – especially those that result in raising customer risk ratings to high – will be critical to ensure both that enhanced measures are applied to them and that firms do not operate under a false sense of comfort as to how much AML/CFT risk they have actually taken on.