The burdens faced by financial institutions in meeting know-your-customer (KYC) regulations are only headed in one direction. Banks and investment managers are on the front line when it comes to fighting money laundering, terrorism financing and tax avoidance, and the financial and reputational penalties for getting it wrong are potentially vast.
"The size of the KYC challenge for the financial industry, and the collective headcount working on this, is enormous," says Steve Pulley, London-based global managing director of client on-boarding and KYC solutions at Thomson Reuters. "There is huge opportunity to help clients with that endeavour."
The information giant's response to this problem is its Org ID KYC managed service, which it launched in March 2014. The goal is straightforward: to ease the burden of KYC data collection and management and to continue that KYC process on an ongoing, real-time basis.
To build each customer profile report, Thomson Reuters draws on publicly available information, its own proprietary databases, and the client itself. That information is assembled and validated against other approved sources. The next stage involves what Pulley describes as "unwrapping" the entity involved – identifying the directors, officers and beneficial owners.
This information can then be screened against a Thomson Reuters database of sanctions-listed countries, individuals and "politically exposed persons". "This is a Thomson Reuters core competency," notes Pulley. "It's one of the reasons we're in this business."
Since the launch of Org ID, Thomson Reuters has created some 10,000 complete, unique KYC profiles and 25,000 related records. These profiles draw upon information from 140 countries in 50 languages – including, in one case, Swahili. These initial reports are provided to the client as PDF files or as an application program interface, or API, which allows the client to feed the data directly into their own systems.
These initial KYC reports are just part of the story, however. "Our clients tell us that this piece solves maybe 20% of the industry's problem," says Pulley. "It's not just about knowing your customer at on-boarding or at the three-year refresh. Companies are obliged to know their clients every day. The real value, and what differentiates the service, is the screening and ongoing monitoring."
The Org ID system scans the Reuters news service and around 1,000 other news sources to track changes in the risk posed by any of its screened companies. In particular, it looks for any negative news flow – for example, the appearance of a director in an article about fraud. If such a risk emerges, the client is alerted, allowing it to take action. "The service enables its users to point their compliance resources at the high-value end of the problem – at the risk decision, rather than at the grunt-work of collecting information," explains Pulley.
This aspect of the service has proven attractive to clients such as BlackRock, which was revealed to have signed up to the service in April. "We have very robust counterparty due diligence processes in place and have selected the Thomson Reuters Org ID service to further augment the screening and ongoing monitoring of trading counterparties," said Robert Goldstein, the New York-based asset manager's chief operating officer, in a statement at the time.
The challenge for compliance departments is not just collecting KYC data. They are also required to keep abreast of a growing number of KYC demands at local, national and regional level. The Org ID service uses Thomson Reuters' regulatory intelligence news feed and an advisory panel of 22 senior compliance officers at client firms to stay up to date with evolving compliance needs, Pulley says.
Data security is, of course, a high priority for Org ID's customers. "We use secure encryption, UK-domiciled data centres, we comply with the most globally strict data privacy laws, and carry out penetration testing on a very, very frequent basis," Pulley says. PwC carries out a twice-yearly audit to ensure that the Org ID team operates in accordance with its controls framework and the process has also been certified under ISAE 3000 – the assurance standard for sustainability and outsourcing.
Thomson Reuters typically offers Org ID as a subscription service. The cost for each client varies according to the level of work involved, perhaps by a factor of 10. "There's a huge difference in building up a profile of a London- or New York-listed public company, versus a complex private company operating in an African country, in a high-risk business like mining, and with a web of trust structures above it," says Pulley.
Pulley declines to be drawn on the details of its pricing, although he asserts that using the product is cheaper than doing the work in-house. He adds that there are other benefits as well as cost savings: using Org ID tends to be less onerous than making ad hoc requests for KYC information; and the managed service helps prevent firms from misinterpreting the rules. "There is less potential for interpreting regulations differently from your peers, and getting tripped up that way," he says.
Users should remember that the cost of non-compliance might be measured in lives, not dollars, suggests Pulley. "This is not just a data collection and normalisation process. It's about anti-money laundering, and not dealing with terrorists and financing them," he says. "It's a serious issue, and it's got to be done right."
The week on Risk.net, July 14–20, 2017Receive this by email