AML KYC data collection brings benefits as well as challenges

As banks and financial institutions collapsed one after another in the disastrous second half of 2008, their peers – and their regulators – realised they had one thing in common: none of them had a truly clear picture of their exposure to a defaulting counterparty. Over the past two years, industry efforts towards a system of common legal entity identifiers (LEIs) for derivatives counterparties have begun to bear fruit, driven by new regulatory requirements for trade data reporting and repositories. The Financial Stability Board (FSB), itself a product of the crisis, cited a lack of proper data as a key reason for the regulators’ inability to see the crisis coming or to react properly once it began. The US Commodity Futures Trading Commission’s Interim Compliant Identifier project and the FSB’s global legal identifier represent attacks on this problem.

The people responsible for detecting and preventing financial crime – bribery, tax evasion, money laundering and terrorism financing – are now facing a similar challenge, with identification once again at the centre. While a lot of attention has been paid to individual laws such as the US Foreign Account Tax Compliance Act (Fatca), the problem of customer and client identification is far wider in scope.

“There are two big regulatory bow waves happening now,” says Dave Hoffman, co-leader of PwC’s banking technology and operations group in New York. “You have Fatca and other tax evasion and bribery regulations, and the other one is the wave of know-your-customer (KYC) and anti-money laundering (AML) enforcement – one started five to seven years ago, and a second one started about 18 months ago. The amount of regulatory scrutiny around it has definitely increased.”

The latest wave of regulatory attention goes back to February 2012, when the Financial Action Task Force (FATF) – the intergovernmental organisation charged with combating money laundering – released a revised set of recommendations for national AML rules. This year, FATF has stepped up the pressure on national governments to implement the standards, with particular emphasis on the identification of ultimate beneficial ownership (UBO) of corporate customers. In a new round of country evaluations starting in December 2013, FATF has promised to focus in particular on the disclosure of beneficial ownership, and on national rules to restrict corporate structures designed to obscure the real beneficiary of a transaction or shareholding.

And governments have responded: in a discussion paper in July, the UK government laid out proposed rules for clarifying UBO in UK companies, including a central registry of ownership and the abolition of bearer shares, and a possible ban on the appointment of companies rather than individuals as directors.

The challenge of uniquely identifying participants is far greater in the AML context than in the over-the-counter derivatives market and, while an LEI system is on the cards for derivatives as part of enhanced trade reporting standards, few market participants see any hope of a common system of identifiers in the wider market.

“It would be nice if there was one single set of LEIs,” Hoffman admits, “but that doesn’t exist. We have no social security number or taxpayer ID. As a result, a lot of banks are trying to do that for themselves.” He adds: “There have been some discussions with larger organisations to create industry utilities. You’ve seen consortia in the past – some have been successful but many have not. Doing LEIs with a successful one like Swift might be the way to go – they’re successful and arguably connected here.”

Other industry executives have condemned the lack of collaboration in the past, but admit that a common effort could be difficult. In April, RBS’ head of international banking, John Owen, called banks’ determination to develop separate systems “pig-headed” , but admitted that bringing disparate DNB lists together would not be easy.

Unlike the problem of swap participant LEIs, AML LEI monitoring schemes are three-dimensional in scope. A single institutional customer may have a corporate structure composed of many separate legal entities; the bank itself may also have a complex corporate structure; and there is also a variety of possible interactions between the two sides (brokerage, investment management and so on). 

“I don’t think that, as an industry, we’ve successfully tackled that problem yet. Once a bank finally reaches a director at the top of the pyramid who is the beneficial owner, it can turn out that he’s a director of thousands of different companies. There’s work to do there still,” says Jeroen Dekker, head of AML for software provider Fiserv in The Hague.

If determining UBO addresses the first issue of financial crime – who am I dealing with? – it’s as important to answer the second, which is, roughly, “should I be dealing with them?” The challenge of building a comprehensive, up-to-date and reliable do-not-bank (DNB) list is not a trivial one. Even for sanctions compliance purposes alone, drawing up a comprehensive list of sanctioned entities is not a trivial challenge; multiple authorities at national and international level impose sanctions, and update their own lists frequently, and banks must do their best to reconcile these, including accounting for variations in names and spelling. The problems are multiplied once the requirement is added to identify high-risk customers, such as politically exposed persons – either to block them, or to ensure they are subject to heightened scrutiny.

Large banks face a particular challenge, Hoffman says. “Most banks have operational DNB lists, usually more than one, and they have to maintain them. What we’ve seen again is smaller institutions facing up to the impact, but multiplier impacts for larger ones, which is why they have to spend so much. Not that smaller banks aren’t also feeling it, but there is a real multiplier effect at larger ones because some of them have multiple DNB lists and maintaining those is an operational challenge.”

Fenergo chief executive Marc Murphy points out that a properly maintained list needs to draw on as many sources of information as possible – corporate events or news stories may trigger a change in risk status or a review, as might transaction-level analysis of existing customers.

Problems with retail customers
Gathering customer information, though, is not cost-free, and full compliance may be particularly difficult to obtain from retail customers. “On the institutional side, you’re dealing with trained professionals on the client side, so the challenges just become operational challenges. But the experience for an individual customer of dealing with that situation is onerous.” There’s also an issue of scaling – the number of employees who need to be trained to deal with improved KYC and data collection is far larger in the retail sector, where accounts could be opened at any of thousands of branches or even online. And increased collection of data for AML or any other purpose could put banks into jeopardy with regard to local data protection rules, if the data is then transferred to other jurisdictions or shared with foreign regulators or financial intelligence units – though such sharing is one of the main reasons for gathering it in the first place, Fiserv’s Dekker says.

“There is a lot of room for us to work together – between banks and also between different units within a bank for a holistic view of the customer, and also institutions. Why not share lists of people, pool that information so you can benefit from data that others have contributed?”

But banks are, increasingly, not being given the choice – regulatory pressure to act against mis-selling has led to improved KYC and onboarding precautions, not only in the UK but also around the world.

Increasingly, the boundaries between AML, anti-bribery, fraud prevention, tax compliance and counter-terrorism are being eroded, with the common solution to all being seen as improved KYC, increased data collection and advanced analysis. “It’s all related and all coming together,” says Dekker. “Whether its financial crime, AML, anti-bribery, fraud, sanctions violation, it’s all interrelated, and from our perspective the solutions are also interrelated.”

At the client onboarding stage, new tax regulations such as Fatca require the bank to record a list of signs of US citizenship, known as indicia, and it’s likely that the growing network of reciprocal intergovernmental agreements will require this list to include indicia of citizenship elsewhere as well. But, Dekker says, there are many advantages to going beyond the bare bones of the indicia list: “What we are seeing is that the institutions are expanding their systems to capture more data at account opening. So they ask for nationality. They might also ask if you have a second nationality. And you can look at how many addresses you can capture for a client – a business might have a corporate address and an administration address, and that can be important in determining its identity. You need that for practical reasons like Fatca compliance – but it also helps for money laundering as well.”

Additional information, such as location of mobile devices used for banking, may not be included on the list of Fatca indicia, but it could still be useful in determining compliance – and also in other areas such as fraud detection and sanctions enforcement, he adds.

And there are other potential bonuses to the new regime of increased AML/KYC data collection as well, Hoffman argues. In particular, greater use of behaviour analysis has uses beyond financial crime prevention: “Some of the biggest organisations already have this capability in–house, and they are using it for marketing purposes, in understanding consumer behaviour to tailor and price products.  The same underlying skill sets are relevant in the compliance aspect.”

With the emphasis on conduct risk – especially in the UK, where mis-selling of products such as payment protection insurance has landed banks with 11-figure compensation costs – the data gathered can also be used to tailor sales efforts, he adds.

“There are so many areas where you are investing in compliance analytics and marketing analytics – bringing those together and working across them is a leading practice. We’ve done projects to combine compliance analytics and marketing, and it has been really well received.  Analytics around unstructured data can really mine some interesting information about customer experience, and whether you need to do things from a consumer financial protection perspective. You can get value beyond the pure compliance component.”