AML regulation and KYC compliance is challenging, but well-prepared banks can rise to the occasion
Organizations spent 1.4 billion on Anti-money laundering (AML) and know your customer (KYC) services, with AML regulation and KYC requirement mishaps costing banks millions alone in 2021. In some cases, fines totaled hundreds of millions of dollars. These fines are just the overhead for poor compliance practices. The hit to brand reputation after sanctions will likely lead to lost customers. This is especially true if the KYC process has added unnecessary friction making the customer onboarding process unpleasant for customers to begin with. The opportunity cost associated with customer churn can amount to millions more dollars on top of the initial fine.
The cost of noncompliance with AML and KYC regulations is something banks and other businesses can’t afford. Unfortunately, compliance is also complicated, especially in places where many jurisdictions, each with its own regulatory requirement, live side by side, like Europe, or U.S. states.
The complex and ever-evolving compliance landscape
KYC regulatory compliance and AML compliance is so hard to achieve because those processes are governed by a legislative patchwork of identity verification regulations in the U.S. and a combination of regulations, directives, decisions and recommendations in the EU.
In the U.S., The Patriot Act, Bank Secrecy Act, CFR Chapter X, FIDO Alliance Certification and various state-level regulations govern identity verification practices for KYC and AML compliance. Along with forthcoming proposed regulations, these laws ensure financial institutions take a reasonable approach to verifying customer identity.
In Europe, directives instruct member states as they make their own laws. They’re designed to establish and uphold a standard of quality and safety of products in all member states. Regulations are the most powerful of the European Commission and Parliament’s tools. Regulations take effect in every member state as written.
Directive (EU) 2015/849 instructs member states in the creation of laws “for the purposes of money laundering or terrorist financing.” Under that umbrella, countries have enacted their own anti money laundering and KYC legislation. Every financial institution must therefore contend with different regulators, customer identity verification procedures and KYC requirements in each jurisdiction.
The benefit of federal laws in the U.S. and EU-wide directives is that they standardize KYC and AML compliance practices to some degree. The downside is that such a complicated network of regulations might limit innovations on top of saddling regulated entities with high compliance costs.
Third-party service providers may soon receive greater regulatory scrutiny
For banks and other financial institutions, the threat of looming sanctions grows with each new regulatory requirement. It is incumbent upon them to perform a risk assessment and amend AML compliance programs according to each regulation. In some cases, banks turn to third-party vendors to help fulfill KYC obligations and AML policy considerations to limit risk and avoid sanctions. However, a new draft regulation may further complicate things.
If passed, the Digital Operational Resilience Act (DORA) represents a large-scale change to the way AML and KYC regulations work in the EU. DORA proposes a regulatory compliance framework for “critical third parties which provide information communication technologies-related services” to financial institutions and banks. Included in this group are vendors that provide risk profile assessments, suspicious activity or criminal activity monitoring and AML or KYC compliance services.
The long and the short of this is that, as complex as the current regulatory compliance landscape is, it is ever evolving, and banks must take the steps necessary to ensure both they and their third-party partners are compliant.
Banks can lean into three practices for creating strong, scalable compliance programs
Financial institutions are already heavily guarded against money laundering and terrorism financing activities. But with a dynamic regulatory landscape, they need to programmatically prepare themselves for any and all future changes to KYC regulations and AML laws. Unfortunately, even this preparation requires overhead costs. But up-front costs for implementing automated KYC software to shore up customer identification programs and enhanced due diligence processes pale in comparison to potential sanctions, reputation damage and customer loss should a breach occur. Building a robust program includes the following activities.
1. Digitize identity verification processes, audit trails, and customer experience
Banks have invested plenty in digitizing their identity verification processes. However, many banks still revert to manual processes once digital systems identify a high-risk transaction or account. Financial institutions should continue to modernize customer identification technology, which should provide a number of benefits.
Digitized operations help reduce the number of in-branch customer identity verifications and improve in-branch verifications when necessary. Leveraging intelligent platforms minimizes the risk of human error and allows bank employees to focus on the customer experience.
With digitized audit processes, banks can turn their literal paper trail into a digital one. This transformation helps avoid inefficiencies and is more reliable against mistakes than manual audits.
Finally, digitized operations help streamline the customer experience. With digitized customer's identity verification solutions, banks, financial institutions and financial services firms can place KYC processes at optimal places in the customer journey. This helps reduce customer churn while simultaneously fortifying anti-money laundering safeguards.
2. Train employees in the art of meeting KYC requirements
Despite the power of digitized identity verification and other AML tools, there will be some instances that remain in the manual domain. For example, students and immigrants and people on different temporary visas will not often be able to provide legally acceptable evidence of long-term in-country residency. In these cases, bank branch employees must complete KYC processes in person. Maintaining carefully compiled evidence of these checks can be costly, yes, but is crucial to maintaining compliance.
For these manual processes to fit within a programmable AML compliance program, banks must train employees accordingly. Ensuring training is consistent across branch networks and keeping employees apprised of changes to compliance requirements will likely be cornerstones of training programs.
Regulated entities like financial institutions are obligated to maintain enhanced customer due diligence practices, such as transaction monitoring for suspicious activity and responding to changes in customer’s circumstances. The combination of trained staff and digitized KYC processes can ensure these practices are scalable and applicable in a dynamic regulatory environment.
3. Leverage external resources to bolster KYC verification processes
To further complement digitized KYC processes and employee training, banks can leverage external resources. They’ll need everything from credit bureau information to background data sources to develop reference points for any customer identity verification program. The challenge with external resources is that, like KYC regulations, their availability varies in different countries.
Credit bureaus are often a source of data that can help identify the consumers for KYC and AML requirements within a given geography. However, bureaus in different regions have varying market coverage and are often blind to the younger or non-active credit consumers leaving them with a large blind spot.
Financial institutions must build scalable compliance programs today
With money laundering incidents on the rise and KYC regulations tightening, banks and other financial institutions find themselves between a rock and a hard place. Adding to their burden is a complex and dynamic regulatory landscape that will likely soon affect third-party KYC service providers. The good news is that banks have many tools at their disposal to develop robust customer identity verification and anti-money laundering programs.
By digitizing processes, such as risk assessment, internal audit, and illegal activity monitoring; ramping up employee training; and leveraging external resources, banks can shore up their AML and KYC verification approaches. More importantly, with the right combination of these resources, institutions can develop compliance programs that scale and adapt to future regulatory changes. Sorting out compliance and risk programs in this environment is challenging, but firms that build a cohesive strategy today will have a much easier time tomorrow.