Regulatory and reputational drivers for KYC and customer remediation
When we talk about remediation, in very basic terms we are talking about cleaning up old, inaccurate and incomplete client data – something that financial institutions inadvertently neglected for many years. After the crash in 2010, regulators started to get very concerned about financial crime, money laundering, and terrorist financing, and consequently a number of banks found themselves under the microscope. Suddenly, KYC, which had probably not been given due attention historically, became a hot topic and bringing measures up to scratch became a top priority for all financial institutions.
However, since 2010, numerous other regulations have been introduced into the industry, many of which have also required updates to client data in order to comprehensively evaluate a wider range of risk, such as tax evasion. This has therefore added to firms’ need to remediate and optimise their KYC files, which are no longer fit for purpose.
Remediation challenge number one: Over-promising, under-delivering
A few years ago, there was a rush to satisfy regulatory needs by undertaking large-scale KYC remediation projects, and firms were making commitments to regulators that they couldn’t keep. However, as we have all seen, it's a complex problem that requires a lot of thought, preparation, planning, and resource to actually solve. Invariably, firms started off trying to solve it themselves, thinking that it was relatively straightforward: people put a plan together very quickly and made the commitments to regulators before realising the plan wasn't going to work. They then had to backtrack, reset, and start again - I’ve heard of firms that have reset the process five times. However, it’s understandable as it’s a complex problem to solve and firms really do need to take the time to think it through and plan it properly.
You need to be realistic and not heroic. It is a lot of effort and will take a long time. You have to acknowledge you're not going to remediate 50,000 clients in 12 months; it simply isn’t possible. Most regulators understand that, so when you’re putting your programmes together, be realistic and point out that everybody's learnt the hard way that this is a long slog. This needs to be communicated to important stakeholders outside the organisation, as well as inside.
Remediation challenge number two: Outdated processes
For too long, many firms were happy to continue with their existing processes, technologies and solutions, not looking at what was out there to make life easier. While this has certainly improved in recent years, in the early days many companies were poorly informed and carried on with the same, often broken, process that they were using historically.
Similarly, the policies and underlying risk methodologies that people use to determine the level of due diligence required were often not given enough attention and it was assumed that the policies were adequate, when in fact they didn’t even meet current - let alone future - expectations from regulators. This has resulted in some firms carrying out multiple remediations because the policy gaps have had to subsequently be remediated themselves.
In many cases, staff were not sufficiently trained and didn’t actually know what they were doing, meaning that the same people were carrying out the same outdated processes, coming up with the same results.
It sounds very obvious but compliance departments need to make sure policies are up to date, along with the corresponding risk methodologies that determine the overall due diligence that's required for a particular client. If you're trading on a multi-jurisdictional basis, you need to ensure that you not only satisfy your home regulator but also those within each jurisdiction. With MLD4 and 5 coming down the tracks, you should make sure that any process you are implementing is updated accordingly so that any remediation being done now is in line with these new standards.
You've also got to take a long, hard look at your remediation process and ensure that it is efficient, has good tooling and data sources, and that it works end-to-end. If it doesn't, get out there and look at the new solutions that are available, but make sure you choose wisely: make sure the provider in question really does have the experience and the capability; don't just take their word for it. Test the product, see that it works, and that way you won't be disappointed.
Remediation challenge number three: Bad data
The process of cleaning up the data within a financial institution is absolutely huge, particularly in banks, where client data might not necessarily feed off one central system and could be held on tens, if not hundreds, of different systems. This means that multiple instances of the same client record would exist across an organisation, making the opportunity for duplication, error and inconsistency enormous. A number of firms have not deployed an active offboarding programme, so clients that were brought on many years ago still exist in their records, even if there is no longer any business relationship there.
Quite simply, you need to have a process in place to offboard those clients that either fail to meet the KYC standards or are not generating sufficient, if any, revenue, so that you’re not carrying the liability and the responsibility of having to refresh their KYC in the future.
Remediation challenge number four: Lack of firm-wide cohesion
Many firms have learnt the hard way that KYC is not just an operational or compliance problem to solve, it's firm-wide. Consequently, there hasn’t been enough capacity created within the sales and relationship manager (RM) functions on the front end of the business to support a large remediation effort. They are the people who hold responsibility for client outreach and client relationships so they have an important role to play, but this has not always been fully understood. I personally believe this has been a massive contributing factor as to why firms haven’t progressed at the pace they would have liked.
Account ownership is also very important to the remediation process, as ultimately somebody in your firm will need to sign off that a client is good to do business with. However, it can often be a challenge to find somebody who is actually willing to take ownership of an account and of a client relationship – as I can attest to from past roles.
It’s critical that firms have got senior and board-level sponsorship because if the problem doesn't get fixed the consequences are significant, including losing the firm’s licence to operate. But it is a long, tough and expensive journey so you need to make sure that you've got buy-in from the very top.
This is a front-to-back problem and the sales teams and RMs need to be organised: they need to be clear on what their roles and responsibilities are just as much as all the people working in operations, data and compliance. Everybody's got a role to play and they need to be clear on what that is and be suitably resourced to be able to do it.
We all acknowledge that client outreach is a lot of effort, generally falling to the sales force and the RMs, but there needs to be an organised process around it. The compliance team will also have to be able to cope with the onslaught of escalations and reviews that they will need to perform to support a large remediation programme.
Finally, it’s crucial that account ownership is established and individuals are very clear on which clients they own and the consequences of that. This is what regulators expect, but it’s not easy to implement. That has to change, which once again means you need that board-level support to get it mandated.