KYC: A Process Ripe for Automation

  • AML and KYC
  • 12.07.2018 12:50 pm

To automate is human

Making tools that improve our lives is an impetus we can trace back to prehistoric times, when we tamed the destructive force of fire and learned to fashion cutting blades from flint. In its 2017 report, “A Future That Works: Automation, Employment, and Productivity”, McKinsey Global Institute makes a strong case for continuing to innovate with technology to improve the performance of our economies: “Automation of activities can enable businesses to improve performance, by reducing errors and improving quality and speed, and in some cases achieving outcomes that go beyond human capabilities… Based on our scenario modeling, we estimate automation could raise productivity growth globally by 0.8 to 1.4 percent annually”.

Process redesign and automation

According to Klaus Schwab, Founder and Executive Chairman of the World Economic Forum, the Fourth Industrial Revolution is “characterized by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres”: this requires companies to redesign processes in such a way that people collaborate with new technologies and hand over operational control where automation can substitute for their labour. And inversely, within a redesigned process, technology alerts humans to re-take control when their judgment and problem-solving skills are needed to complete a task.

Process redesign involves mapping out constituent activities and the flow of control from activity to activity, and then analysing each activity to determine the appropriate level of automation, if any. Activities characterised by David Autor, Professor of Economics at Massachusetts Institute of Technology, as involving rote repetition and adherence to rules are immediate candidates for automation, while abstract tasks that “require problem-solving capabilities, intuition, creativity, and persuasion” are best left to those in professional, technical, and managerial occupations.

Robotic Process Automation (RPA)

RPA is a technology of the Fourth Industrial Revolution “designed to reduce the burden of repetitive, simple tasks on employees”. The robotic component of RPA is software programmed to automate rule-based and highly structured tasks. RPA can be viewed as a control function spanning multiple systems, including databases and other information sources. RPA offers a clear interface, so that an automated process appears familiar and simple to operate to anyone who already knows the work. The impact of RPA is to improve productivity, which is measured by comparing the output per unit of time achieved in the new process design with that achieved in the previous pattern of work.

Artificial Intelligence (AI)

According to Techopedia, “Artificial intelligence (AI) is an area of computer science that emphasizes the creation of intelligent machines that work and react like humans”. Critical components of AI include machine learning, involving computer algorithms that continually learn from experience in order to improve themselves, and natural language processing, which is the ability of computers to read and comprehend human language. AI has been adopted successfully in many areas of business, and use cases continue to emerge. In a recent study conducted by Boston Consulting Group and MIT Sloan Management Review, 84% of respondents say AI will enable them to obtain or sustain a competitive advantage.

Know Your Customer (KYC): a process ready for RPA and AI

Highly valued by the corporate world, digital technologies are also exploited by sophisticated criminals who operate internationally to move and launder money. Guided by international bodies such as the Financial Action Task Force (FATF), nations are enacting increasingly stringent regulations that guard their economies against financial crime. Assessing risk through due diligence in the form of KYC and keeping records of these checks form the foundation of these defences.

The UK’s Money Laundering Regulations 2017 (MLR2017) extend the requirement to undertake risk-based KYC beyond the finance sector to firms providing professional services, including the legal and accounting sectors. Many of these firms rely on KYC processes that combine manual tasks with electronic communications, such as the use of email attachments. Such processes make it difficult to prove compliance to regulators, and they tend to be slow to complete and expensive to operate.

Assessing the KYC process for redesign and automation

Automating business processes creates opportunities for optimisation by assessing each activity’s potential for redesign based on current and emerging technologies. The activities involved in a general KYC process are reviewed in the table below:

| Activity | Description | Potential for automation |
| --- | --- | --- |
| Define KYC policy | A KYC policy prescribes how a firm conducts KYC. Its definition includes the independent, reliable sources of information that the company will use in due diligence. A KYC policy is defined once and then applied multiple times as each new customer is considered for on-boarding. | Low - requires expertise and judgement of a senior compliance professional. |
| Request identifying documents from customer | For corporate customers this includes requests for articles of association / incorporation. | High - although certain sectors, for example legal and accounting firms, prefer face-to-face contact with prospective customers. |
| Validate documents and formally identify customer | Check the validity of documents and ensure they match the entity requesting a business relationship. | High - involves validating electronic and physical security features of documents to establish proof of identity. |
| Verify customer identity and beneficial owners | Regulations such as the UK’s MLR2017 instruct firms to use independent, reliable sources of information to investigate corporate structure, directors, shareholders and beneficial owner(s). | High - sources are available as digital information and published via APIs (application programming interfaces). Due to the number of sources that need to be consulted, manual processes are time-consuming and prone to error. |
| Assess risk and assign risk rating | New customers are typically scored as Low or High risk. | Medium - based on facts discovered in screening, risk ratings are automatically assigned. Regulated firms can be assigned a low rating while PEPs (politically exposed persons) are considered high risk. |
| EDD (enhanced due diligence) screening | Customers assessed as high risk must be subject to ongoing monitoring. | High - sources of information on PEPs, sanctions lists and incidents of adverse media are digitised and published via APIs. |
| Approve client for onboarding | Customers scored as Low risk, or those High risk but who satisfy EDD screening, are approved for onboarding. | Medium - penetrating customer due diligence creates sufficient knowledge of customers to allow automation. |

As shown in the table above, many activities of a typical KYC process are candidates for automation. This is consistent with findings published in the June 2017 edition of McKinsey Quarterly: “McKinsey Global Institute (MGI) research suggests that companies can automate at least 30 percent of the activities in about 60 percent of all occupations by using technologies available today”. 

Redesigning and automating the KYC process with RPA and AI

In a redesigned and automated process, RPA and AI are applied to those activities identified above as having high potential for automation, and the new activity of “Codify KYC policy” is added. In the old process, KYC policies exist as business rules captured in paper or electronic documents which guide the work of KYC operations. In practice, this approach creates risk to the firm, as the senior risk professionals responsible for creating policies can only be certain these are consistently applied through constant oversight. Such policing, however, proves impossible to maintain, degrading to staff morale and expensive.

In the new process, KYC policies defined by the firm’s senior risk professionals are expressed in a new form, one that is readily understood by KYC professionals and by regulators, but also codified as a set of instructions to program a software robot. As well as automating tasks, this approach ensures that a KYC policy can be defined once and consistently enforced for every new customer. Additionally, policies are easy to amend, so the firm can respond with agility as regulations change.

The work of Customer Due Diligence (CDD) requires a KYC analyst to download information from multiple sources, compare facts on companies, shareholders and beneficial owners gleaned from each source and build an understanding that is comprehensive, consistent and accurate. This can be difficult, as each new information source requires the analysts to reassess and re-document their understanding. In the new process, RPA automates this work by extracting information in real time from multiple sources via APIs, and then analyses and merges multiple instances of the same legal entity (people and companies) represented in different data sources. Automation of this activity alone lifts the productivity of KYC analysts as due diligence work that previously consumed many hours is completed in just minutes by a software robot.
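The codified policy and the merging of source records described above can be sketched as follows. This is an added example, not code from the article or from any RPA product. The source names, field names, the name-only matching, the conservative default rating and the rule that a sanctions hit fails EDD are all assumptions made for illustration.

```python
# Assumed policy values; a real policy is set by the firm's risk professionals.
POLICY = {
    "required_sources": {"registry", "pep_list", "sanctions_list"},
    "default_rating": "High",  # assumption: anything not clearly Low is High
}

def normalise(name):
    """Fold case, punctuation and spacing so source spellings compare equal."""
    cleaned = "".join(c for c in name.lower() if c.isalnum() or c.isspace())
    return " ".join(cleaned.split())

def merge_records(records):
    """Merge records from several sources that describe the same legal entity."""
    entities = {}
    for rec in records:
        ent = entities.setdefault(normalise(rec["name"]), {
            "sources": set(), "owners": set(),
            "regulated": False, "pep": False, "sanctioned": False})
        ent["sources"].add(rec["source"])
        ent["owners"].update(normalise(o) for o in rec.get("owners", []))
        for flag in ("regulated", "pep", "sanctioned"):
            ent[flag] = ent[flag] or rec.get(flag, False)  # a hit in any source counts
    return entities

def assess(entity, policy=POLICY):
    """Return (risk_rating, decision) for one merged entity."""
    missing = policy["required_sources"] - entity["sources"]
    if missing:  # policy not fully applied: hand control back to an analyst
        return None, "refer: missing " + ", ".join(sorted(missing))
    rating = ("High" if entity["pep"] else
              "Low" if entity["regulated"] else policy["default_rating"])
    if rating == "Low":
        return rating, "approve"
    # High risk: approve only if EDD is satisfied (assumed: no sanctions hit).
    if entity["sanctioned"]:
        return rating, "refer: EDD hit"
    return rating, "approve after EDD"

# Constructed sample records; "pep" means an owner or director is a PEP.
RECORDS = [
    {"source": "registry", "name": "Acme Holdings Ltd.", "owners": ["Jane Roe"], "regulated": True},
    {"source": "pep_list", "name": "ACME HOLDINGS LTD"},
    {"source": "sanctions_list", "name": "Acme  Holdings Ltd"},
    {"source": "registry", "name": "Borealis Trading LLP", "owners": ["John Doe"]},
    {"source": "pep_list", "name": "Borealis Trading LLP", "pep": True},
]

def run(records=RECORDS):
    """Apply the one codified policy to every merged entity in a single pass."""
    return {name: assess(ent) for name, ent in merge_records(records).items()}
```

Matching on normalised names alone can merge distinct entities or miss renamed ones; a production process would also key on a registration number and route conflicting facts to an analyst.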

KYC remediation

Evolving criminal threats continue to drive new, increasingly stringent regulations. Firms operating in regulated industries are obliged to promptly update the KYC profiles of all existing customers in line with new requirements. Until this remediation is complete, firms are exposed to regulatory risk as their records reflect outdated or incomplete information. For a time, and in a bid to simplify the remediation challenge, rather than spend the time and money needed for penetrating KYC across their customer book, financial institutions chose to de-risk entire industry sectors considered to be high-risk by wholesale termination of relationships. Regulators sought to curtail this trend, which had a particularly severe impact on the FinTech sector, where it threatened to stifle the innovation so promising to banks looking to improve processes and drive efficiency. When RPA is applied to KYC processes, remediation is simplified and its costs dramatically reduced as hundreds or thousands of existing customers can be checked against the requirements of the new regulation as a single task.

Summary of benefits

The Fourth Industrial Revolution has created the conditions for automation of much of the work of KYC. RPA and AI reduce costs and improve the productivity of activities involving rote repetition and adherence to rules, while freeing human experts to apply their experience and judgment to accelerate customer onboarding and to protect firms against the risk of being used by criminals intent on money laundering.