How Long does "Being Effective" take?

KYC & CDD Article written by

Julie Sefton Dip AML (MICA)

As a KYC Analyst, have you ever raised a SAR? Do you know how to raise one or have you seen one being done? Finding that needle in a haystack, reporting a suspicion, raising a SAR, catching the criminals – that buzz of satisfaction which justifies all that research work does in fact pay off.

We all know and are fully aware that in some organisations there is substantial pressure to hit delivery targets and move on to the next case – a bit like routine conveyor-belt work. But do we ever stop to think: “what value is being added, and are you actually being effective?”

The Financial Action Task Force (FATF) perspective is that ‘…the purpose of implementing anti-money laundering and counter-terrorist financing (AML/CFT) measures is to stop criminals and terrorists from abusing the financial system…Through effective implementation of these measures, countries can help trace and stop the financial flows linked to serious crime and terrorism, and make society safer…’

This ideology is transposed within countries around the world whose prime effort in the fight against financial crime is the development and implementation of sound laws, rules and regulations. The enforcement of such initiatives is exemplified by, and derived from, the execution of high-level objectives within competent and effective AML/CTF frameworks. How effective an institution’s financial crime preventative measures are is anyone’s guess – let’s take a look at this scenario.

It was recently claimed by a certain ‘challenger bank’ that a customer can open an account in five (5) minutes. Well, that doesn’t (or shouldn’t) suggest that the KYC Risk Assessment and the full onboarding process take minutes, does it? Because the only thing you can really do in that time frame is boil an egg, or make a good cup of tea, right!

Turning back the clock

I’ve been in the business of KYC and AML for a long time, right through the days when risk assessment files were paper-based, and the internet did not exist. Things were much simpler back then. There were no distractions, no fake news, no social media, no Google. God, I missed those days!

You just had to read the Financial Times and speak to the salesperson for a client opinion. Relationships were face to face. The Bank manager invited the customer into his office – walking through the deep pile carpet to be served a shot (or two) of whisky from the secret cupboard behind his desk. At one point, I was a Foreign Exchange cashier, dealing with currency, cheque negotiations, telegraphic transfers, and Letters of Credit. The highlight of the week was serving famous people, from Trevor McDonald of the News at Ten to the likes of Ron Dennis from McLaren!

As a Corporate Manager’s Assistant, I had a portfolio of 100 clients. I knew their account numbers by heart, and their voices as soon as I answered the phone. They sent gifts to us at Christmas time to say thank you for our good service, which were appreciated. No gifts and entertainment policy back then either, come to think of it!

Working in the City in 2001, I found myself in the role of a KYC Analyst, and I recall that on one occasion I had to call a customer to ask for his Annual Report. What I didn’t realise back then, but I do now, was that this gentleman was a well-known tax evader, and number 1 on the Top Ten Most Wanted List! Well, a week later, he did send me his Annual Report, and it was also audited by one of the big auditing firms!

As an experienced KYC/AML Practitioner, you become clued-up, intuitive and effective at your job when your expertise shines through your sheer knowledge, skill and experience of the situation rather than over-reliance on software tools. Your ability to conduct good old-fashioned research, your awareness of the issues and concerns, and knowing what you cannot find lead you to ask the right questions. So, how do you keep up to date with what is going on?

The use of Tools

Using tools and services to better understand your client depends on adopting a balanced approach. This means assessing what we have about the prospect client, as provided by the said prospect, against what we use at our end to either corroborate it or perform further checks, in order to paint a better, more accurate picture of who the prospect client is and to understand the risk profile and likelihood of our engagement with them. The tools I use to keep me up to date include the likes of KYC 360, KYC and AML Leaders, LinkedIn, Google Alerts, Transparency International, Global Witness, ICIJ, UK Finance, Kharon, ACAMS, ICA, Mr Watchlist, FCA, IMLPO and Themis.

Life is like a box of chocolates. You never really know what you are going to get! Knowing Your Customer (KYC) is a holistic process and customer risk changes over time. In my view and from experience, it is really not about collecting the data to go into the data fields, but rather knowing what you are looking for, asking the right questions and properly risk assessing the situation.

Think about the client as your ‘best friend’. How would you describe them to someone else – can you describe them? Conflicting scenarios and information need to be considered and ironed out when comparing the documents with the available data on a website for instance. So, how should you as a KYC Analyst think when carrying out your role?

The thought process of a good KYC Analyst

A seasoned professional KYC Analyst needs to be agile, up to date, methodical and focussed. He or she needs to be able to determine what is relevant and what is not, and to discern reality from perception.

A KYC Analyst should be able to conduct preliminary risk assessments and determine the risk levels of the client before performing a full due diligence check.

They should be able to look at a legal entity type such as an LP (Limited Partnership) and discern whether or not it is a fund or a private company – the trick being that a firm might appear to be a ‘Private Company’ but, in reality, it is a ‘Private Investment Vehicle’.

Going further into the due diligence process, the KYC Analyst should be able to look at a client’s name and determine if this is a full legal name, which type of entity or legal form it is, which jurisdiction it is registered in and trading from, did they have a previous name, who is (or are) in charge of the ‘day to day’ decision making in the company’s affairs, who sits behind the company, what are their full names, do they have dual nationality, are they on a sanctions list, are they PEPs or do they have negative adverse media that might be of concern to the organisation?

With the use of appropriate tools, the KYC Analyst should be able to analyse screening results and discern what is a true match and what is a false positive. All these variables drive the thought process of a seasoned KYC Analyst – they trigger possibilities, concerns, red flags. So, what are these concerns?

Red Flags and what they constitute

The term ‘red flags’ refers to signs or signals of non-compliant behaviour. They serve as triggers or risk indicators that point to an event, action or circumstances which suggest to the KYC Analyst reviewing the situation that some illegal or improper conduct has occurred or may occur, which could affect the overall risk assessment of a potential or existing client of an organisation. Let us take a look at a few instances in which this may occur:

Getting a feel of who your prospect client is starts from the basic style of questioning: who, what, why, where, when and how. Determining red flag incidents comes with analysing client, product and geographic risk elements such as:

– Understanding the entity: who are they, what do they do, do they have a website, does the simplicity or complexity of the information on their website justify what they claim they do, where are they registered, do they have a physical presence so we can rule out the possibility of a shell/shelf company, how often have there been changes of corporate name or directorship information so we can eliminate the potential of tax evasion, litigation concerns etc.

– Nature & Purpose of the Relationship: does it make sense, and is it plausible and logical? Do the preliminary meetings and interviews with the Relationship Manager justify why company X, Y, Z wishes to open a particular type of account for a particular product?

– Size and Nature of the Transaction: What are we going to be accepting as ‘normal’ for Transaction Monitoring purposes? An unexpected or undocumented spike in transactional activity will trigger a block and raise suspicion – clearly a red flag incident that something unexpected has occurred and requires further investigation, verification and perhaps an update to activity trends if deemed genuine.

– Website Presence: In today’s world, almost everyone or every entity has a web presence, advertising who they are and what they do. A fake, misrepresented or hyperinflated presence is nothing surprising, but it is a clear red flag incident which requires you to ask the following – who is the client? What do they do? Who with? Where? Is the website recently updated? Are there real human beings visible on the website, with phone numbers to call, and addresses to visit?

– Annual reports: Often associated with Listed entities i.e. Plc or LLPs and LLCs, annual reports are an encyclopaedia of information about a company and “yes” they do have to be read, as they contain a plethora of evidence and information such as Legal name, trading name, registered number, directors, nature of business, ownership, controllers, source of funds, financials, revenues, addresses, biographies, Sanctions, even adverse news. The question is: can they always be a trusted source and relied upon? Remember the likes of Enron and Bernard L. Madoff Securities LLC. Their Annual Reports and figures did look professional and detailed after all, but knowing what we know now, checking who the lawyers, auditors and accountants are can very well help distinguish between what is normal and what is suspicious and an incident for review.

One of the main pillars of the European Union’s legislation on combatting Money Laundering and Terrorist Financing, EU Directive 2015/849, implores banks and other gatekeepers under article 18a of the said directive to apply enhanced vigilance and control measures and perform extra due diligence in business relationships and transactions involving high-risk third countries, examples of which include the likes of Afghanistan, DPRK, Iran, Iraq, Pakistan, Syria, Trinidad & Tobago, Uganda, Vanuatu and the Yemen.

One of the key red flags is in the type, nature and complexity of a prospect or existing client’s business activity. The nature of the goods or services delivered or performed is intrinsically tied to their source of income and wealth, and if the source of earnings is classed as high risk and of concern then there may be consequences from an operational, legal, regulatory and reputational standpoint. Examples of such activities include but are not limited to the likes of mining activities, dealing in cryptocurrency trading, oil & gas extraction and production, and dealing in dual use goods. Your queries then get directed to issues such as – what does the client do, with whom, where, how and why?

Both terms are often misunderstood. Source of funds points to regular income coming in at regular intervals from the business activity. It could also signify capital for starting up a business or intermittent cash injections into the business. Source of wealth, on the other hand, points to the overall collective assessment of a client’s net worth over time. Both require an understanding of the veracity and satisfactory plausibility of their source or region of origin. Any indication that funds are illegal, illicit or tainted raises a concern or red flag scenario.

The socio-political and economic might that sanctions from OFAC, HMT, EU and UN pose on due diligence is often heavily understated. Entities, individuals, groups, countries or vessels that have one form of economic, financial or trade embargo listing in any of the above main sanction listings create a cause for concern. The 50% OFAC rule is a clear example of the complexities of unwrapping direct and indirect ownership and understanding the principles of dilution in determining who owns what and how a freeze can be applied by the regulators to X, Y, Z property or chattels owned by persons on the OFAC SDN listings. A classic example is when Sberbank bought Turkish Denizbank in June of 2012. Being a blocked entity of concern by OFAC in 2014, its more than 50% ownership of a Turkish entity drew the attention of the regulators.

How much do we know of the people who control the day to day activities of the company? Are they actually the persons pulling the strings? Are they actually working for a Corporate Trust Service Provider (CTSP) on some remote island and, if so, who is really calling the shots? These issues connote the importance of identifying the right people and conducting checks on directors, settlors/trustees/designated members who allegedly control the affairs of a company.

In much the same fashion as understanding persons who control the activities of companies, we also need to know the people who allegedly own the company, often referred to as beneficial owners. Hiding illicit funds, beclouding the identity of the ‘true owner’ and distancing oneself are characteristic features around money laundering which are intertwined with the identity of the UBO. Where clarity, transparency and certainty in identifying ownership prove difficult and unclear, there is bound to be a red flag incident. Problems we encounter include capturing true ownership behind usufruct ownership, bearer share instruments, complex ownership structure charts, circular ownerships, ownership by proxy situations etc.

By far one of the most interesting problems for a KYC Analyst or Compliance Officer, but gold dust to the frontline staff members because of the wealth, power, information and influence that individuals within the PEP category possess. Issues that may pose concern, raise an eyebrow and signify a red flag incident include having a PEP in your ownership or control structure, discerning the risks from RCAs (Relatives & Close Associates), the sleeper PEP identity crisis, determining how you assess risk between a good PEP and a bad PEP etc. You cannot achieve your goal until you understand your firm’s PEP policy, interpret industry standards i.e. 5th & 6th EU AML directives, conduct robust PEP checks and avoid over-reliance on 3rd party tools. Corroborate evidence from search engines, 3rd party tools and good old common sense investigations.

As the saying goes, “timing is everything”. Part of the job that comes with experience is knowing when and why a prospect is approaching your organisation for business engagement. You tend to question the timing and see if it makes sense, whether it is plausible and whether or not the prospect’s intentions are transparent and genuine. Examples of red flag concerns linger on thoughts such as – why now, what’s the purpose of opening the account, were there any banks before ours, is the request for the account / transaction coming to the Salesperson just before a busy time, such as Easter, Christmas, or a festival where staff numbers are low or stretched? Are dubious characters opening accounts in regions with lax laws and regulations at a time when the world is experiencing a pandemic?

Today’s Problems – scalability & risk management:

With an increase in population, globalisation and expansion in the numbers of people gaining access to funds, credit and business opportunities, there is a realistic expectation that account opening poses an operational risk management nightmare.

Staff have to cope with opening accounts and performing effective due diligence checks. So how do you plan for the volumes, to ensure workload is spread evenly at account opening, due diligence and at periodic reviews?

(1) Speed of Onboarding:

The formation of a robust KYC Risk Management framework, access to highly skilled staff and the use of relevant and able tools for KYC, screening and document search can assist with speeding up the process.

(2) Use of technology:

The JMLSG guidance makes it clear that firms can use electronic sources to verify a customer’s identity, provided that they have both –

(a) verified that the customer; and where appropriate, the beneficial owner, exists; and

(b) satisfied themselves that the applicant seeking the business relationship is, in fact, that customer (or beneficial owner)

The latter point is particularly important in order to mitigate impersonation fraud, which is of significant concern when the issue of positive identification is at stake such as engagement with non-face-to-face customers.

On the issue of using technology to speed up the risk assessment, verification and onboarding process, it is clearly evident that firms will have to consider the specific risks posed by their customers as they use alternative modern technological ways of proving identity, such as electronic biometric verification of government-issued documents and customer use of “selfies” or “videos”. In instances where some firms do not possess or have access to this functionality, or where it would not be appropriate, the FCA has also identified the following additional measures:

(i) accept scanned documentation sent by email, preferably as a PDF;

(ii) place reliance on due diligence carried out by others, such as the client’s primary bank account provider, where appropriate agreements are in place to provide access to data;

(iii) use commercial providers who triangulate data sources to verify documentation provided;

(iv) gather and analyse additional data to triangulate the evidence provided by the client, such as geolocation, IP addresses, verifiable phone numbers;

(v) verify phone numbers, emails and/or physical addresses by sending codes to the client’s address to validate access to accounts; and

(vi) seek additional verification once restrictions on movement are lifted for the relevant client group

A combination of these measures will probably need to be implemented in order to adequately verify an individual customer or UBO. Well, that’s it from me, from my desk in the UK, at home during lockdown.

I guess it’s now time for a cup of tea…!