Are we relying too much on KYC?

If you look around in the AML/CFT compliance space, you may have noticed there has been a lot of emphasis on the KYC part lately. Banks are staffing this process very heavily, as if by solving the KYC problem, half of the worries will just vanish! Being a professional who has been in this line of work for over 16 years, I see this as an alarming trend. KYC is just a part of the larger checks and balance and not the only major one. Please allow me to elaborate.

Current situation - KYC is not something new. It is one of the key and important aspects in our fight against criminal elements. This gives us first hand possibility to classify/check customers based on the risk appetite of the bank. If you notice the first few paragraphs of any regulatory fine (across the world) you will notice a heavy emphasis on the KYC part. Recently a major Dutch Bank (ABN AMRO) got penalized. One of the key reasons was a default classification (00-neutral) to their mass retail clients where the regulator pointed out improper/incomplete KYC. All this makes sense because this, as I stated earlier, is the first check. If you don’t even know your customer, all the follow-up processes (risk classification, periodic monitoring, transaction monitoring etc.) will be impacted down the line and for long!

The challenge - The issue I want to raise is the over enthusiasm of banks in putting too much focus on just the KYC part. For example ING (as per Trouw) hired as many as 4000 professionals after a fine of EUR 775 million was imposed on them. I think we are not playing smart, at least as smart as the criminals are. They know very well there are good enough checks and balances in banks at the entrance to have them flagged. Let’s be honest, even though we have smart machine learning/AI (the usual jargons in the market for any fancy solution) to help assist in KYC, banks still rely heavily on the documentary proof provided by clients. This approach allows almost every smart criminal pass the KYC checks with flying colors, moving the risk down the chain (Transaction Monitoring / Investigations). Let me explain this with two basic examples:

1. A criminal who wants to launder via money mules, will get all neat and clean customers (pensioners, students etc.) to get on boarded as clients. With nothing on any screening list and good enough documentation to support their occupation, these customers will get on boarded, with probably “low risk” and then continue on their supposedly good deeds. KYC process will not flag them as everything is in order.

2. This is another example for small businesses who get on boarded quite often. A smart criminal may open a company for the crime to be committed in future. With clean papers, good extracts from Chamber of Commerce and no bad press etc., this company will pass all the KYC checks and get on boarded with a “low risk” again. If the company may changes their line of business, their business activity etc., all will most probably go unnoticed unless Transaction Monitoring or Investigation teams pick up any usual red flags. Guess what, this did happen in the ABN AMRO fine case where a client owned more than 400+ companies and went unnoticed! Even during the pandemic, a lot of focus was on the “fraud aspect” of newly formed companies. However the real risk was around companies who were dormant (or with low activity) and then gradually started trading quite well (selling fake face masks for example).

The point I am making here is that banks are living in a utopia nowadays that solving their KYC process will help them keeping away criminal elements and have them stop “all cracks”. The discussions I have had, the news I read and the fines I have assessed point to this sad reality (too much emphasis on KYC). The truth is that (1) the smart ones will bypass all the checks and balances of KYC check and (2) the ones who are kicked out (or put on heightened supervision) will find another weaker bank to channel their activity through.

It may sound like a doomsday scenario, but in not so distant future we may have to find out the hard way, that banks are still heavily exposed, even though they had the best in class KYC processes!

Way forward - Of course there are so many things we can do. I would like to cite a good article I read on Forbes (The case against the Money Laundering Rules). I like the idea of allowing everyone to get on-boarded in your bank. If you get your Post fact monitoring (Transaction Monitoring, Investigations, Adverse media check etc.) checks robust, you can keep much better eye on criminal elements. There is a saying, keep your friends close and enemies even closer 😉.

If you are aware of the classical customer lifecycle, I see the shift moving towards Transaction Monitoring / Investigations in the near future. All these resources which have been putting off the fire in KYC will be moved as “investigators” trying to find/investigate/assess smart criminals. We will have to be prepared for the shift and think about this upcoming challenge.

I would like to summarize the KYC problem by relating to a blind date... Imagine you go on a blind date, meet the person ask for their passport copy, their salary slip, profession etc. (of course you won’t do, but think for a second). Even after assuring yourself that this person is a genuine person, there is no guarantee this person may not rob you at a dark ally while walking back home after a lovely dinner 😉.