KYC Process – A Primer for FinTechs
February 14, 2020
Organizations that offer some form of financial services are (most likely) required to comply with anti-money laundering (AML) regulations. Several aspects are key to complying with AML (e.g. the AML pillars). One of them is a program to understand the customer you are dealing with, what risk they pose to your business, and whether you are allowed to deal with that customer or not. These KYC process requirements are expressed in several forms in the literature: Customer Identification Program (CIP), Know Your Customer (KYC), Enhanced Due Diligence (EDD), Customer Due Diligence (CDD), Ultimate Beneficiary Ownership (UBO). These are not the same thing, and there are nuances and context that are appropriate to each one of these terms. However, in general, most compliance operational teams refer to it as their “KYC operations”.
About the KYC Process:
What is it? Why is it important? What are the general components?
This article is about how FinTechs design, implement and execute their KYC operations, and how they drive efficiencies in that KYC process. The KYC process is, in general terms, the process of evaluating the risk of a potential client during onboarding and throughout its lifetime. A robust KYC process is important because, well, first, it is the law and you don’t want to be fined. Second, because you don’t want to expose your organization to financial and reputational risk. And last, but not least, and perhaps most important, you want to protect the financial system from being abused by nefarious actors.
We can think about the KYC process in three steps or components:
1) Customer Due Diligence: what you do during onboarding for all clients. In essence, you evaluate the risk by performing a combination of activities that include identity validation, fraud analysis, and sanctions/PEP screening.
2) Enhanced Due Diligence: if the individual or business is considered high-risk, then you have to perform a deeper analysis of the client. This includes adverse media, negative news, source of wealth and funds, etc.
3) Monitor: there are two reasons why you monitor. First, high-risk clients must be monitored, and this is part of the EDD program. Second, a client’s risk profile may change over time, their accounts may be compromised through Account Takeover, and other risks may arise, so it is important to understand these changes and adjust your policies.
Supporting these steps or areas of the KYC process are documentation and reporting. All activities must be properly documented; during audits and exams you’ll be asked to explain all (or a sample) of the decisions you made and show evidence that supports those decisions. And you may need to file Suspicious Activity Reports (SARs), or the equivalent within your jurisdiction(s), when suspicious activities are detected and there is reasonable data to support it.
In this article we unveil some of the results of a survey we conducted on our current client base using our KYC platform for at least 1,000 monthly onboards. A total of 20 clients responded to the survey.
Team Size & Structure
FinTech organizations under 1,000 employees have KYC teams as part of their overall compliance team. Their compliance operations are staffed with up to 10 employees across Analyst, Compliance Manager and Officer roles. Identity Proofing and Reporting features are the more important ones for driving efficiencies, and their challenges are in continuing to achieve greater automation and reducing the time for manual reviews during the enhanced due diligence KYC process flow.
Depending on the size of your business and your KYC procedure, your team structure may be different. Small organizations rely on a knowledgeable compliance officer and employ a couple of analysts, while larger organizations can have multiple roles including analysts, senior analysts, compliance managers and compliance officers. In general, as you would expect, the size of the company is relative to the size of the team. However, there seems to be interesting scaling as the company gets bigger. Companies over 50 employees all have teams of 7 – 10, while companies under 50 employees split the same percentage between teams of 1 to 3, and 4 to 6.
While there seems to be a minimum reasonable team size, the growth of the team is predicated on how many new clients come onboard on a monthly basis, and the size of the overall client base. The more new clients are being onboarded and the bigger the client base, the more time spent in EDD processes.
There are many classes of technologies that may play a role in supporting KYC operations. While there is not necessarily a unique agreed taxonomy, I am borrowing from how our clients refer to them. We asked our clients to choose which features drive efficiencies in their KYC operations and KYC process flow. For presenting results, we have aggregated them into three categories: Identity Proofing, Workflow, and Regulatory Reporting. (All of these features are available within the IdentityMind Platform.)
Identity Proofing
- Dynamic risk categorization. Enables calculating the appropriate risk profile to evaluate a user or transaction based on the real-time customized risk matrix.
- Integrated third-party vendor solutions. Ability to access data and technology providers within the same platform.
- Integrated risk and fraud. Inform the KYC process with risk assessment and fraud prevention.
- Integrated sanctions/PEP screening. Ability to integrate sanctions and PEP screening into the workflow process.
- Operational workflow support. Ability to create users and roles, and define escalations within the platform that facilitate communication across users and decisioning for the KYC process.
- Case management. Functionality to take alerts and exceptions into proper cases that can be analyzed, reviewed, and reported if necessary.
- Analyst performance report. A report that quantifies analysts’ activities and compares them to the overall team statistics.
- Open API for workflow management. Manage queues and cases through APIs to allow external systems to move operations along.
- Multi-jurisdiction process management. Record and enforce different timelines for alert resolution and reporting based on each configured jurisdiction.
- Integrated corporate email. Connect with corporate email system to create templates of communication to customers to support record keeping and collection of documents.
- Integrated SAR filing (or equivalent). Produce well-formatted SARs (and the equivalent in other jurisdictions) and enable tracking and electronic filing as allowed by the regulatory entities.
- Reports for auditors. Specific workflows and views into the system data to facilitate and support regulatory and internal audits.
Many clients that knock on our doors (virtually and in one case literally) start out with a discussion about how they are looking for an individual point solution to address their KYC process needs. These conversations may start with questions about automated document verification (e.g. automatically evaluating the validity of a passport, a driver’s license, or any government-issued form of identification, and extracting the data in it), or identity data verification (like comparing name and address to a credit bureau). The more sophisticated and experienced clients know that, in all likelihood, they need several identity verification technologies. And they know that their KYC programs need to cover multiple dimensions: data verification, document validation, data analytics that leverage their internal data, and risk and fraud prevention techniques. These classes of solutions are referred to as Corroboration Hubs (Gartner) and/or Orchestration Hubs (AITE Group). There are important economic benefits to having all these functions integrated, and there seems to be an appetite from firms to move in this direction. In the recent report from AITE Group, “Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility”, the IdentityMind platform ranks at the top of their maturity level model. It aligns well with our clients’ results (see KYC Efficiency Feature Set graph above), where 90% chose integrated third-party vendors, 80% integrated Sanction/PEP screening, and 70% integrated Fraud.
Clients can develop their own home-grown hub of solutions, and some do, to perhaps later realize that they are hard to maintain and the cost of dealing with multiple vendors skyrockets as new requirements come into play (e.g. geographic expansion, risk profile diversity).
No matter how automated your client online onboarding process is, and assuming you are a normal KYC operation, your team performs manual reviews and operations as part of your program. If that is the case, you need the KYC process flow, and the tools and technology to support these reviews. For our average FinTech client, manual reviews represent between 5% and 10% of their total volume. Compliance teams spend roughly between 4 and 6 minutes reviewing an application that has failed the automated portions of the onboarding process. While there are many disparate reasons why the automation may not have worked, the ones we see most are:
- Sanctions/PEP screening matches
- Poor image quality when taking government-issued identification pictures
- Potential identity fraud
You can access the following resources to learn more about these three issues and how to address them:
- Sanctions/PEP screening. Case Study: Why Getting 6,000 Sanctions Screening Matches is a Good Thing
- Image Quality. Document Verification with the IdentityMind Platform
- Identity Fraud. Addressing Account Takeover With the IdentityMind Platform
Regardless of the size of your operation, you need KYC process steps, and you must record what you did and the reasons for taking those actions. EDD and UBO processes also require you to have specific manual processes that need to be registered and audited. These processes are triggered because the risk profile of your clients is high, or because you need to establish source of funds or wealth, or uncover a complex scenario of ownership of shell companies to identify the actual beneficiary of an account. These KYC processes require document collection, and these documents and everything you did have to be available for regulators when going through regulatory audits. Many (small) teams start out by using shared spreadsheets and documents. We have talked about the challenges of these solutions before. As your operations grow, and likely your team also, you will look for better solutions like ticket or case management systems, where you can automatically create and manage queues, roles, etc. Solutions offering these features are usually better at detailed reporting and analytics, which allow you to monitor your team’s performance more efficiently. For example, by using our performance analysis report, one of our clients was able to quickly identify which team members needed additional training, while another was able to identify which team members needed to be transitioned out for below-average performance.
Very few solutions in the market provide clients with integrated regulatory reporting. The specifics of the reports you need depend on the jurisdiction you are in. For example, suspicious activity reports (SARs) in the United States need to be filed to FinCEN, and to the National Crime Agency (NCA) in the United Kingdom, suspicious transactions reports (STRs) to FINTRAC in Canada, and reportes de actividades relevantes y sospechosas to the Comisión Nacional Bancaria y de Valores (CNBV) in Mexico. These regulatory entities have or are moving towards electronic filing. Platforms like ours can then integrate the forms and the filing process to the regulatory entities. Most of these reports have very similar implementation requirements:
- They need to be tracked
- There is a time by which they need to be filed
- There are restrictions as to which team members can execute them
- You need to provide evidence of your processes to regulators
From the user’s perspective, one of the major benefits is the guidance on how to file the SARs (or equivalent) forms and the ability to leverage the information gathered during the investigation to populate those forms. Technology in general is moving towards facilitating even the free narrative description in the SARs to further expedite the process.
Growth & The Need for Efficiencies
There can be many challenges for FinTech firms to adequately grow their business. These challenges are intertwined with the needs of compliance teams, and they most certainly impact overall KYC operations. As these firms grow their client base, and some of them experience explosive growth, the key is to achieve a high degree of automation. Our average FinTech client achieves between 90% and 95% automation in the onboarding process. And yet 80% of the respondents still believe that their top challenge is automation.
This is reasonable when we look at the next two challenges: Manual Reviews/EDD (at 60%) and lack of technical resources (at 40%). Most EDD processes are highly manual. They may require long cycles from the operations team. Depending on the CIP program they may require involvement from different team members. Even though some of the tools may be available, compliance teams may not have access to the technical resources needed to integrate them into their daily operations backend along with the internal data sources that may be required for better automation.
KYC compliance operations are fundamental, and regulatory requirements for FinTechs are no different than for traditional financial institutions. What changes between one and the other is how compliance teams are structured and how they scale. FinTechs’ ability (and willingness) to adopt newer technologies gives them an edge in how much their compliance teams can execute and how many clients they can manage at a lower cost. The availability in the market of orchestration and corroboration hub platforms comes at a great time to fulfill identity proofing needs, which can be further enhanced with strong workflow operations support and regulatory reporting. The IdentityMind platform continues to push the envelope in all three of these areas, driving efficiencies in its large FinTech client base.