The global compliance landscape is becoming increasingly complex, which means that effective remediation is rarely simple. According to Ihsan Hameed, senior consultant at Lysis Group, “Know Your Customer (KYC) remediation is one of the most important processes for the operations of financial institutions. It consists of updating and optimising client data to ensure that financial institutions remain compliant”.
The KYC remediation process is conducted to confirm that each client’s anti-money laundering (AML) risk has been assessed in a timely manner, and that the assigned risk rating is updated regularly as the client’s circumstances and the applicable KYC regulations change.
Remediation can therefore be defined as the process through which firms gather information from their clients through KYC, conduct risk assessments and build KYC customer profiles that highlight the highest-risk elements associated with each client. Once the initial data has been collected, client profiles need to be refreshed periodically so that any changes relevant to the customer risk assessment are recorded accurately.
The various levels of customer due diligence (CDD)
Ihsan stated that “Financial institutions, and other related industries in regulated markets, are expected to apply CDD measures to existing clients at various intervals throughout the business relationship as part of the end-to-end remediation process, but there are different levels of CDD”. Simplified due diligence (SDD in some regulatory texts, not to be confused with standard due diligence below) is the lowest level of due diligence and is reserved for the lowest levels of risk. It can only be used where there is little or no risk of the client or entity being involved in money laundering, and the firm must be able to evidence that the client is eligible for simplified treatment.
Standard due diligence (SDD), the baseline level of customer due diligence, is the most common level applied during reviews. Standard due diligence requires firms to identify their clients and verify their identities, and to gather enough information to understand the nature and purpose of the business relationship. This level of due diligence should give firms confidence that they know their clients and that the firm’s services or products are not being used to launder money or to facilitate any other criminal activity. SDD also requires ongoing monitoring of the client, which will surface any trigger events (for example a change of ownership, a change of jurisdiction or unusual transaction activity) that could warrant further due diligence checks.
Enhanced due diligence (EDD) is a KYC process that applies a greater level of scrutiny to potential business relationships and highlights risks that cannot be detected by SDD. It goes beyond SDD by establishing a higher level of identity assurance: in addition to the client’s identity and address, the firm gathers further information to evaluate the client’s specific risk category. EDD is designed for high-risk or high-net-worth clients and for large transactions, because these clients and transactions pose greater risks to the firm and to the financial sector as a whole. Such clients are subject to closer monitoring to ensure that their activities and business relationships are verified as legitimate.
Classification of risk
During the due diligence process different levels of risk will emerge. Ihsan indicated that “Generally, firms will classify clients into three categories of risk which include low, medium, and high risk. This is based on the client’s risk score and parameters. When conducting a risk assessment to categorise clients, firms need to ensure that they consider the nature of the client’s business, the jurisdiction where they operate in, their country of origin, the client’s sources of funds/wealth as well as the client’s overall profile”.
Low-risk clients pose minimal risk to the firm and are usually reviewed every three to five years. Firms will need to identify and verify any individuals or entities that own a 25% or more interest in any business or activities linked to low-risk clients. Medium-risk clients pose a higher level of risk than low-risk clients, and firms will again need to identify and verify any individuals or entities that own a 25% or more interest in any business or activities linked to them. These clients are usually reviewed every two to three years unless an event-driven review is triggered.
High-risk clients pose a significantly higher risk to firms and are reviewed on an annual basis. Firms will need to apply enhanced due diligence (EDD) to high-risk clients, ensuring that individuals or entities that own a 10% or more interest in any business or activities linked to high-risk clients are fully identified and verified. The review intervals and ownership thresholds above are typical figures; the exact values depend on the regulator and on the firm’s own risk appetite. Examples of high-risk clients can include crypto asset firms, oil and gas firms, the adult entertainment industry, the gambling industry, precious metal dealers and military/weapon dealing firms.
The importance of a risk-based approach
One of the key components in managing the cost of compliance is to follow a risk-based approach. A risk-based approach means having a clear understanding of the money laundering and terrorist financing risks to which the institution is exposed, and applying mitigation measures proportionate to the level of each risk, rather than applying the same depth of checks to every client. Applying a risk-based approach is very important when conducting client reviews, as it allows firms to concentrate effort on the clients and activities that pose the greatest risk while still remaining compliant across the whole book.
Ihsan concluded by saying that “Lysis Group can add immense value to firms by employing experienced staff that have extensive knowledge of financial crime remediation and are able to adapt rapidly to handle both simplistic and complex cases. This can go a long way in helping firms to achieve compliance targets set by global regulators and effectively address any backlogs by providing high quality output to meet firms’ compliance requirements”.