How to choose KYC software
Forgive your enemies, but never forget their names (John F. Kennedy)
Last week, I walked into a bank in Miami to open an account when the customer representative held up a little hand-held camera and took a picture of my face. He then asked me for my social security number. Within seconds, a green light and a risk rating of "3" appeared on his screen, giving the account clearance. This number was based on a profile he kindly showed to me. It revealed my complete personal information, such as date and place of birth, current and previous addresses, names of my parents, siblings, their spouses and children, my current and previous employers, involvement with charitable organizations, the last ten countries visited, value of property owned, average monthly transactions over the last 36 months, and results of cross-checks with app. 300 governmental lists like OFAC, FBI, Interpol and the DEA. He explained to me that this was the bank's new state-of-the-art Customer Identification Program, using iris recognition as the key to the identification process.
When I asked the clerk for the name of the software vendor for this product, I unfortunately woke up and found myself back in today's KYC reality.
KYC reality is that many financial institutions already have AML and KYC procedures in place. However, the USA Patriot Act increases both the number and scope of regulations. Altogether, there are eight new required regulations and six discretionary regulations in 10 sections of Title III. The law also codifies Basel Committee requirements that systematic customer due diligence becomes a key component of a bank's risk management procedures. In light of these new requirements, AML and KYC procedures should now be revisited, and in most cases updated and strengthened. This article is meant to help you with this difficult task and provide you with a market insight about solutions available today.
Compliance as a tool of risk management
Traditionally, compliance was categorized as a defensive tactic focused on complying with check-list requirements of mandatory reporting and other regulations. Nowadays, compliance solutions are moving to center stage as a key tool to ensure the quality of a bank's reputation and integrity in the market. Virtually every Anti-Money-Laundering conference emphasizes the importance of recognizing compliance as a risk management tool and taking a risk-based approach to money laundering and terrorism financing.
This paradigm shift sounds easier than it is: a risk-based approach requires a two-step process, and both steps prove equally difficult. First, a financial institution needs to identify its vulnerabilities and high-risk areas. Second, it has to choose the right compliance tools to minimize those vulnerabilities, which is the focus of this article.
A wide variety of Anti-Money Laundering products are available today. At a baseline level, AML systems automate mandatory legal and regulatory compliance requirements and support the necessary enhanced due diligence and Know Your Customer policies. They must provide reasonable methods to identify suspicious transactions, as well as provide scanning and filtering technology that searches for black-listed clients as well as senior political figures. Consequently, there are three major types of AML solutions in the US market today:
- Case Management or Record-Keeping Systems,
- Transaction Monitoring Systems,
- KYC or Customer Identification Solutions.
All three are essential parts of any AML system and, in an ideal world, work embedded in an information management system as an integrated solution; nevertheless we will mainly focus on the KYC solutions.
Case Management or Record-keeping
These products are designed to track information and report it to regulators or other national authorities. Case Management products are "after-the-fact" products that meet several mandated BSA requirements and can be helpful in investigations. Selected vendors include Atchley Systems and Syfact.
Transaction Monitoring
These solutions come in two forms: rule-based products and intelligent systems. Rule-based products detect transactions that fall outside the expected, pre-defined norm for an account. Intelligent systems use approaches such as risk scoring and neural networks to identify suspicious activities; typically, they look at a transaction in its context rather than at the individual transaction in isolation. In light of the recent penalties against Broadway Bank, New York and Banco Popular, Puerto Rico, every financial institution should look at transaction-monitoring systems. Selected vendors include Prime Associates and ACI Worldwide (rule-based products) and HNC/Fair Isaac (intelligent systems).
Customer Identification/Know Your Customer
International legislation requires financial institutions to "determine whether a customer appears on any list of known or suspected terrorist organizations". Furthermore it asks for "additional due diligence" (for) "Politically Exposed Persons". The USA PATRIOT Act establishes bribery of a foreign public official or the misappropriation, theft or embezzlement of public funds by or for the benefit of a foreign public official as a specified unlawful activity predicate for the crime of money laundering.
Thus, the market offers two different kinds of solution. First, you will find products that identify individuals or companies which have been black-listed by governments; second, there are products that identify Senior Political Figures. The majority of vendors offer solutions for identifying black-listed clients; only a few vendors have touched the problematic area of identifying senior political figures. Selected vendors include:
- OFAC Filters and Trackers
- Senior Political Figures: WorldCompliance
The final regulations for section 326, as well as section 312, USA PATRIOT Act are expected in the first quarter of 2003, thus every financial institution should start reviewing these solutions now to be able to decide quickly on the appropriate solution once the final regulations are issued.
How to choose the right solution
To find the right solution means to select the vendor which offers the best product for the budget and risk profile of your financial institution. In terms of budget, you will find solutions that start at a few thousand dollars when used via the Internet, and you may find products that cost above US$ 100,000 when the software is purchased for integration into your own systems. In terms of risk, apart from reputational risk, you face risk in a number of categories, three of which are particularly relevant in today's market environment:
a) terrorism and narcotic trafficking
b) money laundering and fraud
c) corruption
All three categories carry significant risks. Involvement in terrorism and narcotic trafficking is certainly the most threatening of the three, with criminal investigations and severe monetary penalties being likely, apart from potentially fatal reputational damage. Money laundering is treated as a criminal offense by the PATRIOT Act and thus leads to similar consequences (see Hamilton Bank, Miami). Furthermore, for a foreign financial institution operating in the US, any willful involvement in terrorism financing or money laundering might lead to the death penalty: the cancellation of its banking license. Inadvertent participation in fraud is potentially dangerous and costly, as Bank of Bermuda learned last year: for its affiliation with the fraudulent Cash for Titles scheme, the bank settled a lawsuit for in excess of USD 67m. Currently, the US broker Bear Stearns finds itself as a plaintiff in a lawsuit seeking damages of USD 200 million. Bear Stearns, in its function as the custodian of the fraudulent Evergreen Security mutual fund, is accused of not performing adequate due diligence on the fund, which was operating without a license and is now defunct. The third category, corruption, is probably the most prominent one so far. Many Swiss banks learned the negative consequences first hand after Politically Exposed Persons like Vladimiro Montesinos or Sani Abacha used them to deposit corrupt funds.
All risks identified - terrorism and drug trafficking, money laundering and fraud as well as corruption - pose the danger of an undesirable outcome. The market today offers solutions protecting you in different segments; certain products address certain risks as the following chart displays.
Since the PATRIOT Act focuses on terrorism, you will find that many products concentrate on lists that contain names of terrorists or criminals, such as OFAC, FBI, Interpol, World Bank, EU Terrorists and UN Terrorists, to name the most important ones. Thus, those products mainly protect you from the risk of inadvertently financing terrorist activities. This represents the baseline approach to risk management. The next level of risk requires the consideration of lists that specialize in money laundering or fraud. Examples would be the SEC, CFTC, NASD, UK FSA, Bank of England, Commission des valeurs mobilières du Québec, Argentina's Comisión Nacional de Valores and Bolsa de Valores de Lima, to name but a few. On a global scale, there are more than 400 major governmental lists that reveal money laundering and fraud. Naturally, the more lists you consult during your due diligence before accepting a new client, the lower your risk of doing business with a black-listed individual or company.
So, how can you determine which software solution is right for your institution? Because the market is so young, there is no standard that allows for an easy comparison of the different products. Marketing material is in many cases misleading and often highlights questionable accomplishments. Any comparison is therefore difficult and requires a guideline, which is set out below.
- Determine which risk you want to combat
This has to be the first step for any risk-based approach. Depending on the risk you feel is most important, you will narrow down the search for a possible vendor. For example, if you want to minimize your involvement in money laundering, an OFAC filter will not help you significantly, as this list focuses on terrorism.
- Do your due diligence on the due diligence provider.
Research who is behind the company and what his/her expertise in the field of banking and compliance is. Remember, you are relying on his/her expertise. Any KYC product is only as good as the entries in the system.
- Question the marketing material and ask for specifics
Read the marketing material carefully. Last year, the Associated Press stated that a vendor had "15 of the nineteen terrorist hijackers in its database prior to September 11". As we all know, statements that sound too good to be true usually are. Another vendor states in its material that its search combines information from over 400 million files/records. You might want to ask how many of these sources really relate to fraud or money laundering.
- Request transparency about the sources
"The secret to creativity is knowing how to hide your sources" (Albert Einstein)
You need to know exactly what kinds of lists are included in your product. At a minimum, request a list of the databases for your own records. Just imagine a regulator asking you about your KYC solution and having to answer with a vague statement about its coverage. A statement like "our system monitors several thousand web pages" does not contain the information needed: those pages could be official governmental sources, newspaper articles, or privately maintained newsgroups. The type of source determines the quality of the database, which is why you need to know.
- Ask for specifics on the number of entries
Another criterion for comparing vendors is the number of black-listed individuals and companies. For example, a package of OFAC, FBI, EU Terrorists and UN Terrorists typically lists fewer than 50,000 names of unwanted customers. Obviously, the more names of terrorists, money launderers and fraudsters your solution hosts, the lower the risk of doing business with people who pursue those activities.
- Determine how often the database is being updated and verify this statement
You want to make sure that the database is updated on a frequent and regular basis. A gap of 48 hours between a change to the underlying source (e.g. FBI Most Wanted) and the vendor's database appears to be the market standard and should be sufficient. You can test such a quality statement by looking up the latest change to the OFAC list and then verifying when that name was added to the vendor's list.
- Request a demo
It is very common to receive a fully functional demo prior to the purchase. Test the system for usability, presentation and reliability. Ideally, you run several demos at the same time and compare features and content.
- Check a prepared list of names
Prepare your own list of approximately 30 known terrorists, money launderers and fraudsters and use it as a sample to test the products. This allows you to quickly identify strengths and weaknesses in each vendor's product.
When following these eight recommendations, your challenge of selecting the right solution for your KYC program becomes much easier. As a result, compliance will find a new position in your financial institution in which it becomes part of risk management on a total enterprise basis.
There are a number of reasons for a risk-based approach; here are three really convincing ones:
- 5 Million USD Fine for Broadway Bank, New York in November 2002
- 4 Million GBP fine (approx. USD 7m) for Royal Bank of Scotland, London in December 2002
- 21.6 Million USD fine for Banco Popular, Puerto Rico in January 2003
While these penalties were issued due to failure to comply with certain regulations of the Anti Money Laundering laws, the investigations into the US Banks were criminal investigations emphasizing the importance of risk considerations for AML programs.
So, how far away are we from the vision of an automated due diligence solution that verifies the identity as well as the past of a potential client? Unfortunately, reality is that we are not very close to this vision, since different countries have different privacy laws. While the USA has a social security number, which allows a central gateway to personal information, many countries do not have a comparable system. This is why it will always be a challenge to determine whether J. Doe, who was charged with money laundering in Bermuda, is the same J. Doe who attempts to open an account with your branch in Miami.
In fact, every institution will have to make a decision about its tolerance of False Positives and False Negatives. A False Positive is the issuance of a red flag because two individuals share the same name, one being black-listed and the other being your client. A False Negative is the lack of a red flag, meaning an oversight of the system that leaves you with a black-listed client. False Positives and False Negatives are negatively correlated: if one is low, the other is automatically high. This is illustrated by the following chart.
From a risk perspective, it is not the False Positive to be concerned about; it is the False Negative. The False Positive requires additional research but the False Negative might trigger an investigation, penalties, legal fees and reputational damage. Thus, every financial institution needs to determine how much risk of accepting a black-listed client (a False Negative) it wants to accept.
Due to the negative correlation, no system is going to be able to eliminate False Positives and the necessary manual research. Any financial institution, therefore, needs trained compliance personnel, capable of reviewing the findings of a KYC software solution, rather than searching for the silver bullet. After completing this assessment, an automated or manual screening of the client database can lead to the desired level of protection and support the daily operations rather than make them more difficult.
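The trade-off described above, and the "check a prepared list of names" recommendation earlier in the article, can be made concrete with a small screening script. This is an added example, not code from the original article or from any vendor it names: the watchlist, the applicant names and their ground-truth labels are all constructed sample data, and the scoring rule (accent-folded, token-sorted string similarity with a threshold) is an assumption chosen to make the False Positive / False Negative behaviour visible, not a description of any product's matching logic.

```python
"""Watchlist name screening with an adjustable match threshold.

Added example; not code from the original article or from any vendor named in it.
All names below are constructed sample data, and the similarity rule is an
assumption chosen for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for a vendor's black-list database.
WATCHLIST = ["Jonathan Doe", "Maria Gonzalez", "Abdul Rahman Ali", "Acme Trading Ltd"]

# Constructed applicants with ground truth: True = really the listed person or entity.
LABELED_APPLICANTS = [
    ("Jonathan Doe", True),        # exact match
    ("Doe, Jonathan", True),       # same person, surname-first format
    ("María González", True),      # same person, accented spelling
    ("Abdul Rahman Aly", True),    # same person, transliteration variant
    ("Jonathan Roe", False),       # different person, one letter apart
    ("Maria Gonzales", False),     # different customer with a similar name
    ("Acme Trading Ltd", False),   # unrelated company sharing the listed name
    ("Wei Zhang", False),          # unrelated customer
]


def normalize(name: str) -> str:
    """Fold accents, lowercase, drop punctuation and sort the tokens, so that
    'Doe, Jonathan' and 'Jonathan Doe' compare as the same string."""
    folded = "".join(
        c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c)
    )
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in folded.lower())
    return " ".join(sorted(cleaned.split()))


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def best_match(name: str, watchlist: list[str]) -> tuple[str, float]:
    """Return the watchlist entry most similar to `name`, with its score."""
    return max(((entry, similarity(name, entry)) for entry in watchlist), key=lambda t: t[1])


def screen(name: str, watchlist: list[str], threshold: float) -> bool:
    """Raise a red flag if and only if the best watchlist score reaches the threshold."""
    return best_match(name, watchlist)[1] >= threshold


def evaluate(labeled: list[tuple[str, bool]], watchlist: list[str], threshold: float) -> dict:
    """Count true/false positives and negatives against ground truth for one threshold."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for name, is_listed in labeled:
        flagged = screen(name, watchlist, threshold)
        if flagged and is_listed:
            counts["tp"] += 1
        elif flagged and not is_listed:
            counts["fp"] += 1      # needs manual research by compliance staff
        elif not flagged and is_listed:
            counts["fn"] += 1      # a black-listed client slipped through
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    # Lowering the threshold removes the miss but adds red flags to research;
    # raising it does the opposite. The same-name company is flagged at every
    # threshold: name matching alone cannot tell it apart from the listed entity.
    for threshold in (0.6, 0.9, 0.95):
        c = evaluate(LABELED_APPLICANTS, WATCHLIST, threshold)
        print(f"threshold {threshold:.2f}: false positives={c['fp']} false negatives={c['fn']}")
```

Run against the constructed data, the 0.95 threshold misses the transliteration variant (one False Negative) while the 0.9 threshold catches it at the price of an extra red flag on the similarly named legitimate customer (one more False Positive); the company that merely shares a listed name is flagged at every threshold and can only be cleared by manual review, which is exactly the trained-personnel requirement the article draws from the negative correlation.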
"There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction". (J.F. Kennedy)
First published on BankersOnline.com 08/18/03