Irrespective of geography and industry, there are a few basic elements to any robust KYC programme.
Stage 1 – Collecting integrity information
Organisations must gain information about a potential customer’s integrity in order to assess the risk that selling to that customer (or buying from that customer as a retailer or agent) presents. Identifying information includes basic profile records such as name and location, but also information on the purpose and intended nature of the business relationship, and, in the case of entity customers, information such as ownership and control structure.
Collecting integrity information is important for a variety of reasons. It helps to determine who the customer is and why they want to enter a particular business relationship, but is also a starting point for further, more complex enquiries. By gaining basic profile information on a customer, such as name and ownership, a company can undertake checks to determine the integrity status of the customer and its owners, through database reviews of key risk areas, a media analysis, or other checks that may reveal more information about their integrity and propensity to commit future crimes or misconduct.
While customer integrity can be vetted using a variety of screening processes, the gathering of such information is usually conducted through some form of questionnaire or web form. The best solution is to use the data collected during the sales or relationship-building process, such as names, contact information, registration information, and so on. Most organisations collect this type of information before entering into a business relationship with a customer, through a membership form, website registration for the purchase of goods, passenger-detail form when buying a flight or booking travel, or other documents completed by the customer. In most cases, there is no need to have a separate ‘integrity questionnaire’; rather, it is more practical to have a series of questions that are embedded in a ‘business’ document and less likely to be seen as a compliance-related collection engine.
Once the baseline data has been gathered, additional checks can be undertaken, most of which should be done automatically without any human intervention at all.
Stage 2 – Integrity-based screening
After acquiring the customer name and other key information (including identifying key principals, if the customer is an entity) in Stage 1, the organisation can begin integrity-based screening. There are several best-practice screening solutions available, from watchlist screening to enhanced due diligence such as media review, litigation searches and even reputational screening. Based on the type of organisation, industry and business being conducted, particular solutions will need to be utilised. For example, a website offering the services of third-party tradesmen for engagement by customers would want to conduct litigation checks on these tradesmen to ensure they don’t have a criminal history. They may also want to conduct employment screening to ensure that any licences or professional certifications held are indeed valid. An online marketplace that intends to sell products to end-users through third-party sellers should conduct reputational checks on these third-party sellers to determine if there are any concerns regarding their products, such as safety or quality concerns.
One process that almost all organisations should use in the KYC screening effort is checking against an integrity screening database. The main advantage of running pertinent information against a database is that it can be done almost instantaneously after the screening information is acquired (through the web forms and documents mentioned in Stage 1). Screening the names against an integrity screening database can help determine if the potential customer has been blacklisted, sanctioned or involved in integrity issues across key risk areas. In addition, by collecting the customer’s location and countries of activity, organisations can determine whether the customer operates in a sanctioned country or in territories where additional export-control regulations may apply.
It is important to check integrity information against a database that has the data to support the various risk areas that might exist in your customer base or are otherwise relevant to the organisation’s industry. Simply checking against government watchlists will only show whether customer companies or people are subject to sanctions and would miss almost every other risk that is actually relevant to a company not classified as a financial institution. The IntegraWatch® | Compliance Screening database is a dataset of over 2.5 million people and companies involved in compliance-related issues, including sanctions, politically-exposed persons and those with other government connections, fraud, environmental infractions, criminal activity and grey-market selling. Referring to the examples set out earlier, an airline company could run passenger names against the database immediately after a customer has bought a ticket through a travel site or the airline’s direct website to determine if any intended passenger is on a no-fly list or sanctions list that would prevent them from travelling to certain regions. An organisation selling to cooperatives, where the end-user customer is unclear, can screen these cooperatives to determine if they have grey-market links. These are the datasets that organisations should review and check against to ensure that customer risks are being managed properly. While checking against these lists is useful at the customer acquisition stage, it is important to review the results periodically – preferably daily. This concept of ongoing monitoring is covered in more detail in the next section.
In order to make integrity screening a simple exercise, organisations need to have a few things in place. Ideally the database should be connected (via an API) to the web form or application that is collecting the information in Stage 1 and screening pertinent information against the database as soon as it is acquired. This connection is essential to remove the human element of the screening process and enables organisations to literally screen millions of records a day.
The checking is the first step. The second step is reading the results and acting on them when there is an issue. This requires someone to validate a potential ‘hit’ and conduct some form of false-positive analysis. In most situations this will need to be done almost immediately, so organisations will need to think about which resources are available to conduct this work and which tools they will need to make available for conducting further analysis.
Organisations should not fear utilising screening because of a lack of resources to follow up on potential findings. Instead, they should limit the datasets within the database to those lists and media articles that cover the most relevant risks to them. For example, a chemicals organisation that is concerned about how customers might make use of its raw chemical products will want to screen potential buyers against media articles to see if the buyers have a poor reputation or have been involved in environmental breaches. The chemicals organisation should remove certain non-applicable lists, such as money laundering, anti-competitive behaviour and privacy breaches, from the database, as these are not high-priority risks. Likewise, an online marketplace should screen purchasers to ensure they are not on a money-laundering or fraud list. Should the buyer’s name appear on a money-laundering or fraud list, or if the buyer is attempting to make a purchase from a country where additional export-control requirements apply, it might be necessary to place a hold on the purchase and refer the potential customer to a help service. Then more information can be obtained from the potential buyer before allowing them to complete the purchase.
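The screening flow described in Stages 1 and 2 (automated matching against a database as soon as the data is collected, limiting the dataset to the risk categories relevant to the organisation, a country check for export controls, and a hold that sends any hit to a human for false-positive review) can be sketched as follows. This is an added illustration, not code from the article or from any screening product; the watchlist entries, country codes, customer records and risk-category names are all constructed sample data, and the name normalisation is a deliberately simple stand-in for the fuzzy matching a real screening service would use.

```python
# Added example: a minimal integrity-screening step for Stages 1 and 2.
# All data below is constructed for illustration; none of it is a real list.
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample screening dataset. Each entry carries the risk categories it
# belongs to, so an organisation can screen only against the risks relevant to it.
WATCHLIST = [
    {"name": "Acme Trading Ltd", "categories": {"sanctions"}},
    {"name": "Jon Doe", "categories": {"fraud", "money_laundering"}},
    {"name": "Greenfield Chemicals SA", "categories": {"environmental"}},
    {"name": "Blue Market Supplies", "categories": {"grey_market"}},
]

# Constructed placeholder codes for countries where extra export-control review applies.
EXPORT_CONTROL_COUNTRIES = {"XX", "YY"}


def normalise(name: str) -> str:
    """Normalise a name so that case, accents, punctuation and corporate suffixes
    do not hide an otherwise exact match."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    text = re.sub(r"\b(ltd|limited|inc|sa|llc|co)\b", " ", text)
    return " ".join(text.split())


@dataclass
class Customer:
    name: str
    country: str
    principals: list = field(default_factory=list)  # key individuals for an entity customer


@dataclass
class ScreeningResult:
    decision: str   # "clear" or "hold" (hold = refer to a reviewer before proceeding)
    hits: list      # (screened subject, matched list entry, shared risk categories)
    reasons: list   # human-readable reasons for a hold


def screen(customer: Customer, relevant_categories: set) -> ScreeningResult:
    """Screen the customer and its principals against the dataset, restricted to the
    risk categories this organisation cares about, plus an export-control country check.
    Any hit results in a hold so that a person can do the false-positive analysis."""
    hits, reasons = [], []
    for subject in [customer.name, *customer.principals]:
        key = normalise(subject)
        for entry in WATCHLIST:
            shared = entry["categories"] & relevant_categories
            if shared and normalise(entry["name"]) == key:
                hits.append((subject, entry["name"], sorted(shared)))
    if hits:
        reasons.append("watchlist match requires false-positive review")
    if customer.country.upper() in EXPORT_CONTROL_COUNTRIES:
        reasons.append(f"country {customer.country.upper()} requires export-control review")
    decision = "hold" if reasons else "clear"
    return ScreeningResult(decision, hits, reasons)


if __name__ == "__main__":
    # A marketplace screens a seller and its principal for fraud and money laundering only.
    print(screen(Customer("Blue Market Supplies", "DE", ["Jon Doe"]),
                 {"fraud", "money_laundering"}))
    # A chemicals company screens a buyer for environmental and sanctions risk only.
    print(screen(Customer("ACME TRADING LIMITED", "FR"), {"environmental", "sanctions"}))
```

In the first call the grey-market entry for the seller is ignored because the marketplace did not include that category, while the principal's fraud listing produces a hold; in the second, the buyer's name matches the sanctions entry despite different casing and suffix. The important design point is the last line of `screen`: the automation only decides between "clear" and "hold", and every hit still goes to a reviewer, which keeps the resource question raised above manageable because the categories, not the review step, are what the organisation trims.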
Stage 3 – Transactional and reputational monitoring
After initial screening has been conducted on customers and any third parties servicing customers, the next essential step in the KYC process is transactional and reputational monitoring: the process of continually reviewing the relationship with the customer to look for suspicious activity.
Transactional monitoring is key to determining whether any future transaction (assuming the customer was screened successfully in the first place) contains any red flags. This monitoring can be very complex but is almost always done by technological means, requiring human intervention only when a red flag or other warning sign warrants an additional review. It requires a set of analyses applied to the live stream of transactional data so that key risks can be highlighted in real time. These risk areas have typically been identified in advance, and organisations should look for a series of events or actions that give rise to potentially non-compliant transactions where an integrity risk is raised.
One example where transactional monitoring comes into play is when a person uses a bank-issued credit card and makes suspicious transactions. The bank should review all transactions made via cards it has issued, immediately instituting holds on suspicious transactions and conducting additional transactional reviews when red flags arise. Similarly, an online marketplace should screen existing customers with the same scrutiny.
This sort of real-time analysis can be done with support from live-streaming transactional-analysis tools. The IntegraAnalytics® | Compliance Transaction Screening tools are ideal for organisations to constantly monitor transactions to identify compliance risks.
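To make the bank-card scenario above concrete, here is an added rule-based monitor that evaluates each transaction as it arrives, keeps a short per-card history, and raises a hold or review when a pre-defined red flag fires. It is illustrative code written for this page, not the IntegraAnalytics product or any bank's system; the three rules (transaction velocity, an amount far above the card's running average, and spend from a second country within an implausibly short interval), their thresholds, and the sample transaction stream are all constructed.

```python
# Added example: a small real-time transaction monitor for Stage 3.
# Rules, thresholds and the sample stream are constructed for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Transaction:
    card_id: str
    ts: int        # seconds on a constructed timeline
    amount: float
    country: str


@dataclass
class Alert:
    card_id: str
    ts: int
    rule: str
    action: str    # "hold" (stop the transaction) or "review" (flag for a human)


class TransactionMonitor:
    """Evaluates each new transaction against red-flag rules using only the
    card's recent history, so it can run on a live stream without batch jobs."""

    def __init__(self, velocity_limit=3, velocity_window=600,
                 spike_factor=5.0, hop_window=3600, history_size=20):
        self.velocity_limit = velocity_limit    # max transactions per window
        self.velocity_window = velocity_window  # seconds
        self.spike_factor = spike_factor        # multiple of the running average
        self.hop_window = hop_window            # seconds between countries
        self.history_size = history_size
        self.history = defaultdict(deque)       # card_id -> recent transactions
        self.alerts = []

    def evaluate(self, tx: Transaction) -> list:
        recent = self.history[tx.card_id]
        alerts = []
        # Rule 1: too many transactions on one card inside the velocity window.
        in_window = [t for t in recent if tx.ts - t.ts <= self.velocity_window]
        if len(in_window) + 1 > self.velocity_limit:
            alerts.append(Alert(tx.card_id, tx.ts, "velocity", "hold"))
        # Rule 2: amount far above the card's established average (needs a baseline).
        if len(recent) >= 3:
            avg = sum(t.amount for t in recent) / len(recent)
            if tx.amount > self.spike_factor * avg:
                alerts.append(Alert(tx.card_id, tx.ts, "amount_spike", "hold"))
        # Rule 3: spend from a different country shortly after the previous transaction.
        if recent and recent[-1].country != tx.country \
                and tx.ts - recent[-1].ts <= self.hop_window:
            alerts.append(Alert(tx.card_id, tx.ts, "country_hop", "review"))
        recent.append(tx)
        while len(recent) > self.history_size:
            recent.popleft()
        self.alerts.extend(alerts)
        return alerts


def monitor_stream(transactions) -> list:
    """Run a stream of transactions through the monitor and return all alerts raised."""
    monitor = TransactionMonitor()
    for tx in transactions:
        monitor.evaluate(tx)
    return monitor.alerts


# Constructed sample stream for one card: four small purchases in five minutes,
# then a large purchase, then a purchase from another country 100 seconds later.
SAMPLE_STREAM = [
    Transaction("card-1", 0, 20.0, "GB"),
    Transaction("card-1", 100, 20.0, "GB"),
    Transaction("card-1", 200, 20.0, "GB"),
    Transaction("card-1", 300, 20.0, "GB"),
    Transaction("card-1", 5000, 500.0, "GB"),
    Transaction("card-1", 5100, 20.0, "US"),
]

if __name__ == "__main__":
    for alert in monitor_stream(SAMPLE_STREAM):
        print(alert)
```

The fourth transaction trips the velocity rule, the fifth the amount-spike rule, and the sixth the country-hop rule; the first two produce holds and the last a review, matching the article's point that the system acts automatically and only escalates to a person when a warning sign warrants it. A production monitor would carry many more rules and tune thresholds per customer segment, but the shape (bounded per-entity state, rules evaluated on arrival, explicit hold versus review outcomes) is the same.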
The final piece of the monitoring stage relates to ongoing monitoring of the customer’s reputation (and the reputations of the third parties that service the customers). A company or individual’s reputation can change quickly, and it typically only takes one negative incident to cause permanent damage to not only the customer, but to the organisations entering business relationships with it.
Ongoing reputational screening is most effectively conducted through a blend of database monitoring and use of an alerts service (such as the IntegrAlert™ service) that provides notice to organisations when there is a negative finding for a particular party. An alert service can be set up by conducting enhanced due diligence on a customer at the outset, and then setting up continuous monitoring over the customer as the business relationship progresses. Screening against the database allows organisations to find out if the customer’s name appears on any lists that could cause damage to the customer’s reputation or, by extension, to the organisation itself. Lists of particular importance will pertain to the customer’s reputation and standing in the community (or communities) where it operates, financial solvency, and involvement with other third parties (such as governments, politically-exposed persons and downstream customers). The alert service will identify new red flags or other causes of concern through ongoing review of a customer, usually in the form of periodic media research for a certain span of time (normally three years).
While organisations may be hesitant to spend extra resources after initially screening a third party, transaction and reputation monitoring will help identify which customers an organisation can continue to safely do business with, and help form the impetus to strengthen relationships with certain customers. A consistent customer base is a more reliable source of revenue and should help cover the costs associated with ongoing monitoring and ease the burden of constantly needing to find new customers.
Hilti Asia’s Hong Kong-based Asia Pacific head of legal and compliance Stanley Lui advises companies to start small when screening their customers. “Does the customer even have a proper and professional looking email address? You should be a bit concerned if a customer shows you a gmail or hotmail account.”
He adds: “Ask around … talk to peers as well as to other suppliers of the customer … it never hurts. And conduct site visits as seeing is believing.”
Implementing a cutting-edge KYC programme is another added challenge for companies. While organisations can rationalise channel-partner or supplier due diligence on the fact that global regulations require a certain modicum of third-party screening, it is harder to justify spending resources on screening the sources of revenue: customers. However, associating with the wrong customers bears a strong reputational risk and, if it results in actual reputational damage, can be difficult to recover from. Diageo’s Singapore-based regional counsel for Southeast Asian emerging markets and key accounts Derek Chang says: “Better understanding customers helps to prevent legal and compliance risks.”
Organisations can spend decades building a strong reputation and earning public goodwill only to permanently damage such assets by associating with the wrong customer. Instead, organisations should take some simple steps to begin screening their customers, and work to deepen relationships with customers that meet their own high standards.