Laws and regulations across various jurisdictions have required banks, insurance companies and other financial institutions to develop strong KYC processes. These laws are in place because financial institutions face several risks, including money laundering and terrorist financing.
While there are regulatory requirements for banks and insurance companies to ‘know’ their customers, there is generally no legal obligation for non-financial organisations to conduct integrity screening or due diligence on customers.
KYC checks are now entering the mainstream, and commercial organisations involved in various industries, such as retail, manufacturing and services, need to build customer checks into their screening processes. A robust KYC process involves more than just screening end-user-type customers; it also extends to the companies organisations engage to provide goods or services to the end customer (for example, retailers and online marketplaces that sell products on behalf of third-party sellers to end customers should screen those third-party sellers before agreeing to sell their products). Non-financial organisations may not always be legally required to screen customers, but the reputational damage that could result from engaging or associating with a high-risk customer underscores the need for an effective KYC process.
Hilti Asia’s Hong Kong-based Asia Pacific head of legal and compliance Stanley Lui says: “Multinational corporations are increasingly aware of the risk landscape and are proactively addressing this issue. They are setting up regional compliance departments in their Asian hub to look for and eliminate risk exposure, educate local staff members on the importance of compliance, and create and implement viable compliant work processes.”
But Lui says that although many MNCs are willing to allocate resources to conduct screening of their third parties, “their focus is not on the veracity of the data gathered but rather on whether the screening has been conducted in a locally compliant manner”.
In February 2015, a driver for ride-sharing company Uber was accused of sexually assaulting a passenger. The driver, Duncan Eric Burton, did not have the required permit to drive a passenger service in the city of Houston and had previously served 14 years in federal prison for drug-related charges. There is no indication as to what background screening Uber had conducted on Burton, or whether it knew about his lack of credentials and sizeable criminal history. Pressure has been exerted upon Uber and other ride-sharing services to amplify their screening efforts on drivers. Certain members of the United States Congress delivered a letter to these ride-sharing companies demanding the utilisation of extended background checks. In California, a proposed legislation titled Assembly Bill 24 would require ride-share drivers to undertake fingerprint checks and further screening before acquiring driver permits. While Uber has defended the safety measures it currently has in place, additional incidents by drivers against customers (for example in India) have added to the pressures the company faces.
In a similar example, HomeAdvisor, one of the many websites that allows customers to find contractors and handyman-type services, claimed to only list licensed contractors on its site, and affirmed that it pre-screens contractors to ensure they are licensed and trustworthy. However, recent events suggest that the website’s screening may be inadequate and that it possibly lists unlicensed contractors. One recent user of the site claimed that she thought she was hiring a licensed contractor, when in reality the contractor was actually unlicensed and had a criminal record related to four counts of unlicensed contracting.
Retailer chains Target and Home Depot recently suffered extensive data-privacy breaches. In the case of Target, the company acknowledged that hackers had stolen the credit- and debit-card information of close to 40 million customers. It is now facing lawsuits from customers whose data was taken. The Home Depot data breach, on the other hand, left approximately 56 million credit and debit cards exposed. Both breaches were executed by instalments of malware on the companies’ point-of-sale systems. While Home Depot did not lose business in the wake of its data breach, the costs were massive, with the company spending close to $43 million in investigation and remediation expenses during the third quarter of 2014 alone. Notification to affected individuals was time-consuming, and likely cost the company another $27 million dollars.
Airlines have always faced the prospect of terrorist acts by their direct customers (the passengers), or the prospect of carrying individuals who are either on sanctioned lists or who have travelled to sanctioned countries. Efforts by the actual airlines to screen customers for these concerns have been lacking, with airlines often relying on airport institutions and immigration departments, or, in the United States, the Transportation Security Administration (TSA) to do the screening for them. However, a recent report by the Department of Homeland Security revealed weaknesses in the TSA’s screening process for airport workers, showing that the TSA allowed 73 individuals with possible links to terrorism or ‘terrorism-related’ information to access high-security areas within airports. If the TSA cannot properly screen airport employees, then its ability to properly screen airline customers (the passengers) should be questioned, and should spur airlines to conduct their own screening.
These modern-day examples demonstrate the reputational damage that can be caused by customers or the third parties that an organisation engages to provide goods or services to customers, and highlight the need to properly screen these parties before further interaction.
Diageo’s Singapore-based regional counsel for Southeast Asian emerging markets and key accounts Derek Chang cautions that companies may inadvertently expose themselves to reputational risks if they fail to adequately screen their customers. “This is because the external view may be that the company is potentially engaging in misconduct, while it could also create an opportunity for employees to conduct fraudulent activities with high risk customers.”
In addition, the actual costs of remedying these issues can be significant, and regaining the public trust is even harder. By comparison, the costs of implementing a screening process are minimal, and much of the information gained about a customer during the sales or relationship-building process can be used as a starting point for conducting more detailed customer screening.