How high? Re-setting the KYC bar
2013 has been a busy year for both rule-makers and financial institutions as far as KYC requirements go. Aside from the finalisation of a vast array of trading rules (Dodd-Frank, EMIR etc.), the FATCA final rules were released in January. This was closely followed by the proposal for the 4th Anti-Money Laundering Directive. And in the US, FinCEN is still in the process of updating its CDD rules. The result of all this, for many institutions, will be a vastly expanded client base now requiring new documentation, checks and screening with a variety of new and enhanced control requirements. Regulators are setting the bar high.
New EU proposals – such as the Bank Account Directive, Network and Information Security Directive, and Eurocrime Directive – will all have a significant impact on the way firms manage their customer data in 2014. In addition, the consequences of non-compliance are much, much higher. A move toward the competition law standard for sanctions means firms can expect to be fined up to 5% of their global, worldwide turnover for both AML and data protection breaches.
Coming off the back of a year of unprecedented fines, it is guaranteed that regulators will be keeping a close eye on firms’ compliance with the new requirements. The FCA are beginning their thematic review of the UK financial services industry’s anti-money laundering (as well as anti-bribery) systems and controls in the second half of this year.
Taken in isolation, complying with each new rule that focuses on financial crime is not an impossible task. New standards, processes, systems and training will have to be put in place, all of which can be achieved with time and money. However, if a piecemeal, regulation-by-regulation approach is taken to managing client data, firms will be forced to collect a vast array of information manually (i.e. directly from the customer) on a case-by-case basis (e.g. ‘I need this information for AML, that information for FATCA and this information for MiFID’) all of which will lead to an increase in costs, suboptimal solutions and annoyance for the customer.
Many are hoping that new vendor software will be able to provide the solutions. However, the potential that new technology and systems can provide is not always possible without huge budgets and extended implementation timelines. The complexity of legacy systems across disparate silos means building an integrated view of KYC data across a global bank is a long and arduous task. The sheer scale of the new requirements means that it is increasingly difficult to align work streams across these regulations, forcing a continual, iterative approach to KYC compliance. Without a clear idea of which requirement affects what system, process or data set, isolating problem areas and aligning internal objectives becomes that much harder.
Known unknowns
- Can regulations with similar KYC demands be addressed by the same implementation programme?
- What will it take to create industry guidance and technical solutions to shared customer data challenges?
- How can we resolve conflicts between the need to protect personal data and still identify money launderers?
Themes
- Lack of implementation guidance means firms are forced into fragmented and isolated approaches
- Huge fines are a key factor in driving AML compliance and EU legislation is making non-compliance even more expensive
- There is tension between KYC requirements and new data protection regulation that will make implementation difficult
AMLD IV’s draft status provides an excellent opportunity to align regulatory due diligence and customer data requirements across the various use-cases. An obvious example is the requirement to collect beneficial ownership information. AMLD IV defines the threshold at 25%, FATCA at 10%, whilst FinCEN is creating a new standard that subtly alters the underlying definition.
Another example is at policy level. AMLD IV has explicitly mandated tax evasion as a predicate offence for money laundering, meaning that firms now have an increased obligation to identify tax evaders. Given that FATCA was created to serve that very purpose (for U.S account holders), it remains to be seen just how different AMLD IV’s approach will be. This type of problem is compounded by the new Data Protection Regulation, which, as it currently stands, has the potential to hugely complicate matters through its restrictions on cross-border personal information transfer, or its dislike of ‘profiling’ (very much necessary for AML purposes).
At the end of the day, firms are bilaterally collecting the same information on their customers and counterparties as their peers, for the same ultimate purposes. John Owen, RBS’s Chief Executive for International Banking, told a London conference: “We’re essentially transacting with the same entities around the world and yet we are all building [databases] at very great costs … It would make an enormous amount of sense for the industry to try and find some central utility function around that particular area.”
With the first deadline for FATCA in January, 2014, the timeline to solve these problems is shortening at a fast pace. This is a global problem, and given the depth and breadth of the challenges involved, this is going to be an unprecedented exercise in standard setting. With no new guidance to implement these requirements from regulators, it is up to the industry to find a collaborative solution. In short, with the KYC bar reset, the industry will have to decide how high to jump.