Many compliance professionals, especially in non-banking businesses, are struggling with the enormous volume of data and documentation that they are nowadays required to retain on their clients.
Add the introduction of FATCA and responsibility for reporting to senior managers, regulators and financial reporting units in multiple formats, and for some the workload can quickly become overwhelming.
The problem is compounded by the fact that many compliance departments in regulated businesses, especially smaller ones, have limited resources to enable them to accomplish their tasks.
While a lucky few may enjoy the luxury of customized (or even semi-customized) AML software programs, most still have to work with the same office tools as those used by their general support staff colleagues.
For example, many compliance professionals are still trying to capture their KYC and due diligence analysis on Excel spreadsheets, while others are wrestling with software designed for another purpose, such as marketing or billing, which has been tweaked by their IT colleagues, with varying degrees of success, to try to capture KYC data.
These home-grown “solutions,” developed piecemeal and in-house because nothing better ever seems available on the market, often come nowhere near the specialist bespoke solution needed by compliance departments to meet today’s regulatory demands.
Although for obvious reasons businesses like to persuade themselves that they meet their requirements, and in particular satisfy their regulatory obligations, too often they are vulnerable, unwieldy compromises which do no such thing and could leave them exposed to sanction or worse.
To ask compliance professionals to navigate regulatory requirements with tools that are not specifically designed to enable them to do so will inevitably make them struggle to meet their employers’ compliance responsibilities. Spreadsheets which have not been designed for KYC capture can be difficult to manage, and compliance-specific reports are often hard to generate on non-KYC focused software.
That can make meeting regulatory audit requirements difficult at best and impossible at worst.
Part of the problem is that many businesses, while understanding and acknowledging the harmful consequences of non-compliance, still tend to view AML compliance as little more than a cost of business, and KYC data as something simply to collect, store away, and then forget about – unless or until the regulators demand it, when hopefully it’ll still be in a condition to present to them.
In other words, it’s still seen as a box-ticking exercise. Not until it’s time to monitor the client is the data is ever looked at again – and even then just to make sure that all is in order.
Thus, when an audit suddenly looms, panic tends to arise: senior compliance officers and MLROs, and possibly management too, are likely to make frantic efforts, under unanticipated (and therefore unbudgeted) time pressure, to prepare reports and provide statistics. This is inefficient, and because of the obvious issues that can arise on audit of sub-standard records, highly risky.
So what should be done? Well, the answer is surprisingly simple and intuitive: management should stop regarding KYC and client due diligence as a hindrance and start seeing them as potential repositories and generators of valuable data.
To begin with, they should identify those aspects of KYC that can add value to their business and determine how to use it.
Collaboration among different departments within a business is essential for this to happen. Compliance departments often hold information that could be useful not only to marketing and business development but also to financial managers in accounts and billing departments. Compliance data can help financial managers analyse client credit risk and bad debt.
A client with a previous history of bankruptcy or in administration will probably be spotted during a routine monitoring of clients for AML purposes. But if this information is not shared among other departments, it can slip through the cracks – to the detriment of the business as a whole. It’s a left-hand, right-hand thing: obvious enough perhaps, but how many businesses actually do it?
As mentioned, compliance data can also be useful to business development and marketing departments. Does your business ask new clients to confirm they have onshore tax advice? If so, collect that data and use it to market your business to those tax advisors. Is your business development team traveling to meet potential new clients? Compliance staff could do some preliminary background checks on those targets, which could help with winning the business or, alternatively, avoid the costs of seeking out clients that have risky histories.
At present, in many businesses, compliance and other business departments do not share such information. Apart from internal turf disputes, which are more common than is generally acknowledged and need to be confronted by management, the reasons for this are likely two-fold.
First, in larger businesses the systems being used to collect KYC may be overwhelmingly complicated for most non-compliance users. Worse, if a centralized compliance team is used, then the marketing, business development and financial teams may even prefer to avoid compliance altogether, seeing it as something done only once clients have been won.
Secondly, most non-compliance users never know what compliance knows, so they don’t seek compliance input and do not put the compliance “investigative” skills to use. It’s a waste of valuable talent, time and money trying to win new businesses and then blame compliance teams later when elements of risk are uncovered that your business would prefer not to take on.
It’s only through mutual collaboration by business departments that those problems can be solved, and this would be made easier if non-compliance departments can access compliance systems. The ideal KYC software solution should give non-compliance users as much ability to exploit its data as their compliance colleagues and to do that it should be as intuitive and user-friendly as possible for the occasional user.
It should include easily-generated reports and, where possible, even visuals, all with a view to inducing non-compliance users to start getting into the habit of using it. And it should give management meaningful, minute-by-minute feedback as to how their business matches up to the regulatory environment it is subject to. Such software takes time and money to build, as I can attest.
Its developer must seek feedback not only from the usual suspects – compliance and IT professionals – but also from other stakeholders throughout the business, indeed, throughout the industry: management, client-facing professionals, secretarial staff and, yes, even regulators. Only then can it determine exactly what features it needs to persuade everyone across the business to begin to use the software on a regular basis.
Once the business departments start collaborating and key KYC data is identified, the next step is developing a data-capturing and reporting system that everyone can use.
Unfortunately, this is where the progress tends to grind to a halt. Some business managers see the challenges of introducing a specific KYC data-capturing application as just too overwhelming and, for that reason alone, shy away from it. Cost and IT talent are the two most often-cited reasons for not moving forward. And, of course, the fact that “we’ve got a perfectly good system in place already.” But, as I’ve already pointed out, it might not be as good as they want to persuade themselves it is.
Management may indeed see implementing a new system as “just another compliance cost.” But if they choose to shift their viewpoint and regard implementation of a KYC-related system as something that benefits several business departments – and helps the business’s bottom line – then a more convincing argument emerges for assuming the cost.
Besides identifying exactly what KYC data to capture and how to display it, businesses also have to find the right talent capable of working with new technologies and interpreting the KYC to identify and recognize meaningful business insights. Additionally, they must always be mindful that the tech landscape is forever evolving, sometimes at a bewildering pace.
A business’s IT infrastructure needs to be flexible and its IT professionals must be able to advise of new technologies and solutions that will increase efficiencies. A good example is a client relationship manager who travels frequently to visit clients and uses a tablet when on the road. Ideally, the right KYC solution should remain accessible on that tablet so he or she can stay on top of compliance responsibilities, make notes about on-site visits directly into the KYC software, and maybe even capture and upload client due diligence on the spot.
The manager uses that particular KYC solution differently than the data entry staff member sitting back in the office or the MLRO preparing for a regulatory audit, so again this is where a responsive IT team, in collaboration with the different business departments, can create an array of solutions for the business as a whole.
In addition, the regulatory landscape keeps shifting and regulatory reporting requirements increase every year. This means that no KYC software solution can remain static – and indeed, that a lot of software out there already is no longer fit for purpose – and that IT talent needs to be responsive to making changes when necessary.
Any KYC system must be designed to be able to incorporate new reports and allow current reports to be amended as the need arises. For example, reports designed five years ago to be generated on PEPs are no longer likely to include all of the information that the regulators want today.
Finally, connectivity and access can be an obstacle and, within a business, client data is often fragmented. Too often, billing departments capture the data they require on clients in their systems, while marketing departments have their own data and systems, and compliance departments maintain another completely different set of data. The obstacle can be even more daunting for a larger firm with offices in different jurisdictions, client data on different servers and different privacy regulations.
Connecting these data points into one system often is seen as too difficult and costly, especially if viewed as “another compliance-related cost.” But if viewed as a means to make a stronger foundation of the entire business, the task can create huge economic value.
So, with a properly-developed, specialist AML data capture, storage and retrieval software program, the necessary cooperation between business departments, including compliance, and the right IT talent, lasting solutions can be found to exploit the enormous amount of KYC data that the business has collected – to its overall incalculable benefit.
[Kimberly Smith has spent two years investigating AML data storage and retrieval difficulties and developing SILO to meet them. The above issues are just some of those she encountered on the way].