KYC & CDD, a year in review

By Michelle Bailey

KYC & CDD, a year in review – what have we seen and what questions need to be asked?

Setting the scene

According to the FCA ‘The Senior Managers and Certification Regime (SM&CR) aims to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence’. Since its implementation we have seen a shift towards a focus on individual accountability as well as the firm as a whole. The frequency of Governance and Accountability Skilled Persons Reviews is likely to go up too.

I’ve spent many years in various compliance roles, and this got me thinking, what if we threw out the rulebook and made every person involved in the onboarding process accountable for their actions, everyone from the front office, business managers, compliance, management, and senior management. Would this change attitudes towards onboarding and the risk ratings associated with their clients? Are firms currently doing enough to ensure that everyone understands the importance of their own conduct?

Who’s responsibility is it anyway?

Last year I wrote a blog about knowing your customer and whose responsibility this was https://www.shapesfirst.com/insights/know-your-customer. In it I wrote ‘the term Know Your Customer (KYC) forms part of a firms Customer Due Diligence (CDD) process. It implies that we need to know who our customer is, such as where they are based, why they want to open an account with us and also the nature of the business they will be conducting and likely transactions. Knowing your customer isn’t just about documentation gathering, it’s about having an understanding of the customer themselves…when the front line attest to the fact that it is their responsibility to know their customer and that all CDD documentation will be gathered in line with their firm’s risk appetite, there are likely to be better outcomes’. A year on we are still seeing accountability for this laying heavily on the onboarding team’s shoulders rather than with the individuals in the front office who are client facing. Onboarding is still predominantly viewed as a compliance function and therefore presumed that this is where liability lies.

What have we seen?

However, we have observed the FCA taking a more direct approach, interviewing the front office if any KYC or anti money laundering (AML) matters arise, so it is evident that the FCA no longer see this as just a Compliance issue. As such, should front office be given more education in this area? We have also observed that the FCA are focussing more on the importance of Enhanced Due Diligence (EDD) and being able to identify when it is appropriate, and a spotlight on firms not simply relying on Simplified Due Diligence (SDD) as a default for regulated entities. Is the front office being educated as to what the difference is and why?

Are Front-Office staff given enough internal information?

If the front office is accountable for KYC, should they also have relevant training provided related to what happens to their client’s information once it is passed on to the onboarding team? It is our experience that there is often a push from the front office, desk heads and business managers to get onboarding completed in a timely manner, but do they understand the ramifications if this is rushed and completed incorrectly? Would these staff be more cautious about onboarding if they knew that their client was high risk, and that responsibility could also lay with them if something went wrong?

EDD and SDD - are firms getting it right?

If the FCA are placing more emphasis on EDD and the justifications for SDD, are firms actually doing enough in general? Are business and senior managers asking questions about whether their firm is adequately documenting a rationale for all clients they risk rate as Low risk/SDD? Are firms ensuring that the business they themselves conduct allows for SDD to even be applicable? I also wrote a blog about ‘How should you classify Cryptoasset firms for Anti-Money Laundering and Customer Due Diligence?’, where I mentioned that ‘we understand that the FCA won’t accept that a cryptoasset firm can fall into a lower risk/simplified due diligence category’ https://www.shapesfirst.com/insights/anti-money-laundering. Are firms taking this risk appetite into consideration when looking at their own business model? Do internal procedures do enough to separate out and distinguish the difference between their medium and high risk clients? Are senior management educated to understand different risk levels associated with the firms’ clients? Are firms ensuring that they are following formal and documented EDD procedures which are comprehensive and thorough, but aren’t just a tick box exercise? Are procedures signed off by relevant senior managers within the business who are also skilled in onboarding? Do/should the front office have oversight of these procedures? Do firms adequately document all decision making processes and do they keep easily accessible records of a client’s risk rating. With a shift in the FCAs focus over the last year, firms need to be ensuring that every individual is accountable for their own conduct.

Do automated screening tools pick everything up? Could and should individuals be doing more?

Amongst a firms EDD process there is more emphasis on the screening practices involved for these clients. Do firms understand their screening process and why it is necessary? Have firms considered the importance of adverse media screening? Is anyone other than the onboarding team even aware that this process exists? Although adverse media hits don’t necessarily mean anything nefarious is taking place or indeed that there are any grounds for law enforcement or regulatory sanction, it should prompt a discussion, and could lead to a client needing their risk rating increased or closer monitoring. Is the business aware of this? It is our experience that in many cases they are not. If someone in the front office themselves saw something adverse about one of their clients in the media, would they think to report this internally or would they just rely on the fact that the onboarding team most likely have automated systems? Is the front office even notified of the risk ratings given to their clients? If they were aware that their clients were high risk would this make them more focused on monitoring their clients and looking out for any changes? We have observed this as an area that requires development and feel that this could be a gap in the business process if this is not in place. Client changes like new directors, ownership and address changes aren’t always captured in a firms automated system, yet these things could change a client’s risk rating and therefore it is vital that the front office are checking in with their clients on a regular basis to ensure that they are keeping up to date with their clients onboarding profile.

And finally…

This blog asks a lot of questions, and it is my belief that firms may be doing a lot of the things I’ve asked, but likely not all of them, that over the last year potentially more gaps in processes have become evident as the FCA place more emphasis on different areas of onboarding. I believe that if everyone were accountable for the onboarding of a new client, or at least that front-office responsibilities were more precisely documented, that the process would run more smoothly, and more care and attention would be applied. I feel that employees, front and back could improve their own individual conduct risk profiles, which would in turn improve the conduct risk profile of the firm. The FCA it would seem are certainly not viewing onboarding as simple a compliance issue anymore, therefore all areas of the business need to be educated in this field. At Shapes First we work with firms to review their Anti Money Laundering risk assessments, look at what the firms may be failing to do and areas that can be strengthened. We also work with firms to ensure that their processes and procedures are sufficient and tailored to the business that they are conducting and can tailor training to firms and their products and services.