What risks and opportunities does periodic reviews pose to the future of your organisation?
Financial regulators require regulated businesses to perform Client Due Diligence (CDD), not only when onboarding new customers but also on a periodic basis throughout the customer lifecycle. This concept, of a periodic review, is not specified by the FCA, but there’s an unspoken acceptance that they need them to be undertaken, as they do specify the need for ongoing monitoring and assessment.
Central to this review process is a risk assessment of a firm’s business, a ‘risk-based approach’ that is sanctioned by the FCA as an appropriate process. This helps with the implementation of prevention procedures, along with continual monitoring and remediation, to ensure client records are kept up-to-date and highlight any problems or suspicious activity.
If firms fall foul of the regulators, due to an identified breach, there are circumstances where mitigation can be considered, based on the firm’s conduct, particularly in regard to the systems and procedures that they have in place to identify risks and ensure clean data. So, if firms do not wish to feel the full wrath of the regulators, introducing robust KYC Onboarding, coupled with monitoring and remediation processes, is a must. Beware if your firm hasn’t got these processes in place, now is the time to act.
When the ‘Full Monty’ is no longer avoidable!
In a regulatory environment that is still ‘relatively young’ (although also swiftly changing), it’s understandable that some companies have struggled to find their feet and get up-to-speed with the full extent of AML processes that are now needed. But with the amount of legislation that is being levied against regulated entities, and the eye-watering level of fines and other sanctions that are being imposed on firms who breach those regulations, those sluggish companies need to get their act together sooner rather than later. And that means ensuring that they have a ‘cradle-to-grave’ approach to CDD.
Over the past few years, much of the attention has been on putting in place robust KYC onboarding processes, to ensure that there is a clear CDD paper trail to satisfy the initial AML scrutiny. Some of this, particularly for larger financial institutions, has been done ‘offline’ or manually, partly because of the perceived issues there may be to integrate any new system with existing ‘legacy’ systems. Although understandable, in many cases, this has been rather short-sighted as it has done nothing more than to park the problem for future resolve. Well, the future starts here!
Using a risk-based approach means that firms focus on outputs and can apply their resources where they will have the biggest impact. As clients are onboarded, their records should be rated as high, medium or low risk, depending on what information is known, or not known, about them. It may be that high risk customers are turned down at source, whilst medium risk customers require further investigation. Subsequent continual monitoring of clients will determine whether they move between risk categories, depending on newly acquired information on them, e.g. information regarding PEPs or Sanctions, which may lead to that customer being dropped, or at least moved to the high-risk category for careful monitoring and further investigation.
Treat Periodic Reviews as a Spring-Cleaning exercise!
Companies that have a robust (and ideally digital) and ongoing monitoring process should have nothing to fear from a Periodic Review, as it should identify that they are performing their AML checks correctly. There is no hard-and-fast rule on when these reviews should be made, but ideally, they will reflect the categories of your risk-based approach, i.e.
– Every 6-12 months for High-Risk clients
– Every 1-2 years for Medium-Risk clients
– Every 2-3 years for Low-Risk clients
Following this approach should give you some cache with the regulator if a breach was to occur. A company cannot be blamed for the behaviour of its clients, or for any actions that ‘bad actors’ perform on erstwhile innocent clients, but they can be blamed for not picking up such activity, or not doing anything about it once the activity has taken place. Robust onboarding, ongoing monitoring and appropriate and swift remediation will not stop attempts at fraudulent activity, but it should reduce instances from a company’s book of business and report it to the appropriate authorities in a timely fashion.
Using a Risk-based Approach to client onboarding and monitoring will help to ensure that these procedures take place. Periodic Reviews will then go on to authenticate a company’s actions and their ability to capture any material change in a customer’s profile (or any suspicious activity that was not detected by their real-time transaction monitoring platforms), whilst also identifying any areas of potential weakness that need to be corrected and strengthened. Such reviews should also confirm that each customer’s assigned risk rating continues to reflect the appropriate AML risk, making any corrections that are identified. In this way, the review will act as a perfect ‘house-keeping’ tool for a company that already has its act together.
In summary
NorthRow understands the financial impacts of introducing digital remediation and have developed a remediation process/framework, that is flexible enough to be used by any company, regardless of their circumstance.