KYC in an Hour
Note: This is a transcript of my YouTube walk on KYC.
—
Good morning!
On today’s walk, we’re going to get into the details of a banking process called KYC… which stands for Know Your Clients… K.Y.C. High level: it’s an ongoing process at every bank meant to enforce that they actively know if their customers or potential customers are bad actors– criminals, terrorists, despots, Nicolas Cage. It’s driven by regulation– US, UK, EU, Japan– every place, really… except for international tax havens– like the Bahamas, Fiji, Palau, Panama, Costa Rica, the British Virgin Islands, Marshall Islands– really any place that has nice weather and beaches– because those countries have third-world problems and money laundering is a first world problem… which makes those havens more interested in your money than whether you’re selling drugs or weapons or funding terrorists or crushing democracy with your rose-scented secret police.
As I’m describing the various dimensions of KYC on this walk, I’m also going to try to come at the core problems with my innovative technologist hat on but wary about the effectiveness of that hat because some pretty sophisticated banks and tech companies have tried to solve this problem at the industry level multiple times and failed. And I think it’s because of the operating dynamic of large banks– of the ecosystem itself. All the participants are old-school Ops leaders so they see this as a regulatory mandate– that’s a mindset— instead of the greatest business opportunity since global warming.
But we’ll get into that. And noodle on how to succeed where everyone else (to date) has failed.
As crucial a process as KYC is to the banking industry, it’s also an indictment of how poorly data is managed by every bank, by every industry utility, and definitely by every government on the planet. This is a fixable problem– and I don’t mean “with AI.” No. The problem requires “business will”– a change of operating mindset– and/or a wholly different set of regulatory coordination at a global level and fundamentally different regulatory asks at the local level.
Not to get ahead of myself… The basics of KYC simply involve gathering essential information about clients to assess their identity, financial activities, and potential risks… all with the primary aim of preventing money laundering, the financing of terrorism, and other illegal activities. But holy moly, uncovering criminality aside, think about how commercial a global platform for identity would be. That’s all Meta and Google are… really. They don’t use all that identity data to make the world safer. They use it as their product… which is why and how the Metas and the Googles of the world are printing more money than Washington. Not literally. But close. They’re selling your identity– not just your name and email address but the identity you create with every digital choice you make. Just like a culture in a company isn’t what’s marketed by the C-suite but rather the sum of all the decisions that all the employees make every day. Well, that’s the same as identity. You are not your driver’s license or your passport. You are the collective actions– the auditable ones– that you’ve ever taken. You’re all the decisions you’ve made.
Anywho… in that way… the Metas and Googles of the world are selling KYC data– just not calling it that. They’re selling it to data-starved companies and governments… and people who want to run companies and governments.
If you’re the Metas or the Googles of the world, you know your clients (KYC). Not for regulatory reasons but for commercial reasons– because there are trillions to be made.
And we in banking… who pride ourselves on commercial mindedness– on getting blood from stone (commercially) keep running our KYC processes like we have to because the big bad government told us to, rather than as Meta and Google do… because it can print money.
Ok… enough preamble… let’s get the basics out of the way.
In theory, KYC is significant for banks as it helps– or should help them– establish and maintain a strong customer relationship with good people and good institutions. By obtaining accurate client information, banks can better understand those clients' needs and offer appropriate financial products and services. That’s all theory. Because… banks mostly do KYC to keep the Feds off their backs. They don’t treat the data commercially– like we just talked about– and equally bad, they don’t treat the data like it’s the magical start of every major, significant, commercial end-to-end client process in every bank. If you don’t believe me, watch a walk I did on this called Automating Client Fee Schedules.
The industry-standard KYC process requires clients to provide various documents– like driver's licenses, passports, utility bills, etc… for human customers… and/or if the potential customer is a company… proof that validates them as a legal entity… filings, details about their ownership structure and their leadership… because all companies are really– what I said earlier– the collective actions– the auditable ones– of their employees– chief among them…. All their chiefs: their chief executive, their chief this-that-the other– their c-suite… and all the decisions– public and private– that they’ve ever made.
All the documents that are gathered during the KYC process– in theory– help banks verify the client's identity, determine their risk profile, and in the process, help banks comply with regulatory requirements around not doing business with bad actors.
I’ll get to why I said “in theory” but first, let’s list through some common documents requested during KYC. Think:
Proof of Identification if you’re a human being– I say that because banks also do KYC on legal entities.
Anyway… Proof of Identification. Think passports, driver's licenses, national ID cards. Something that proves you have an address: like utility bills, bank statements, or a lease agreement. You might have to show proof of income via salary slips– again this is if you’re a human, not a company. What else… tax returns, or bank statements (because that means someone else went through the trouble of KYCing you). You might also have to show regular income deposits. And again, that’s all if you’re a human being.
Once you submit all that, the initial or standard KYC process typically involves:
1. Customer Identification: where the bank verifies the client's identity using the provided documents.
2. Customer Due Diligence: where the bank assesses the client's risk profile and determines the appropriate level of scrutiny that they need to provide…. As we’ll see later in the walk, clients need to be held to stricter standards– and more scrutiny and more regular scrutiny– if they’re “higher risk.”
So… Customer ID, Customer Due Diligence… what else?
3. Monitoring! Banks continuously monitor client transactions and activities to identify any suspicious patterns or behaviors.
It’s banking so there’s always a #4: Risk Management angle. Banks have explicit operating procedures to help them mitigate risks they’ve identified– like… step-by-step guides on how to prevent financial crimes. And they have a ton of different step-by-step guides… which regulators also force them to train ALL employees at the bank on… not just the KYC teams.
What else?
Not just monitoring but #5. Ongoing Monitoring. Banks periodically review client information and update it as necessary to ensure compliance with regulatory standards. How much scrutiny and how often the client gets that attention is all dependent (AGAIN) on whether they’re “higher risk” or recently became “higher risk” because they did something stupid.
In other words… once that initial KYC process is behind you, there are several additional steps that banks take to ensure ongoing compliance and risk mitigation. It’s never once and done.
What’s the jargon for that?
Enhanced Due Diligence (EDD): For higher-risk clients or certain types of transactions, banks have more and better due diligence procedures, like additional background checks or additional risk assessment measures.
Other jargon:
Sanctions Screening: Banks screen clients against various international sanctions lists to ensure their client is not involved in any prohibited activities or associated with sanctioned entities. Like Al Qaeda. Or whoever the brutal dictator of the day is. Or the dictator’s family… who all misbehave. It’s mandatory. If your Dad’s a despot, you’ll inevitably want to please him with some atrocity or moral failing.
What else?
Transaction Monitoring: Banks employ sophisticated systems and algorithms to monitor client transactions in real-time– I’m kidding obviously… how sophisticated could a bank possibly be if they still haven’t figured out that all this activity I’m describing is wildly commercial. That said, transaction monitoring is usually cookie-cutter algos bought from a small handful of the same vendors everyone uses. The algos look for any suspicious or unusual activity that may indicate potential money laundering or fraud.
And if you’re a bad actor, and looking for guidance, those algos are commercially available… which defeats the whole point.
What else?
Reporting: Banks have a legal obligation to report any suspicious transactions or activities to the appropriate regulatory authorities.
Periodic Reviews (which I think I mentioned before): Banks conduct regular reviews of client information and documents to ensure they are up-to-date and accurate. This helps maintain compliance with regulatory requirements.
What other dimensions are there for KYC broadly?
There’s Training and Awareness: Banks torture ALL their employees with lame online training to ensure they are knowledgeable about the KYC process, regulatory obligations, and how to identify and handle suspicious activities.
There’s an Internal Controls dimension: Banks establish policies/controls to ensure the effective implementation of the KYC process, including segregation of duties and regular audits. If you’re unfamiliar with the language of controls: a “control” is any action taken by management, the board, and other parties to manage risk and increase the likelihood that– in this case– KYC’s objectives and goals will be done well, not just done.
What other jargon do you need to know?
Collaboration with Regulatory Authorities: Banks work closely with regulators to stay updated on evolving regulations and best practices in KYC and anti-money laundering efforts.
What else?
There’s always a Technology Integration angle to everything– KYC included: so banks leverage 20-year-old tech– they call it artificial intelligence and machine learning– just to make it sound effective– and they use that tech to enhance the efficiency and effectiveness of the KYC process. And I’m making fun of the people, not the tools here– the tools do what you need them to… minimally. They automate data collection, analysis, and risk assessment, reducing (hopefully) manual efforts by the Ops teams and improving accuracy.
What else?
Customer Education: Banks make sure their customers understand the importance of the KYC process, the reasons behind certain requests for information, and how it helps protect both the customer and the institution from financial crimes.
Collaboration with Other Financial Institutions: to share information and enhance everyone’s ability– across the industry– to detect and prevent financial crimes. This includes information-sharing platforms and networks dedicated to combating money laundering and terrorism financing.
And there’s always “Continued Improvement”-- which I always put in quotes. Banks feel compelled to engage in security theater for the regulators– so they’re “continuously reviewing and improving their KYC processes to adapt to changing regulatory requirements and emerging risks.” That could mean updating policies and procedures and/or implementing new technologies, and/or conducting regular internal reviews and audits of the end-to-end process.
So that’s the jargon piece of the KYC walk. Every Know Your Client (KYC) process uses the language of being “vital” to establishing strong customer relationships, ensuring compliance with regulations, and mitigating financial risks. But it’s just treated as an operational burden… not a commercial opportunity. Which makes no sense. If you’re collecting and maintaining accurate information about clients… then why are you using it only for risk management (as important as that is)? Why aren’t you leveraging it to better understand their needs and provide appropriate financial services because you know them better? A commercial mindset. Why aren’t you thinking like the Metas and the Googles of the world? It’s certainly not because the regulators are forcing you to be unimaginative.
Anywho… Just know that the KYC process involves various steps, including customer identification, due diligence, ongoing monitoring, and risk management. Banks also employ additional measures such as enhanced due diligence, sanctions screening, transaction monitoring, and reporting to ensure ongoing compliance and risk mitigation. The integration of technology, customer education, collaboration… with regulatory authorities and other financial institutions… and as with all institutions who have lost their mission: continued, continuous improvement forever and ever… lead to an effective KYC process.
Through these measures, banks can– at the absolute minimum– prevent money laundering, fraud, and other financial crimes, and maintain a safe and secure banking environment for their customers and the wider financial system.
Important and sadly underutilized when you apply a commercial mindset.
Okay… enough preaching.
Let’s quickly talk acronyms.
Now… some of you bigger nerds jump straight to this section because you think that the boring intro part is… well… boring. [nods head yes]
So I’ll accommodate you by showering you with what you’re most familiar with: three-letter acronyms (TLAs):
Outside of K…Y…C – the mother of TLAs here– you need to memorize 5 of them for everything else on this walk:
CDD - Client Due Diligence
EDD - Enhanced Due Diligence
PEP - Politically exposed person
CIP - Client Identification Program
AML - Anti Money Laundering
Oh and PR - which isn’t 3 letters– but stands for Periodic Review (PR). Super important.
Quick summary:
CDD - Client Due Diligence– is the vanilla treatment every prospect and client gets as we dig into who they are.
EDD - Enhanced Due Diligence– is the step up from vanilla– the hot fudge… like when customers represent a greater risk than CDD can solve for.
A good example would be a PEP– a politically exposed person– or to extend our ice cream analogy– the nutty nuts- who pose a higher risk than traditional customers to financial institutions. PEPs are given special treatment during screenings because banks have nut allergies… metaphorically.
Some examples of PEPs would be like what I mentioned earlier– the children of despots or any politician really because you can’t play in mud without getting dirty.
So… CDD, EDD, PEP…
CIP - Client Identification Program– that’s a common TLA– three letter acronym– because firms are forced by regulators to conduct Customer Identification Programs (CIP) to verify that customers are who they say they are and are being truthful about the business they are engaged in.
What was the fifth one? AML - Anti Money Laundering… self-explanatory. Because who’s pro-money-laundering? Outside of criminals and all the beautiful island nations that help facilitate it? The Bahamas, Fiji, Palau, Panama, Costa Rica, the British Virgin Islands, Marshall Islands… any vacation destination really… allowing you to combine work and play… if you’re a bad guy.
What other acronyms do you need to know? Well…
Let’s talk regulators.
Before I start spewing their acronyms and institutional missions, it’s important to acknowledge three overarching themes when thinking about KYC.
1. Global compliance - because KYC is a mandate to EVERY financial institution (ex-island retreat). Every land-locked bank– outside of maybe Russia, Iran, North Korea, [insert pariah state]– demands that you comply with global demands for KYC for each of your clients, regardless of your jurisdiction or theirs.
2. Regional compliance - this applies even more KYC requirements based on region, for instance, any of the acronyms listed below: FINRA, BSA, FinCEN, etc., etc., etc.
3. Local compliance - this applies yet another layer of KYC requirements based on jurisdiction, think Luxembourg… which used to be known for its steel manufacturing and delicious Bouneschlupp… but… after globalization, recast itself as Europe's most powerful investment management region (I’m using their words, not mine… because you know… Switzerland).
Suffice it to say, that every comprehensive KYC program must account for all the various players: global, regional, and local.
Which ones? There are hundreds so… here are the ones that have been burned into my skull:
- FINRA (in the US)– which stands for the Financial Industry Regulatory Authority. Their mission is to protect investors and promote market integrity. Each year, they conduct thousands of investigations of potential violations of securities industry rules, regulations, and U.S. securities laws.
- BSA/AML (in the US)-- which stands for the Bank Secrecy Act / Anti-Money Laundering (BSA/AML). They’re all about financial transparency and they work to deter and detect those who seek to misuse the U.S. financial system to launder criminal proceeds, finance terrorist acts, or move funds for other illicit purposes. The BSA requires each bank to establish a BSA/AML compliance program.
- FinCEN (US) - which stands for the Financial Crimes Enforcement Network under the US Department of the Treasury. Their mission is to enhance U.S. national security, deter and detect criminal activity, and safeguard financial systems from abuse by– again– promoting transparency in the U.S. and international financial systems.
I’ll refrain from commentary on the redundancy between these regulatory institutions because I actually think they’re needed and doing God’s work. Could they do it more efficiently? Yes. But redundancy is better than a void.
And there’s a lot of redundancy because every country or group of countries feels obligated to do their version for their jurisdiction… which is tedious if you’re a bank… but we should quit complaining as an industry because– to our left– big tech isn’t regulated and man, are they creating a mess. Example: the US elections.
Anywho… I won’t list every region/country-specific regulator but some of the more important ones are the HKMA - The Hong Kong Monetary Authority– because the US isn’t who they think they are anymore. The MAS– The Monetary Authority of Singapore. The FCA– the UK’s Financial Conduct Authority… who have so much more to teach the US about not being who they think they are anymore. And the big one: the ECB– the European Central Bank– which is to the UK… what China and Singapore are to the US. The future.
What role does current technology play?
Nothin’ to write home about… which is why right after I do this portion of the walk, I’m going to redo it– step by step– with what role tech ought to play.
In the CIP process-- where Ops identify the client with the relevant documentary evidence, tech is usually a simple workflow (if that) with a document management component. Many times it’s not even a workflow. It’s just an ancient document management system and some operational documentation. Sorry.
In the central KYC process- where clients are risk-weighted– into buckets like high, medium, and low-risk clients… and/or “high risk” vs “higher risk” clients… the evaluation of the client is usually a reference data platform (like a golden source client master) and a simple workflow that allows Ops to dimension a client’s risk based on what’s called a suitability analysis… which is fancy jargon for “what products and services does the client use?” How do they use them? How often? At what scale? In tech terms… the intersection of a client master and a product master.
I used the term dimension… which is needlessly big. Maybe I can give you an easier way of understanding what Ops needs for each client’s risk rating. Let’s make a lame consumer banking analogy. A potential client is less risky if the only service they use is 1) a checking account where 2) the only money going into that account is through direct deposit ... because they’re putting their employer’s money into the bank’s hands with zero intermediaries… Conversely… needlessly big word… they’d be more risky (riskier) if they’ve taken a loan from the bank– the bank’s money is now in their hands. Apply that in terms of anti-money laundering, and you get lower risk if the product/service is– I don’t know– low-dollar ATM withdrawals and higher risk if it’s high-dollar international money transfers.
I hope that made sense. Risk management is complex.
And every example I used was for human beings as banking customers. The same goes at the institutional level… where companies are the bank’s clients. Publicly traded companies are “lower risk” because they have their financial books regularly audited… and small mom-and-pop shops are higher risk because they’re mostly cash businesses. Because audit-ability is difficult… which gives us a weird world where giant weapons manufacturers are actually less risky from a KYC perspective than say… restaurants, or liquor stores, or cigarette distributors. If you don’t know what I’m talking about, watch the Netflix show Ozark. Actually, even if you know what I’m talking about, watch Ozark. It’s just a good show.
So that’s CIP and KYC. Tech is at best, a database and some rudimentary workflow. Lame.
What about EDD - Enhanced Due Diligence? What role does technology usually play there?
Again… kind of boring. All the additional due diligence that’s defined by a “risk-driven compliance policy”– well, the Ops teams pull the list of higher-risk clients from their databases regularly– hopefully, that database is the Firm’s client master… but it usually isn’t. It’s a local version that grew from the siloed use of that team’s workflow. Many times, it's still just a spreadsheet. And… once that list of higher-risk clients is in front of the Ops person, they repeat the same manual steps for re-verifying that the client is still behaving. You’d think that that set of manual checks would be different from bank to bank but because KYC employees and managers switch banks regularly (for the bump in pay), most banks have a surprisingly similar set of manual processes… some as sophisticated as just Googling the client to see if they’re under investigation or worse. Deeply ironic because banking as an institution– isn’t thinking about its process in commercial terms– and is using Google as a source when Google is thinking about its process in commercial terms.
Where else might tech play a role? Well, someone has to assign each client a Client Risk Rating– determining their risk based on predetermined attributes and weightings. And I wish I could say that banking Ops has that piece automated. But it mostly doesn’t. The Ops folks do that in spreadsheets and use fancy terms like risk modeling but it's usually a much simpler Excel macro. If this value is in column 6 then risky (so review their details once a year). If this value is in column 6, this value is in column 41, and this value is missing in column 78 (in the spreadsheet), then even more risky (so review their details twice a year). Remember the term Periodic Review at the front of the walk… PR? A client’s risk rating is mostly what drives the frequency of a periodic review. Other things can drive it… like if the client is in the news in a bad way… or they sign up for higher-risk services (the difference we talked about between low-dollar ATM withdrawals as a product and higher-risk high-dollar international money transfers as the new product that the client is now using). Or maybe they usually use their account once a quarter and now they’re using it daily. Something’s up. Let’s move up that periodic review.
Both of those are good examples of Ongoing Monitoring– the idea that you need to actively refresh KYC based on risk and compliance policy and on how the client’s behavior is changing.
And from a tech perspective, everyone uses the same vendors: Actimize, Fiserv, Refinitiv– and those vendors offer the same lame pre-built models as each other. If you’re a bad actor with a lot of money– and most bad actors are swimming in money– just hire someone to go to work for one of the big three… and take notes.
Because that’s really the core of AML Monitoring. If you want a high-level understanding of this kind of monitoring, think about it this way: if you stare at current financial activity over some time, some activities in the financial behavior of clients will change. Depending on what changes and how it changes, that’s “suspicious activity” because most of us– including institutions– are creatures of habit. And changes in habit are suspicious… and easily identifiable with tech.
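As an added illustration of that idea (example code written for this page, not a vendor’s model or any bank’s actual rules): the script below builds each client’s monthly habit from a few months of constructed transactions and flags the review month when velocity, ticket size, counterparty country or product mix departs from that habit. The client names, amounts and thresholds are all assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Txn:
    client: str
    when: date
    amount: float
    kind: str      # "atm", "deposit", "domestic_wire", "intl_wire"
    country: str   # counterparty country (ISO code)


def prior_months(month, n):
    """The n (year, month) keys immediately before `month`, most recent first."""
    y, m = month
    out = []
    for _ in range(n):
        m -= 1
        if m == 0:
            y, m = y - 1, 12
        out.append((y, m))
    return out


def monthly_stats(txns):
    """One client's activity per (year, month): count, mean amount, countries, intl wire count."""
    by_month = defaultdict(list)
    for t in txns:
        by_month[(t.when.year, t.when.month)].append(t)
    return {
        m: {
            "count": len(items),
            "mean_amount": mean(t.amount for t in items),
            "countries": {t.country for t in items},
            "intl_wires": sum(1 for t in items if t.kind == "intl_wire"),
        }
        for m, items in by_month.items()
    }


def habit_changes(txns, review_month, baseline_months=3, velocity_factor=3.0, amount_factor=3.0):
    """Compare each client's review_month against the preceding baseline months.
    Returns {client: [reasons]}; an empty list means the client is still a creature of habit.
    Clients with no baseline or no activity in review_month get an empty list (a dormant
    client is a separate case that this example does not score)."""
    per_client = defaultdict(list)
    for t in txns:
        per_client[t.client].append(t)
    alerts = {}
    for client, items in per_client.items():
        stats = monthly_stats(items)
        base = [stats[m] for m in prior_months(review_month, baseline_months) if m in stats]
        cur = stats.get(review_month)
        reasons = []
        if base and cur:
            base_count = mean(s["count"] for s in base)
            base_amount = mean(s["mean_amount"] for s in base)
            base_countries = set().union(*(s["countries"] for s in base))
            base_intl = sum(s["intl_wires"] for s in base)
            if cur["count"] > velocity_factor * base_count:
                reasons.append(f"velocity: {cur['count']} txns vs baseline {base_count:.1f}/month")
            if cur["mean_amount"] > amount_factor * base_amount:
                reasons.append(f"ticket size: mean {cur['mean_amount']:.0f} vs baseline {base_amount:.0f}")
            new_countries = cur["countries"] - base_countries
            if new_countries:
                reasons.append(f"new counterparty countries: {sorted(new_countries)}")
            if base_intl == 0 and cur["intl_wires"] > 0:
                reasons.append(f"new product: first international wires ({cur['intl_wires']})")
        alerts[client] = reasons
    return alerts


def sample_transactions():
    """Constructed sample data, not real clients: one creature of habit and one whose habits change."""
    txns = []
    for month in (1, 2, 3, 4):
        # corner-diner: four ~$200 domestic ATM withdrawals every month, April included
        for day in (3, 10, 17, 24):
            txns.append(Txn("corner-diner", date(2024, month, day), 200.0, "atm", "US"))
    for month in (1, 2, 3):
        # sunset-llc: four ~$1,500 domestic deposits a month during the baseline
        for day in (5, 12, 19, 26):
            txns.append(Txn("sunset-llc", date(2024, month, day), 1500.0, "deposit", "US"))
    # sunset-llc in April: near-daily deposits plus its first-ever offshore wires
    for day in range(1, 13):
        txns.append(Txn("sunset-llc", date(2024, 4, day), 1500.0, "deposit", "US"))
    for day in (15, 22, 29):
        txns.append(Txn("sunset-llc", date(2024, 4, day), 25000.0, "intl_wire", "BS"))
    return txns


if __name__ == "__main__":
    for client, reasons in habit_changes(sample_transactions(), (2024, 4)).items():
        print(client, "->", reasons or "no change in habit")
```

Each reason string is the kind of thing that would move a client’s periodic review forward rather than a verdict in itself; the thresholds are deliberately coarse so the logic stays readable.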
Alright… I’m starting to put myself to sleep.
Let’s end the walk with a simple linear view of what the larger workflow looks like AND just to keep it interesting, let’s put on our innovative technologist hat and explore THE ART OF THE POSSIBLE.
Step 1. There’s CIP - Client Identification Program. It typically involves Ops figuring out who the client is and/or with larger companies… who have controlling interests in that company. In the case of institutions, they’d get a list of all beneficial owners and related parties, and that’s all figured out based on the person or the organization’s percentage of controlling interest in that company. Retail CIP– for people like you and me– can usually be automated using ID verification services– which we didn’t get into on this walk– but think… a servicer– a data-focused company– that’s a lot less ambitious and a lot narrower in focus than the Googles and the Metas of the world. Institutional CIP can be more complex given the number of parties involved and there are data vendors who help with that.
What’s the art of the possible with regard to tech here? Well, you might want to watch a previous walk I did called “Digitizing Client Fee Schedules.” But the short answer is: go borderless in what you automate. Don’t start your workflow when you’re handed a client name by your upstream process– sales, for instance. Go and automate the sales process upstream. Think of them as the start of your entire bank’s data supply chain. A ton of data capture should happen there and the controls on the quality of that data should also happen there. And that intake process should be so good that you don’t do what every Ops team in the world does today: which is to manually reconcile the quality of the client data that they’re handed to KYC.
That’s one of the reasons KYC’s tech future is always cloudy: because the owners of that space are different than the owners of the sales process/tech. And both teams operate in silos. Sales folks ask their tech partners for sales-enhancing improvements. Not data-supply-chain-enhancing ones. They don’t care if literally everyone else downstream– which is 99% of the rest of the bank– has to deal with crap data quality.
When companies do bake-offs on sales tools– CRMs, for instance– they’re not holding those tools accountable for getting the start of the data supply chain right.
So if you want to fix your step 15, your step 25, your step 100… think of the whole thing as an end-to-end process and get step 1 right. And step 1 isn’t CIP - Client Identification Program… it’s sales… or even more upstream: prospecting.
Ok… back to lame, bordered thinking… Step 2 in the KYC process: CDD – Client Due Diligence– where Ops collects information about the nature and purpose of the business being KYC’d, the jurisdictions of operation, and the types of products and services that a client is interested in, in order to determine the client risk. Client risk combined with the AML/KYC policy of any bank will determine the steps needed to complete KYC. That might sound a little obvious but each bank has its own unique policies, usually tied to something in their legacy (process legacy, tech legacy) that no one has been willing to challenge. Documentary evidence is typically required at this stage and the nature of that evidence is determined by– again– the company’s risk policy. Most banks typically rely on a combination of industry data sources as well as direct client solicitation. And clients generally hate (exclamation point – HATE) the inconvenience because different functions in a bank won’t talk to each other or coordinate amongst themselves, so clients are asked for the same thing over and over again… making the bank look incompetent. And we’re never talking about one or two duplicate asks. Every bank I’ve ever worked for has a picture that some senior executive received from a high net worth friend/client where their office desk or their dining room table is filled to here with everything that’s been sent to them and/or been asked of them to send… to the bank… over and over again… by different orgs within the bank. It’s ridiculous.
How can tech– reimagined– change this? First… as I said 50 feet back… automate the larger institutional end-to-end… not just step 33… which you call step 2 in KYC. But also… recognize that there’s no customer out there that doesn’t engage multiple banks. Especially institutional clients. Ever since Lehman went down, people and companies learned that putting your eggs in just one bank is stupid… which means that every bank is doing KYC on the same people and institutions as other banks… many at the exact same time. That’s a commercial opportunity– and not just for some clever startup– but for any bank that realizes their customers would love to NOT have to be repeatedly bothered by multiple banks.
If you’re a bank, you can build– by yourself– what every industry-wide consortium has failed to build: a platform that says to your customers– when other banks ask you for your KYC data and documents– the same data and documents that you already sent us… send your other banks to us for all that crap. Ease your client’s pain, establish yourself– not just as a leader in this industry– but as an identity platform (a whole other industry of Metas and Googles that continue to be unchallenged by people who are already doing the work)-- and stop acting like this process isn’t an amazing commercial opportunity.
So… what comes after our fake step 2? After CDD– Client Due Diligence– comes fake step 3: EDD– Enhanced Due Diligence. So CDD then EDD… begging the question of why there isn’t a DDD. Dad joke. During the EDD step, Ops focuses on clients from certain high-risk industries, high-risk jurisdictions, and high-risk products/services that require additional due diligence. EDD is essentially a kind of step-up CDD with specific requirements driven by the entity, jurisdiction, and/or product. A key tie-in with AML– Anti-Money Laundering– is the ability to capture expected client activity during onboarding. This is monitored periodically against the actual client activity to ensure client behavior is aligned with the firm's expectations and KYC risk profile.
Let’s talk tech for EDD. It’s unreasonable to expect your upstream process to capture 100% of the data you’ll need so EDD is really about extending your sales-driven data model for your client to fully integrate with your product set. In nerd terms, that means integrating your client master with your product master. But before you nod yes– and think we’ve already done that– you haven’t. As Tech, you might have connected your client and product master schemas… but you haven’t automated the business workflows that feed you that integrated data set. The future of tech here is to own that operating model transformation.
The other thing forward tech can do for EDD is to extend an LLM– a large language model– the engine behind generative AI– to do the research that fills in missing client data… and because it's super important to avoid AI hallucinations, to build in tight controls on the workflows that allow KYC Ops people to double-check the LLM’s work. That was a little jargonistic so let me say it again in plain English. Tech should change the role of people sitting in KYC Ops… from “go looking for this client data” to “verify that the AI got the data right.” Just keep telling yourself that at this stage in AI development, it's a co-pilot. A human should still be the pilot.
Step 4: Ongoing Monitoring. Every bank’s compliance policy defines how often their particular KYC/CDD attributes need to be reverified with the client. Usually twice a year… because it’s a ton of manual activity and any more than twice a year and Ops would fall over dead from exhaustion. The whole process is typically driven by the risk profile of the client - lower-risk clients typically can wait longer than high-risk clients in re-validating all their data. And…. High-risk clients typically can wait longer than high(ER)-risk clients in re-validating those same attributes.
It’s a never-ending grind for Ops KYC teams.
And all because they’re 20 years behind in treating the whole process with some commercial ambition…. And the associated tech love that comes with all large commercial ambitions.
With some thoughtful architecture, banks can replace that mindless, repetitive checking and checking– based on what month of the year it is and/or how long it’s been since the high-risk client was last reviewed– with modern tech that automatically triggers reviews based instead on predefined events or changes to the client profile. It starts with staying on top of your client data in the same way that the Googles and the Metas do… like it can make you money. That’s a good start but not enough. You also need a business operating model transformation that allows you to create a vibrant, living product master… so every new high-risk product or service can auto-magically trigger a change in the risk profile of a client… which in turn would trigger a request to refresh their KYC.
That would mean banks bring the same kind of rigorous monitoring and pattern detection that they currently employ for AML (anti-money laundering) data to their own business processes– their own operating model for how and when clients move between products and services. The good news is that every bank’s AML efforts are closely linked to their KYC efforts. So it would be relatively easy to point some of that monitoring– currently pointed at client transactions… to also point at the bank’s product consumption/adoption.
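To make the spreadsheet-style risk rating from earlier in the walk and the event-driven refresh just described concrete, here is an added example (written for this page, not any bank’s policy or any vendor’s product) that scores a client from weighted attributes plus the riskiest product they use, maps the score to a periodic review cadence, and pulls the review forward when a new product or adverse news moves the client up a tier. All weights, tier cut-offs, review intervals and sample clients are assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Attribute weights and product risk: assumed illustrative values, not any bank's policy.
ENTITY_WEIGHT = {"public_company": 0, "individual": 1, "private_company": 2, "cash_business": 6}
JURISDICTION_WEIGHT = {"low": 0, "medium": 2, "high": 5}
PEP_WEIGHT = 6
ADVERSE_NEWS_WEIGHT = 4
# The riskiest product the client uses drives the product component (ATM cash vs. offshore wires).
PRODUCT_RISK = {"checking": 0, "direct_deposit": 0, "atm": 1, "loan": 2, "domestic_wire": 2, "intl_wire": 5}
# Assumed cadence: the walk's once-a-year vs. twice-a-year, plus a quarterly top tier.
REVIEW_INTERVAL_DAYS = {"low": 365, "high": 182, "higher": 91}
TIER_RANK = {"low": 0, "high": 1, "higher": 2}


@dataclass
class Client:
    name: str
    entity_type: str
    jurisdiction: str
    pep: bool
    products: set
    last_review: date
    adverse_news: bool = False


@dataclass(frozen=True)
class Decision:
    score: int
    tier: str
    next_review: date
    reason: str


def risk_score(c):
    """Weighted sum of the client's KYC attributes plus the riskiest product they use."""
    score = ENTITY_WEIGHT[c.entity_type] + JURISDICTION_WEIGHT[c.jurisdiction]
    score += PEP_WEIGHT if c.pep else 0
    score += ADVERSE_NEWS_WEIGHT if c.adverse_news else 0
    score += max((PRODUCT_RISK[p] for p in c.products), default=0)
    return score


def risk_tier(score):
    return "low" if score <= 5 else "high" if score <= 10 else "higher"


def schedule_review(c):
    """Calendar-driven periodic review: the tier alone decides how long the client can wait."""
    score = risk_score(c)
    tier = risk_tier(score)
    due = c.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    return Decision(score, tier, due, f"periodic review every {REVIEW_INTERVAL_DAYS[tier]} days")


def apply_event(c, event, today, product=""):
    """Event-driven refresh: re-rate when the product master or the news changes.
    A tier increase, or adverse news of any kind, pulls the next review forward to today."""
    before = schedule_review(c)
    if event == "product_added":
        c.products.add(product)
    elif event == "adverse_news":
        c.adverse_news = True
    else:
        raise ValueError(f"unknown event {event!r}")
    after = schedule_review(c)
    if event == "adverse_news" or TIER_RANK[after.tier] > TIER_RANK[before.tier]:
        return Decision(after.score, after.tier, today,
                        f"{event}: tier {before.tier} -> {after.tier}, review pulled forward")
    return Decision(after.score, after.tier, after.next_review, f"{event}: tier unchanged ({after.tier})")


def sample_clients():
    """Constructed sample clients (not real), mirroring the walk's own examples."""
    reviewed = date(2024, 1, 15)
    return {
        # publicly traded arms maker: audited books, low-risk jurisdiction, but it wires money abroad
        "megacorp-defense": Client("megacorp-defense", "public_company", "low", False,
                                   {"checking", "intl_wire"}, reviewed),
        # cash-heavy mom-and-pop restaurant whose only other product is low-dollar ATM withdrawals
        "corner-diner": Client("corner-diner", "cash_business", "low", False, {"checking", "atm"}, reviewed),
        # salaried PEP paid by direct deposit only
        "pep-individual": Client("pep-individual", "individual", "low", True,
                                 {"checking", "direct_deposit"}, reviewed),
    }


def demo():
    """Score the samples, then fire three events; returns (tier, next review date) per case."""
    today = date(2024, 3, 1)
    cs = sample_clients()
    out = {n: (schedule_review(c).tier, schedule_review(c).next_review.isoformat()) for n, c in cs.items()}
    d = apply_event(cs["pep-individual"], "product_added", today, product="intl_wire")
    out["pep-individual+intl_wire"] = (d.tier, d.next_review.isoformat())
    d = apply_event(cs["corner-diner"], "product_added", today, product="loan")
    out["corner-diner+loan"] = (d.tier, d.next_review.isoformat())
    d = apply_event(cs["megacorp-defense"], "adverse_news", today)
    out["megacorp-defense+adverse_news"] = (d.tier, d.next_review.isoformat())
    return out


if __name__ == "__main__":
    for case, (tier, due) in demo().items():
        print(f"{case:32} {tier:6} next review {due}")
```

Note that with these assumed weights the audited arms maker lands in a lower tier than the cash-only diner, which is exactly the “weird world” the walk describes; swapping in a bank’s real policy means changing the tables at the top, not the logic.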
Alright… that’s really more than enough on KYC.
Hope you learned something.