The fight against money laundering and terrorist financing will continue to be a primary area of focus for regulators in 2017. How can firms ensure their KYC compliance procedures meet the challenge?
The message from regulators is clear — the days of box-ticking are over when it comes to compliance with Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT).
Indeed, with a tidal wave of regulatory change heading towards the shores of compliance professionals, it requires a step-change in your Know Your Customer (KYC) approach to ensure the challenge can be met.
This will demand the participation of the entire organization rather than the chosen few in compliance.
Culture starts from the top with leadership engagement and works down through the organization with a properly controlled risk environment, and appropriate, regular training for employees.
In this respect, compliance professionals should take note that an inadequately-trained member of staff, even if they are not front-line compliance, may put the organization and Money Laundering Reporting Officer at financial, reputational, and regulatory risk.
Regulation and more regulation
The burden of regulation has grown significantly since 2008, when the world’s regulators issued approximately 24 alerts per day.
By 2015, the figure exceeded 200 and proved that as criminal and corrupt behavior adapts, so regulation has grown exponentially to keep up.
This year will bring a new raft of significant measures, many of which will have far-reaching effects beyond the borders of the issuing countries and regions.
- The New York State Department of Financial Services’ final rule for transaction monitoring and filtering came into effect on 1 January
- The EU’s 4th Anti-money Laundering Directive will come into force in June, together with an in-progress amendment touted as the 5th Anti-money Laundering Directive
- The EU Funds Transfer Regulation and the revised Payment Services Directive will also come into effect.
At a national level, regulation and regulatory oversight are also facing an overhaul.
- In the UK for example, the Financial Conduct Authority’s Senior Managers Regime extends further to the Certification Regime
- The UK’s Criminal Finances Bill, which aims to be law by March, will introduce a strict liability crime for failing to prevent tax evasion and a possible new amendment introducing a failure to prevent economic crime, a wider scope that would cover AML and fraud.
Importantly, these changes extend their reach beyond the borders of the UK, so organizations outside the country should be aware of them.
Review your regtech
Technology may not yet hold the key to fully automated, low-cost compliance, but investment in the right regtech tools can ensure that exposure to AML/CFT and other risks is minimized or mitigated, and that compliance costs can be appropriately planned and managed.
Nascent technologies like blockchain and artificial intelligence offer promise but it is still too early to reliably call on them in the compliance arena.
In the meantime, ensuring that KYC screening system settings and transaction monitoring rules have been reviewed and optimally adjusted — and indeed that they are being used correctly by compliance staff — can increase the reliability and quality of the compliance effort.
Secure Your Customer
Mention should, of course, be made of the EU General Data Protection Regulation, which is due to come into force in 2018.
There is now an acute focus on protecting your customers’ data, or in other words Secure Your Customer.
Perhaps the three key takeaways from the legislation in this respect are:
- Breaches must be reported within 72 hours
- Systems must encompass ‘security by design’
- Organizations should ensure all of their systems are adequately protected and monitored with evidence to this effect, including KYC and transaction monitoring compliance systems.
There have been numerous reports that 2017 will be the ‘year of cyber security’, and regulators will be taking a keen interest in ensuring that organizations adhere to the principles of good data governance throughout their operations.
Now it’s personal
A further key theme this year — and one ignored at your own risk — is personal liability.
Each individual compliance professional must take ownership of their actions and fully assess their own personal regulatory risk management strategy to ensure compliance and avoid liability.
Recent enforcement action has shown that compliance officers at companies subject to the Bank Secrecy Act can be held personally responsible for AML failures.
It has also highlighted that regulators will not hesitate to impose the full force of the law and hold individuals to account.
The message is clear: personal liability is here to stay.
Make your voice heard
With new regulation often comes consultation.
Indeed, both the UK and Australian governments have issued several consultations in the past few months that are of specific interest to compliance professionals.
Such consultations can and do shape policy, and regular engagement, in this way or directly with regulators, can help ensure that legislation is clear, effective, and not unduly onerous.
Finally, going it alone is very often not sufficient in this complex and rapidly-evolving world of compliance regulations.
Risk, compliance and internal audit functions should therefore include outsourcing in all their monitoring plans and consider engaging managed services from an external provider.
KYC, enhanced due diligence, and screening managed services offer a raft of benefits, including:
- Reducing the pressure on often over-stretched internal compliance departments
- Lowering ongoing compliance costs
- Speeding up turnaround times, both when onboarding new clients and when refreshing client records
- Providing superior data privacy and protection