BuckleySandler hosted a webinar, Best Practices in Customer Due Diligence and Know-Your-Customer, on May 21, 2015, as part of its ongoing FinCrimes Webinar Series. Panelists included Eric Arciniega, Senior Manager, BSA/AML Due Diligence Operations at First Republic Bank; Janice Mandac, Global Head of KYC at Goldman Sachs; and Nagib Touma, Director Global AML/KYC at Citi. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler LLP, and key take-aways you can implement in your company.
Best Practice Tips and Take-Aways:
- Establishing company-wide/global standards for your company’s customer due diligence and KYC program will help to ensure consistency throughout the organization. But, for global institutions, you must also be able to accommodate jurisdictions with requirements that are more stringent than the global standards.
- Be aware of data privacy standards in the countries where you operate. These standards pose a particular challenge to operating a centralized customer due diligence and KYC program.
- Regulators’ recent focus on model risk management extends to your customer risk rating model. Ensure that your model is being tested and tuned rigorously.
Balancing Globalization with Regional Variations
The panelists began the session by discussing how to take advantage of the benefits of a globalized customer due diligence and KYC program while accounting for jurisdictional variations in legal requirements. The panelists observed that a good approach is to first create baseline standards that apply globally and then append local requirements onto the global standards. Panelists felt that it was best to integrate any local requirements into the centralized customer due diligence and KYC system rather than create separate systems for regions with more stringent requirements. To make this possible, the centralized AML function must have ongoing communication with local teams that are on the ground in these jurisdictions.
The panelists discussed the challenges posed by jurisdictions with data privacy requirements that make it impossible to house customers’ information in a centralized database. One panelist explained that in Switzerland, for example, the company has created a separate instance of the customer due diligence and KYC system with firewalls to ensure that the data privacy requirements are fulfilled. Other jurisdictions’ requirements could lead a company to create a duplicate record of a customer’s information for use outside the jurisdiction. The panelists suggested categorizing jurisdictions into buckets based on how open or private they are, in order to create controls that prevent unauthorized access.
The panelists stressed the value of leveraging your company’s technology to acquire a consistent set of information about new customers during the onboarding process. When a customer has one record across the company, that information can be used by different lines of business and different applications can be run off of the database. This same principle applies when a company implements a global case management tool for AML cases.
Effective Customer Risk Rating Models
The panelists identified many different factors that an effective customer risk rating model should take into account. These included:
- The kinds of business the customer is engaged in;
- Locations in which the customer operates;
- Whether the customer maintains custodial accounts;
- Reputational risk associated with the customer;
- Negative news reports on the customer; and
- SARs filed on the customer.
Here, too, the panelists noted the challenge of incorporating jurisdictional variation in requirements, such as a country requiring certain industries to be rated high-risk, into a globalized system. But again, the panelists felt that the best approach was to establish a global model and incorporate jurisdiction-specific requirements. One panelist described a peer-grouping function that compares a customer to similar customers within the company’s portfolio to see if the customer is operating much differently than similar customers.
The panelists observed that regulators have placed particular emphasis on models in general, including customer risk rating models. Accordingly, the panelists stressed the importance of the Supervisory Guidance on Model Risk Management released by the OCC in April 2011 when testing and tuning your customer risk rating model. The panelists generally agreed that testing and tuning the customer risk rating model should be an ongoing process with enhancements made to the model on a regular basis, perhaps annually or quarterly. A regular review should also be conducted to look for new factors that should be considered in the model.
The panelists concluded the session by discussing what issues related to customer due diligence and KYC they anticipated being especially important in the upcoming year. Several panelists mentioned the anticipated beneficial ownership rules. The panelists said that they are beginning to have internal discussions about the costs and changes that will need to be made to comply with the new requirements. The panelists also mentioned that meeting regulatory expectations for their customer risk rating models will be an important issue.