December 19, 2018

Based on the INDUSTRY BANKING KYC UTILITY PROJECT AFTER-ACTION REPORT issued by the Association of Banks in Singapore.

The idea of a KYC utility is not new. A bank I worked for – of which I will not mention the name -centralized trade operations for close to 50 other banks at a point in time; so why could that not be done for the CDD process? Moreover, i-KYC as an organization and undersigned as an individual have years and years of experience in the execution of AML/CFT processes. We hubbed process steps, off-shored and on-shored processes, set up hubs, moved hubs, relocated hubs and closed hubs. Setting up and operating a KYC utility is not undoable, it seems like a good idea and the report gives valuable insights; so allow me to add some practical remarks.

The Compliance function should not lead the AML/CFT program

Under point 4., the report rightly states that “KYC remains an industry-wide pain point from the perspective of regulatory risk, operational cost and customer experience”. Any CDD effort needs to balance good, cheap and fast. By default, a compliance team will focus on meeting regulatory requirements and will have very little interest in cost and customer experience. Having an AML/CFT program lead by the 2nd Line-of-Defense is therefore a sure recipe for failure. The business, the 1st Line-of-Defense, needs to lead the program and needs to oversee all 3 aspects, of course with support from the Compliance Team.

It is not about the regulation or policies,it is about the power to execute and about the ability to deliver. Just a policy will not achieve operational compliance, a KYC utility will need to be setup and managed by operational CDD experts.

Policy harmonization will never materialize

The project involved the MAS and tried to harmonize regulations; definitively a worthy cause. However, this is not enough: regulators are willing to cooperate, negotiate and harmonize regulations but business and industry practices, legal frameworks and political imperatives are different from country to country. Full harmonization across countries is therefore hardly imaginable. Even more so if political and economic factors are taken into account. Moreover, harmonization of regulations will need to be an ongoing effort; insights change over time.

As an example, this will imply that the requirements to perform KYC for one and the same legal entity in let’s say Hong Kong, Singapore and Indonesia will lead to 3 sets of CDD procedures. A KYC utility will have to deal with that reality.

Policy harmonization is inherently impossible

It all starts with regulation. Right? Maybe not: even if there were no legal framework or central bank regulations,financial institutions would still have internal rules and regulations. Organizations in general and banks more specifically have a distinct risk appetite which needs to be defined, shared and embedded. That definition drives policy and drives process design and execution. Moreover, this complex of risk appetite,policies, processes and procedures changes over time.

Any shared service provider will have to accept that standardization will only be possible to a certain extent.Financial institutions will have different desires and expectations of the services that the utility can provide; a utility will need to see itself as a service provider with financial institutions as clients and will need to accept that every client is different.

CDD differs per type of client

The project excluded certain client groups and although – from a practical point of view – I can agree with most of the decisions, let me share some experiences. Private clients are usually low in numbers and the process focuses on decision making, not on the actual CDD work. CDD for larger companies, MNCs and listed entities is usually relatively straightforward and often involves medium or low risk entities. CDD for private individuals is in most banks a bulk process, embedded in the account opening process with very little enhanced due diligence required. The issues in CDD usually arise with family owned, commercial clients operating in less known jurisdictions.In the teams that we worked with, clients in this segment accounted for well over half of the workload even though their number was below 20%.

Like in many instances the 80/20 rule applies; a KYC utility should focus on the major pain points which will often occur in CDD of commercial clients, often family owned and often operating in less developed jurisdictions.

A utility makes the process – by definition – more complicated

Assuming an individual financial institution has an optimized, well run CDD process, there is little to be gained with the introduction of a third-party utility. The adage of standardize,centralize, off-shore, outsource is still valid. The last step, or better the last 2 steps, usually don’t add a lot of value because the process will need to be broken first in order to improve it thereafter. That is – based on experience – not always a success and never easy.

Creating a utility could be the remedy for the pain, but progress is made in small steps, so start with these small steps along the lines of standardization and optimization.

Conclusion

Hopefully the above mentioned points indicate even more – practical – pitfalls in setting up a KYC Utility than already mentioned in the report. It is no surprise the project was put on hold;many other similar and often simpler projects failed before.Perhaps we should not look at the possibility to setup a utility but more at creating facilities to make CDD easier and the use of distributed ledger technology to bring CDD back to the customer. After all:should it be the responsibility of a financial institution to assess a client or should the onus be on the client to prove he or she is bankable?