Perpetual KYC vs. traditional risk monitoring

Management of KYC processes continues to evolve to deal with changing threats and to leverage new regtech. Now, firms are moving to a perpetual KYC model, but what is perpetual KYC and how is it different from a traditional approach to risk monitoring?

Know your customer - or KYC - is a compliance process that regulated firms (and many non-regulated firms) use to understand their customer base. They perform an assessment to look for risks associated with a customer. Institutions build risk profiles as part of their anti-money laundering (AML) compliance programs and to mitigate exposure to risk. Completing a KYC process protects customers and institutions from financial crime.

Businesses perform due diligence on an individual or an organization structure before they are onboarded as a customer. Then they will monitor accounts at set intervals to assess whether anything in the risk profile has changed over time. These firms are trying to mitigate the risk of onboarding or retaining customers involved in financial crime such as fraud or money laundering. 

Institutions will traditionally define what constitutes a low, medium, and high risk customer profile. Then the firm will look at the characteristics of each customer and use various datasets to compile their risk rating and categorize them accordingly. Factors that might inform a customer’s risk profile could include anything from where they live to whether they are a politically exposed person (PEP) or the subject of adverse media. Other factors, such as source of funds, might also be considered.

Once an institution has completed its due diligence and built a risk profile – categorizing the customer as low, medium, or high risk – they can then decide what to do next. If a customer is considered too high risk – they are subject to sanctions for example – they may be off-boarded immediately. If a customer is onboarded, then they will be monitored at set intervals according to their risk rating. This monitoring process is used to assess if there have been any material changes that would influence the original assessment and change the customer’s risk score.

As long as a firm is compliant, how KYC is completed is up to them

In a nutshell, this is traditional KYC. However, firms choose different ways to execute their KYC processes. Some still use manual methods of research, such as scanning passports and reviewing utility bills. Others use automation to perform KYC checks, integrated with global online datasets.

As long as a regulated firm is compliant with their regional AML regulations, they can set their own KYC standards:

  • Some will have a strict global standard that needs to be met that is simply tweaked for different jurisdictions to meet compliance with local regulations.

  • Others will have a minimum standard, and regional compliance officers or money laundering reporting officers (MLROs) are empowered to define the KYC process for their jurisdiction or line of business.

Each company will have its own appetite for risk too. Some businesses that need to win new customers may lower their risk threshold to win new business. Others will be very risk averse and set higher risk thresholds to limit their exposure.

The thing about KYC and risk profiling is that it’s rarely straightforward. That’s because knowing customers and monitoring all of them on an ongoing basis can be complex and difficult, especially in the world of corporate ownership and control. 

Risk factors change all the time, not according to set timescales

Many institutions will set an annual review for a high risk account, a 2 year review for a medium risk account, and a 3 year review for a low risk account. This doesn’t consider the fast pace at which things change in company structures or in people’s lives. 

Take, for instance, a local election that leads to a new representative being voted into power. The day before the election, this person was medium to low risk; today they are a PEP. Businesses can’t afford to let a factor like this wait up to 3 years to filter through their KYC monitoring processes.

This is where perpetual KYC comes into effect. Perpetual KYC removes the problem of looking at the risk associated with an individual or corporate customer as a snapshot in time. This is important given that materially significant risk factors can change overnight and over time.

Traditionally, KYC and its approach to risk monitoring have been rigid, with hard timelines for ongoing reviews. Perpetual KYC looks for material changes in circumstances all the time. For example, with a corporate customer, the trigger for due diligence to take place might be a company reincorporating or changing locations, adding new shareholders, or making changes to the board.

The review is not driven by whether the account is high risk – it's driven by materially significant factors. There may be no changes to the high risk customer’s circumstances over a year, so why spend time and money reviewing them? By contrast, a low risk account could have had a change of ownership and, when that’s uncovered, the new owner is found to be a PEP, which radically alters the risk profile of the account.

Perpetual KYC supported by Regtech

Perpetual KYC is about using automation to look at potential sources of risk all of the time – moving away from set review periods. To some extent, it also involves moving away from the low, medium, and high risk categorization to one that’s driven by material changes that raise red flags and trigger reviews. 

Integrated into the right workflow technology with access to accurate data, perpetual KYC can be efficient and cost effective for businesses and support the sustainability of a compliance function. It can also create better experiences for customers who aren’t asked for additional KYC compliance information unnecessarily. 

If a business is able to know its whole customer population through the onboarding process, then it understands where potential risks lie. Using Regtech, firms can integrate automated risk policies with accurate datasets to produce triggers on accounts where there have been material changes that affect risk, so appropriate action can be taken immediately.

Get in touch

PassFort is a Moody's Analytics company. Our KYC solutions give you the confidence to know your customers and to know you are conducting business responsibly.

We bring together the data and automated workflow solutions to help you onboard customers and perform perpetual KYC to ensure you operate the most effective and efficient risk management and compliance program for your business - all the time.

Please get in touch to discuss your KYC requirements – we would love to help.