KYC Risk Rating

Under strict Anti-Money Laundering (AML) regulations put in place by national governments, the European Union (EU), the Financial Action Task Force (FATF), and the United Nations (UN), all financial institutions and many types of companies are required to closely monitor their clients’ accounts and report any suspicious activity. These legal requirements often take the form of Know Your Customer (KYC) policies and KYC risk ratings, which are essential in preventing and reducing financial crime.

Excluded from the general test are “standard small customers” who do not wish to undertake particularly extensive or extraordinary business transactions and who have been classified by your rating system in advance in a correspondingly safe risk class. Nevertheless, the origin of funds and assets must generally be clarified. The details of the planned customer relationship such as scope and payment transactions must be rated and recorded.

KYC risk ratings are also important from the perspective of a variety of anti-terrorism and compliance laws and regulations. In particular, various national laws and regulations by international organizations prohibit doing business with certain persons and countries. For example, failure to comply with United States special regulations threatens financial penalties, from fines for executives to the removal of all business licenses in the United States. In addition, the reputational risk that can result from negative headlines in the absence of control is not to be underestimated.

In financial institutions characterized by limited resources and siloed solutions, the response to this has very often been to throw people at the effort. However, this has only added cost and complexity to the process and is not a long-term, sustainable solution. Therefore, there is a need in most organizations for a single, integrated technology platform that efficiently manages all KYC policies and regulatory compliance requirements from initial take-on right through the entire client lifecycle, including regular, ad-hoc and event-triggered reviews, as well as data and documentation refreshes.

All kinds of ratings can be affected, from credit ratings to sustainability ratings.

With a requirement to ensure lifecycle compliance to KYC regulations both on a local and global level, financial institutions and many other companies are necessitated to perform regular client reviews based on assigned risk ratings. KYC touches on the process you put customers through to engage with your business. KYC is considered as the future of the client onboarding process since an efficient identity verification solution helps institutions meet regulations, generate new revenue streams, and reduce risks and costs.

Global regulations highlight KYC as fundamental to a strong AML compliance program. With an appropriate KYC risk rating tool you are gathering the data you need to effectively structure your AML program and take a risk-based approach, comply with regulations and prevent financial crime. Ratings serve as the backbone of global anti-money laundering efforts.

Conducting KYC checks is a process that takes place at onboarding, i.e. identifying your customer and verifying that identity. KYC risk ratings help since KYC is an ongoing process to help you comply with requirements and continuously feed back into risk management and business strategy. You need to ensure that you know who your customer is, what activity you should expect from him, and the overall risk he presents to your organizaiton. KYC risk ratings enable you to monitor that risk and mitigate it.

In the case of legal persons, the type of company, activity, industry, sector code, number of employees, ownership and corporate structure, as well as the most important (expected) financial ratios must be recorded.

In the case of natural persons, in particular the nature of the profession and the purpose of the business relationship must be recorded. In the case of Politically Exposed Persons (PEP), the function and the place of exercise must also be recorded.

Take the System for Award Management (SAM) for an example. Both current and potential government vendors are required to register in SAM in order to be awarded contracts by the Government. In the United States of America, vendors are required to complete a one-time registration to provide basic information relevant to procurement and financial transactions. Vendors must update or renew their registration annually to maintain an active status. SAM allows Government agencies and contractors to search for your company based on your ability, size, location, experience, ownership, and more. In this way, fulfillment of KYC requirements becomes a marketing tool.

The exact meaning of KYC and related acronyms can change across geographies, with some regulators preferring one set of terminology over another.

• US regulators refer to Customer Identification Program (CIP) when it comes to a check against relevant sanctions lists and gathering basic customer information (name, address, date of birth for an individual and an ID number) to form a „reasonable“ belief that the true identity of the customer is known.
• Identity Verification (IDV) tools can be used to verify the identity of a customer, usually by using electronic and non-documentary means to do this.
• A Customer Due Diligence (CDD) is said to provide more information regarding the individual or entity, the line of business they are in or more details about their management or corporate structure and whether there is an politically exposed person (PEP).
• An Enhanced Due Diligence (EDD) is specifically designed for dealing with high-risk or high-net worth customers and large transactions. Because these customers and transactions pose greater risks to the financial sector, they are heavily regulated and monitored in order to ensure that everything is above board. Companies and financial institutions were first compelled to conduct EDD by the USA PATRIOT Act in 2001, a provision which is still in effect today. The Patriot Act also requires that offshore banking institutions, private banking organisations, and correspondent accounts abide by EDD regulations and laws. There are several characteristics that distinguish regular KYC policies from EDD policies. EDD policies are considered to be “rigorous and robust”, meaning that they require significantly more evidence and detailed information to be collected. The entire process of EDD must be documented in detail, and regulators should be able to have immediate access to the data. Professionals are often hired in order to analyse data that is collected regarding clients, and the reliability of information sources is of utmost importance.

By setting transaction monitoring scenarios accordingly, a rating helps to react to the expected activity from that client, for example, the volume, value, and frequency of payments across an account. Throughout the relationship, when those thresholds are breached, rating upgrades or downgrades alert you about

• where this unusual behavior is coming from,
• report it if suspicious, and
• realign expectations if this is to be a new normal for that customer.

All persons involved in the creation of the KYC and subsequent changes to the KYC master document must also be logged.

Key to achieving a reasonable assurance in KYC discovery is acknowledging that, no matter the quality of information used or effort spent on research, it is impossible to be certain that any customer is entirely free from risk. It is always a matter of grades as expressed in ordinal rating scales.

Realising that 100% certainty is not attainable forces compliance officers to take realistic, risk-based approaches to KYC consideration. The prevention of financial crime is a matter of probabilities. By acknowledging that risk can never be eliminated entirely, you can craft anti-money laundering policies by using rating technologies that are both as effective and as unburdensome as possible.

Even when using rating technologies you must still periodically check up on low-risk clients and accounts to ensure that nothing is unusual or out of place. You need to be aware that the risk of criminal financial activity cannot be entirely eliminated.

Reasonable Assurance

A “reasonable” assurance varies depending on various factors, including different national anti-money laundering legislations and the type of financial institution involved, and pertains to how much information should be collected about a customer. Rating whether or not particular customers are high risk and which processes or investigations must be completed if they are, allows a financial institution a reasonable assurance. They must then decide how much is an appropriate amount of information to gather. A good rating allows the financial institution to determine how much time they should spend monitoring the customer’s account, if any.

KYC Remediation

The different ways to go about KYC remediation are pivotal for preventing your company from getting involved in corruption, the terrorist financing, and money laundering. A rating-based KYC remediation tactic could be to screen, verify, and identify customers according to its KYC risk rating. There are many rating products that a company can use to accomplish this efficiently, and it may also be done manually. The remediation process is where they clear up any contradictory data, organize the information they have acquired, and determine what else is left for them to find out about the client.

If a client might be able to launder money or partake in other corrupt activities without any red flags being raised by your rating system your company could get in serious legal trouble down the line, possibly leading to fines and even jail time for employees. Because of their central role in the financial sector, financial institutions are most strictly regulated in regards to appropriate rating systems. They have the responsibility of reporting suspicious activity and helping the government to ensure that money laundering does not occur. Being fully aware of what is going on with your clients’ ratings is the first step towards being protected against backlash from illegal transactions.

As soon as the KYC remediation has been successfully completed, the company can then determine the risk that the client poses and continue to add to their portfolio. This step helps to decide whether the company or financial institution must report the client to authorities for suspicious activity or potential corruption.

KYC Risk Rating

A KYC risk rating is simply a calculation of risk: either that posed by a specific customer or that which an institution faces based on its entire client portfolio. It makes sense to calculate both of these risk ratings as each of them is equally important.

KYC risk ratings might take the following data into account:

• Global sanction lists
• Narrative sanctions
• Indirect bans
• Politically Exposed Persons (PEP)
• Family members and related persons
• State-owned or publicly-owned enterprises
• Global law enforcement lists
• Negative reporting
• Iranian economic interest
• Ship information
• System for Award Management (SAM)

Institutions gather as much data as they can about their customers, and they then compile this into a portfolio. Once the portfolio is completed, they closely analyse the information that they have obtained, and they determine the KYC risk rating of that specific client. If the risk rating is high, that client will be consistently and closely monitored. If the risk rating is low, the client will still be monitored, but not as diligently.

Millions of transactions occur every day throughout the world, meaning that institutions constantly receive vast amounts of data that need to be analyzed in rating systems. KYC risk ratings allow for institutions to quickly and efficiently sift through this information. Many of the KYC risk rating tools are technology-based and at least partly automatized, as manually organizing large quantities of data is ineffective and takes far too long.

A KYC risk rating is also essential for another important reason: it allows institutions to make a evidence-based prediction of what they believe a client’s account should look like in the future. A KYC risk rating is useful for determining whether something is unusual, out of place or suspicious. If a client’s transactions begin to diverge significantly from the institution’s predictions, you will be notified and will be able to further analyze the transactions for suspicious behavior.

If you wish to keep your company free from involvement with corruption and money laundering, it is vital that your KYC risk rating system consistently calculates the KYC risk rating of all your customers. Assigning rating symbols is the surest way to determine which clients present a higher risk to your company, thus allowing you to avoid liability and ensure that these clients are monitored appropriately.

Relevant Adverse Information

Relevant adverse information is simply any information that may cause officials to suspect an individual of being involved in a financial crime and can be acquired from any source. Although one source may appear to be more valid than another, all pieces of information may be looked at. Common sources include the Internet, the media, and other assorted databases. Specific individuals may even provide authorities with relevant adverse information such as proof of previous crimes, drug smuggling, fraud, scams, embezzlement, and theft, or evidence that a person is currently involved in tax evasion or even terrorist financing. Even if the information does not appear to be directly related to the scheme or suspect that is under evaluation, it can still certainly be relevant adverse information. Relevant adverse information does not need to necessarily be proven true, and it can include suspicions.

All relevant adverse information must be taken into consideration by financial institutions and governments when they are trying to track down financial crime and those who are responsible for it. While one piece of information may not seem as important as another, it can still wind up being the key for arresting money launderers and terrorist financers. Because of this fact, many financial institutions that are heavily regulated by KYC policies are required to constantly be on the look out for relevant adverse information in order to discover any hints or tip offs that may aid their investigations.

One of the most common types of relevant adverse information is the past criminal activity of an individual. If it is suspected that a person may be involved in financial crime, and authorities discover that that person has been previously caught for committing another crime, this gives authorities even more reason to suspect that individual to be involved. In contrast, if a person has no criminal history and is not known for associating with individuals who do, they are then at a much lower risk of being involved in something such as a money laundering scheme.

Another type of relevant adverse information that individuals oftentimes look at is if a person is on a sanction watch list. KYC risk ratings would go done since chances are that it is not for a good reason, and that authorities should be on the lookout for them being involved in any financial crime.

Find Help

Meet the legal requirements and make informed decisions to prevent financial crime and corruption in your company:

• Rate the size of risk presented to your institution from a financial, regulatory and reputational perspective
• Achieve top compliance ratings with evolving legislation and ensure a timely and efficient client onboarding
• Implement a rules-driven, evidence-based rating approach to KYC compliance that efficiently focuses resources on higher risk clients
• Automate risk-scoring processes throughout the lifetime of the client, minimizing overall risk to your institution
• Understand the true nature and purpose of the account being set up, investigate sources of wealth and define ultimate beneficial ownership
• Lower the cost of ownership with a flexible solution that can be adapted to respond to a changing regulatory environment
• Make use of a standalone module or a fully integrated one with your client lifecycle management solution
• Have access to a sophisticated rules engines which automatically puts your clients into low, medium or high risk rating categories to gain a clear view of the size of risk presented to your institution from a financial, regulatory and reputational perspective

There is a world-check risk intelligence database which provides accurate and reliable information for substantiated decision-making. Hundreds of specialist analysts around the world gather information from trusted sources such as watchlists, government sources and trusted media. Strict research guidelines are followed.

With our possible partners we are glad to help you find an out-of-the-box, rules-driven solution for all Know Your Customer policy requirements to support regulatory needs across multiple jurisdictions and business lines.

Simplify your business partner screening process with state-of-the-art technology combined with expert knowledge. The world check data is completely structured, aggregated and deduplicated. With flexible deployment methods, you can easily integrate data into a wide variety of in-house screening platforms, cloud-based, or other third-party solutions.

Let us help you with our relevant partners determine all of the client and counterparty data and documentation that is required to support the KYC and regulatory compliance obligations. Make use of dynamic decision tree intelligence to determine the regulatory journey of the client including all the regulations, KYC questionnaires, classifications and risk assessments that need to be adhered to and performed.