Recently, a third UK high street bank has embarked on a journey of “KYC” refresh. It is contacting all its business account holders, requesting more data about what their company does in order to comply with Sections 27 and 28 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

By Rupert Brown, CTO, Evidology Systems Ltd

Unlike its competitors, the letter sent to customers is much terser in its wording and contains no hint of any new “branded” customer safeguarding initiative by the institution as a palliative. Clearly, this approach is intended to strike a level of fear in its customer base and to elicit a prompt response. It would be interesting to know what has caused this sudden need to play catch-up with its high street peers — might some more significant fines be on their way?

The recent assassination of Al-Qaeda’s leader Ayman al-Zawahiri in a CIA drone strike on the villa where he was sheltering in Kabul serves as a timely reminder as to why there is a continuous battle between governments’ designated financial authorities, who wish to restrict access to sources of funds and prevent their use for malfeasance, and terrorist organisations.

Now, reading back through the above paragraphs, a clear air gap becomes visible between the terms “continuous battle” and “KYC refresh”. The strategic global battle is a continuous one; commercial banks around the world, however, are acting in a piecemeal fashion. Their efforts are supported by legislative amendments as they try to collect nuggets of data about their customers’ activities in refresh initiatives, rather than working co-operatively with customers, for fear of “tipping off” those customers about what information they hold that is raising suspicion.

Moving from a sporadic “refresh” approach to a continuous KYC engagement and analysis process now needs to be the norm. This transition requires major investment and the appropriate use of technology.

The mystery at the heart of all of this is: who has regulatory responsibility to make sure everyone completes the process in a timely and accurate fashion, but also has the powers to intervene and remediate systems that are broken?

Regulators appear to have done little to check that customer online banking platforms are fit for purpose to enable timely KYC data updates. We should note that it has taken five years from the enactment of the legislative amendment in 2017 to instigating this particular “refresh” activity.

Specifically, there needs to be detailed scrutiny into how many customers have been “bullied” into filling manual PDF (or even Microsoft Word) documents as a last resort because their bank’s web facing systems cannot capture the necessary data. What use is there in filling in a form that might be out of date as soon as it is returned because of some new business opportunity that might be spotted on a foreign holiday or a Google search?

Let’s stop and think about this for a moment.

When HSBC was fined at the end of 2021 for money laundering, one of the factors in the judgement against it was the failure to use its existing account surveillance software correctly, i.e. banks should already know who their customers trade with, in which currencies, and the normal operating cycles (monthly, quarterly etc). Nowadays, these basic operational hygiene statistics tend to be dressed up with some glossy coating of “magic” AI as if they have only just been invented.

Moving from the reactive “refresh” approach to one of continuous analysis, therefore, renders most of the new questions irrelevant in most business cases and should enable KYC related anti-money laundering (AML) surveillance to focus purely on the outlier accounts that behave erratically.
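As an added illustration of the continuous-analysis point (example code written for this page, not from the article or any bank's surveillance system): a per-account baseline of counterparties, currencies and payment cycle is built from constructed ledger rows, and later activity is scored against the account's own history, so only the outliers need KYC attention. Account names, counterparties, dates and the cycle tolerance are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed ledger rows (account, date, counterparty, currency, amount); not real bank data.
LEDGER = [
    ("ACME-01", date(2022, 1, 31), "Supplier-DE", "EUR", 12000),
    ("ACME-01", date(2022, 2, 28), "Supplier-DE", "EUR", 11800),
    ("ACME-01", date(2022, 3, 31), "Supplier-DE", "EUR", 12100),
    ("ACME-01", date(2022, 4, 30), "Supplier-DE", "EUR", 12050),  # same party, currency and cycle
    ("ZETA-09", date(2022, 1, 31), "Client-UK", "GBP", 5000),
    ("ZETA-09", date(2022, 2, 28), "Client-UK", "GBP", 5200),
    ("ZETA-09", date(2022, 3, 31), "Client-UK", "GBP", 4900),
    ("ZETA-09", date(2022, 4, 5), "Shell-KY", "USD", 48000),  # new party, new currency, off-cycle
]
CUTOFF = date(2022, 3, 31)  # rows up to here form the baseline; later rows are scored against it

def build_baselines(ledger, cutoff):
    """Per-account profile: who they deal with, in which currencies, and how often."""
    hist = defaultdict(list)
    for acct, day, party, ccy, _amt in sorted(ledger, key=lambda r: r[1]):
        if day <= cutoff:
            hist[acct].append((day, party, ccy))
    baselines = {}
    for acct, rows in hist.items():
        gaps = [(b[0] - a[0]).days for a, b in zip(rows, rows[1:])]
        baselines[acct] = {"parties": {r[1] for r in rows}, "currencies": {r[2] for r in rows},
                           "cycle_days": median(gaps) if gaps else None, "last_seen": rows[-1][0]}
    return baselines

def flag_outliers(ledger, cutoff, cycle_tolerance=0.5):
    """Return {account: [reasons]} for post-cutoff rows that break the account's own baseline."""
    baselines, findings = build_baselines(ledger, cutoff), defaultdict(list)
    for acct, day, party, ccy, _amt in sorted((r for r in ledger if r[1] > cutoff), key=lambda r: r[1]):
        b = baselines.get(acct)
        if b is None:  # nothing to profile against: escalate for manual KYC review
            findings[acct].append("no transaction history before cutoff")
            continue
        for label, seen, val in (("counterparty", b["parties"], party), ("currency", b["currencies"], ccy)):
            if val not in seen:
                findings[acct].append(f"new {label} {val}")
        gap = (day - b["last_seen"]).days
        if b["cycle_days"] and abs(gap - b["cycle_days"]) > cycle_tolerance * b["cycle_days"]:
            findings[acct].append(f"off-cycle: {gap} days since last payment, usual cycle {b['cycle_days']}")
        b["last_seen"] = day  # rolling baseline: it moves with the account rather than a one-off refresh
    return dict(findings)

def run_example():
    return flag_outliers(LEDGER, CUTOFF)
```

ACME-01 keeps its monthly EUR payments to the same supplier and is never surfaced, while ZETA-09 is flagged on three independent grounds from its own history alone, without any questionnaire.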

There is, of course, the libertarian view that companies and individuals should have far fewer surveillance systems imposed on their behaviour — especially when there is the ever-present suspicion of an Orwellian “deep state” seeking to find every opportunity to control and tax “deviant” behaviour.

The reference data boundary between the state and commercial banking sector is part of the problem here: should banks need to collect data about company structures and shareholdings at all when application programming interfaces (APIs) exist to connect to the official national registry?

The challenger banks in the UK have invested time and effort into harnessing the Companies House API specifically to facilitate new business account opening. Why should a company that has submitted its accounts and annual return to the statutory regulatory body (and paid for the privilege) need to do it more than once?

Perhaps the most “meaningless” questions being asked by the banks in this current round of KYC “refresh” questionnaires are those that ask customers to estimate what their company’s turnover will be over the next 12 months. This question is being posed in a world where no economist is currently prepared to make that call, and where inflation could well mean a 20% plus spike in apparent turnover, even though the level of underlying economic activity will do well to remain flat.

One final area ripe for further investigation is how many of these “refresh” programmes are being conducted in-house by full-time bank employees, and how many banks have chosen to contract out this work, treating it as non-core and a one-time activity.

AML legislation is supported by many draconian powers of enforcement against the perpetrators, and for good reason given the sums involved and the social damage that is done. Similar enforcement is needed against poor KYC processing which is, in most cases, the root cause of facilitation.

The Financial Times would like to sponsor your first month’s subscription to Global Risk Regulator. To start your ‘no obligation’ trial please contact: ella.jacob@ft.com