With changing regulation, increasing market competition and consolidation, especially within the context of the current financial crises, banks and other financial institutions need to better manage risk, reduce cost and increase revenues.
Know Your Customer (KYC) is a niche business process and is often costly and inefficient. The real direct and indirect people costs are high and continue to increase. KYC is also a non-core competency requiring the continuous retraining of a wide range of senior staff and reinvestments in non-revenue-generating policy, procedure and process definition. As an often inefficient and infrequently performed non-core activity, quality and morale can suffer, leading to audit issues such as incomplete or out-of-date files and AML customer events going unrecorded or non-investigated. Furthermore, KYC is also a great source of client dissatisfaction with regular annoyance caused by inexperienced or distracted account managers failing to complete client on-boarding and periodic reviews in a timely or efficient manner, with particular client irritation caused by confusion and numerous follow-up requests for clarifications, alternative or additional documents etc.
KYC process improvement needs to directly address these cost, efficiency, core, quality and satisfaction issues and, by so doing, improve risk management, reduce costs and support front office staff in their efforts to concentrate more on revenue-generating activity.
Process: Lessons Learned
Cost, efficiency, core, quality and satisfaction issues are also common problems in many other business process areas.
With the goal of improving KYC processes, insight can be gained by referring to a number of common IT, engineering and production quality frameworks. These include:
- CMM — Capability Maturity Model
- ITIL — the Information Technology Infrastructure Library for Service Management
- COSO and COBIT — financial and IT control frameworks
- Lean (often associated with The Toyota Way production model) which helps drive organizational (and process) learning
- Agile, an iterative IT development methodology that guarantees the time and the cost and maximises the scope
- Six-Sigma — a data driven approach to measurement and defect reduction
- Balanced Scorecards — a commonly used strategic performance management (and reporting) approach that usually covers a range of financial, operational, customer and organizational health measurements
It is encouraging to note that, according to the Carnegie Mellon Software Engineering Institute (SEI) [1], home to the CMM(I) model, great benefit can be achieved through process improvement. Cost and inefficiency, non-core, quality and client dissatisfaction issues can all be addressed and mitigated through improved processes.
The KYC maturity model described in this article is intended to serve as a resource and technology agnostic directional roadmap to improved KYC processes.
Levels 1 and 2—From Chaotic to Reactive
The KYC maturity model is based on the typical five levels of a standard Capability Maturity Model.
These levels are typically described as Initial, Repeatable, Defined, Managed and Optimized and have very strict meanings. For the purposes of this article, the KYC maturity levels have been somewhat renamed for easier understanding and are depicted below:
Few organizations would be happy to find themselves at Level 1, the Chaotic level. But the one good thing about this level is that the path out of this level is quite clear. The Chaotic attributes—ad-hoc activities, undefined responsibilities, undocumented processes, unpredictable demand, no central control, little systems support and no formal communication—can all be relatively easily addressed and each small improvement will make a quick and real difference.
One common initial step is to implement a "tool." While tools can be useful, they are seldom the only answer. Implementing a "tool" in a Chaotic process will usually result in the creation of a large (but, at least now, defined) backlog of work to do and may help to move the process maturity level from chaotic to Reactive. But Reactive is still rough going — fighting fires, continuous distraction, always running behind the ball.
At some stage, the team needs to really start to think about process definition, engineering and reengineering. Process engineering and reengineering starts with an initial process definition—this can be very basic, but until it is written down or depicted, improvement will be difficult. It is important that all of the various players (the customer, the front office, compliance and the front/mid/back-office KYC analysts) are identified and role-defined and that all activities (task assignment and re-assignment, escalation, Quality Assurance checks and review steps, signoff etc.) are identified.
Such a process definition may already exist, but may not be followed; or may be planned for implementation, but without any enforcement mechanism.
It is not enough to just DEFINE the process. In order to become Proactive, one also needs to ensure that it is being REPEATED and—a big step forward—MEASURED.
Workflow tools can help with enforcing a process—and there are many good workflow tools on the market. While workflow can ensure that a process is being repeated, it is also extremely important that the workflow can support reporting and process inspection and continuous change. Change is, after all, inevitable — and experimentation should be welcomed.
With some level of a defined and improved process in place one can start trying to get ahead of the curve. Now that the process is not only Defined (what you want to happen) but is being Repeated with some degree of regularity and rigor, it can be better Measured.
The Six-Sigma methodology can be very helpful in any attempt to effectively and efficiently measure. The Six-Sigma DMAIC methodology with its Define, Measure, Analyze, Improve and Control stages can be mapped to various KYC process touch points and can help drive improvement by uncovering process variances. (See the supplemental white paper at the end of this article for more detail.)
The process is now Defined, Repeatable and Measured. The process maturity can be said to be Level 3 (Proactive). The defined process is being analyzed, thresholds are being set and some level of predictability is in place.
Level 4—Service Managed
Level 4 (Service Management) takes the defined process and the proactive approach to a whole new level of professionalism. This is where some of the formal ITIL principles (for Service Delivery and Management), some Lean and Agile (process and planning disciplines) lessons and Balanced Scorecard reporting can come in useful. (See the supplemental white paper at the end of this article for more detail on ITIL, Lean, Agile and Balanced Scorecards.)
With balanced, lean and agile services agreed and in place, a KYC operation can start to better integrate into other business processes. The team can also plan to handle peaks in demand by flexing capacity within pre-defined parameters to continue to maximize (prioritized) on-time delivery.
The process improvement journey leads from DEFINED to REPEATABLE and MEASURED and then to PREDICTABLE, PLANNED, BALANCED and PRICED (COSTED). Continued process improvement and optimization over a period can lead to Level 5—Value Management.
Level 5—Value Management
Level 5 is "managing KYC as a business" — a goal worth aiming for in any other internal or external organization.
The Value Management level is where one has not just identified and minimized the COST of KYC but has also identified, captured and shared the VALUE of KYC — and indeed, created value through KYC.
As part of integrating KYC into other business processes as mentioned earlier, one can look to close the loop on, for example, "commercial information":
- information of a potentially commercially-actionable nature that is discovered during KYC analysis can be fed back to the master Customer Relationship Management system
- parent tree information, specifically key directors and persons-of-influence can be communicated back as possible new leads, contacts or influencers
- any media-monitoring put in place to trap "significant AML-relevant events" (e.g., M&As, board changes, new business activities) can be widened to also identify commercially-relevant events (e.g., new deals, partnerships, international expansions etc.)
Likewise, one can also try to close the loop on operational risk information, market and product trend information through various business intelligence reports etc.
The goal here is true integration with the business — as fast as the business can handle, as smart as can be managed and as cost-effective as possible.
That's it, that's the model. It is intended to be as simple and practical as possible — as a way of quickly identifying one's current state and as a simple roadmap to further process improvement.
The Right Mix
Implementing this simple model can be done with a few simple principles in mind — these principles concern the right mix of people, process and technology.
KYC is all about people. Many enhanced due diligence activities cannot be automated — no tool can analyse and verify parent trees, sift through false-positive PEPs and really understand bad press. Only people can do that. People are not cheap and people get distracted. A good resourcing model can maximize morale and limit cost. A professional environment with a focus on experimentation and improvement is also important.
Great processes supported by good technology are important. Not necessarily great technology and good processes, but great processes and good technology. The process should always drive the technology choices. What are great processes? Above all they are capable of Continuous Process Improvement. And what is good technology? Basically, it needs to be "enabling" and open to change. Secure is a must; flexibility should be built in — intuitive is helpful.
Now, more than ever, KYC is necessary and is growing in importance and in cost. Now is the time to improve our processes and adopt service and business value approaches to KYC to better manage risk, reduce costs and free up resources to generate more revenue.