Banking & Securities matters

Making your KYC remediation efforts risk and value-based

Banks are sitting on large know-your-customer (KYC) and due diligence backlogs. Four steps can cut them quickly and improve the customer experience by ensuring remediation efforts are better aligned with business value and the potential risks each customer poses.
 Mette Gade

Serves clients in the financial and pharmaceuticals sectors on large-scale digital and agile transformations with a focus on navigating heavily regulated environments effectively.

 Daniel Mikkelsen

Senior partner in our Financial Services, McKinsey Sustainability, and Risk & Resilience Practices; heads McKinsey Sustainability’s financial work, and works extensively in financial services, risk and compliance, and digital and analytics

Dan Williams
 Dan Williams

Brings hands-on risk-management expertise in the financial-services sector, helping companies transform programs and functions to reduce risk while increasing value

Risk

Banks worldwide have paid over $30 billion in penalties since 2009 for failing to crack down on financial crime. Add to that the reputational cost of getting embroiled in money laundering scandals and it’s not hard to see why banks are so keen to meet anti-money laundering (AML) requirements. Yet many are overwhelmed by the very first steps of the process, finding themselves sitting on large know-your-customer (KYC) and due diligence backlogs.

Why? Firstly because of the scale of the task. Collecting, validating and continually updating data for millions of customers is time consuming, and frequently changing requirements means that approaches to KYC needs to be rethought. In addition, there are plenty of inefficiencies in the process, which remains largely manual to this day. Previously-recorded information is buried in various paper or electronic files, proving hard to access and aggregate. Queries ping pong back and forth between customers, frontline and back-office staff. Customer insights and lessons learned during due diligence aren’t taken into account in monitoring activities or when setting controls.

It needn’t be like this. The same ‘digital first’ approach that has transformed banks’ commercial and operational performance with digital technology and agile methodologies can similarly transform KYC and due diligence. Here are four steps that can quickly cut the backlog, improve the customer experience and, importantly, shift the focus to optimizing value while mitigating risks.

Four steps to ensure a risk-based KYC and due diligence remediation

  1. To manage both risk and value, segment customers more finely. Most banks expend disproportionate effort on customers who pose very little or no risk.
  2. Deploy self-service solutions that are risk-sensitive and carry minimal execution costs. Self-service should be the default option for customers providing KYC information. By automatically posing more questions to customers whose responses suggest higher risk, the burden on less-risky customers is kept to a minimum.
  3. Tailor and track remediation efforts at the individual customer level. This will inform required actions and provide operations, the board and regulators a clear view of how remediation efforts are faring.
  4. To quicken progress, make use of third-party data, external providers and artificial intelligence (AI). There are plenty of off-the-shelf solutions and data providers that can help quickly stitch together an integrated solution. AI can then accelerate learnings from these outputs.

1. To manage both risk and value, segment customers more finely

Existing AML customer risk-rating models will likely identify between 0 and 5 percent of customers as potentially high risk-although in some banking segments this proportion can be higher. These customers are prioritized and undergo enhanced due diligence. The remaining 90-plus percent, however, are grouped into two or three segments, or occasionally only one. As a result most customers undergo similar or barely differentiated levels of KYC and due diligence, with banks often devoting unnecessary resources on the majority of their customers posing minimal or no risk.

A model that segments customers more finely – perhaps into as many as 10 to 30 categories – can ensure remediation efforts are aligned with the level of risk. Building one takes time, however. In the interim, consider a pragmatic approach in keeping with agile principles that strive for incremental improvements and fast learning, using available customer information. For example, customers who only have a deposit account, have pension products, whose transactions are below a certain threshold or whose accounts are inactive, typically pose limited risks. As many as 75 percent of customers may fall into this category. On the other hand, customers who use a range of digital channels or have used a digital channel for onboarding and lack in-person identity verification would fall into a higher priority category.

Often, in-house customer data can be supplemented with external data. Take, for example, knowledge that a customer is a student. One bank used public records on the average wealth of university students in different regions to understand “normal” wealth and banking activity for these customers, enabling IT to categorize most into a lower-risk category.  

This finer segmentation can be used to set appropriate remediation activities, choosing between proactive or reactive contact with customers, for example, and determining various monitoring procedures and controls, such as an automatic alert if a customer moves into a riskier category. Segmentation can also address some regulatory priorities, such as understanding the expected banking activity and source of wealth of a customer, using available data, without the need to ask the customer.

2. Deploy self-service solutions that are risk sensitive and carry minimal execution costs

To lighten banks’ workload, a full self-service solution should be the default option for customers undergoing KYC and due diligence in high volume segments – that is, retail banking, small corporates and, potentially, high wealth customers. Self-service can reduce marginal execution costs to near zero. Because some customers will need assistance, the solution should be configured so that staff can access it as well, whether to help customers  stuck on a certain question or requesting full assistance. Alternatively, staff can contact customers to gather preliminary information, then ask them to complete the process online.

Importantly, self-service solutions should be risk-sensitive, automatically increasing the number of questions proportionate to  a customer profile’s implied risk.  This eases the burden on low-risk customers, ensures the proper information is collected for higher risk customers, and quickly highlights areas where manual intervention may be required.   

Self-service solutions will not be perfect from the outset – which is why they must be  configured so that improvements can be rapidly implemented. One bank found customers stumbled over a question requiring a tax identification number. Quick rewording solved the problem in minutes – something that would have taken a month or more in a typical IT release process.

For customers who prefer to visit a branch or speak on the phone to complete the KYC process, bear in mind that the necessary conversations around spending patterns and sources of wealth also provide an opportunity to offer advice on other products and services, such as investment planning, pension products, and mortgage re-financing.

3. Tailor and track the remediation efforts at the individual customer-level

Remediation efforts will be more powerful if teams follow the approach used by digital marketers. Would-be customers’ online progress is digitally tracked through a “sales funnel”, helping marketers learn where and how best to intervene to keep them moving from the initial consideration of a purchase through to a sale.

In the same way, banks can track each customer’s progress though the KYC and due diligence process, determining appropriate actions at each stage depending on the customer’s preferences, behavioral profile and risk categorization. In marketing language, each customer is a segment of one. For example, an automated pop-up reminder to submit information in a mobile banking app might suffice for many customers. But some may need a second message emphasizing the importance of countering financial crime, and still others a third notifying them that their account has been blocked until the information is submitted. Banks may discover that certain customers respond better to a call than an email, or a better time of day at which to reach them.

It will, of course, take time for banks to clear remediation backlogs and become fully compliant. But an agile approach ensures continuous improvement. Therefore, tracking the remediation status of each segment, expected completion of the remediation and required escalations and sanctions is essential. Make sure progress in meeting timelines and any lessons learned are clear to all. Only then will teams be able to improve the remediation process, and executive management gain comfort with it. Importantly, this transparency also broadens discussions with boards and regulators from a singular focus on whether deadlines have been met to one that also considers whether the highest risks are being appropriately addressed.

4. To quicken progress, make use of third-party data, external providers and artificial intelligence (AI)

In addition to using the vast amount of internal data for pre-population or validation, plenty of help is available for getting the data you need. RegTechs and other providers can provide lists of beneficial owners, politically-exposed persons (PEPs), or those who feature negatively in media coverage. Public registries and utilities can, in some countries, supply tax and salary records. And don’t overlook data generated from customers’ digital footprints, if local regulations allow and customers consent, or location data that can verify a customer’s presence close to a given address.

AI, meanwhile, will not only speed the KYC and due diligence process, but help to improve it continuously. Optical character recognition (OCR), for example, can extract information from old customer records for validation or pre-population. Fuzzy logic can reduce the number of false positives generated when customers or colleagues make typing errors. AI can also ensure that learnings from transaction monitoring or false positives are used to refine initial KYC questions, optimizing not just the KYC process but the full AML value chain.

While the mindset should shift to “digital first,” some manual intervention will still be needed. Make good use of smart workflow tools to ease case handling, as their numbers are growing. The best AML value chains are typically those that stitch together the best platform providers and efficient AI engines for continuous learning loops. No single vendor provides everything you need.

Ultimately, the most important AML value chains may prove to be those established by banks and financial institutions to pool their resources in an AML utility. The aim is not only to share technology costs, but to derive more powerful insights from collective data and crack down harder on financial crime.