Imperatives for KYC Due Diligence in EU
A few days ago, the OCCRP made a shattering revelation that over 18000 accounts maintained by European banking giant Credit Suisse were linked to criminals, sanctioned individuals and those accused of bribery, corruption and money laundering, among other financial crimes! In the recent past, several other leading European banks have been fined by EU regulators for deficiencies in their KYC CDD compliance measures. The list includes Danske Bank, Deutsche Bank, ING, ABN Amro, DNB, Commerzbank and a few others. All these banks have since spent tremendous effort and resources in transforming their KYC CDD systems and processes towards enhanced compliance.
The European Commission (EC) has issued robust customer due diligence (CDD) directives through the EU MLDs (4th, 5th and 6th) in the past 5 years alone, which provide far-reaching, holistic and effective rules to fight financial crimes. However, the challenge has been their differing interpretation and application across the member states. The KYC frameworks and processes followed by financial institutions (FIs) across the EU member states are not standardized, creating loopholes for criminals to exploit.
KYC & Customer Due Diligence in EU: Requirements vs Current State
Due diligence of customers – individuals and entities – by financial institutions extends beyond the initial KYC covering customer identification and onboarding. The EU MLDs require ongoing due diligence through regular screening of customers for Sanctions and PEP, adverse media scans, beneficial owner identification and due diligence, periodic reviews and risk assessments, among others. While a simplified CDD is sufficient for low and medium risk customers, every high risk customer must be subject to enhanced due diligence (EDD). Digital identification and verification (IDV) tools are encouraged in the due diligence process wherever possible.
The EU member states are at varying levels of maturity in complying with the KYC rules of EU MLDs 4/5/6, as well as in their interpretation and application of the MLDs. Examples include variations in CDD requirements, PEP and adverse media screening, internal controls and customer risk assessments, reporting requirements and so on. Poland, for example, does not mandate periodic review of customers. Hungary requires checking only for self-PEP, not for relatives or close associates. The roles that qualify as PEP, and the duration after stepping down from such a role for which a person is still considered a PEP (the MLD requirement being a minimum of 12 months), vary widely among EU member states.
The same goes for the determination of the beneficial owner as one who holds more than 25% of ownership or control, with criteria and calculations differing across EU states. While Spain uses the >25% rule, others like Austria and Finland use >25% rule. Several countries are yet to make their Corporate Registries public, which was a requirement of MLD4. In some countries like Norway and the Netherlands, Bisnode and KVK respectively (which currently function as national Registries) are being utilized by FIs for BO verification and review. Meanwhile, 6 banks in 4 Nordic countries, i.e. Sweden, Denmark, Norway and Finland, have jointly created Invidem, a shared KYC utility in the region with standardized KYC data, documentation and processes for due diligence of corporate customers.
Steps to Achieve Effective KYC Compliance by EU Financial Institutions
The EC announced in July 2021 the implementation of a Single EU AML Authority, and a Single EU Rulebook to apply common standards of KYC and AML across the EU. This will take effect from 2024, and will harmonize the differences that exist in the application of customer due diligence rules, among others. To strengthen their current KYC CDD frameworks and prepare for the common rulebook implementation, FIs can assess the following areas and initiate remediation/transformation accordingly:
- Digital onboarding using smart IDV – Leveraging biometric and AI enabled tools for digital identification and verification during onboarding, customer data remediation and periodic reviews.
- Risk based review of all customers – Periodic review as required under the current MLDs must be conducted based on the risk level of customers. For example, review high risk customers every 1 year, medium risk in 3 years and low risk in 5 years at a minimum.
- Automated adverse media screening – Replacing traditional web based manual search with AI powered intelligent solutions for negative news and adverse media information on customers and BOs, integrating them with onboarding and ongoing due diligence workflows, and conducting EDD where red flags are identified.
- Beneficial ownership verification from Corporate Registries – In countries where corporate Registries are functional, e.g. Sweden, Spain, Luxembourg and several others, FIs must verify the BO information of their corporate customers from this source. They must also notify the Registry in case they notice any discrepancy while conducting their own due diligence.
- EDD triggers for material changes and high risk events – Conducting EDD on customers irrespective of their risk levels, whenever a high risk event is discovered in their transaction or account behaviour, e.g. adverse news, change in industry, change in source of wealth, change in BO, SAR filed and so on.
FIs must undertake a thorough risk assessment of their KYC and AML frameworks covering all the 22 predicate crimes. They must evaluate the effectiveness of existing controls for inherent risks and define mitigations for the residual risks as benchmarked against the current MLDs.
About the author
Sujata Dasgupta – Global Head of Financial Crime Compliance Advisory at Tata Consultancy Services.