Introduction
Achieving robust compliance has become an absolute necessity. Amidst heightened regulatory scrutiny and an increasing focus on consumer protection, financial institutions must ensure adherence to complex regulations. A well-known mantra: “Prevention is better than cure,” truly applies when complying with standards and regulations by understanding the role of risk management principles, says Dr. Sriram Rajagopalan, Inflectra’s Global Head of Agile Strategy & Transformation. Among these regulations, the Know Your Customer (KYC) requirements hold particular significance in the financial industry, supporting this thought process and serving as a cornerstone of compliance efforts.
KYC regulations aim to combat financial crimes such as money laundering, terrorist financing, and fraud by requiring financial institutions to identify, verify, and understand their customers. In the United States, the impetus for these requirements became strong after the 9/11 terrorist attacks: among the lessons learned was that institutions had not adequately established the true identity of their customers or exercised appropriate due diligence, and corrective and preventive actions followed. KYC regulations are not US-specific, however; many countries have defined and refined their own guidelines. Through rigorous KYC-guided processes, financial institutions can mitigate the risks associated with illicit activities, protect their reputation, and foster a culture of integrity.
Understanding the importance of KYC regulations is not merely a matter of regulatory compliance; it is a strategic imperative that safeguards the integrity of financial systems and promotes trust among customers and stakeholders. Financial institutions can demonstrate their commitment to transparency, ethical conduct, and the highest customer service standards by embracing KYC requirements.
Stages of KYC Regulations
Every organization implements its own guidelines and guardrails for managing the work done within it. These are called Organizational Process Assets (OPA) and comprise the policies, processes, and procedures that govern how people develop or manage products, services, and operations. Understanding the differences among policies, processes, and procedures (Rajagopalan, 2019) helps every organization incorporate the elements of applicable standards and regulations into its OPA.
When an organization adopts practices commonly accepted within its industry, such as storing only salted password hashes rather than plaintext or reversibly encrypted passwords, those practices become "de facto" standards. When an organization is obligated by law to follow certain practices, such as obtaining prior express consent before sending marketing text messages to a mobile number (in the United States, a requirement of the Telephone Consumer Protection Act, TCPA), those requirements are "de jure" regulations it must comply with.
Consequently, incorporating the five stages of KYC into the organizational process assets is paramount for compliance. The five stages are customer identification, customer due diligence, risk assessment, ongoing monitoring, and reporting of suspicious activities.
Figure 1: Five Stages of KYC Regulations
Customer Identification
This stage involves collecting basic customer information, such as their name, address, date of birth, and government-issued identification documents. It is essential to use only the government-approved list of identification documents and validate the customer's identity accordingly. As innocuous as it may seem, the customer identification process has also become complex in today's world of sophisticated digital technology and access to financial products, from opening an account online to buying stocks and cryptocurrencies.
For instance, customer identification may not be limited to verifying a single identity document such as a driver's license. It can extend to one or more biometric checks and a secondary form of identification, such as a utility bill or an alternate government or institution-issued identification. From an auditability perspective, evidence of which documents were used for verification, and when and by whom they were verified, may have to be tracked as part of communication management, outside of the product development activities (Project Management Institute, 2017). This warrants additional consideration of how these documents and any further information about them are collected, stored, retrieved, and disposed of. Informational assets such as the documents used for customer identification or customer due diligence are often stored in systems secured under appropriate classification levels to protect against information spillage. These details are typically captured in the OPA mentioned earlier, but may also be explained further in supporting technical processes covering confidentiality, integrity, availability, and non-repudiation.
Customer Due Diligence
Customer due diligence is the process of gathering additional information about customers to assess their risk profile. This information may include the customer's source of wealth, source of funds, and business activities. Customer due diligence aims to understand the customer's business and the potential risks associated with the customer relationship. This stage extends the customer identification process one step further.
Before opening a mortgage account, financial institutions also validate the customer's financial track record against credit bureau files. In a similar step, the customer's identity is screened against government sanctions lists and politically exposed person (PEP) lists; PEP status is not itself a sanction, but it raises the customer's risk rating and typically calls for enhanced due diligence. Much as hiring employees or consultants involves due diligence to determine whether they appear on any sanctions or PEP list, this stage establishes who the customer is for the nature of the relationship required and informs the risk assessment that follows.
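List screening is where most false positives in due diligence come from: the same person appears with transliterated spellings, reordered name parts, missing diacritics, or a partial name. The following Python is an added example, not code from the original article and not part of Spira; the watch-list entries and customer names are constructed, and the 0.85 similarity threshold and the token-containment rule are illustrative design choices rather than regulatory requirements. It normalizes names before comparing them, scores with a character-level similarity plus a partial-name rule, and reports whether a date of birth, when both sides have one, agrees.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed screening list for illustration only (not a real sanctions or PEP list).
WATCHLIST = [
    {"name": "Ivan Petrovich Volkov", "dob": "1965-03-12", "source": "PEP list (constructed)"},
    {"name": "María Elena Díaz Cortés", "dob": None, "source": "sanctions list (constructed)"},
    {"name": "Ahmed El-Sayed", "dob": "1978-11-02", "source": "sanctions list (constructed)"},
]


def normalize(name):
    """Strip diacritics, casefold, drop punctuation and return sorted tokens, so that
    'Díaz Cortés, María Elena' and 'Maria Elena Diaz Cortes' compare as equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", without_marks.casefold())
    return sorted(cleaned.split())


def name_score(tokens_a, tokens_b):
    """Character-level similarity of the normalized names; a shorter name whose
    tokens are all contained in the longer one (e.g. 'Ivan Volkov' vs
    'Ivan Petrovich Volkov') is treated as a strong partial match."""
    ratio = SequenceMatcher(None, " ".join(tokens_a), " ".join(tokens_b)).ratio()
    shorter, longer = (tokens_a, tokens_b) if len(tokens_a) <= len(tokens_b) else (tokens_b, tokens_a)
    if len(shorter) >= 2 and set(shorter) <= set(longer):
        ratio = max(ratio, 0.90)  # illustrative score for a partial-name hit
    return ratio


def screen(customer_name, customer_dob=None, threshold=0.85, watchlist=WATCHLIST):
    """Return every watch-list entry scoring at or above the threshold. A hit is a
    case for analyst review, not an automatic rejection; dob_match is None when
    either side lacks a date of birth, False when they disagree."""
    customer_tokens = normalize(customer_name)
    hits = []
    for entry in watchlist:
        score = name_score(customer_tokens, normalize(entry["name"]))
        if score < threshold:
            continue
        dob_match = None
        if customer_dob and entry["dob"]:
            dob_match = customer_dob == entry["dob"]
        hits.append({
            "listed_name": entry["name"],
            "source": entry["source"],
            "score": round(score, 3),
            "dob_match": dob_match,
        })
    return hits


if __name__ == "__main__":
    for name, dob in [("Díaz Cortés, María Elena", None), ("Ivan Volkov", "1965-03-12"),
                      ("Ahmad Elsayed", None), ("Jane Doe", "1990-06-30")]:
        print(name, "->", screen(name, dob))
```

Two practical notes: a score above threshold with a mismatched date of birth should stay visible to the analyst rather than be silently dropped, because list data is often approximate; and production screening additionally needs alias and transliteration handling and the commercial list feeds this toy example does not have.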
Risk Assessment
Risk assessment is not a stand-alone stage. It evaluates the customer's risk profile based on the information gathered during customer identification and due diligence, and it also drives the ongoing monitoring of transactional activity in the account for any misuse or abuse of the financial institution's resources. For instance, the initial risk assessment should consider factors such as the customer's country of residence and the nature of the customer's business before a banking account is opened. If the customer's address later moves to a different country, or transactions involve sending or receiving money from questionable sources, those activities may have to be monitored and evaluated, and the risk rating revisited.
Ongoing Monitoring
Ongoing monitoring is the process of watching customer accounts for suspicious activity. This may involve reviewing customer transactions, account balances, and other account activity. It may also cover account-takeover indicators such as logins from a location the customer does not usually log in from, or frequent requests for credit line increases. Freezing the account, engaging in dispute discussions with the customer, and documenting those discussions may also be required. Such monitoring aims to detect activity that may indicate money laundering, terrorist financing, or other financial crimes.
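The risk assessment and ongoing monitoring stages above both reduce to replaying account events against the profile established at onboarding. The following Python is an added example, not code from the original article and not part of Spira; the customer profile, the event stream, the "XX" country code and the high-risk counterparty list are constructed, and the window, request count and volume multiplier are illustrative tuning parameters rather than regulatory thresholds. It raises an alert for a login from a country never confirmed for the customer, for repeated credit line increase requests, for a transfer with a flagged counterparty, for monthly volume far above what due diligence recorded, and for a change of residence country that should trigger a fresh risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDD profile captured at onboarding (not real customer data).
CUSTOMER = {
    "id": "C-1001",
    "residence_country": "GB",
    "declared_monthly_volume": 5_000.00,  # expected activity from source-of-funds questions
}

# Constructed internal list of counterparties flagged by compliance (casefolded names).
HIGH_RISK_COUNTERPARTIES = {"shell exports sa"}

# Constructed account event stream, oldest first; "XX" is a placeholder country code.
EVENTS = [
    {"ts": "2024-05-01T09:12:00", "type": "login", "country": "GB"},
    {"ts": "2024-05-03T18:40:00", "type": "transfer", "amount": 1_200.00, "counterparty": "ACME Ltd"},
    {"ts": "2024-05-10T08:05:00", "type": "login", "country": "GB"},
    {"ts": "2024-05-11T02:17:00", "type": "login", "country": "XX"},
    {"ts": "2024-05-11T02:20:00", "type": "credit_line_increase_request"},
    {"ts": "2024-05-12T02:21:00", "type": "credit_line_increase_request"},
    {"ts": "2024-05-13T02:22:00", "type": "credit_line_increase_request"},
    {"ts": "2024-05-14T11:00:00", "type": "transfer", "amount": 18_000.00, "counterparty": "Shell Exports SA"},
    {"ts": "2024-05-15T11:00:00", "type": "address_change", "country": "XX"},
]


def evaluate(customer, events, high_risk, window_days=30, max_requests=2, volume_multiplier=3.0):
    """Replay events in order and return alerts for an analyst to review.
    Every rule compares current behaviour with the profile from due diligence."""
    alerts = []
    known_countries = {customer["residence_country"]}
    request_times = []
    monthly_volume = defaultdict(float)
    volume_alerted = set()

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["type"]

        if kind == "login":
            # Unusual location: a country never confirmed for this customer. The new
            # country is deliberately not learned automatically; an analyst confirms it,
            # otherwise a second login from an attacker's location would look normal.
            if ev["country"] not in known_countries:
                alerts.append({"rule": "NEW_LOGIN_COUNTRY", "at": ts,
                               "detail": f"login from {ev['country']}; known {sorted(known_countries)}"})

        elif kind == "credit_line_increase_request":
            # Sliding window: keep only requests within window_days of this one.
            request_times = [t for t in request_times if ts - t <= timedelta(days=window_days)]
            request_times.append(ts)
            if len(request_times) > max_requests:
                alerts.append({"rule": "REPEATED_CREDIT_LINE_REQUESTS", "at": ts,
                               "detail": f"{len(request_times)} requests within {window_days} days"})

        elif kind == "transfer":
            if ev["counterparty"].casefold() in high_risk:
                alerts.append({"rule": "HIGH_RISK_COUNTERPARTY", "at": ts, "detail": ev["counterparty"]})
            month = (ts.year, ts.month)
            monthly_volume[month] += ev["amount"]
            expected = volume_multiplier * customer["declared_monthly_volume"]
            if monthly_volume[month] > expected and month not in volume_alerted:
                volume_alerted.add(month)  # one alert per month, not one per transfer
                alerts.append({"rule": "VOLUME_EXCEEDS_PROFILE", "at": ts,
                               "detail": f"{monthly_volume[month]:.2f} this month vs declared "
                                         f"{customer['declared_monthly_volume']:.2f}"})

        elif kind == "address_change":
            # A move to another country invalidates the country-based part of the risk rating.
            if ev["country"] != customer["residence_country"]:
                alerts.append({"rule": "RESIDENCE_COUNTRY_CHANGED", "at": ts,
                               "detail": f"{customer['residence_country']} -> {ev['country']}; "
                                         f"re-run risk assessment"})

    return alerts


if __name__ == "__main__":
    for alert in evaluate(CUSTOMER, EVENTS, HIGH_RISK_COUNTERPARTIES):
        print(alert["at"].isoformat(), alert["rule"], alert["detail"])
```

Each alert carries the rule, the timestamp and a human-readable reason, which is the minimum an analyst needs to decide between closing the case, freezing the account, or escalating it to the reporting stage described next. In a real deployment the same rules would run incrementally on each new event rather than over a full replay, and the parameters would be tuned per risk rating.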
Reporting of Suspicious Activities
If a financial institution detects suspicious activity, it is required to report it to the appropriate authorities (in the United States, Suspicious Activity Reports are filed with FinCEN). Depending on the nature of the activity, the relevant authorities may be regional or global. The Suspicious Activity Report (SAR) should include information about the customer, the suspicious activity, and the financial institution's risk assessment.
Implementing KYC Compliance Using Spira
One simple good practice in implementing KYC compliance is to embed compliance considerations in the project delivery processes, starting with requirements gathering and continuing through task breakdown, test case development, defect triage, documentation, and training. Incorporating risk management principles throughout these processes brings KYC considerations to the forefront, so that the project delivery team upholds a "Compliance by Design" mindset, emphasizes Dr. Sriram Rajagopalan.
Components: Business View to Requirements
Spira lets you apply a business lens through the standard "Components" field; requirements can then be associated with each component.
Requirements Management
Defining components this way allows the agile project delivery team to check, during backlog refinement, whether critical requirements for any KYC component have been left out and whether they are sufficiently detailed to meet the "Definition of Ready." Subsequently, when the team refines features into user stories or prioritizes user stories for sprint planning, a balanced view of the requirements covering all the KYC stages is adequately factored in. In predictive projects, the project manager or business analyst can consult subject matter experts to ensure a balanced set of deliverables is incorporated into the work breakdown structure.
Task Association with Requirements
In agile projects, tasks frequently operationalize the "Definition of Done." Because requirements do not always map only to development activities and can also cover management, infrastructure, and other work, Spira allows task types to be categorized and associated with requirements as needed.
In predictive projects, tasks represent the activities in the Work Breakdown Structure. As tasks are completed, the deliverable becomes ready for the next testing phase, and the list of completed activities indicates whether the work packages are ready for testing to begin.
Therefore, Spira tasks allow the project delivery team to proactively tie the increments or deliverables created to their KYC regulatory context and promote ongoing adherence.
Test Case Management
If tasks represent the "Definition of Done," the acceptance criteria in agile projects determine whether the product increment meets the requirements. In predictive projects, the project manager ensures that test cases are developed to verify conformance to the stated requirements as well as non-functional requirements such as performance, portability, reliability, documentation, and training. The delivery team can then list one or more test criteria to ensure adequate test coverage. Having the team cross-pollinate skills to cover compliance considerations fits the pair programming, DevOps, T-shaped skills, and software development engineer in test (SDET) practices that underpin collective accountability in Agile/Scrum teams.
Risk Management
The KYC regulation, like many standards and regulations, is based on risk management principles. Unlike tools that lack risk management as a separate artifact for risk-based prioritization and risk-based testing, Spira provides a risk artifact in its SpiraTeam and SpiraPlan editions. Risks can be assessed qualitatively using discrete scales for probability and impact, and their effect on the project evaluated separately. Because anyone on the team can log a risk, Spira promotes transparency in risk management.
Summary
The Know Your Customer (KYC) regulations are a set of requirements that financial institutions must follow to identify and verify the identity of their customers. Because they aim to prevent money laundering, terrorist financing, and other financial crimes, the KYC regulations are both product- and process-oriented. Understanding the customer identification and customer due diligence stages requires that the team collectively owns responsibility not only for the features released but also for the processes required to support ongoing compliance. Similarly, the ongoing monitoring and reporting stages require a combination of technical considerations while developing the product, so that it can flag fraudulent or suspicious activity, and management processes covering the mandatory reporting needs.
The implementation of the regulations varies from one country to another, and the complexity of the implementation and the penalty for non-conformance varies. It is, therefore, necessary for the product and management teams to focus on:
- Incorporating KYC requirements into the software development processes
- Incorporating KYC processes and policies into the management processes
- Using the tools to facilitate KYC transparency, traceability, and auditability
- Training development and management teams on the KYC requirements
- Incorporating robust testing strategies to support KYC regulations
- Reviewing and updating the procedures to be aligned with KYC needs
References
Project Management Institute (2017). The Standard for Program Management. Newtown Square, PA: Project Management Institute.
Rajagopalan, S. (2019). OPA: Differences among policies, processes, and procedures. Retrieved from https://agilesriram.blogspot.com/2020/04/opa-differences-among-policy-processes.html
Disclaimer
The information provided on this website is to be used for informational purposes only. The information should not be relied upon or construed as legal or compliance advice or opinions. The information is not comprehensive and will not guarantee compliance with any regulation or industry standard. You must not rely on the information found on this website as an alternative to seeking professional advice from your attorney and/or compliance professional.