Preventing Due Diligence Issues with FinTech and RegTech
By Thomas Hook – Pegasystems Inc. for Finextra
Being the subject of an audit or regulatory exam can be a nerve-wracking ordeal. Given most banks' disparate systems, inconsistent manual processes, and ever-present human error, there is generally real fear that an issue will be found, despite the best efforts of competent people. Enter FinTech and RegTech. By utilizing these solutions to unify processes and systems, enforce requirements, centralize data, and perform repetitive, manual tasks, auditees can feel more confident as they approach an audit or regulatory exam.
Below I will discuss some high-level common KYC and due diligence issues I encountered during Anti-Money Laundering (AML) audits and how FinTech and RegTech can help prevent them:
Inability to identify due diligence populations
As in any relationship, an audit or regulatory exam starts with first impressions. Along with requesting policies and procedures, one of the first due diligence related requests from an auditor or regulator is for customer populations to sample from. These can include, among others, a complete population of all new customers onboarded during the test period, the current population of high risk and low risk customers, and the population of customers whose due diligence was subject to a periodic or event driven review during the test period. While this sounds basic, I was involved in several audits in which a line of business could not accurately identify their total population of customers, let alone the more granular populations.
There are KYC and due diligence applications that will allow you to orchestrate due diligence centrally. With an enterprise-wide due diligence solution orchestrating all due diligence reviews, whether new customers or periodic and event driven reviews of existing ones, there will be one source of population information. Information can be easily exported and filtered to let a bank identify the specific populations being requested by an auditor or regulator. Manual error is removed and the test can start off on the right foot.
Due diligence documentation and information is provided late, unorganized, or incomplete
Once sample populations are selected for testing, auditors/regulators will typically request specific due diligence documentation (license, passport, articles of incorporation, shareholder list, etc.) and information (name, address, risk rating, occupation/industry, etc.) related to that customer. Being able to provide this documentation and information in a timely and organized manner is often a first hurdle. In my experience, documentation for a particular customer was sometimes provided over a period of weeks, in an unorganized pile from multiple sources, or the day after the draft audit report was delivered and the issue identified. If you use multiple systems to store different due diligence documents or to onboard different customer types, finding this information becomes a monumental task that often involves manual consolidation. The information and documentation may reside in someone’s email, SharePoint sites, or even in someone’s file drawer. Worse yet, you could have multiple versions of the same information/documentation and not know which one is the most up to date and accurate.
By centralizing your due diligence process and consolidating a customer’s due diligence documentation and information into a single onboarding or KYC application, locating this information is streamlined. KYC and onboarding applications allow you to create master customer profiles to centralize the documentation and information about a customer that relates to meeting due diligence regulations. The information and documentation can be stored in a consistent and organized manner, with a proper audit trail to explain where it came from, when it changed, how it changed, who changed it, etc. In a few mouse clicks you can export that information into a report and provide it to your auditor or regulator.
Due diligence review not performed timely
With periodic or event driven KYC reviews, timing is everything. These reviews have strict deadlines and timeframes. Keeping track of them is nearly impossible for most banks who still rely on spreadsheets to track the due diligence expiration dates and don’t have a centralized system to track material changes to customer information. As a result, these reviews usually happen late or, worse, not at all.
Using a centralized onboarding and due diligence application allows a financial institution to track when due diligence was completed on each customer and set expiration dates on that due diligence. The more sophisticated applications can not only keep track of timing, but also automatically generate those re-reviews prior to their due date to ensure they are completed on time. By adding case management on top of this, the applications can also track the cases and enforce timelines for their completion, automatically nudging an analyst when a re-review’s due date is approaching. For event driven reviews, material information changes can be defined in the KYC application and act as triggers to kick off a new due diligence review once a change occurs. The applications can then track the case to ensure it is completed on time. By increasing automation, the applications increase consistency and timeliness.
Day to day execution of due diligence differs from procedural requirements or regulations
Keeping due diligence policies and procedures up to date is one thing; it is a completely different animal to ensure that those policies and procedures are followed during the day to day collection of due diligence on customers. Many banks rely on checklists to inform their analysts of due diligence requirements. Sometimes those checklists are not updated when policies and procedures are updated, or the updates take so long to make that they are not made until well after new policies and procedures are in effect. The result is that the due diligence being conducted by analysts is inconsistent with the effective policies and procedures.
Additionally, often the checklists leave some discretion or decision making to the analyst. This creates situations in which analysts make the wrong decisions or inconsistently apply due diligence rules to similarly situated customers.
Changing and updating due diligence rules in your due diligence system should not be a 9-12 month process – something that is a consistent problem in the financial services sector. There are solutions out there that allow a bank’s own compliance experts to make the changes, quickly and easily, without needing to be computer coding experts.
The key to ensuring consistency in due diligence execution is to keep your compliance experts in charge, enforce consistency, and remove as much manual decision making as possible. In order to achieve this, due diligence applications will include intent-led logic in their regulatory rulesets to adjust requirements based on responses provided by analysts. Through this logic, requirements can be simplified or expanded in a consistent manner, allowing for the equal treatment of similarly situated customers regardless of who is doing the work.
Additionally, robotics can be a source of consistency (and speed). Using robotic process automation, manual and repetitive collection of information from internal or external sources can be done consistently and efficiently. This removes human error, creates consistency, and allows analysts to focus on synthesizing the information collected.
Without embracing FinTech and RegTech, banks will be unable to keep pace with demanding due diligence requirements and will continue to have trouble demonstrating the due diligence work that they do. Keeping regulators and auditors happy is only one benefit from using these technologies; banks can also reduce operational costs, reduce time to market, and increase customer satisfaction. All in all, it’s a win for everybody.