Confronting KYC with less angst

Some financial services companies may be starting to feel like the hurried White Rabbit in the Alice stories as they scurry to meet a variety of regulations containing “know your customer” elements.

Compliance requirements driven by the Know Your Customer (KYC) principle continue to grow, a trend gaining momentum with the 2014 implementation of the U.S. Foreign Account Tax Compliance Act (FATCA). Meanwhile, customers—the heart of KYC—are becoming more mobile and more virtual, making them harder to track as they move, live, and transact across borders. Continuing bank consolidation, both domestic and global, compounds the problem of knowing who customers are, where their money comes from, and where it is going.

Taken together, these developments can leave financial institutions chanting the rabbit’s famous refrain as they struggle to keep up with KYC mandates:

“The hurrier I go, the behinder I get.”

But banks need not go down the rabbit hole of KYC uncertainty, where customer fraud, government scrutiny, serious fines and penalties, and substantial reputational risk can lurk.

Instead, they can use an enterprise approach to fraud and misuse management. This entails applying data analytics to vet, categorize, and isolate potential risks associated with an ever-changing global customer base, as well as to assist with remediation of cases requiring review because of potential KYC violations. The insights that analytics provide can underpin the deployment of policies and procedures to keep track of customers and help prevent bad actors and illegal activities from slipping through the cracks.

KYC: A growing priority

FATCA, which will require reporting on the foreign assets and financial activities of Americans, is one of several government edicts contributing to the KYC imperative. Others playing a role include:

• Foreign Corrupt Practices Act (FCPA), which 1. imposes sanctions on Americans and foreign persons who further corrupt practices, and 2. requires accounting transparency by companies listing securities in the U.S.

• Anti-money laundering (AML) regulations imposed by the U.S. and regulatory bodies and governments across the globe.

• Economic and trade sanctions administered and enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC).

Certainly, banks are working hard to comply with rules and regulations. Still, they can struggle to comply with these strict, at times overlapping requirements, particularly when the institution has grown through mergers and acquisitions. M&A can create an environment in which disparate, siloed data sources and systems exist. Different approaches may be taken to data gathering and management in the legacy organizations, and the sheer size of an institution makes it difficult to gain a view of customers and other businesses and individuals with which an institution has relationships.

Where cracks can occur

Knowing who your customers are can be harder than it might appear, as people crisscross national borders and work in fields, and even countries, that perhaps didn’t exist until recently. Consider these situations:

• A bank discovers that individuals with accounts at the institution are on high-level security watch lists.

• A foreign national purchasing a penthouse apartment in the U.S. is revealed to be the close relative of a politically exposed person being monitored by OFAC.

• A European bank is revealed to be selling securities to foreign nationals living in the United States in violation of U.S. regulations and tax laws.

• A U.S. bank receives government notice of an independent review indicating it has customers who have structured transactions to avoid anti-money laundering laws over a five-year period.

In each of these cases, data analytics potentially could have helped fill information gaps and flag issues before government action. Such capabilities only grow in importance as banks diversify and expand. A bank may acquire other institutions that run different business intelligence systems, trading platforms, and enterprise resource planning (ERP) systems to manage accounts. The systems may not communicate, requiring error-prone manual analysis and reconciliation.

These problems are amplified when M&A activity crosses international boundaries, and new issues arise. For example, a U.S. bank’s anti-money laundering protocols flag transactions above $10,000, but such transactions are not considered problematic in other countries where it operates. Or, the bank may run an application to track individuals by deposit accounts, but the same accounts are known as transactional accounts in an acquired foreign institution. Data cannot be merged and made homogenous without extensive manual effort.

Cultural issues, such as naming conventions, can also arise. A customer may have four names, and depending on the country where he or she seeks to set up an account, use a different one. Or, facilitating payments to public officials, a.k.a. “grease payments,” may be permissible in a particular country, but prohibited under the FCPA or subject to OFAC scrutiny.

Value of enterprise fraud and misuse management

Forward-looking financial services companies are recognizing the potential of advanced technology frameworks, known as Enterprise Fraud and Misuse management (EFM), to help seek out and proactively guard against threats. An EFM program can help financial services firms improve antifraud intelligence, reduce costs, fulfill regulatory obligations, and identify criminal activities that might otherwise go undetected.

Here are five considerations in the development of an EFM program:

1. Adopt an enterprise-wide perspective.

Take a holistic view of fraud and misuse across channels, departments, and functions inside the organization, as well as external threats of criminals, hackers, and fraud rings outside the organization.

2. Work with legacy systems and integrate data.

Integrate antifraud capabilities into existing information systems and technical architectures, without requiring those platforms to be rebuilt or reconfigured. Fuse structured and unstructured data streams from internal operations, accounting, and communications systems, select third-party data providers, and other external data sources to produce enterprise-view insight into transactions, accounts, individuals, and relationships.

3. Apply an analytics suite.

Dissect and understand transactions and events in near-real time by applying sophisticated business rules and advanced analytics including:

• Predictive models to uncover potential fraud patterns and profiles.

• Anomaly detection to flag suspicious behavior.

• Social network analysis to uncover fraud rings.

Calculate fraud risk scores to profile transactions, events, and activity to facilitate downstream review or investigation as necessary. Route the scored results into functional workflow streams, with normal transactions processed in the regular course of business and suspicious transactions channeled to review and investigative teams for follow up inspection.

4. Scale, tailor, and build the solution.

Calibrate the EFM solution to the structure and needs of the organization, including diverse locations and operations. Adapt the solution to specific organizational strategy, priorities, and risk factors. Build the solution incrementally, beginning with pilot project efforts, risk identification exercises, tools assessment, and data source profiling initiatives.

5. Take action.

Protect the organization from identified fraud risk and loss with definitive countermeasures including:

• Blocking fraudulent transactions before assets are compromised.

• Initiating formal investigations and providing evidence for criminal prosecution.

• Negotiating compensation from guilty parties.

• Enhancing internal policies and controls to mitigate future risk.

Optimize business rules, advanced analytics, and scoring models over time by factoring in actual results, newly identified risks and updated intelligence, and changes to organizational strategy, policy, and controls.

Closer look at antifraud analytics capabilities

The requirements to develop analytics capabilities, operate an analytics infrastructure, and review results can exceed what many companies can, or want to commit.

For example, traditional analytics approaches often involve sampling and testing methods that produce a significant amount of “noise” or false positives, which means analysts must sift through thousands of transactions to identify accurate “hits.” Additionally, just keeping up with constantly evolving analytics technology demands a significant time commitment and training. These issues leave many organizations wondering where to begin.

Recent advances in analytics capabilities, tools, and approaches may offer a path forward. New fraud analytics platforms are available to help companies assess their fraud and corruption exposure and help identify the entities, business processes, and transactions with potentially higher risk factors.

These fraud analytics platforms are even available as hosted web services to help companies avoid the costs of building an in-house technology solution. Alternatively, they can serve as an interim infrastructure while in-house capabilities are developed.

Important attributes of a fraud analytics platform include:

• Use of advanced analytics techniques, such as predictive analytics, social network analysis, and geospatial analytics. This can help the bank stay ahead of constantly evolving fraud schemes.

• Assigning and comparing risk scores across multiple risk profiles to determine the leading risk model(s), prioritize transaction and entity reviews, rank transactions and entities according to risk, and focus investigative efforts.

• Adoption of visualization tools that convert raw data, risk scoring, and other information into representations that help discern patterns, trends, anomalies, and other aspects of the data that may not be readily apparent through spreadsheets.

• Implementing text analytics capabilities, such as text matching and text analytics, which allow analysis of complex, unstructured data sets and the profiling of the unstructured text within transactional data.

• Supplementing bank databases through data enrichment through third-party data sources, such as geocoding, address validation, and social security number validation, which can give organizations added context for detecting suspicious events or behaviors.

• Structuring an environment for managing the overall effort, including review, follow up, workflow, and documentation of antifraud-related activities. This step helps an organization mount a coordinated, enterprise-wide fight against fraud, waste, abuse, misuse, and corruption.

With companies collecting increasingly varied amounts and types of data, a fraud analytics platform that has these attributes can help define and address potential fraud and corruption exposures, incidents, and controls.

Build confidence with EFM

Fraud and misuse aren't likely to be eliminated by financial institutions. The challenges merely evolve with time.

However, by taking an EFM approach and integrating a fraud analytics platform, financial institutions can be better equipped to identify and deter potential incidents before they happen, as well as prevent their recurrence if they do.

EFM can also bolster faith among investors and stakeholders that the organization is doing all it can to address fraud threats. It can help keep institutions out of the rabbit hole of KYC uncertainty, where monetary and reputation dangers wait.

About the authors

Dan Krittman is a principal and Tyler Langenkamp is a director in Deloitte Transaction and Business Analytics. Both specialize in analytics services for financial institutions. The authors thank Anthony Brown, formerly of Deloitte, for his contributions to this article.