With demonstrated regulatory tolerance for innovation and a broad array of industry approaches, financial institutions should feel empowered to reassess their legacy controls and define a rightsized KYC refresh model. Doing so requires a clear-eyed view into organizational priorities, capabilities and limitations. Institutions should start by understanding the overlap between their regulatory framework and their products, services, customers and geographies before taking the three-step approach shown below.
1. Determine programmatic outcomes of current KYC refresh model
Organizations should perform a data-driven analysis to evaluate whether KYC refresh reviews are productive (i.e., result in material account updates, increased suspicious activity report (SAR) filings or changes in customer risk rating) or administrative (i.e., do not result in material account updates or affect downstream anti-money laundering (AML) risk management activities). Often, refresh models that take a check-the-box approach will have a greater concentration of immaterial outputs, indicating that the program contains inefficiencies and is failing to accurately capture AML risks. In these cases, migration to a more risk-based KYC refresh regime may be appropriate. This can take many forms: deployment of an event-driven model, extended refresh cycles, a reduced scope of refresh reviews (data elements and documents) or negative consent for certain customer data points, to name a few.
2. Assess core controls to test feasibility of risk-based KYC refresh strategy
If current KYC refresh programs are found to be unproductive, institutions should consider whether their broader existing control suite is equipped to support a more risk-based refresh model. Regardless of the form that model takes, institutions should assess their internal operational and technological capabilities to sustain it, including the following:
- Scope and maturity of control suite: event-driven refresh relies on an institution's ability to identify, assess, document and incorporate risk events into a holistic customer risk framework. Can adverse media screening results or politically exposed person alerts identified during daily monitoring be investigated and cycled back into the customer risk rating on an ongoing basis? Can out-of-pattern transaction activity or SAR filings feed into KYC refresh routines? Connectivity between traditionally disparate AML processes is a prerequisite for the success of an event-driven refresh model.
- Comprehensive customer view: risk-based refresh programs avoid unnecessary customer outreach. Financial institutions need a strategy in place to manage the refresh for customers across lines of business and to assess data fields and documentation requirements against procedures. Regulators are increasingly assessing the consistency of customer due diligence (CDD) data quality for higher-risk customers shared across lines of business. The refresh strategy should consider how to identify, and control, the risk attribute misalignment across lines of business that executing a refresh can itself introduce.
- Data quality: a refresh program is only as good as the information it captures. Any reliance on an event-driven model requires a robust assessment of available third-party data sources, including their origin, reliability and coverage. Overall data quality, including whether systems-level lineage and related controls are mature, should inform the refresh strategy. Crucially, institutions must be able to deduplicate their own customer population across business lines to consolidate refresh efforts.
3. Rightsize KYC refresh models
Depending on the outputs from the programmatic review and control assessment, institutions should rethink their existing refresh model in the context of their customer base and service offering. Where a refresh is found to be more administrative in nature or internal risk management controls prove effective, transition to a more targeted refresh approach may be appropriate. For example, a wealth management business line with dedicated relationship managers and a robust control suite might elect to rely on periodic risk attestations in place of a full refresh routine. A commercial bank with a global refresh team and strong ongoing monitoring processes may decide that customer activity reviews need not be performed on certain customer segments during every refresh as a matter of course. By finding the intersection of the risk and productivity curves, institutions can chart a smarter, leaner KYC refresh strategy.