Shatter the hourglass: strategies to implement ongoing due diligence

Replacing scheduled refresh risk management, ongoing due diligence uses natural touch points and monitoring to decide when to refresh.

In brief

• Both companies and customers can benefit from ongoing due diligence programs that are less burdensome and costly.
• By defining the right triggers and appropriate risk tolerance, companies can tailor their risk management programs to be a better fit.
• Below are examples, benefits and concepts for consideration when designing and adopting ongoing due diligence programs.

Financial institutions should move now to adopt ongoing due diligence as the next wave of know-your-customer (KYC) refresh risk management. Ongoing due diligence refers to a risk-based approach, based upon risk events and triggers, for maintaining KYC information that replaces traditional scheduled periodic refresh. Ongoing due diligence uses natural client touch points and ongoing monitoring to determine when refresh is necessary, and it targets refreshes that focus on triggering events rather than a full, administrative-laden refresh. For most institutions, ongoing due diligence means a hybrid approach to refreshing customer files leveraging both trigger-based and scheduled reviews for customers representing the highest risk.

While this strategy is transformative, the underlying concepts are not new: monitoring for elevated risk rating change, an adverse media hit and new politically exposed person (PEP) exposure are common elements of refresh programs. Transformation will require investment in technology, data and people strategies; thoughtful leadership; and buy-in from multiple functions across operations, risk, compliance and audit. Transformation should be a “walk, don’t run” approach, with a focus on defining, enabling and proving a concept that is specific to each institution. Financial institutions that successfully move to an ongoing due diligence program will benefit from more effective risk management at lower costs: Because large KYC program costs are significant, the resulting cost savings opportunities are equally significant.

Executing scheduled periodic refresh programs is an onerous and constant challenge for most financial institutions. Given the large operational footprint and impact on customers, significant financial and operational resources are allocated to perform scheduled periodic refresh programs, many of which require direct customer outreach. Based on our experience supporting financial institutions and industry feedback, nearly all scheduled reviews are administrative in nature and do not result in differentiated risk management activities by elevating a risk rating, determining a need to perform enhanced due diligence, spurring an unusual activity report filing, or resulting in termination or exit of a customer relationship. Some financial institutions have expressed to EY that less than 0.1% of scheduled periodic reviews resulted in differentiated risk management. Additionally, refresh activities are frustrating for customers; they are typically asked multiple times for information or documentation, and the process can drag on for months. The employee experience is equally low, and manual, cumbersome processes challenge financial institutions to complete large refresh volumes on time.

Most refresh programs are not built to perform event-driven assessments of customer risk. The resulting status quo is scheduled evaluation of all customer information, which results in imbalanced risk management. The example below illustrates how a scheduled refresh fails to capitalize on an opportunity to customize risk management:

• ABC Restaurant, LLC located in Charlotte, North Carolina
  • Product usage: 10-year term loan opened in 2019
  • No adverse media hits, PEP or sanctions exposure, or transaction monitoring alerts
  • Customer risk rating: low
  • Scheduled refresh in 2024

• XYZ Restaurant, LLC located in Charlotte, North Carolina
  • Product usage: 10-year term loan, demand deposit account and cash vault all opened in 2019
  • No adverse media hits or PEP or sanctions exposure
  • Three transaction monitoring alerts reflecting material cash vault usage variances in 2020
  • Customer risk rating: medium
  • Scheduled refresh in 2022

Scheduled refresh programs differentiate the above customers in one way: timing. Both customers would receive a full refresh, but XYZ would refresh earlier and with more frequency than ABC on the basis of the customer risk scoring. Customized risk management would differentiate their refreshes by (1) refreshing XYZ to review the customer’s increased cash vault usage and assess whether the nature and purpose of account can be reasonably understood and adjusted (e.g., did XYZ benefit from favorable food-critic reviews and enjoy a corresponding uptick in business, or are the observed activities apparently atypical?) and (2) reducing refresh frequency for ABC until there’s a reason to assess the customer’s risk or KYC data (e.g., customer requests to add account signer while stating that there has been a change in beneficial ownership).

While the problem statements are widely understood, the question persists: Will regulators expect scheduled periodic refresh as part of a risk-based anti-money laundering (AML) program? Over the last several years, the Financial Crimes Enforcement Network (FinCEN) has acknowledged that ongoing due diligence can be an effective risk management model:

• May 2018: The Customer Due Diligence Requirements for Financial Institutions rule (CDD Rule) was issued. It states that the requirement to update customer information is risk-based and occurs as a result of “normal monitoring.”¹
• May 2019: FinCEN launched an “innovation hours” initiative to support financial institutions presenting their innovative products, services and approaches that are designed to enhance AML and counter the financing of terrorism efforts.²
• August 2020: FinCEN, in consultation with the federal functional regulators, issued an FAQ document in response to three FAQs regarding customer due diligence requirements. Among the FAQ responses: “There is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule. The requirement to update customer information is risk-based and occurs as a result of normal monitoring.”³
• September 2020: A FinCEN Advanced Notice of Proposed Rulemaking sought “to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”⁴