Regulators globally have shown financial institutions that violate tough post-crisis compliance rules no mercy and are now, increasingly, showing a determination to also punish corporates that don’t toe the line when it comes to know your customer, anti-money laundering and sanctions.
A decade on from the collapse of Lehman Brothers, regulators across the United States, Europe, Asia Pacific and the Middle East have levied an eye-watering US$26bn in monetary penalties against institutions for KYC, AML and sanctions violations, according to one of the most comprehensive studies of its kind since the financial crisis.
The research by US-based Fenergo, a provider of regulatory and compliance solution to banks and corporates, says inadequate customer due diligence procedures and the lack of cohesive, global KYC and AML compliance programmes were the most common charges levelled at penalised institutions. On the sanctions front, penalties were mostly handed out for screening processes that intentionally ignored the status of sanctioned entities.
Published in October, the Fenergo study draws on analyses of ten years of AML and KYC fines and found that at the regional level, the US accounted for over 90% or US$23.5bn of all global AML, KYC and sanctions-related fines between 2008 and 2018.
Europe followed with US$1.7bn issued in fines over the ten-year period. The current year however has already become a record year for AML fines across the region, with a total of US$903m levied, including the highest European AML fine of the past decade, totalling US$900m and levied by Dutch authorities.
Across APAC, AML-related fines totalling US$609m have been issued in the last ten years. As with Europe, fines across the region this year already amount to a new ten-year record, US$540m in penalties issued over the first eight months of the year. “There is a notably intensified appetite from Singapore and Hong Kong financial regulators to safeguard their respective financial systems by bolstering AML, KYC efforts,” says the report.
In the Middle East, meanwhile, regulators are starting to find their regulatory bite in an attempt to fix a global perception of a ‘light touch’ regulatory regime within the region. The Dubai Financial Services Authority (DFSA) has been the most active regulator in the area, levying five fines totalling US$9.5m for AML contraventions.
As for sanctions violations, they accounted for 20% of the US$26bn issued in enforcement penalties globally on financial firms.
With the implementation of new regulations, including EU’s MiFID II and GDPR; and US Treasury’s FinCEN Final Rule relating to customer due diligence (CDD) over the past year alone, the expectation across the financial industry is that regulators will continue to flex their enforcement muscles. Accenture’s 2018 Compliance Risk Study found that nearly 90% of 150 compliance officers surveyed across banking, capital markets and insurance are anticipating their organisations will boost investment in compliance over the next two years.
Warning for corporates
While both the Fenergo and Accenture studies are focused very much on financial institutions, their findings are a powerful signal to corporates that as clients of financial services firms they too will, inevitably, come under greater scrutiny under KYC, AML and sanctions rules.
The sanctions space has been especially lively this year thanks to US President Trump’s willingness to slap new rules on not just countries like Iran, Syria, Russia and North Korea but organisations and individuals as well. Data gathered by US law firm Gibson Dunn earlier this year shows that across the full range of US sanctions programmes, nearly new 1,000 entities and individuals were blacklisted during 2017. That represented a near 30% increase over the number added during President Obama’s last year in office, and a nearly three-fold increase over the number added during Obama’s first year in office.
A notable recent instance of a corporate being snared by US sanctions is Chinese telecom equipment maker ZTE, which was charged with “egregious” violations of rules on Iran and North Korea. In May the company was allowed to resume operating in the US but only after paying a US$1.3bn fine. It also had to change its management and board, hire American compliance officers and provide “high-level security guarantees”.
With sanctions rules there is no room for ignorance. Last year PayPal was fined over US$7m for breaking the US Weapons of Mass Destruction Proliferators Sanctions Regulations after unwittingly processing payments for a sanctioned individual. Elsewhere, US medical company Alcon Labs has been fined more than US$7m for selling medical equipment to customers in Iran and Sudan, and the PanAmerican Seed Company had to cough up US$4.3m for selling flower seeds to Iranian distributors.
Parth Desai, founder and CEO of payment compliance platform Pelican, says that, increasingly, personal executives are being held to account and individually fined by regulators following corporate non-compliance. The negative impact on business reputations of being shamed can be even more significant than the direct financial penalties imposed, he says.
“Despite these risks, there is still a reluctance among some companies to onboard proper sanctions screening processes, with many erroneously believing it is enough for their banks to do all screening,” says Desai. “As many companies have learnt the hard way, there is no excuse the regulators will accept for a failure to put in place adequate systems and processes to ensure all relevant sanctions obligations are adhered to.”
Desai says that while many companies around the world are either planning, implementing or already using sanctions screening and fraud prevention solutions, others are facing either compliance disaster or fraud exposure.
How companies handle their data is no longer simply about compliance – it is a competitive differentiator. Firms that fail to have a cohesive strategy and programme in place will struggle to succeed at best, or create a ticking time bomb at worst, Desai warns, adding: “Action is better than inaction – and complacency can lead to disaster.”
The KYC challenge
Corporates face many challenges on the KYC front too. A Thomson Reuters global survey of 1,122 decision makers, including treasurers and finance directors in non-financial corporations, found that banks are looking to alleviate some of the regulatory pressure on them by increasing the volume of KYC information they require from companies. An indication of the much tougher regulatory climate for banks is that, according to Fenergo, between 2009 and 2012 alone, more than 50,000 regulations were published across the G20 group of countries, with almost 50,000 regulatory updates rolled out over 2015. Not surprisingly, major financial institutions are spending between US$900m and US$1.3bn a year on financial crime compliance.
The Thomson Reuters study, which surveyed firms in countries including Singapore, Hong Kong, USA, UK, France and Germany, also found that the KYC burden on companies is being magnified by their high number of banking relationships. On average, each corporate surveyed had ten global banking relationships, with bigger organisations having more banking relationships, as many as 14 in some cases. Such multiple banking relationships make managing the provision of KYC documentation to financial counterparties significantly more time-consuming and complex for corporates.
The research furthermore reveals that banks were taking longer to onboard corporate clients who in turn were not passing on a significant proportion of material changes needed for KYC processing. As a result, senior managers within corporates were spending valuable time responding to multiple requests for compliance-related information.
One of the biggest bugbears for corporates is financial institutions’ lack of common KYC standards. As a result, document requests vary by bank and geography, making it difficult for corporates to predict exactly what will be required. Institutions and regulators have shown they are committed to moving towards standardised KYC requirements but there is still an awful long way to go.
As many companies have learnt the hard way, there is no excuse the regulators will accept for a failure to put in place adequate systems and processes to ensure all relevant sanctions obligations are adhered to.
Parth Desai, founder and CEO, Pelican
Not surprisingly, third-party providers have spotted an opportunity to provide KYC solutions that address the needs of all parties. SWIFT was one of the first to spot the opening. Its KYC Registry provides banks with information on their correspondent and downstream relationships in a shared platform that manages and exchanges standardised KYC data. Other managed service providers offer more than a repository, tailoring in-depth due diligence for banks, investment managers and corporates.
Yet the Holy Grail of standardised, automated KYC, is still some way off. One reason is that banks still have their own on-boarding methods. David Fleet, Managing Director, Client On-boarding and Management at Standard Chartered Bank in Singapore explains: “There are still requirements for additional data over and above what the utility collects.”
And banks cling to their own practices because ultimate KYC responsibility remains with them. “The danger is that if the provider gets it wrong, the bank remains on the hook. Banks can’t outsource their responsibility,” says Tom Devlin, Partner at law firm Stephen Platt & Associates. Competition amongst banks is also a factor impeding collaboration. Similarly, the proliferation of competitive KYC services chasing the same segment reduces the chance of industry-wide standards.
Some experts believe that only when regulators deliberately specify clear KYC parameters and requirements, will shared platforms or ‘one-stop-shops’ really work. “Regulators refuse to tell banks what constitutes adequate KYC and banks continue to dream up more and more ridiculous KYC criteria for their clients,” says David Blair, Managing Director of Singapore-based Acarate Consulting.
Blockchain to the rescue?
With little sign of a resolution any time soon to the conflicting demands and priorities of financial institutions and corporates when it comes to KYC, interest is growing in blockchain technology as a potential solution. As an immutable shared digital ledger of transactions maintained by a network of computers rather than a centralised authority, blockchain could be used to safely store and share validated data such as KYC documentation amongst banks. Such a facility could help remove the need for duplication of information and enable updates to client details on the KYC ledger to be made available to all banks in close to real time. The ledger could also provide a historical record of all documents shared and compliance activities undertaken for each client, addressing the needs of the regulator.
Efforts to explore the application of blockchain to KYC have intensified over the last two years. And while any commercial exploitation of the technology for KYC remains some way off, there have been some notable advances. Last year, for instance, the R3 blockchain consortium reported that more than three dozen of its members – including BNP Paribas, China Merchants Bank and Deutsche Bank – had carried out a global trial of a KYC application built on a blockchain platform.
The four-day trial saw 39 firms carry out over 300 transactions in 19 countries across eight time zones. Banks were able to request access to customer KYC test data, whilst customers could approve requests and revoke access. Customers were also able to update their test data which was then automatically updated for all banks with permission to access it.
R3 says the system reduces duplication and costs by eliminating the need for each institution to individually attest and update KYC records. And, because only those with a need to see data have access to it, there are no data privacy and security issues.
Elsewhere, KPMG in Singapore has worked with a consortium of three banks in Singapore – HSBC, OCBC, and Mitsubishi UFJ Financial Group – as well as the Singaporean regulator Info-communications Media Development Authority to develop a proof-of-concept KYC utility on a blockchain platform. The prototype successfully passed the Monetary Authority of Singapore’s test scenarios. In addition to stability, efficiency and security, the platform could, says KPMG, result in estimated cost savings of 25%-50% by reducing duplication and providing a clear audit trail.
IT giant IBM meanwhile has been working with banks around the world on early stage shared KYC projects based on blockchain. Earlier this year it announced successful completion of a proof of concept KYC blockchain platform in collaboration with Deutsche Bank and HSBC.
Although the cost of KYC is a huge part of the motivation for sharing KYC information across banks securely, for IBM the customer experience is an even bigger factor: “Banking clients are constantly asked to provide the same information, over and over again. For corporations,this can be very tedious, given the amount of certified information and documents they need to provide. By sharing KYC information across banks,the burden can be reduced, translating to faster onboarding and less work for customers.”
IBM believes one of the key aspects of blockchain that fits well with these objectives is its ability to allow the customer – individual or corporate – to dictate with whom they want to share information and for what purpose, without needing the banks to be involved in the middle. Those types of capabilities are very difficult to achieve without using blockchain technology, it says.