The amount of money laundering that occurs each year is equivalent to as much as 5 percent of global GDP, according to the United Nations Office on Drugs and Crime (UNODC).1 The vast majority of these illicit funds pass through the financial system. This creates a challenge for financial institutions in knowing the sources of client funds over the full period of the client relationship. Banks are therefore relying increasingly on periodic know-your-customer (KYC) reviews (as part of ongoing due diligence) in compliance frameworks. However, the KYC process often remains highly manual, which makes it expensive and prone to errors.
Banks typically employ around 10 percent of the workforce in financial-crime-related activities.2 KYC reviews are often the costliest activity. They can be undertaken annually; three- and five-year reviews are also common, with event-driven actions prompting additional reviews. In addition to the frequency, the required resources for outreach, identification, verification, and risk processes all add to the cost.
While most banks have automated some aspects of reviews, few have adopted end-to-end straight-through processing (STP), which can make a significant difference in efficiency. To do this, banks can adopt a strategic mindset and acquire or develop needed technical and organizational capabilities. Implementation and scaling of STP can be a complex undertaking, but leading banks have shown that STP can significantly boost review effectiveness, improve customer service, and enable closer alignment with regulatory obligations.
KYC-review challenges
In conducting KYC reviews, the most common pain points relate to data collection, transaction analysis, and determination of sources of wealth:
- Customer data collection. At many institutions, the collection and documentation of key customer data is done through outreach. Banks manually send emails or even rely on letters sent by case handlers. Data are then copied over into KYC workflow tools. These tasks are often seen as low value, an attitude that leads to institutional inattention—which tends to increase the chance of errors.
- Transaction analysis. More or less half of KYC-review time is spent on transaction analysis. The reasons for the outsize expenditure of time can be diverse. The scope of the exercise can be ill defined, taking between six months and three years. Appropriate tools might be inadequate, such as raw Excel data requiring manual analysis. Descriptive statistics, which can offer a quick view of customer-transaction profiles and red-flag transactions, may be unavailable.
- Sources of wealth. Determining the customer’s source of wealth is another challenge. Case handlers often lack targeted insights—they are unable to categorize data into types of income (salary, investment, rental, and so forth) and do not have access to descriptive statistics for transaction groups. In addition, guidelines on the scope of the investigation and documentation requirements often are not sufficiently detailed.
Banks can address these pain points with a clear, step-by-step workflow, requirements for risk differentiation, standardized ways of working, and automated processes. The degree to which they already do this determines average handling times (Exhibit 1). While many banks have started to automate individual process steps, only a few have implemented end-to-end STP solutions.
STP solutions: Value at stake
Leading organizations have addressed the key pain points in the review process. In doing so, they have been able to reduce case-handling times for mainly low-risk retail-customer portfolios to 20 or 30 percent of the time spent by competitors. In our benchmark analysis, average periodic reviews for low-risk customers can take 100 minutes to complete; for organizations in the best-performing quartile, the reviews are completed in 30 minutes on average, through an approach blending automation and targeted intervention.
To achieve a 30-minute average review time across the low-risk segment, organizations need to be able to use a blend of STP (no handling time) and manual handling (60 to 90 minutes). Experience indicates that the 30-minute average is achievable when 50 to 65 percent of the customer file population is subject to STP.
Complete customer data are essential to success, for both manual and automated case handling. This means that data are collected and validated before the review. Digital tools are critical in this endeavor. Once the data are in good shape, an STP solution or manual case handler can perform a risk assessment without time-consuming and costly outreach.
Through increased automation and shorter case-handling times, leading banks are able to realize a number of benefits:
- Significantly lower KYC operating costs. Depending on the scale of automated reviews and share of customers subject to those processes, banks have been able to streamline KYC work by 20 to 30 percent. As banks move from periodic and event-driven reviews, process automation helps them manage the shift.
- Better-quality KYC reviews. Automating case reviews leads to more standardized, more predictable, and better quality-assurance results. Assuming that standardization and coding of rules is performed correctly, quality can be improved significantly (by a range of 15 to 40 percent, experience indicates). Manual errors are reduced, and the identification and documentation of risks are improved. Rework loops can be shortened as well, as “first time right” ratios and regulatory targets are met more quickly. And the faster institutions are able to scale up KYC capabilities, the sooner they will benefit from quality improvements.
- Improved customer experience. Automating the review process often goes hand in hand with automating the outreach process. Customer-experience scores typically improve, given more streamlined and targeted digital interactions. Banks that are able to ask KYC questions as a natural part of the digital journey, including follow-ups and reminders, tend to achieve high levels of customer satisfaction.
- Higher levels of employee satisfaction. Automation frees up employees from tedious tasks, such as checking for completion, and allows them to spend more time on judgment-focused activities. With end-to-end STP, KYC-operations staff often find their workflows more efficient, their jobs enriched, and their career paths more interesting.
Core components of an STP solution
Building an STP solution requires four distinct steps: defining criteria for automation, determining requirements for data completeness, establishing rules for reviews, and defining review completion and documentation.
Defining the criteria for automation
Banks should assign cases either to STP review, human oversight (targeted review), or full manual review. The total composition will primarily depend on the risk appetite of the individual institution. Some common entry criteria for STP are as follows:
- Specific segments, such as private-wealth customers or retail businesses; the latter could include certain small and medium-size enterprises, such as owner-operated businesses.
- Risk classes, especially low- or medium-risk customers in the retail segment; most banks start their STP journeys here and scale up in a second phase.
- Other common characteristics, such as customers living in a certain geographical location or using accounts for a specific purpose.
Usually excluded from STP review are complex business customers, high-risk segments, and nonstandard accounts. The restriction of STP to low-risk customers only is, however, a common pitfall. In truth, if applied skillfully, STP can eventually be used with customers in higher-risk segments.
Determining requirements for data completeness
An STP approach to KYC reviews can only be undertaken after customer data fields are made complete and up to date. Depending on the bank’s customer risk-rating model, common data fields for low-risk retail customers include the following:
- Static fields, such as name, ID, address, citizenship, date of birth, social-security number, tax eligibility, gender, status as a politically exposed person (PEP), products and services, justified reasons, and roles.
- Behavioral fields, such as (incoming and outgoing) foreign transfers, domestic transfers, source of funds, and cash deposits.
Financial institutions first set the minimum number of data fields required for STP review, categorized by risk rating and segment. For a low-risk retail-banking customer, typically, 20 to 30 data fields are used. Institutions then determine whether data fields are complete (blank or not blank) and up to date. Customer segments that are complete are eligible for STP. The bank should also check whether the data have been validated recently.
Establishing rules for reviews
Institutions need to set the rules for automated review, including drop-off criteria (when customers are dropped from the STP solution) and reintegration possibilities (when customers are restored to STP). How do banks distinguish usual and unusual behavior across the different data fields? Many financial institutions use definitions in their standard operating procedures and case-handling guidelines. However, these definitions can require case-handler judgment and would therefore be insufficiently specific to enable encoding into an STP solution.
To establish the STP rules engine, rules may have to be specified through segmentation analysis or machine-learning patterns. Thresholds could include these examples: no cash deposits in the past 12 months, no foreign transactions in the past 12 months, source of funds limited to a certain value, unknown transactions limited to 20 percent of total volume, or account-turnover maximum at a certain value. An algorithm can be used to check these variables. Where the conditions are not met, the customer would drop off the STP solution.
Depending on the reasons for the drop-off and whether the issue is easily remedied (such as misclassified data or transactions that can be identified and explained), the case could be reintegrated into the STP flow after a targeted human intervention. If the issue is more complex, additional human control will be needed. Unusual cases can be channeled into focused handling or fully manual handling. The exercise of defining these criteria for STP review should start with the bank’s risk appetite and internal standards and be refined into detailed requirements for the STP solution (Exhibit 2).
The criteria for the type of review to be deployed (STP, focused, or fully manual) usually encompass hard behavioral thresholds, in line with the banks’ customer risk-rating model, and anomaly detection or peer-group modeling, designed to identify additional suspicious behavior that may lead to risk reclassifications or offboarding (Exhibit 3). Banks should periodically review the criteria and adjust for new regulation as required.
Defining review completion and documentation
Once all the analyses are completed, a case assessment is generated. Most leading banks choose a concise standard conclusion, including the type of customer reviewed, the type of controls performed, assessment findings (such as no transactions outside determined limits), and risk implications.
An approach to developing an STP solution quickly (“minimum viable product” or MVP) can take between four and nine months. Banks can speed the process by augmenting internal capabilities with third-party components for such activities as customer outreach, data validation, risk rating, and assessment.
Would you like to learn more about our Risk Practice?
Key success factors
The banks that successfully enhanced KYC reviews through STP solutions have commonly done five things right in design and implementation:
- Close up-front stakeholder alignment. Successful projects align stakeholders first, detailing risk requirements across the three lines of defense. Additionally, they often inform regulators in advance about the proposed approach to testing, validation, and quality control.
- An agile, cross-functional team. The team includes representatives from business, operations, IT, and data analytics, as well as engineers, compliance professionals, and those from any other department involved in KYC activities or strategy. The team is ideally ring-fenced to ensure sufficient focus and short feedback loops.
- Testing and validation. Once the STP solution is developed, banks undertake a thorough testing and validation process. After they go live, a continuous quality-control agenda is necessary for cases in the STP flow.
- Clearly defined ownership. The responsibilities for documenting, maintaining, and developing the solution are made clear, and the clarity should extend to the underlying logic for dropping cases from STP into either targeted or full review. Ownership should be unambiguously embedded within the bank’s governance framework, consistent with the division of roles and responsibilities for other (detection) engines and models.
- Focus on data-quality management. Given the importance of automated, upfront data collection, a thorough data-quality management approach is required. The approach includes quality definitions, measurement (including dashboards), and controls.
Moving from highly manual KYC reviews to STP is a challenging task requiring considerable commitment and resources. Banks capable of astute decision making and effective implementation, however, have generated significant benefits. They have become more efficient and effective in combating money laundering and financial crime, improved regulatory compliance, and enhanced their customer and employee experience. You couldn’t ask for more from an operational improvement.