What do banks need to know about their customers, but don’t?
Banks know many things about their customers.
They know these things for three reasons. The first is that they have to, writes Steve Goldstein. There are many regulations that require a bank to know its customers, primarily to prevent money-laundering and combat the financing of terrorism.
The second reason is to assess risk. Banks need to know about their customers to determine whether the product the customer needs from the bank is suitable and if the return outweighs the risk.
The final reason is that they want to: the information banks collect about their customers helps them cross-sell different products to the same customer.
At the time of onboarding, different types of customers need to provide banks with different types of information. A residential mortgage applicant, for example, will need to provide information about the property they’re buying and a significant amount of personal financial information. The bank will run consumer credit checks and perhaps civil and criminal record checks. This happens thousands of times a day.
The borrower of a multi-million-dollar project finance loan will not only need to provide information about themselves, but will also need to provide information on everyone associated with the project. Anyone whose financial or legal status might jeopardise the repayment of the project’s financing will come under scrutiny. In almost all cases, banks are supposed to use a “risk-based approach” when collecting due diligence information to meet know-your-customer regulations.
I suspect that somewhere in the world there are rigorous, very demanding regulators who can think of dozens of things banks really need to know about their customers, but currently don’t. My view is that the things that banks need to know about their customers, but don’t, fall into two categories – additional information that should be collected at the time of onboarding, and changes to that information which occur during the life of the banking relationship.
The key set of data that is only partially complete at the time of onboarding is beneficial ownership information. Who actually owns and controls the entity on the other side of the banking relationship? Requirements to obtain beneficial ownership information vary by jurisdiction. A bank’s ability to verify this information is often very limited, or indeed non-existent, and frequently cost-prohibitive. This is such a significant issue that improving beneficial ownership collection is a critical part of the EU’s Fourth Anti-Money Laundering Directive as well as a recent FinCEN Notice of Advanced Rulemaking. The gathering of this information will be costly for banks and will lengthen the time it takes from initial contact with a customer to revenue generation.
One proposal to deal with the beneficial ownership issue in the UK is to create a central registry of beneficial owners that is open to the public. Just recently UK Labour Party leader Ed Miliband threatened that if Labour wins the next election, overseas territories such as Bermuda, Guernsey and Jersey will be blacklisted if they don’t become more transparent. In the US, the FinCEN requirement will be for financial institutions to know and verify the identity of the ultimate beneficial owners (anyone owning more than 25%) of their entity customers.
While these proposals make sense in theory, in practice their value may be limited. With regard to a beneficial ownership registry, to the extent it was strictly enforced, new companies that did not want to share their ownership information might decide to register in less rigorous jurisdictions. And the FinCEN requirement applies only to entities in newly established banking relationships. Financial institutions practically rebelled at the suggestion they would have to collect beneficial ownership information from existing customers.
Let’s assume that regulators were successful in their quest for greater transparency across a majority of jurisdictions. The challenge then becomes keeping the information up to date. A wide range of events can cause a low-risk, fully transparent banking relationship to change without the bank being aware. These can range from the simple – a change in the customer’s domicile – to the complicated – a significant ownership interest in the bank’s customer has been sold or transferred to another entity that did not go through the required KYC checks at the time of onboarding.
As a rule of thumb, low-risk entities get a periodic review every three years, medium-risk every two years, and high-risk every year. But changes can happen quickly (especially in a criminal enterprise), leaving the bank vulnerable.
What can be done? In addition to stricter KYC requirements, financial institutions should consider two things. First, more comprehensive monitoring of basic KYC and reference data information. Banks should be looking for domicile changes, changes in regulatory status, adverse news and changes in PEP status of principals, officers and directors on a regular basis. Second, they should consider sharing basic reference data and due diligence information that is non-competitive. Regulators have started such an initiative with the Legal Entity Identifier, but the information available is limited and it is only updated once a year. More data and more frequent updates would allow banks to better know their customers.