Banks struggle to meet know-your-customer requirements

Not knowing who you are doing business with can be costly if you happen to be a bank. BNP Paribas is facing $9 billion worth of reasons to know your customer (KYC) as US authorities close in on alleged sanction-busting with clients in Sudan between 2002 and 2009, and other European banks are looking nervously over their shoulders, according to one Hong Kong-based executive.

BNP Paribas is the latest in a long list of institutions to have fallen foul of US sanctions rules. At the end of 2012, HSBC had to pay a record $1.9 billion to US authorities for allowing itself to be used to launder drug money out of Mexico. Earlier that year, the authorities hit Standard Chartered Bank with a fine of $340 million for allowing its customers to trade with Iran, which is under US sanctions.

As a result of the move against BNP Paribas, European banks are poring over their back books to see if they could be in the firing line. "It's a question of who they are going to come after next," says the Hong Kong executive.

In the UK, penalties are being imposed on banks that fail to properly safeguard against criminal activity. In January, the Financial Conduct Authority fined Standard Bank £7.6 million for "serious weaknesses" in its internal anti-money laundering (AML) policy.

Financial institutions in Asia look at the fines being imposed in Europe and the US with a certain amount of trepidation, wondering what this might mean for them. For the Hong Kong-based executive it means turning down deals, in the short term at least. In the case of that particular firm, it declined $300,000 worth of business with a China-based corporate because it was impossible to carry out all the due diligence on its ownership structure in the time available to complete the deal.

"With potential multibillion dollar fines on the table for dealing with the wrong firms, it's simply much easier not to do the business," says the executive.

It isn't only Asian corporates with uncertain provenance that are feeling the impact of the emphasis on KYC, says Michael Dawson, Washington-based managing director of consultancy Promontory Financial Group.

"We've had banks in Asia come to us and say they've lost their clearing relationship with the US, and to get it back they need to demonstrate [to their US counterparty] they have enhanced their controls. The banks in Asia know this can happen to them and so they are, in my experience, taking this seriously."

The US, and to a lesser extent the UK, are not the only jurisdictions taking a hard look at KYC. Asian countries are starting to come up with their own flavour of regulation, complete with punitive sanctions.

In June 2013, the Reserve Bank of India (RBI) fined three regional banks – ICICI, HDFC and Axis – for KYC lapses. None of these institutions were prepared to talk to Asia Risk about the steps they were taking to address the failings highlighted by the RBI, in common with the eight or so global banks that declined to go on the record about the issue. A month after inflicting this initial penalty, the RBI fined a further 22 banks for a slew of regulatory failings, including the violation of KYC rules.

Other regulators in Asia have yet to levy any such fines, but some believe the first may be on the way in Hong Kong or Singapore, two jurisdictions where stringent rules on AML and KYC have been drawn up recently.

Regulatory scrutiny

It is not only the possibility of being fined that worries banks. There is also a great deal of concern about increased regulatory scrutiny which is likely to follow any KYC failings. In March 2013, the US Federal Reserve stopped short of fining Citigroup for lacking effective controls over money laundering, but it did instruct the firm to get its house in order.

"Banks are keen to demonstrate good and robust adherence to AML procedures, for fear of attracting greater scrutiny by alerting regulators to possible deficiencies in their practices and having to deal with the associated fallout," says Hugo Williamson, the London-based managing director of Risk Resolution Group, a consultancy.

When JP Morgan agreed to pay $2.6 billion to settle civil and criminal charges for ignoring warnings about the fraudulent activities of investment adviser Bernard Madoff, the main concern was not the size of the payment but the additional scrutiny its transactions might face. Williamson says the cost of reviewing thousands of historical transactions in order to show regulators they are not tainted by the same level of bribery and corruption can be huge, and may result in expenditure far exceeding the original payout.

"[KYC compliance] is of grave concern to financial organisations in India," says Vimala Jose, head of compliance at Geojit BNP Paribas, based in the Indian town of Kochi. "Non-compliance can attract penalties and lead to reputational damage. If the case relates to other incidents, such as money laundering, the penalty could be determined on a case-by-case basis and the reputational damage could be huge."

Banks in the region have been exploring ways of tightening up their KYC and AML procedures. "The market regulator has given very clear guidelines on what is expected from an intermediary... to identify the client and to ensure the authenticity of the documents provided by the client," says Jose. "By putting processes in place, we ensure the guidelines are complied with and identification is done as per requirement."

But, doing everything required to comply with the emerging raft of KYC legislation is proving a challenge for many financial institutions in Asia.

Yasmeen Jaffer, director, European product manager at Markit, a financial information provider, says: "Regulators are becoming far more prescriptive about how banks identify clients and maintain client data. Those that have fallen short have faced heavy fines and today unless a bank is fully confident in its KYC process, there can be an element of doubt in starting to trade with new clients."

One of the key issues is that the data needed for efficient compliance is not always easy to dig up.

"Very often, clients do not provide or are unable to provide the documents required by the regulator, which leads to a lot of time and effort being spent, both by the intermediary and the investor, before an account is opened," says Jose. "While the Securities and Exchange Board of India (Sebi) has initiated some measures to simplify the process, ensuring KYC compliance is still a tedious and expensive process for the intermediaries and investor."

Sebi has made it mandatory for those opening an account to provide a permanent account number (Pan) card, identifying them as a taxpayer. But the problem, says Jose, is that only a very small percentage of people on the subcontinent have such a card.

A similar issue exists in Indonesia, where more than 20% of customers in rural areas lack any kind of formal ID, according to Michael Joyce, a KYC consultant based in the country. "You have to give a lot of thought to the operational implications of how you design your customer-onboarding KYC process. What looks good on paper might not work in the field," he says. Indonesia is often regarded as higher risk for money laundering, which means many regional and international banks operating in the country will need to perform extra due diligence where their customers are concerned. This makes the need to be able to obtain formal documentation all the more important, adds Joyce.

A question of culture

Beyond the logistical challenges of data gathering, cultural sensitivities to sharing personal information are also proving a barrier to successful implementation of AML measures. Under Indian KYC laws, the regulator requires the financial details of clients – such as their annual income and net worth – to be provided. However, while this information is used by the intermediary to monitor money-laundering activities, current regulations do not require institutions to authenticate it, which could point to a hole in the system.

"Culturally, in most Asian countries, people shy away from declaring their wealth, income and so forth. In many cases this information may be incorrectly given by the client by mistake or intentionally, and the surveillance performed by the intermediary may not be serving the purpose," says Jose.

Recently, Markit teamed up with Genpact, a services provider, to launch a new KYC data management service to help financial institutions streamline their client onboarding.

"Companies are struggling with all the different KYC requirements in the various jurisdictions, and there are huge inefficiencies around all of the banks trying to get the same information from underlying clients," Jaffer says.

Markit is not the only service provider seeking to capitalise on all the confusion. Dozens of others have come forward with solutions purporting to make the transition to KYC compliance less painful. Thomson Reuters provides a centralised database of high-risk individuals around the world, which financial organisations can consult in order to decide whether there is a need to step up their due diligence with any of their customers. Financial messaging service provider Swift's centralised KYC database was launched in January and is now being rolled out in Asia.

"KYC regulation [in the region] means that banks have to be able to support a huge management of information, but at the same time their business requires speedy onboarding of clients," says Tom Golding, vice-president of product and proposition at Thomson Reuters. "It is difficult for organisations to get economies of scale if they do all the onboarding in-house, which is why they are increasingly looking at how they can outsource the process."

However, with so many solutions coming on to the market, it is unclear to what extent the various platforms will communicate with one another.

Patrick Pang, managing director and head of fixed income, compliance and tax at the Asia Securities Industry & Financial Markets Association (Asifma), says: "We would encourage industry and regulators to think about having some kind of KYC utility, where someone – this could be a third-party service provider or government – sets up a central database where banks or financial organisations can access the data. So they only have to do one KYC exercise rather than multiple times [per transaction]."

There are huge challenges to overcome, however, before information can be shared around the region freely. A particular issue is the restriction placed by some governments on data leaving their jurisdictions. "This is a problem that people have been grappling with for years. If you can't get the data out of the country, what else can you do?" says Jaffer. "There are very few solutions around this and no one [that we spoke to] had a clear idea of how to efficiently cope with these data challenges."

Singapore, Hong Kong, Malaysia, South Korea and Japan all have fairly rigid data-protection rules in place, but Indonesia is highlighted as causing particular difficulties for pan-regional players.

"Indonesia is often seen as the tough customer and the country that probably causes the most hassle in terms of onshoring requirements," says Joyce. "Singapore also has a lot of restrictions in this respect, but it doesn't matter quite as much because regional banks are more likely to opt for Singapore as their hub."

Joyce believes data-protection rules in Indonesia are likely to get tougher rather than easier. "This is a big problem for anyone looking to get access to Indonesia," he says. "Firms need to make sure they have their data centres housed in the country and they will have to go to great pains to get their systems onshore. This is an issue for many international and regional banks, which prefer to have centralised, hub-based models."

There may be ways of circumventing the restrictive data-protection rules. Singapore, for example, allows personal information to be shared with foreign parties as long as the recipient has adequate levels of protection in place to prevent it being misused. Hong Kong has also introduced such exemptions.

Golding of Thomson Reuters says it is possible to "anonymise" data before taking it out of a particular jurisdiction. "Initial scrutiny of the data can be done at local level and then, in cases where a heightened risk is detected, personal details can be stripped out of the data before it is pushed back to head office," he says, although he concedes such solutions represent an additional overhead for firms wishing to operate in the region.

While KYC legislation has become a particularly hot topic over the past couple of years, as an idea, it has been around for a lot longer.

"Several years ago, many financial institutions saw an efficient KYC process as a way of gaining a competitive edge, in terms of faster onboarding of clients and getting business first," says Pang from Asifma. "I think that kind of mind-set has pretty much gone now, because KYC compliance has become so labour-intensive and most financial institutions now view it as something that just has to be done."

Pang thinks this change in mind-set could encourage industry participants to work together towards a more harmonised KYC compliance system across the region.

However, Paul McSheaffrey, head of banking (Hong Kong) at KPMG, believes the successful companies in this area will be those that not only manage to meet all the new requirements from regulators, but do so in such a way that adds value to their business.

"The majority of institutions may not be able or willing to seek the competitive advantage, but I think this is an opportunity that is being missed," says McSheaffrey. "Intellectually, I can understand why financial institutions take this position, and very often it is a conscious decision for a variety of reasons, but I think the bank that can crack this will have an advantage when we come out of this [regulatory] cycle in a few years' time. Right now the focus is on ‘let's fix the problem', because the risk of not getting it right is too great."