Anti-money laundering (AML) technology has developed at an unprecedented rate over the last few years. This has brought more confidence to financial organisations as they feel more secure in dealing with customers, however, one aspect of cybersecurity that has not been looked at in as great a depth is customer risk assessment.
Abhishek Chatterjee is the Founder and CEO of Tookitaki, a global regtech company disrupting the regulatory landscape with advanced machine learning solutions in AML compliance and reconciliation. He is a visionary, thought leader and an innovator in the rapidly evolving compliance space and is focused to eradicate human suffering and promote safe, sustainable societies through technology sophistication. He holds a master’s degree in Applied Mathematics from the University of Southern California and has worked in companies like DoubleClick (Google) and JP Morgan.
Speaking to The Fintech Times, Chatterjee explains how companies need to capture a customer’s activity through proper identification of risk indicators and continuously update customer profiles as underlying activities change. Having this done once with long intervals in between isn’t enough:
The rise of neo banks has disrupted the conventional banking landscape with a visible shift towards online banking. The pandemic has led to an irreversible change in consumer behaviour, with a permanent increase in digital services usage. In Southeast Asia, there are now over 400 million internet users across the region, with a digital penetration of 63% set to rise rapidly in coming years. In BCG’s June 2020 REBEX Pulse survey of 17,600 respondents across 30 countries, 16% of those surveyed enrolled into online or mobile banking for the first time as a result of the covid-19 pandemic. This goes to show that this period of transformation has driven even reluctant digital adopters to embrace digital banking for the first time from opening an account to apply for credit.
In recent years, there has been accelerated growth in Asia’s digital banking sector. More fintech and newly licensed virtual banks are coming to market to address the unbanked segment, while traditional banks are transforming to manage costs and achieve operational efficiency in this increasingly competitive landscape.
However, the Know Your Customer (KYC) process is still a vital part of a bank’s anti-money laundering activities, the development of which has been on the rise for the past decade. KYC refers to steps taken by a financial institution (or business) to establish customer identity, understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate), and assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities.
In Southeast Asia, governments are pushing for greater adoption of digital financial services by introducing favourable regulations on digital onboarding, digital banking, and more. Electronic KYC (e-KYC) can help increase financial inclusion. Using AI and biometric technology, e-KYC platforms allow financial institutions to perform their KYC checks and due diligence processes without the need for physical verification. For example, e-KYC technology can reduce the number of in-person checks or even the entire physical exchange. This proves especially critical today as the world seeks to eliminate the covid-19 virus. e-KYC allows customers to access financial services without putting their health at risk.
The most up to date trends affecting KYC processes and their developments includes digital identification, use of virtual banking tools, utilisation of analytics and a unified remote work flow for KYC processes.
Rise in money laundering activities
In 2020, authorities based in the Asia-Pacific region issued fines totalling $5.1billion for breaches of Anti-Money Laundering (AML) laws and related misconduct, which represented a seven-fold increase from 2019.
Money laundering is a serious problem for the global economy, with the sums involved variously estimated at between 2 and 5 percent of global GDP. Financial institutions are required by regulators to help combat money laundering and have invested billions of dollars to comply. Nevertheless, the penalties these institutions incur for compliance failure continue to rise: in 2017, fines were widely reported as having totalled $321billion since 2008 and $42billion in 2016 alone. This suggests that regulators are determined to crack down but also that criminals are becoming increasingly sophisticated.
The need to include equitable risk assessment practices
For the verification of the identities of existing and potential customers to understand their risk profile, financial institutions across the globe are mandated by their regulators to implement customer identification programs. Financial institutions collect as much data as they can about their customers, analyse the data they obtain, determine the risk and provide a risk rating. Customers with a high-risk rating are closely monitored for their actions. Low-risk customers are also monitored but not as diligently as high-risk customers. Even after onboarding a customer, banks periodically update their database about customers. Typically, they do data updates for high-risk customers more frequently than low-risk customers.
Different jurisdictions have different standards for setting up these programs. The following are the widely adopted methods in customer risk assessment:
- Data gathering.
- Gathering of essential information about individual (name, date of birth, address and national identification number) and corporate (name, date of incorporation, registered address, registration number) customers is the first step in the customer identification process. This is done at the time of onboarding and at defined intervals once the customer is onboarded. The depth and frequency of data collection change depending on the type of institutional customers and the type of service requested. After gathering, this data is verified by cross-checking with public databases and consumer reporting agencies. Some institutions and services require physical verification of the customer.
- Customer Due Diligence (CDD)
- CDD procedures attempt to ensure if a customer can be trusted or not. These procedures are important given that doing business with criminals, terrorists and potentially exposed persons (PEPs) can create multiple compliance issues for the company. There are three levels of due diligence:
- Simplified Due Diligence (SDD): This is applicable to very low-value accounts where the perceived compliance risk is significantly low.
- Basic Due Diligence (BDD): This is applicable to most of the customers. Here, financial institutions verify customer identity and assess the risks associated with the customer.
- Enhanced Due Diligence (EDD): EDD is used in high-risk situations where a financial institution requests additional information to have a deeper understanding of the risks associated with a customer.
- In the CDD phase, financial institutions conduct steps to understand the level of due diligence required for each customer. These include gathering information about the customer’s location and nature of business and classifying the risk category. Financial institutions at times conduct continuous research into the customer information to get real-time risk assessment as some customers, who may not be a risk at the time of account opening, may turn into a risky customer in the future. For this research, additional information such as location, occupation, transaction details and payment methods.
- CDD procedures attempt to ensure if a customer can be trusted or not. These procedures are important given that doing business with criminals, terrorists and potentially exposed persons (PEPs) can create multiple compliance issues for the company. There are three levels of due diligence:
- Ongoing monitoring
- In the third phase, financial institutions track customers in real-time with ongoing monitoring of the available data points. Here, they pay attention to the types of services used, transactions carried out and third parties involved. This will help them find out unusual activities that are further investigated. In case the activity gets verified as unnatural, a Suspicious Activity Report (SAR) is filed. This is a complex process and often requires superior data analytics and modern technologies such as artificial intelligence and machine learning.
Building the ability to identify anomalies outside of normal tolerance at pace
Many of the current customer risk rating models are not robust to capture the complexities of modern-day customer risk management of fintech companies. Customer risk ratings are either carried out manually or are based on rudimental data models that use a limited set of pre-defined risk parameters. This leads to inadequate coverage of risk factors which vary in number and weightage from customer to customer. Further, the information for most of these risk parameters is static and collected when an account is opened. Often, information about customers is not updated in the required format and frequency. The current models do not consider all the touchpoints of a customer’s activity map and inaccurately score customers, failing to detect some high-risk customers and often misclassifying thousands of low-risk customers as high risk. Misclassification of customer risk leads to unnecessary case reviews, resulting in high costs and customer dissatisfaction. Adding to this, the static nature of the risk parameters fails to capture the changing behaviour of customers and dynamically adjust the risk ratings, exposing financial institutions to emerging threats.
How AI can help in customer risk scoring
As regulators are becoming more stringent globally around AML compliance, strengthening the AML systems continues to remain among the top priorities. Today, modern technologies like AI and machine learning are getting widespread attention for their ability to improve business processes and regulators are encouraging financial institutions including fintech companies to adopt innovative approaches to combat money laundering. In the area of customer risk scoring, the need of the hour is a sophisticated technology that can capture the complete customer activity through proper identification of risk indicators and continuously update customer profiles as underlying activities change.
Someone once said that nothing can happen for decades and then decades can happen in weeks. What we are seeing in the financial services’ risk assessment space is akin to years of innovation exploding at scale and at pace in the recent past and that is a good sign for the future of the financial services industry.
