Corporate Treasury - Approaches & Experiences with KYC & AML

Commentary

Everyone hates KYC and AML, even the banks who do them. No-one ever seems to be able to do anything about it: the collection and handling of the data, while necessary, could, and should, be done better. We know the solutions - but we get, at best, marginal improvements.

We entered our annual visit to the topic without much optimism, but, to our surprise, there was a modicum of good news. Some banks (but by no means all!) are actually getting their act together and almost behaving as though they cared about making life easier for their clients: in a brief poll on LinkedIn, just over 20% of respondents found the situation is improving. For over 35%, it is getting worse, while the rest find it is the same. The (modest) process improvements are being at least offset by an increase in the number and scope of data requests.

When asked which banks they would nominate, if there was a KYC award, most said none. A couple would nominate JPMorgan or BNP Paribas. Even these banks were generally found to delve into excessive detail, but they are willing to agree schedules up front and stick to them. They also shared data between their subsidiaries and branches across countries, so the data only has to be provided once. 

Other banks agreed schedules and then did not abide by them: surprise mid-year data requests are still the rule, and the same data has to be provided to different entities within the bank. HSBC was singled out for this – and according to one peer they also require hard copy documents to be couriered, and frequently lose them - while local banks with whom there was no group wide relationship proved to be uniformly difficult. Another tracks KYC requests by bank and by country, and has found a total lack of consistency: the same bank may renew KYC qualification annually in one country, and every three years in another. Other international banks will have different frequencies in those same countries.

Some countries are more difficult than others: Serbia has long had a reputation for requiring translations and documents validated by the local consulate, while India and many Middle Eastern countries tended to have the same issues.

So the old problem remains: banks often cite a legal or regulatory requirement, but are unable to prove the law or regulation exists. One peer now obtains a legal review of all KYC requests, and only responds if the requirement genuinely exists. For the first time, we heard that a bank had actually tried – unsuccessfully – to charge a client for its own KYC costs. Also, the sanctions themselves are not consistent: most notably, there are countries the US sanctions which the EU does not. This adds further to the confusion: whose list applies?

In last year’s call, [report / commentary here]  a couple of peers had passed KYC processing to an internal shared service centre of competence, often located in a low cost country. There is even an outsourcing company doing this, which has built up expertise on what is acceptable. 

None of the peers on this year’s call has followed this path: they all have a person in their team who handles all the requests and manages duplicate requirements. It was felt that installing a tool or using a shared service centre would amount to accepting Treasury ownership of KYC, when Legal and HR have a part to play. KYC is usually handled in the centre, to avoid having local subsidiaries give in to pressure, but some peers leave local teams to handle KYC with local banks – in part, to dissuade them from insisting on using these banks. Also, some use the banks’ portals to upload documents, even if this means multiple logins and data protocols. Some have developed a standard KYC package, telling banks they need to accept that. 

Some peers did complain that banks who use a shared service centre or have outsourced KYC show no knowledge of the business and tend to be very inflexible.

None of this is new. The big, unwelcome, innovation is the constant expansion of the data. Initially, KYC and AML were linked to crime or sanctions; increasingly, banks are asking for data relating to non sanctioned countries. This happens mostly with China, but any business in Africa or Latin America draws similar attention. It appears to be contagious: some peers find their banks asking them questions (which they generally refuse to answer) about their activities in countries where they do not have a relationship with the bank in question. Peers who have, fully authorised, humanitarian business in sanctioned countries (mostly medical and pharmaceutical) find that disclosing this generates even more questions, even with banks who have no link to that business. 

Banks are also asking more and more questions about internal controls and sanctions screening processes.

On KYC, banks are requiring ever more data on the ultimate beneficial owner (UBO). These requests can be deeply intrusive, including the names and passport copies of all the directors of all entities in the ownership chain, and, in one case, having to explain the origin of the personal wealth of the owners. At the same time, many banks are reducing the threshold for UBO reporting to 10% from 25%.

Many peers are satisfying the UBO requests by providing evidence that all subsidiaries are 100% owned by the parent, which is usually a publicly listed entity. But, as always, some banks are more persistent than others, and insist on obtaining the complete corporate organisation chart, with details of all directors of companies in the ownership structure. It appears the Netherlands now has a regulatory requirement to provide this.

Some peers threatened to close their banking relationships over unreasonable behaviour, but this tactic was not always successful. However, KYC was one reason for reducing banking relationships – some peers on the call have reduced the number of their banks by over 50%.

Bottom line: If there is any light at the end of the tunnel, it is an approaching train. Some banks are sharing information internally, so it is only provided once. But many do not – and most are indifferent to the negative impact on customer relations. Treasurers have tried industry repositories, with no success, and are reluctant to install tools to handle the issue, as this may result in full internal ownership of KYC.

At the same time, the requirements are being expanded to countries which are not the subject of any current sanctions, and the data requested for ultimate beneficial ownership continues to grow and raise privacy issues for directors. 

Although both banks and treasurers complain about this process, they seem to accept it. Treasurers will fire a bank over FX or cash management: for KYC, they will push back and challenge, but usually not much more. Banks seem to be prepared to lose customers rather than water down the requirements of their compliance teams. 

As long as this dynamic holds – and it is probably logical - improvement will be gradual, at best.