May 9, 2016

The standard of KYC across the financial services industry has been brought into question in recent years following a series of scandals. Negligence and poor controls have damaged banks – both through the large fines imposed on those banks found guilty of violating sanctions with countries such as Iran and North Korea, and the resulting reputational damage. The low quality of assurance around identifying clients has been exemplified by the recent release of the Panama Papers. The public reaction and likely consequences should serve as a warning to banks – improve your KYC or face greater financial and reputational risk.

The release of the Panama Papers, consisting of 11.5 million files from Mossack Fonseca – the world’s 4th largest offshore law firm - has drawn a great deal of attention in the media in recent weeks. Much of the data leaked does not reveal any illegal activity, but rather opaque, yet legitimate, business practices usually designed to minimize tax bills. However; the data reveals how complex ownership structures, offshore shell companies and nominees can be used by those who wish to disguise the ultimate beneficial ownership of funds. The media has taken the opportunity, with some justification, to label these practices as a deliberate attempt by some to a[1]void tax, implicating a number of world’s foremost political and business leaders in the process. Another consequence, not yet highlighted in earnest by the mainstream media, is what hiding beneficial ownership means for financial institutions in the fight against money laundering and terrorist financing.

Any KYC practitioner will know the importance of identifying Beneficial Ownership (BO) of an entity as part of good practice. Identification of beneficial ownership gives banks the opportunity to identify and prevent placement (the first stage of the money laundering process where illegal funds are introducing into the financial system) and layering (the second stage of the money laundering process where a series of transactions aims to distance the funds from the initial criminal conduct). Only by knowing the true source of funds can a bank hope to identify the proceeds of crime, PEPs (Politically Exposed Persons) and funds originating from sanctioned countries.

The ease of identification can vary substantially. Often ownership crosses borders and jurisdictions, including areas with stringent privacy laws and varying levels of publically available information. Identifying the beneficial ownership of a UK company listed on the London Stock Exchange is in most cases a simple check of public records – as public companies are required by law to make such information available. However, doing the same for a private company based offshore is not nearly so simple. Given the expense and time required to deal with these cases, too often KYC is becoming an afterthought as the desire to service a client and transact business outweighs the need to complete due diligence. Too many of these exceptions are being made by banks and other financial institutions and the culture needs to change before changes are enforced by law.

Precedent tells us that the consequences of failing to ensure such processes are effective are both financial and reputational. Making exceptions for clients by shortcutting or overlooking the KYC process is one of the leading reasons behind some of the fines levied against banks in recent years, such as for Standard Chartered $340m (2012) & $300m (2014) fines, ING $619m (2012), HSBC $1.9bn (2012) and BNP Paribas $8.9bn (2014). When you include Credit Suisse’s $2.6bn (2014) fine for assisting with client tax evasion, the potential scale of the risk that banks face with the leak from Mossack Fonseca becomes apparent – especially if the leaked documents reveal something a bank should have captured during onboarding. The FCA has made tackling money laundering one of its priorities for 2016 and has begun making enquiries relating to the leak, as has the US government. A total of 60 financial institutions have been contacted by the FCA in relation to the Panama Papers[1]. Whether this leads to further legal action and prosecutions remains to be seen, but it may be too late for banks to correct any wrong doing yet to be revealed by the masses of leaked data.

Financial institutions have started to focus on their own KYC practices, in some cases considering them to be a competitive advantage. In recent years we have seen commitment by the banks to reform of KYC across the industry with the introduction of several KYC Utilities and common standards[2]. This mutualisation of cost and oversight gives the banks a certain strength in numbers, while also shifting the burden of data collection to the utility firms - but it doesn’t in itself fix any underlying cultural problem and, for some, may be too little too late.

This is an industry that cannot continue to endure the financial and reputational damage caused by lapses in KYC processes. Despite the advances being made, some will always be tempted to weigh the risk of fines and reputation damage against the profit made by transacting with clients before proper due-diligence is conducted. It is the culture which needs to change in order for AML become more effective. KYC first needs to become the norm and this should be embodied by senior management. Banks must consider the introduc[2]tion of zero tolerance policies for front office staff attempting to affect the due-diligence process. You must know your customer before you transact to solve the BO problem.