Most firms we have spoken to have a set of basic rules in place that are used to assign a risk rating to an entity. These are usually based on the geography of the customer, the type of customer, the kind of business the customer wants to do with the bank, and whether that business is appropriate for the customer. In addition, some firms check whether an entity has any listed securities and whether it is regulated by an "approved" regulator; the list of "approved" regulators varies from firm to firm. For higher-risk entities, or entities with affiliated PEPs (politically exposed persons), some firms have a four-eye review process in which a peer must review the work of the KYC investigator. Some firms conduct a four-eye review on all investigations because they want a second set of eyes confirming that an entity is low-risk. More difficult or higher-risk investigations are often assigned to more seasoned analysts.
Our observations reveal that the degree to which financial institutions deploy a risk-based approach depends on three factors:
1) Communication between relationship managers and the KYC team
2) Size of business the customer intends to do with the financial institution
3) The level of "process" employed by the KYC team
The more formal the communication between relationship managers and the KYC team, the more likely it is that critical information about the applicant will be complete. When the KYC team understands the type of business the customer wants to conduct, from which geography, and in what size or volume, it can apply the appropriate level of due diligence. Without such communication, many customers end up being onboarded in the same way, often with less rigorous diligence than their risk profile warrants.
In the case of size of business, a risk-based approach is simply the application of common sense. In the commercial banks we observed there was a strong correlation between the level of due diligence and the size of the loan applied for, both to combat money laundering and to reduce credit risk.