What’s Perpetual KYC and How Can I Implement pKYC Successfully?
March 11th, 2024
In this 7-minute read, discover how you can use perpetual KYC to ensure continuous compliance.
Perpetual KYC (pKYC), also known as event-driven KYC, is seen by many as the solution to ensuring continuous compliance and risk management when it comes to Know Your Customer (KYC) and Know Your Business (KYB) processes. But what’s pKYC, what does it look like in practice, and what does it take to implement it successfully?
To learn more about pKYC, I interviewed Carl Kemmerer, a subject matter expert and Senior Product Manager at NICE Actimize. Before joining NICE Actimize, Carl spent almost 25 years working at a financial institution (FI) in New York, running a KYC program himself.
He now uses that experience to shape NICE Actimize’s X-Sight Entity Risk product, delivering the tools FIs need to minimize risk, reduce fraud losses, and improve AML compliance. With significant expertise developed over his career, Carl is a true KYC historian who has seen how the field has changed over the years, integrating new approaches and processes.
Interview Q&A:
What are the differences between traditional and perpetual KYC?
To compare the two, we must look at the history of how the traditional KYC process began and how it has evolved over the years.
One of the key attributes of a traditional KYC approach is the concept of time-based, periodic reviews. Institutions onboard a client and, if it’s a low-risk client, perform their next review in three or five years depending on their specific policy. Many institutions still follow this method today.
To understand why time-based periodic reviews were initially put in place, you must go back to the early 2000s and the U.S. Patriot Act. At that time, we didn’t have digital platforms. We were still using physical files, phone calls, faxes, and email. Much of the information FIs captured was in paper form.
So, for example, when we screened clients, it was done manually. FIs didn’t have access to content providers like we do today. The ability to automate through screen scraping or APIs didn’t exist back then.
Therefore, time-based periodic reviews were a way of managing the manual effort required. FIs didn’t have the resources to continuously review clients and their risk. The traditional KYC model was based on the technology, resources, content, and third-party services of the day.
We’ve come a long way since then. New technology, content, and third-party services have empowered institutions to conduct ongoing KYC checks, reviewing clients based on client behavior and any changes they see, rather than on a fixed time basis. This running process is pKYC. It enables FIs to look at all of their clients and confidently say they’re continuously compliant.
How can pKYC help institutions better manage their risk and their regulatory obligations?
In the United States, FinCEN’s CDD rules have warnings to say that FIs should look for and update their clients’ profiles on an ongoing basis. In the EU, the 4th Money Laundering Directive says that, as part of CDD, organizations must conduct ongoing monitoring of the customer relationship, including scrutiny of transactions undertaken throughout the course of that relationship. pKYC directly helps FIs comply with both regulations.
But perpetual KYC is not only about regulatory requirements. It also helps FIs understand the opportunities a client presents, improving engagement and personalizing banking services to the needs of the client as they change in real time. Not at the next periodic review.
However, many FIs are not currently taking advantage of the technology and third-party service providers available to do this. By technology, I mean content but also APIs in rules orchestration. There are many opportunities to improve so that you can constantly look for changes and better know your clients and the risks they present.
A lot of organizations are concerned about how scalable pKYC is, given FIs must evaluate clients on an ongoing basis. Does pKYC create more work?
This is a common concern people have when they talk about continuous compliance or pKYC. Time-based reviews give FIs a level of certainty. By knowing how long it takes to perform a review and how many periodic reviews need to be done a month, FIs can align their resources and staff accordingly.
The certainty of time-based reviews offers easier, but not necessarily better, management of operational risks (or of operational risks associated with KYC/AML client reviews). If FIs know they can manage the workload, they can ensure that operational risks do not become compliance or regulatory risks.
The uncertainty introduced by pKYC is indicative of the cultural mindset shift that banks need to make when moving to continuous compliance. When a bank is continuously compliant, the focus shifts from planning for how much work will need to be done over the next few months to addressing changes that impact risk as they are happening.
When you do a periodic review, you are reviewing the entire file. When you do KYC continuously, based on events, you are only looking at the changes. You are saying, “What’s changed? And how does it impact the risk?”
By shifting your mindset to say, “We are going to benefit from understanding our clients’ risks and opportunities as changes occur,” you no longer need to rely on periodic reviews. When you can prove that you are continuously compliant every month, periodic reviews become redundant work. You can streamline your efforts and refocus resources on material risks to your institution.
I’m a runner, and I think a good analogy for this cultural shift is the difference between people who are runners and people who train to run a specific race, say a 10k or a half marathon. These people train, follow a plan, finish the event, and that’s it. They’ve achieved what they wanted.
In contrast, a runner is someone who trains and runs every day for years and years. They see themselves as a “runner,” and they do it continuously. It is part of their DNA, their culture. Both types of people might run the same race, but for some people, the end of the race is the finish line. They just wanted to run a specific race.
Taking the analogy to KYC, time-based periodic reviews are the same as periodically running a race. If you do it on an ongoing basis instead, becoming a “runner,” you are likely to see significant benefits.
If you’re looking at KYC compliance continuously across your entire portfolio, on a frequency of every week or every month, you’re going to be healthier from a financial and regulatory perspective. But continuous compliance has got to become a part of your culture—more than just a to-do item in a checklist.
Similar to how runners need suitable shoes and proper nutrition for a successful race, a lot of institutions also need the right tools to help them shift to a pKYC mindset. What should they look for?
Today, the world is moving toward the concept of API-first. With APIs, all data orchestration can occur at the same time, enabling FIs to bring together the different components of pKYC. They can implement a system that includes events related to every aspect of KYC and processes the resulting changes altogether or automatically triggers downstream actions.
Event-driven, API-first technologies help FIs say, “I can identify events important enough to review and update profiles accordingly, so I am continually compliant across my entire client base.”
So, there is lots of technology out there to help. But where do most FIs go wrong when implementing pKYC?
You need to be able to prove that you can operationally do this without exposing yourself to regulatory risk. Do you have the resources to process this amount of alerts in a safe way?
Banks are often updating processes to move closer to pKYC. But they are doing different pieces of it separately, introducing potential gaps and operational risk. What they need to do is change their resources, policies, procedures, and perhaps some of their platforms to have the common goal: “I need to prove my whole client population is KYC-AML compliant on the first of every month or the first of every quarter.” Aligning on a common goal makes it much easier to proactively identify any gaps and iron out operational concerns, so you are not exposing yourself to regulatory risk.
I know you’re doing some interesting work to help institutions enhance their continuous compliance. Can you talk a little bit about your work and how you’re trying to change the industry today?
When I worked in a bank, we implemented some of the policies, procedures, and technologies we discussed today. Now, at NICE Actimize, we are working to build a solution called Entity Risk that does the same thing—tying together all the components related to pKYC in a single solution that works with your existing infrastructure.
We look at KYC information and link it automatically to external data sources to notify institutions of client profile changes. This can be configured based on risk appetite—whether you want to look for KYC profile changes every week, every month, or every quarter.
It considers customer due diligence, screening, transaction monitoring, and fraud information, bringing together all these disconnected risk signals to return a standardized measure of financial crime risk. This measure gives our customers a quick and easy way of understanding their clients.
If you want to look at your client profiles constantly and consistently, we have the technology to connect all these solutions. We understand not every client uses every NICE Actimize product. But we are exposing our APIs to other platforms that are capturing risk signals or looking for changes so we can connect to wherever connections need to be made.
I just want to close by asking what piece of advice you would give to institutions looking to implement pKYC?
The advice that I would start with is to explore the last time you updated your people, processes, platforms, and approaches to managing KYC-AML regulatory requirements. Do an internal assessment and determine how far away you are from what can be achieved today.
For example, suppose you are still performing manual screening and time-based periodic reviews to show that a corporate client in a higher-risk country is not sanctioned. In that case, that is a gap in proving you’re compliant with existing regulations.
Identify the biggest gaps in your current approach and find lightweight solutions. This is where Entity Risk and what we are doing here at NICE Actimize can help. We can close those gaps with often only marginal changes to the way you operate.