Special Contributor Report: Digitizing Customer Life Cycle Management to Tackle Financial Crime – the delicate balance of capturing customers digitally, conveniently, but calibrating compliance risk quickly, carefully

By Sachin Shah
Financial Crime Compliance SME
January 26, 2023

With edits and content additions by ACFCS VP of Content, Brian Monroe

Background

Customer Life Cycle Management (CLCM) is one of the most strategic focus areas of any of the Regulated Entities (REs) globally in the financial service space, an industrywide initiative spurred by a global pandemic to better virtually onboard and oversee customers.

Right from the point of establishing contact with prospective customers to onboarding them and then finally exiting, it how to digitally welcome customers to everything a bank has to offer has a correlation to the value systems, business models and compliance cultures of all the REs.
This connection transition weaves through the various phases of the CLCM, i.e., identification, validation, verification, authorization, periodic review, customer exit etc., and aims to maintain a delicate balance between customer, convenience and compliance.

Whether it’s the old days of “brick-n-mortar” business models or the new digital era, this taught balance has not lost its importance.

In fact, in the new digital era it has gained an enhanced focus from all the stakeholders of REs.

This renewed scrutiny also exposes firms to an increased level of Financial Crime (FinCrime) risk, which results in greater challenges around optimizing the CLCM by REs globally.

These challenges and tactics to overcome them are also at the forefront of a March 2022 report by the influential Wolfsberg Group titled “Guidance on Digital Customer Lifecycle Risk Management,” with key considerations across the anti-money laundering (AML) program.

In short, the timely, rich and relevant guidance exhorts banks to champion fincrime compliance convergence, viewing the customer through more than just the lens of AML risk.

Institutions must also view digital customers from the perspective of fraud, corruption and cybercrime and then further augment those results with data outside the institution, including OSINT and social media, according to the report.
To read the full nine-page report, click here.

In seeking to “transition from traditional to more innovative mechanisms in the customer lifecycle,” including remote onboarding and verifying digital documents, Wolfsberg states that financial institutions (FIs) should consider these overarching guidelines:

• Convergence resurgence: Build a more holistic customer profile via a wider concept of identity that complements elements required under AML/CTF regulation with additional identity attributes (often used to prevent fraud or cybercrime), always in line with customer consent and applicable data protection regulation.
• Seeing the full picture: Map the variables behind the holistic customer profile to internal or external data sources capable of alerting the FI to a possible change or deviation from the expected value of any particular data point or attribute, and structure data and the FI’s systems architecture in a way that facilitates the regular updating and tracking of these variables under a risk-based approach.
• Don’t occlude on inclusion: Recognize that reaching the ideal level of trustworthiness on building the underlying customer profile is a risk-based decision, where, for example, certain local conditions, including support for 9 of 9 initiatives from competent authorities on financial inclusion, may warrant distinct approaches to identification, verification, and authentication.
• Compare new, old frameworks: Develop a robust assurance strategy focused on the key dependencies upon which the FI’s digital customer lifecycle risk management approach is based, assessing their reliability in line with existing frameworks and standards.
• Collaboration, communication with regulators: Collaborate with competent authorities on digital initiatives aimed at increasing access to high quality identity data, including, but not restricted to, government-supported digital ID and similar accessibility initiatives that promote interoperability and facilitate access to financial services.
• Data is power, use responsibly: Embrace as a design principle the recognition that using innovative technology for customer lifecycle risk management should be responsible — i.e., that the design and use of the technology is fit for purpose, secure, reliable, privacy preserving, consent-based and accessible to users with relevant regulatory, policy requirements.

The touchy subject of calibrating customer fincrime risk, without touchpoints

In the historical era of brick-n-mortar banking business models, there were manual touchpoints with customers and there was a heavy reliance on the physical presence of the person to verify the details provided for the personal or business line accounts.

The Financial Crime compliance ecosystem evolved considering this physical interaction and suitable controls were built to leverage the customer information, often collected and reviewed manually.

These controls were dependent on the data collected in the form of customer information, such as AML prongs including know-your-customer and customer due diligence duties, and it was reasonably manageable to identify the bad actors from a FinCrime risk perspective.

The depth, quality and accuracy of these customer risk assessments – done under overarching frameworks such as illicit finance or more specific underlying generators of tainted funds, including human trafficking, corruption and fraud – have been increasing regulatory focal points for examiners and investigators.

The reason: the final customer risk delineations – low, medium or high – form the foundational customer risk assessment, which typically feeds into and sensitizes the AML transaction monitoring system.

The classic dynamic: the higher the risk of the customer or business, the more readily the system will spit out an alert on aberrant activity to be reviewed by an analyst or turned into a suspicious activity report (SAR) or suspicious transaction report (STR).

However, technological innovations in last few decades have prompted the business line to adopt a more agile and digital way of acquiring customers: allowing some or in certain cases all of the customer identity documentation to be submitted remotely.

While this was a boon during recent years of a global pandemic preventing some banks from even operating their physical branch networks, this has also resulted in increased exposure to Financial Crime risks.

Many large international banking groups and investigators alike have seen an explosion of illicit acts and actors, including money mules, synthetic identity frauds, ransomware attacks and crypto payouts.

In addition to these financial crime risks, there are also other challenges in terms of data accuracy, data integrity and data analytics, which can have adverse implications for the REs across general customer relationship management goals and adherence to regulatory compliance requirements.

Regulators globally are cognizant of the changing landscape resulting from the digital acceleration approach by the REs.

Technology is now playing a significant role in the continuously evolving ecosystem of the financial services arena.

As a result, REs are heavily investing in digitizing the CLCM and adopting digital strategies for customer acquisition, customer on-boarding, launching new products and services, enhancing customer loyalty and experience and increased level of regulatory adherence.

There is a paradigm shift in managing the digital dilemmas by the REs.

Though there is a significant improvement in terms of striking a balance between customer freedom and compliance oversight, that must be weighed against the increased pressure by REs to strengthen their lines of defense – including customer facing tellers and business line heavyweights – against criminals actively looking for financial crime compliance gaps.

A quick elaboration on these challenges will help us to understand the strategies adopted to digitize CLCM.

Digitalized Landscape and the FinCrime Challenges

In recent decades, the financial services industry has witnessed a massive increase in taking on non-face-to-face customers.

Part of this adoption has been spurred by the way Internet and mobile technology has penetrated our personal lives, with digital onboarding further hastened by necessity driven by the coronavirus pandemic.

It has also seen the same reflection in many banking business models too.

Gone are the days when a prospect customer needed to walk in physically to open accounts. The internet and mobile devices have made the whole process very quick and convenient.

However, it has also resulted in more opportunities for organized criminal groups, cyber-enabled fraudsters and money laundering syndicates – in some cases by stitching together stolen or hacked information into synthetic identities, a soaring scourge dubbed zombie or Frankenstein fraud.

These identities only exist on paper and don’t have to walk into a branch – but can be synthesized and copied, submitted to hundreds or thousands of banks around the world at the same time.

The current CLCM approach may not be effective enough to handle these two seemingly opposing objectives: onboarding customers quickly and easily while accurately calibrating and mitigating FinCrime risks.

A few of these challenges are listed below:

Increased regulatory expectations

As the financial services ecosystem evolved, so has the regulatory framework. With the increased digitization, regulators are also introducing stringent CDD and KYC requirements.

For example, recently there has been a push for obtaining Beneficial Ownership (BO) details to better uncover corrupt oligarchs, sanctions and tax evaders and launderers hiding behind impenetrable ownership structures.

Lawmakers, law enforcement and regulators are trying to address this glaring global vulnerability, with recent guidance issued by Financial Crimes Enforcement Network (FinCEN) in its Corporate Transparency Act (CTA) and the European Union’s (EU) fifth and sixth AML directives.

Apart from that there is detailed guidance by various regulators for the controls to be built around Video KYC (VKYC).

Similarly trigger events like the Russia-Ukraine war have resulted in a barrage of sanctioned parties requiring analysis by human and system name screening processes and digested by related compliance frameworks.

Technology Infrastructure Limitations

Regulated entities are aware of this changing digital landscape.

However, one of the biggest bottlenecks is the weak technology infrastructure. Even though there is lot of non-face-to-face interaction and lot of information is being obtained by the institutions, a persisting challenge is that there are multiple systems where the data is housed and these systems also work in silos.

As a result, the information may not give a holistic view of the customer profile at an enterprise level.

This adversely impacts the institution’s capability to detect anomalies and identify bad actors.

For example, there might be a situation where a customer is operating away from the geographical location details he/she has provided at the time of on-boarding. This might be a potential financial crime red flag.

Moreover, if a bank can’t detect data across systems, jurisdictions or divisions of the bank – a person could have a personal account, maybe a business and related account and potentially securities and trading accounts, all at one banking conglomerate – it could miss crucial linked transaction details.

If there are technological limitations, there is a possibility that this red flag may not be detected resulting in a festering, unreviewed and unaddressed financial crime risk.

These technological constraints combined with process inefficiencies may further increase the exposure to missed alerts, missed SAR flings or worse: missed incidences of actual laundering and fraud.

For example, while on-boarding the customer via mobile applications, if there is no process to verify the identity of the documents provided by the prospect customer against government or any other industry accepted databases, there might be a possibility of on-boarding a bad actor.

Or worse, a host of bad actors working in concert against the bank as part of a dedicated fraud or laundering operation.

This will no doubt lead to a regulatory rebuke if several such instances are noted by the regulator.

Operational Inefficiencies and Manual Processes

One perennial challenge is that many existing CLCM initiatives are fraught with significant operational inefficiencies and hamstrung by often manual processes.

Even though the relevant information is obtained from the prospective customers, there can also be endemic data accuracy and data integrity issues.

For example, a mobile number or email ID is an important data point, but not if it’s wrong.

Such an error can have an adverse impact on maintaining the correct customer profile or client outreach during the periodic refresh exercises and also impact the relevant investigations which may be carried on the said customer.

Another example is the impact on client exit management.

If post investigation, a RE decides to off-board the customer, the client outreach might not happen due to incorrect capturing of the customer data.

Digitizing CLCM – The Need of the Hour

Addressing the above challenges along with keeping pace with the digitization can be a daunting task for the REs.

However, a conscious and well-planned approach in digitizing the CLCM process can be a perfect solution to mitigate the FinCrime risk arising from these challenges.

In onboarding customers digitally, there typically won’t be a quick-fix solution for the challenges mentioned above because they involve so many dimensions of bank rules, roles, regulations, policies, people, systems and data capture, archiving and analysis.

Beyond that, even when these updates are made, it may take additional time to make the changes happen on a regular basis, ideally even in a real time environment.

Before we delve deeper into the ways of digitizing the CLCM approach, it might be appropriate to first understand what we mean by digitizing CLCM processes.

It is nothing but leveraging the latest technology to enhance the design and operating effectiveness of CLCM process.

This is done by reducing the manual intervention pieces and achieving greater synergy between customer contentedness and greater adherence to regulatory requirements.

Digitizing CLCM holistically can effectively address the challenges mentioned above and it can be transformative also.

By carefully evaluating various pain points of the current CLCM model, if REs focus on the following areas, they can achieve great synergies and attain an effective and robust CLCM.

These focus areas are as follows:

Automating Data Collection and Verification

The current CLCM process has lot of manual intervention which triggers operational challenges go froward and may expose the REs to greater FinCrime risk.

For example, even though there is a sharp increase and focus on digital on-boarding, however there is lot of manual data which is captured into various systems.

This data capturing is prone to human errors, such as capturing the wrong mobile number or email id or KYC identification number. These kinds of issues may result into data integrity and data accuracy issues which have aftereffects for all the phases of CLCM process.

These failings can affect transaction monitoring by having wrong data points and resultant risk score, meaning someone who should be ranked high is ranked low, but also affects the periodic KYC refresh exercise and customer exit.

The only way to mitigate such risk is to automate the data collection at the time of customer on-boarding.

How can a bank do this with the same headcount, resources and do so at scale? There are technologies available like “Optical Character Reading” (OCR) which reduces the manual intervention as far as data collection and capturing is concerned.

By adopting OCR technology, organizations can ensure faster turn-around time with the increased level of data accuracy.

Similarly, REs can also automate their process of customer KYC validation.

Currently, there is manual intervention where either the front-line staff or the back-office staff validates the identification documents from the existing available database and proceeds with the customer on-boarding.

Again, this process is prone to errors where either the wrong validations are being performed or even no validation is being undertaken.

REs can again leverage technology to better automate the customer identification and verification process, resulting in faster verification processes without sacrificing AML due diligence and risk ranking requirements.

Leveraging Data Analytics

Once REs automate data collection and verification, the next focus area is to harness the power of advanced analytics.

Currently, there is a deluge of data points across systems in and out of the institution.

This makes it more difficult for many banks to utilize the power of data in their decision-making processes, an amorphous threshold typically the domain of the human brain.

One of the examples is IP address-related data.

There is a possibility that post digital on-boarding the potential customer is undertaking transactions from a different geographical location.

If REs automate the data collection and harness the power of data analytics, such anomalies can be more quickly identified, and further investigation can be performed to evaluate the financial crime risk.

Another way to leverage the data analytics capabilities is for better customer risk categorization and strengthening the customer profile. The intelligent automation technologies supplementing the data analytics can also assist the REs in conducting adverse news screening more meaningfully.

For example, if there is an alert during adverse news screening against a particular customer, the alert can be discarded if it is for a petty news, like a penalty for breaching traffic rules or being in the news for a case going on in local court for a family dispute.

The intelligent automation will raise the alert only when there is a more serious piece of adverse news, like sanctions, felony convictions, etc.

This will ultimately enhance the detection capability of financial crime compliance-related red flags and effective transaction monitoring too, with the added benefit of better managing spare AML analyst resources for investigations that matter.

Synchronized Workflow

Once REs automate the data collection and harmonize the existing data analytics technologies, it is then imperative to embed a synchronized workflow environment in the CLCM workflow.

This requires interlinking different systems to ensure smooth data flows between multiple archives.

This is very critical to build and leverage an enterprise customer profile. In short, by looking at a customer across bank systems and divisions, more teams have access to the data pool.

In an ideal scenario, this results in quick and easy to access to alerts and review by the relevant stakeholders and a shorter time to be picked-up by the systems to identify the outliers in a more holistic way.

For example, if a customer is operating at a location for a longer period that is different from the geographical location disclosed at the time of on-boarding, the automated data collection will ensure this data point is obtained in a discreet way.

The synchronized workflow can then ensure that the outlier is identified and flagged immediately so that the impact on the customer profile and customer risk categorization can be evaluated for any changes.

Subsequently the same information can be leveraged for effective transaction monitoring, undertaking periodic refresh exercises and also for customer outreach.

This example is evidence on how digitizing the CLCM ecosystem can go a long way for the REs in building up a holistic and progressive customer profile and assist in identification of the risk at an enterprise level.

Conclusion

The last few decades have witnessed a paradigm shift in the digitization of the business models for the financial services sector.

It has not only impacted all the facets of a CLCM, and the way customer relationships are managed, but has also resulted into newer typologies of financial crime like money mules, synthetic identify frauds, etc.

The pace of technology innovation has been a challenge and REs are behind the curve in adopting the same for addressing the additional financial crime risk.

Adopting the digitization of CLCM has enterprise-wide level benefits and can be seen in all the phases of CLCM, i.e., customer onboarding, identification and verification, transaction monitoring and the client exit process.

Continuous evaluation of effectiveness of the CLCM process along with a well-planned road map for the required enhancements in CLCM is the need of the hour.

REs needs to embrace the digitization and the technology in the CLCM ecosystem and automate the data collection, dissemination and retrieval workflows.

Supplementing it with enhanced data analytics technology and synchronized system workflows will ensure CLCM effectiveness, can enhance the customer experience and the success in mitigating financial crime risks.

About the author

Sachin Shah is a financial crime compliance subject matter enthusiast with more than 23 years of experience working with some of the world’s top global banks, Big Four accounting firms and domestic banks across India, Asia Pacific and the Middle East region.

His primary focus has been on compliance, with senior positions assisting financial institutions in mitigating a broad spectrum of financial crime risks. He is also on the ACFCS India Chapter Board as the Programming Director.

Sachin is a regular contributor to industry publications and advises on editorial decisions to sector associations with a particular focus on sanctions risks and compliance.

He also has a BA in Management and MMS in finance. He is currently an SME in the Financial Crime Compliance Advisory practice at Tata Consultancy Services.