Data Privacy regulations increase challenges for bank KYC and AML programs
Financial services organizations are under increasing pressure from regulators to focus on KYC and client due diligence. This pressure is exhibited in the form of fines and penalties that have been levied upon numerous banks and other organizations for
lax procedures. Due to the differences in regulations across jurisdictions and the sheer number of clients and transactions many banks have had to increase headcount by the thousands. For large banks risk and regulatory compliance now accounts for up to
20% of operating costs. Compliance with these mandates is further complicated by additional and sometimes conflicting regulations.
The challenges of managing Personally Identifiable Information
The term Personally Identifiable Information (PII) is defined by US privacy law as information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Banks and other
financial institutions are required to protect sensitive client PII and utilize it only for intended purposes i.e. regulatory compliance. Banks obtain consent of their clients to obtain and maintain protected data only to initiate or maintain a banking relationship.
Different jurisdictions also maintain restrictions on related entity data, the family and business associates of clients, and the ability to share a client’s PII across the organization.
IT security is the major concern for institutions of all sizes
Among the most critical issues today for banks is the prevalence of cyber-attacks. Banks have been and continue to be a target of hackers, both nefarious individuals as well as highly organized state and non-state sponsored groups, looking to steal client
data and assets. Data privacy regulations universally require that banks maintain a high-level of cyber and IT security. This can extend to the monitoring of employee activity.
Data Residency Requirements limit flexibility and inhibits efficiency
The protection of client information extends to include physical data privacy through local data residency requirements. Banks doing business in countries with hard physical privacy rules such as Russia, Switzerland and South Korea are required to maintain
their client data within the physical borders of the jurisdiction. Even the ability to view client PII may be limited to the KYC teams located within those borders.
The conflict between data aggregation and data privacy
These organizations are also faced with additional regulations that create further challenges. The conflicts between KYC and AML regulations and the lack of globally consistent data privacy rules is one such case. Additionally, the Basel III mandates,
such as BCBS 239, require that financial institutions aggregate risk data can also conflict with data privacy rules, especially when considering the data residency requirements.
The challenge for financial institutions is how implement the most efficient operating model to maintain compliance with the various sets of rules.
How do banks implement best practices to solve the data privacy challenges?
In deciding how to approach the data privacy issue banks first need to be clear on the individual regulations in the countries in which they operate and to then determine how to best to organize the teams. In many banks, KYC operations, have developed in
silos creating disparate teams, using different processes and even running different software platforms. These teams may have been created to support different lines of business or regions or perhaps they were a part of a legacy acquisition.
The consolidation of business operations is often used to reduce operational redundancy. However, for global banks it is often necessary to maintain coverage in various time zones. Thus, a strategy consolidating teams to several regional centers with responsibility
across all lines of business maybe the best compromise. This would create teams well-versed on local requirements and facilitate the efficient sharing of necessary documents and knowledge of their regional clients.
Comparable protection provides some flexibility
In some cases, a country may accept the privacy rules of another if deemed to have a satisfactory level of comparable protection. This provides banks the ability to consolidate some KYC operations in a single location but does not completely resolve issues
such as those created by national KYC requirements. The recently signed agreement between the EU and US is but one example of comparable protection.
To avoid the redundancy of updating regulations for individual jurisdictions onto multiple systems banks should considering migrating their KYC functions onto a single platform. However, there are several considerations for developing such a platform:
- Creation of a single consistent target operating model
- Consolidation of client reference and product data
- KYC rules engine covering all jurisdictions, client types and products
- Consolidation of the management of client documents
Logical versus Physical Privacy
The KYC platform utilized by the bank must provide for role-based entitlements that restrict read or write access to client data, using logical soft privacy features such as data masking, for any non-essential bank personnel (i.e. non-KYC team). Data residency
requirements that mandate hard physical privacy will require physical storage within that jurisdiction. Banks wishing to operate in that jurisdiction will need to create a satellite or obtain accommodation from local regulators.
Synchronization solves some of the conflict between privacy and aggregation
Banks can utilize a form of synchronization to share the existence of a client record without sharing client data when restricted by residency rules. Thus, teams across different locations can share updates on clients, such as adverse news or watch list
activity without sharing restricted client information.
As banks struggle to maintain compliance with various regulatory requirements across different jurisdictions conflicting rules increase challenges. To improve efficiency in this environment banks must look at the issue from a strategic perspective. Consolidation
of the KYC process must be considered but within the context of regional coverage, comparable regulations and data privacy challenges, such as, data residency. Technology can help ease these challenges but requires an approach that also encompasses both the
people and the process.