The Legitimacy Life-Cycle – All Behavioral Risk Mitigated

Lifecycle management has become an AML compliance buzzword, but it is often just new wrapping on the same old package. The Legitimacy Lifecycle, in sharp contrast, approaches the lifecycle challenge with a comprehensive emphasis on Risk relevance and Risk mitigation.

Unlike other lifecycle-management systems, the Legitimacy Lifecycle monitors and mitigates all human and human-caused activity within an institution. The Legitimacy Lifecycle is purely event driven and starts with the Know Your World (KYW) concept of Due Diligence, which enables monitoring of Risk-relevant events from onboarding to offboarding of your Risk-relevant relationships (i.e., all relationships).

Know your World (KYW) Due Diligence recognizes and accounts for Risk across your enterprise—not just your customers and transactions. Effective KYW comprises knowledge of the Risk potential and structured monitoring of the following categories:

  1. Customers
  2. All related parties of customers
  3. Vendors
  4. Employees
  5. Managers
  6. Artificial intelligence and machine learning applications (AI/ML)
  7. All known relationships among the categories above, other than those already covered by Category 2 (related parties of customers)

Best-practice Risk management calls for KYW to be performed in the same way, and for the same purposes, for each of the Due Diligence categories. Each of these categories causes events to happen within your institution; your task is to confirm that all these events occur for “legitimate business purposes.” A legitimate business purpose is defined as an event happening when it should, how it should, and, most importantly, by whom it should.

The Legitimacy Lifecycle specifies three main lifecycle stages that help predict the stage-specific types of Risk for each of the seven categories above. Those lifecycle stages are the onboarding of a relationship, the ongoing maintenance of the relationship, and the closeout of the relationship.

Each of these lifecycle stages requires its own Key Risk Indicators (KRIs), configured in a GRC solution, to monitor all the Risk-relevant events within each stage of each relationship. A KRI should automatically trigger a notification event that routes an action to the responsible party. Actions might include sending an email, opening a research case, starting a timed SLA, and so on.

Let’s consider for a moment the kinds of events a KRI might respond to. This requires you to enter the “Suppose Zone.”

Suppose you are onboarding a new corporate customer. You are collecting documents and checking data interfaces; everything is looking good, and you are about to accept the customer when you get an email alert. Your public-records database shows that the premises’ average monthly electricity usage is below that of a college dorm room. The potential customer’s self-reported monthly electricity usage is over 200 times that.

Or suppose you have an employee who is always the last person to leave at the end of the day. And they always seem to pass on taking their vacation days. At the same time, you receive a garnishment demand for that employee. You conclude that one of your best employees is having money issues. Do you think they should be alone on your production systems?

Or suppose you had a breach, but you can’t figure out how the attackers got in. Perhaps they did not break in; rather, you let them in. The little machine-learning application that marketing bought on the cheap was doing a bit more at night than you thought and was slowly but surely gaining access to your core and payments systems. Try explaining that to the board.
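The three scenarios above all reduce to the same mechanism described earlier: a KRI bound to a lifecycle stage and a Due Diligence category, evaluated against each event, that triggers routed actions when it fires. The following is an added illustration, not code from the original post or from AML Partners; it implements a minimal event-driven KRI engine and runs it over constructed events modelled on the three scenarios. The category and stage names follow the post; the KRI names, the 10x usage-ratio threshold, the event field names and the action labels are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable


class Stage(Enum):
    """The three Legitimacy Lifecycle stages named in the post."""
    ONBOARDING = "onboarding"
    MAINTENANCE = "maintenance"
    CLOSEOUT = "closeout"


class Category(Enum):
    """Know Your World Due Diligence categories 1-6 from the post."""
    CUSTOMER = 1
    RELATED_PARTY = 2
    VENDOR = 3
    EMPLOYEE = 4
    MANAGER = 5
    AI_ML = 6


@dataclass
class Event:
    subject: str          # who or what caused the event
    category: Category
    stage: Stage
    data: dict            # event-specific attributes (field names are assumptions)


@dataclass
class Alert:
    kri: str
    subject: str
    actions: list[str]    # routed actions, e.g. email, research case, timed SLA


@dataclass
class KRI:
    name: str
    stage: Stage                      # a KRI applies to exactly one lifecycle stage
    categories: frozenset[Category]   # and to a subset of the KYW categories
    test: Callable[[Event], bool]     # predicate over the event's data
    actions: list[str]


# Scenario 1: self-reported electricity usage far above the public record.
# The 10x ratio threshold is an assumption; the post's example is over 200x.
def corporate_usage_mismatch(e: Event) -> bool:
    public = e.data.get("public_kwh_per_month")
    claimed = e.data.get("self_reported_kwh_per_month")
    if not public or claimed is None:
        return False                  # missing data cannot prove legitimacy either way
    return claimed / public >= 10


# Scenario 2: garnishment plus no vacation plus unsupervised production access.
def employee_financial_stress(e: Event) -> bool:
    return bool(
        e.data.get("garnishment_received")
        and e.data.get("vacation_days_taken_ytd", 0) == 0
        and e.data.get("unsupervised_prod_access")
    )


# Scenario 3: an AI/ML application touching systems outside its approved scope.
def ml_app_scope_creep(e: Event) -> bool:
    outside_scope = set(e.data.get("systems_touched", [])) - set(e.data.get("approved_systems", []))
    return bool(outside_scope)


KRIS = [
    KRI("onboarding.corporate_utility_mismatch", Stage.ONBOARDING,
        frozenset({Category.CUSTOMER, Category.RELATED_PARTY}),
        corporate_usage_mismatch, ["email:onboarding_team", "open_research_case"]),
    KRI("maintenance.employee_financial_stress", Stage.MAINTENANCE,
        frozenset({Category.EMPLOYEE, Category.MANAGER}),
        employee_financial_stress, ["email:hr_and_infosec", "start_sla:48h"]),
    KRI("maintenance.ml_app_scope_creep", Stage.MAINTENANCE,
        frozenset({Category.AI_ML}),
        ml_app_scope_creep, ["open_research_case", "start_sla:4h"]),
]


def evaluate(events: list[Event], kris: list[KRI] = KRIS) -> list[Alert]:
    """Run every stage- and category-matching KRI over every event."""
    alerts = []
    for e in events:
        for k in kris:
            if k.stage == e.stage and e.category in k.categories and k.test(e):
                alerts.append(Alert(k.name, e.subject, list(k.actions)))
    return alerts


# Constructed sample events (not real data) modelled on the post's three scenarios,
# plus one benign onboarding event that should not fire.
SAMPLE_EVENTS = [
    Event("ACME Trading Ltd", Category.CUSTOMER, Stage.ONBOARDING,
          {"public_kwh_per_month": 300, "self_reported_kwh_per_month": 60_000}),
    Event("Plain Widgets Inc", Category.CUSTOMER, Stage.ONBOARDING,
          {"public_kwh_per_month": 300, "self_reported_kwh_per_month": 350}),
    Event("employee:jdoe", Category.EMPLOYEE, Stage.MAINTENANCE,
          {"garnishment_received": True, "vacation_days_taken_ytd": 0,
           "unsupervised_prod_access": True}),
    Event("app:marketing-ml", Category.AI_ML, Stage.MAINTENANCE,
          {"timestamp": datetime(2022, 6, 2, 2, 15), "approved_systems": ["marketing_crm"],
           "systems_touched": ["marketing_crm", "core_banking", "payments"]}),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.kri:45} {a.subject:20} -> {', '.join(a.actions)}")
```

Binding each KRI to one stage and a category set is what keeps the engine from firing an onboarding rule against a maintenance event; the same predicate can be registered again under another stage with different actions if the Risk applies there too.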

The Know Your World approach can help anticipate and monitor for these Risks, and the Legitimacy Lifecycle provides a structured way to imagine what is possible and then to understand how probable it is. At the core of this Risk-mitigation concept is establishing KRIs for the “whole” of who interacts within your firm and making sure that all of it is legitimate.


Frank Cummings

AML Partners LLC