Shubhendu Mukherjee is a director in the risk and compliance practice at Protiviti, a global consulting firm. Shubhendu specializes in anti-money laundering (AML) and sanctions. Prior to joining Protiviti, he was a director with the Financial Services’ risk and regulatory practice of a Big 4 firm and, before that, worked at the Financial Market Integrity Group of the World Bank in Washington, DC.
We spoke to Shubhendu about the challenges financial institutions face when adopting digital services, and the negative impact that manual processes have on customers.
This year has been extremely challenging. For Protiviti, how have the firm’s priorities and focus shifted this year?
Like many firms, we had to pivot to working completely remotely. Our priorities and focus remained unchanged, though, and remained centered on our people and our clients. Throughout the year, we have worked diligently to ensure that our people have the resources and support that they need to thrive even in this unusual environment. For our clients, our goal continues to be to ensure that we help them with their immediate and near-term challenges, as well as their future resilience efforts, even as these needs shifted with the impact of COVID-19.
In the current environment, financial institutions are facing a host of operational challenges; capacity-strained functions, an uptick in cybercrime, and compliance and risk management challenges, just to name a few.
The pandemic has brought out the worst in terms of emerging financial crimes and vulnerabilities. This situation has been exacerbated by the fact that the gatekeepers are operating in a work-from-home environment, like many employees. Criminals are exploiting this environment. The authorities are reporting an increase in movements of large amounts of cash for the purchase or sale of illegal goods, use of money mules, and increased terrorist financing activity. So, from a risk and compliance standpoint, we are focused on helping financial institutions reduce their exposure to these emerging issues and to develop programs to satisfy their regulatory obligations.
For example, we are working with companies to incorporate COVID-19 vulnerabilities into the money laundering/terrorist financing risk assessment. We are also helping companies develop new COVID-19-specific transaction monitoring scenarios and make enhancements to alert investigation, case management procedures and reporting protocols for suspicious transactions in a remote working environment.
In your 20-plus years working in the financial services industry, how has the approach to AML changed?
Financial services companies have continued to invest heavily in people, processes and technology to improve their AML capabilities. They’ve had to do this to keep up with the ever-changing dynamics of financial crime. At the same time, companies are facing massive cultural and operational challenges responding to AML regulations. Maintaining an effective AML compliance program comes at an increasingly significant cost. One primary reason for this is most of their AML processes are predominantly manual and time-consuming, and therefore not as efficient. In other words, the industry still needs to make transformative changes in AML programs.
We know digital technologies can play a huge role in this transformation across jurisdictions. The need to digitize AML processes (including know-your-customer practices) we think is urgent. Last year, Protiviti and the International RegTech Association conducted a global study to investigate the effectiveness of existing KYC processes, their impact on customer experience across various jurisdictions and the efforts by financial institutions to innovate KYC controls. We interviewed regulators, digital service providers and a large number of financial institutions, and we came to a few key conclusions: Current KYC controls and processes are manually intensive and time-consuming. They frequently result in poor customer experience and can hinder financial inclusion, especially in emerging countries. Financial institutions can overcome these roadblocks by adopting digital solutions and digitally enabled shared platforms. The industry cannot do all of this alone. This effort will require the full engagement of policymakers and regulators, with COVID-19 accelerating the need.
What changes should organizations make before they can take their procedures digital?
Organizations should develop a better understanding of the processes, sub-processes and pain points associated with their AML programs. As part of this effort, management should assess the workload and the staffing needed to support various processes. This is necessary to determine what the resource deficiencies are and where investments in technology would produce the biggest bang for their buck. For many firms, embracing new technologies or optimizing existing ones starts with improving data quality and governance. Until a financial institution conquers its data challenges, automating the AML process won’t be feasible. The decision to automate and how should be guided by an understanding of the expectations of the various interested stakeholders, including the board, regulators and second line compliance teams. The desired outcomes from automating and the expectations of the stakeholders should be aligned. Finally, I would also definitely stress that a change in the culture may be required. Organizations should embrace a change management and transformational mindset. Digital transformation requires a philosophical change from the top, starting at the board level. Traditional banks can take their cues from “born-digital” firms or Fintechs that are excelling on this digitization front. Obviously, there should be a discussion about what is the right technology and how that technology fits into the organization’s particular environment.
Regarding the inefficiency of the KYC process, what impact does this have on the customer experience?
The time-consuming and manual nature of current KYC processes can create delays in onboarding, which often leads to friction and dissatisfaction with, and loss of, customers. Since KYC processes require financial institutions to gather information from customers at various points, there are multiple customer reach-outs along the way, and that too is very inefficient. Customers are not very receptive to these requests, especially when they are being asked to provide additional information. There’s a high abandonment rate among financial institutions because of these issues, which have a lot to do with data management challenges associated with legacy systems.
I can’t say there is a single digital solution that can fix all these issues. However, there are various technologies that can be deployed for various stages. For example, firms can use technology to reduce the need for document-based verification. They can use data that is collected at one point in time for other processes down the line. Thoughtful use of technology in the customer onboarding process can go a long way to improving the customer experience.
You mentioned KYC shared platforms could be useful – are they widely available?
Unfortunately, shared platforms (commonly referred to as industry utilities) are not very widely available, although we’ve seen various jurisdictions launch or attempt to launch shared platform initiatives. What’s important is that the shared platform concept is now being widely discussed, and regulators are engaged in these discussions.
One of the key concerns that financial institutions have about shared platforms is around data privacy and security. There are discussions within the industry over how to address these concerns, including having shared platform providers use technologies like zero knowledge and homomorphic encryption. Similarly, data sharing using distributed ledger technology, more commonly known as blockchain, is also being actively discussed.
For a global shared platform or multi-jurisdictional shared platform to work, providers and participants will need to adhere to various regulations. Privacy and data transmission restrictions would apply in this case.
There are some operational hurdles that shared platforms need to overcome to gain broader acceptance. For instance, existing shared platforms cannot perform many customer onboarding processes, such as risk rating of customers, adding to the slowness in the adoption of these platforms.
Still, even though digitally enabled KYC shared platforms are not available across the board in all jurisdictions, we certainly recommend their continued development, with government support, and their widespread adoption by financial institutions.
In what ways have regulators contributed to digital transformation so far and how can they continue to help the industry accelerate the pace of KYC optimization?
Most regulators realize the importance of innovation and technology advancements within the industry. The challenge they face is around balancing the competing interests of protecting all stakeholders within the financial services ecosystem and supporting and encouraging innovation. They can help the industry address the many technical and operational challenges impacting KYC processes by facilitating adoption of new technology. We saw evidence of this in India, when the Reserve Bank of India included e-KYC verification as a standard ID&V process. All banks adopted this process, making KYC more streamlined and frictionless. Recent guidance from the Financial Action Task Force on digital ID and verification is another great example of what regulators can do to allow financial institutions to use digital technologies across the board. Regulatory sandboxes for KYC are gaining traction in many jurisdictions, some more aggressively than others. The Global Financial Innovation Network Initiative, a global sandbox consisting of a network of 29 regulatory bodies, is a great initiative.
Going forward, we believe regulators should become more active drivers of digital transformation in AML/KYC processes. We would encourage more cross-border collaboration between regulators to improve their understanding of KYC technologies and to keep pace with innovation. Regulators can drive change by establishing standards and trust frameworks that can be universally applied across various jurisdictions. For instance, we’d like to see regulators expand collaborative efforts on defining minimum standards for KYC CDD/EDD collection. Organizing events such as TechSprints to improve the general understanding of technology, and to test new solutions, is another way for regulators to become more involved in innovation.