Your relationship with KYC Utilities: Who’s in control?
03 February 2016
Adopting a ‘know your customer’ (KYC) utility is gradually being considered by more financial institutions. It is, though, deemed as outsourcing, an arrangement in which the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have shown a healthy interest; the PRA recently fined a bank £1.3m for improperly managing the bank’s outsourcing arrangements. The message is clear - ‘you can delegate or outsource work but you cannot delegate or outsource responsibility’. So, to avoid falling foul of the regulator, establishing adequate oversight and controls over any KYC utility arrangement is essential.
The service management solution
One option is to set up a service management function, which serves as a link between the client outreach team and in-house KYC operations team (see below). Supervision over the utility arrangement is more easily demonstrated and helps the organisation build structure around the relationship and operationalise the service. Our recent report provides a discussion of other points to consider when integrating with a KYC utility.
Carefully thinking and planning about the function’s remit is very important, including:
- Effective contracting to agree the KYC standards to apply, the obligations of both organisation and utility provider, and commercial arrangements
- Adequate risk management to manage vendor risk (this could include using the organisation’s broader third-party risk management processes), and to agree key policies such as information security, data privacy and business continuity
- Regulatory compliance – seek out guidance from local regulators on the outsourcing requirements and the use of third-party technology banking solutions
Dedicated or virtual?
There’s no one-size-fits-all solution when establishing a service management function; the areas of responsibility shouldn’t change, but staffing will vary across organisations. How the function’s set up will depend on the organisation’s risk appetite and the extent to which services are being outsourced. At one end of the scale, organisations may choose to set up a dedicated team solely focussed on managing the relationship. Other organisations may create a ‘virtual’ team, drawn from different teams and disciplines.
Whatever type of service management function is employed, it shouldn’t just be made up of KYC and client on-boarding specialists – including people with broader experience in outsourcing services will add significant value.
Understanding the organisation’s client portfolio can help to arrive at the most suitable solution. The more complex it is (and therefore more challenging to manage), the more resources will be required to ensure that the utility is performing as expected. Considerations include:
Scale of business: Is the organisation a large, global bank with KYC presence in many countries? Or has a large client portfolio across multiple jurisdictions? Or is it more contained (within certain countries) and therefore more manageable? How many clients are intended to be processed through the utility?
Profile of client portfolio: How risky is the portfolio? Does it include a significant number of higher risk entity types, or clients operating in higher risk jurisdictions? Is there a wide range of client types (and therefore various levels of due diligence) to manage or are there common client types?
Planned utility landscape: Is the organisation expecting to use more than one vendor? Or is the contractual relationship with the utility likely to be complex to manage?
Existing in-house organisation structure: Is the operation centralised, or are the teams dispersed? Is there a mix of in-house teams, off-shore (or near-shore) teams?
The advantage of a dedicated team is clear; resources are focused on coordinating and controlling the interactions between the KYC utility and the financial institution. Indeed, this same function can also oversee the activities of in-house or off-shore KYC teams. However, organisations may decide to lean towards a ‘virtual’ team, particularly those facing resourcing constraints or requiring flexibility in their operations.
Wherever along this spectrum each organisation sits, it’s important to evidence the set-up of the service management function in order to demonstrate compliance with outsourcing regulatory requirements. To operate effectively (and demonstrate adequate oversight), the roles and responsibilities need to be clearly defined and assigned - and ideally, reflected in job descriptions
Knowing who’s in charge
Establishing a carefully considered service management function shows that an organisation is taking responsibility over the utility arrangement. But it’s not something to do lightly; you need to set aside the time and budget to design and detail how it should operate. Get it right now, or pay the price later.
This post was written in collaboration with Pawel Jaroszewicz and Agata Morrison from our international Financial Services Risk and Regulation community.