CDD guidelines are a fundamental part of the risk management procedures that financial institutions must implement to meet the requirements of the law. In 1977, the Sanctions Act came into force, which was supplemented thirty years later by the Act on Financial Supervision and in 2008 the Money Laundering and Terrorist Financing (Prevention) Act came into force. Legislation that obliges financial service providers to help prevent financial crime. Suspicious transactions must also be reported to the Financial Intelligence Unit (FIU). If financial institutions fail to comply with this legislation, they risk fines, damage to their reputation or the loss of their licences. Brussels has also imposed a number of successive so-called AML Directives on Member States in recent decades to prevent money laundering and terrorist financing. In addition to AML and CTF, Member States should also actively pursue the prevention of blackmail and corruption.
Financial institutions operating in the Netherlands must comply with the following Dutch and EU legislation and regulations:
– Financial Supervision Act (Wft), Basel III and (in 2023) Basel IV;
– Solvency II, in particular for insurance companies;
– FATCA, which lays down the tax liability between the Netherlands and the US;
– Common Reporting Standard (CRS), in which more than 100 countries have made agreements on the automatic exchange of financial data of persons and organisations;
– Anti-Counterfeiting and Anti-Corruption legislation;
– General Data Protection Regulation (GDPR) is superior to the Dutch Personal Data Protection Act and applies stricter rules and higher sanctions in the event of a violation;
– the Personal Data Protection Act (Wbp);
– legally required introduction of internal codes of conduct;
– training of staff on compliance requirements.
The identification and verification of new customers is a crucial part of the Customer Due Diligence (CDD) and Know-Your-Customer (KYC) process. Compliance departments are constantly expanding to cope with stricter legislation. Thousands of trained staff work on identification, screening and risk profiling based on defined risk criteria, depending on the company’s ability to tolerate risk. At the end of this process, a new customer is either accepted or rejected.
During the customer acceptance or onboarding process, so-called underwriters calculate and examine new customers, which are screened and checked against a number of risk-sensitive criteria. A risk is calculated (Risk Scoring) based on a combination of factors that together result in a (low, medium, high) risk score. This score is taken into account in the Risk Assessment prepared by the underwriter.
Unfortunately, risks are often exaggerated. This is called “false positives”. Experts estimate that between 75% and 95% of alerts are ultimately false positives. These have to be carefully analysed and this requires a considerable human capital and time. False positives are the result of a risk score, calculated on the basis of standardised criteria and according to specific rules. This is called rule-based risk management. It is a very binary way of risk scoring, without taking into account the underlying complex nuances. For example, a customer can be classified as suspicious because he/she transfers or receives money from a country that is classified as high risk, while the customer does not actually pose a risk to the bank. Vice versa, terrorist finances can remain unnoticed as ‘alerts’ are not being triggered by transferring low amounts of money. The financing is only discovered once the terrorist act has been committed and one applies ‘follow-the-money’ procedures. False positives cost companies a lot of time and overhead. False negatives, however, cost lives. To prevent false positives or false negatives, companies are increasingly adopting a risk-based approach. This risk-based approach is described in detail in a recently released report by the International Financial Task Force (FATF), an organisation that regularly makes recommendations in the areas of CDD/KYC, Anti-Money Laundering (AML) and the Prevention of Terrorist Financing (CTF).
Regulatory Technology (Regtech)
Regtech refers to the use of technology that translates structured and unstructured data into so-called decision making rules that help legislators and financial institutions in their compliance process. Regtech optimises the workflow, decision making and reporting to the financial authority. Data analysis guarantees a good overview and the possibility to recognise and prevent risks, hence the overlap between Compliance and Risk Management.
More and more financial service providers are opting for a partnership with a Regtech company that streamlines the compliance process. Two-thirds of Regtech solutions include artificial intelligence (AI), machine learning (ML), big data, cloud computing and APIs. According to EBA Europe, 10% of financial institutions in the EU expect to invest as much as 50% more in this technology in the coming years.
What are the benefits of Regtech for Risk Management and in particular for the Customer Identification Programme (CIP)? Time and cost savings, efficient and accurate use of existing data, better system integration and a holistic approach to risk management. Regtech prevents human error. New customers’ documentation is identified and screened against national and international sanction lists in no time, and the potential risk they pose is automatically calculated and adjusted using pre-configured risk parameters. Regtech prevents many false positives. Artificial intelligence (AI) analyses data quickly and carefully. Machine learning makes AI increasingly accurate at recognising unusual patterns without flagging the innocent as suspicious. Regtech solutions can be configured and scaled to meet a company’s specific needs and risk scoring can be quickly adapted to new CDD/KYC and Anti-Money Laundering (AML) laws and regulations.
France, Germany and the Netherlands are leading the way in the adoption of Regtech solutions within the EU. The Netherlands is also a growing Fintech and Regtech Hub. Hyarchis has been the market leader in Document and Data Management for decades. Regtech solutions run on good data. A Regulatory-Technology-driven, optimised Customer Due Diligence process ensures efficient risk analysis of data, while adhering to privacy regulations that protect the most sensitive customer data.
Contact Hyarchis for more information on our innovative data management and CDD solutions.