Financial institutions still struggling with KYC rules
Financial institutions and other businesses covered by anti-money laundering legislation are struggling to meet the required know-your-customer verification standards.The AML regulator, Austrac, has been in touch with a number of organisations advising them that its audits have revealed problems with their procedures.Professionals in the AML field say their clients are finding compliance challenging.Deloitte partner Graham Dillon said large organisations had tended to underestimate the complexity of the task and are still coming to grips with it several years after AML became law.The Anti-Money Laundering and Counter-Terrorism Financing Act was passed in December 2006, and the new regulatory regime was introduced in stages over the following two years.The know-your-customer rules, which require identification, verification, risk assessment, monitoring and reporting on customer accounts are a core part of the regime.Dillon said: "The organisation has to set up a system for client identification, they have to verify those details and they have to do due diligence to assess the riskiness of their customers. There is a constant monitoring task."Things can go wrong at every step. Identification is simple when you are talking about one customer, but when you are dealing with millions of files all the little variations in the documents that people supply to you are going to result in situations where records are not populated accurately or completely."Verification gets complex when you are dealing with companies, trusts and foundations. The law requires the identification of the beneficiaries and an ASIC (Australian Securities and Investments Commission) search will not always produce that information."What we find with a lot of organisations is that their systems do not have the controls in place to secure the right outcome. "For example, about two per cent of names are entered into KYC systems with spelling mistakes. An organisation must recognise that inaccurate data entry is an issue and it must have controls in place to pick up those mistakes."The Institute of Internal Auditors issued a report last month, saying that internal audit of AML procedures tended to be limited to broad, high-level issues but did not delve into the nuts and bolts of systems and controls.The institute's director of policy, Joe Garbutt, said: "Some internal auditors limit their reviews to questions such as whether the company has an appropriate AML policy. An effective review requires auditors to dig deeper."The know-your-customer rules, which require banks to perform a series of checks on a customer's identity when they open an account, are a good example of an area where there is no substitute for probing."