Consolidated KYC Risk Management - final document
Note: The BCBS revised and merged this document within the February 2016 publication: Sound management of risks related to money laundering and financing of terrorism.
The adoption of effective know-your-customer (KYC) standards is an essential part of banks' risk management practices. Banks with inadequate KYC risk management programmes may be subject to significant risks, especially legal and reputational risk. Sound KYC policies and procedures not only contribute to a bank's overall safety and soundness, they also protect the integrity of the banking system by reducing the likelihood of banks becoming vehicles for money laundering, terrorist financing and other unlawful activities. Recent initiatives to reinforce actions against terrorism in particular have underlined the importance of banks' ability to monitor their customers wherever they conduct business.
In October 2001, the Basel Committee on Banking Supervision (BCBS) issued Customer due diligence for banks (CDD), subsequently reinforced by a General Guide to account opening and customer identification in February 2003. The CDD paper outlines four essential elements necessary for a sound KYC programme. These elements are: (i) customer acceptance policy; (ii) customer identification; (iii) on-going monitoring of higher risk accounts; and (iv) risk management. The principles laid down have been accepted and widely adopted by jurisdictions throughout the world as a benchmark for commercial banks and a good practice guideline for other categories of financial institution.
A key challenge in implementing sound KYC policies and procedures is how to put in place an effective groupwide approach. The legal and reputational risks identified in paragraph 1 are global in nature. As such, it is essential that each group develop a global risk management programme supported by policies that incorporate groupwide KYC standards. Policies and procedures at the branch- or subsidiary-level must be consistent with and supportive of the group KYC standards even where for local or business reasons such policies and procedures are not identical to the group's.
Consolidated KYC Risk Management means an established centralised process for coordinating and promulgating policies and procedures on a groupwide basis, as well as robust arrangements for the sharing of information within the group. Policies and procedures should be designed not merely to comply strictly with all relevant laws and regulations, but more broadly to identify, monitor and mitigate reputational, operational, legal and concentration risks. Similar to the approach to consolidated credit, market and operational risk, effective control of consolidated KYC risk requires banks to coordinate their risk management activities on a groupwide basis across the head office and all branches and subsidiaries.
The BCBS recognises that implementing effective KYC procedures on a groupwide basis is more challenging than many other risk management processes because KYC involves in most cases the liabilities rather than the assets side of the balance sheet, as well as balances that are carried as off-balance sheet items. For reasons of customer privacy, some jurisdictions continue to restrict banks' ability to transmit names and balances as regards customer liabilities whereas there are now very few countries maintaining similar barriers on the assets side of the balance sheet. It is essential, in conducting effective monitoring on a groupwide basis, that banks be free to pass information about their liabilities or assets under management, subject to adequate legal protection, back to their head offices or parent bank. This applies in the case of both branches and subsidiaries. The conditions under which this might be achieved are set out in paragraphs [20 to 23].
Jurisdictions should facilitate consolidated KYC risk management by providing an appropriate legal framework which allows the cross-border sharing of information. Legal restrictions that impede effective consolidated KYC risk management processes should be removed.