Periodic review of your periodic review process

Exchanging messages with a friend recently, he asked for some input on periodic review standards for lower-risk clients. The conversation turned to some significant changes his firm could make to refine its risk-based approach.

In short, the company was performing a three-yearly periodic review on all low-risk retail investors.

We discussed the huge operational burden for essentially no additional benefit, and whether it would be acceptable to cease the periodic review entirely for these customers. Our conclusion was essentially yes. But of course it isn’t always quite so straightforward.

Why we came to that conclusion:

  • There is no regulatory obligation to perform periodic review for these customers

  • Committing a significant chunk of your finite resources to large volumes of low-risk reviews is not a good risk-based approach

  • The ultimate beneficial owners of these customers are stable (for retail investors the customer is normally the beneficial owner)

  • Effective trigger event monitoring could mitigate the risks of any material changes to the relationship


Before any changes could be implemented, there were three key questions we needed comfort on:

  • Is the KYC appropriate? A client risk rating is only as accurate as the data it is based on, so it needs reliable, complete KYC. The first step is therefore to assess how effective we believe KYC to be:

    • Design effectiveness assessment of the KYC procedures. Do they align to the regulations and appropriately convey all relevant KYC requirements?

    • Have all customers been subject to the current KYC procedures? That is, were they onboarded after the last material update to the procedures, or subject to a periodic review since then?

    • Can you validate the quality and completeness of the KYC held? This might be through sample-based testing

  • Are they all really low risk? If you’re going to stop doing periodic reviews on low-risk customers, you need to be confident they are in fact low risk. There are a few ways you can do this:

    • Design assessment of the client risk rating methodology and tools. Is it designed effectively, in a way that (at least in theory) would have produced the right outcomes?

    • How long has the customer risk assessment been in place? Would all customers have been put through it, or are some still rated under an earlier methodology?

    • Can you validate the risk ratings? This is very data dependent, but can you gather core customer information and model it to confirm that each customer should in fact be low risk? If not, can you sample a sufficient number to validate that their risk ratings are adequate?

  • Do trigger events work? There will be a broad range of specific trigger events, but they generally fall into two categories: automated and manual notifications of unusual activity, or of changes in a client’s circumstances. To consider:

    • Are the trigger events well understood and cohesive? Is there a list of what constitutes a trigger event, and do all the processes and procedures underpinning them align, so that a trigger event leads to a review of KYC where one is required?

    • What evidence do you have that they are effective? Design and operational effectiveness testing will be needed, but what does existing management information (MI) tell you about how often trigger events occur and what happens when they do?


Whilst all of the above might seem a lot, the operational benefits and improved client experience of reducing these periodic reviews appear to outweigh the effort involved. As illustrated in the diagram, such an exercise can have a material impact on effort (in this case a 45% decrease) without any impact on control effectiveness: trigger events pick up the issues, and most periodic reviews for low-risk customers don’t result in any changes anyway.

[Diagram: periodic review.png]

Of course, to strengthen your position you may want some independent assurance rather than doing the testing yourself. This improves the credibility of your business case and will help ensure you’re not leaving risks unmitigated. We can help with the assurance or any associated control enhancements. We’d love to hear from you if you’re in a similar position.
