Know your customer well

Do you know your customer?

With the adoption of the fourth EU money laundering directive, financial institutions have taken on the obligation to apply measures appropriate to the compliance risk for the entire duration of the customer relationship in order to act against money laundering. These so-called due diligence obligations, which are essentially the responsibility of the compliance department, have a significant impact on the company's operational units. This is illustrated by the example of the Know Your Customer (KYC) process.

Legal framework conditions promote the risk-oriented approach

The fourth EU money laundering directive came into force on June 25, 2015, further strengthening the risk-based approach in the financial industry. The member states now have two years to implement the new regulations in national law. The most far-reaching change concerns the risk-based approach, which was already required in the third EU money laundering directive and is now being significantly upgraded. The task of compliance is to assess the money laundering risk of the individual customer and to define appropriate due diligence obligations for monitoring. The rule of thumb is: the higher the customer's potential risk, the more closely they must be observed.

The associated procedure is usually referred to as the KYC process, whereby a distinction is made between customer acceptance (onboarding customer due diligence) as a one-off event and ongoing monitoring (ongoing customer due diligence).

Onboarding Customer Due Diligence (CDD)

Establishing a new customer relationship has always been a central component of financial institutions. In addition to the classic topics such as personal identification, credit checks, embargo and sanction list checks or the origin of the funds to be invested, etc., the fourth EU money laundering directive takes up further aspects.

For corporate customers, this includes full evidence of the beneficial owner, including the type and scope of beneficial ownership. On the other hand, the elimination of positive lists for third countries and the reduction of the special position of domestic PEPs (Politically Exposed Persons) rule out automatic decisions in the assessment of the compliance risk and make an individual assessment necessary.

An important point is the creation of a target profile that, based on the information provided, reflects the expected future behavior of the customer. Statements about the number and amount of foreign transactions, the type and number of financial products to be used, etc. are stored there.

The data collected as part of this process is condensed into a number using a mathematical model, which quantifies the customer's compliance risk. Based on a classification into low, medium or high risk, simplified, general or enhanced due diligence obligations (enhanced CDD) are applied.

Ongoing Customer Due Diligence (CDD)

The one-time and recurring readjustment of this risk is incorporated into the operational systems and processes of the institution. With the increased duty of care, the monitoring of transaction behavior to detect anomalies related to money laundering becomes stricter and finer-grained, and the time cycles for the regular recalculation of the compliance risk become shorter (simplified due diligence up to five years, enhanced due diligence up to one year).

High-risk customers are also subject to a certain "management attention" in that the expansion of the business relationship desired by the customer, for example through the addition of new financial products or payment transactions, is subject to a specially defined approval process.

In this context, it is important that a spontaneous re-examination of the customer can take place at any time. This can be triggered, for example, by the inclusion of the customer on an embargo or sanction list or by deviations of the customer's behavior from their target profile, insofar as these increase the risk.
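The following Python script is an added illustration of the two halves of the process described above (the onboarding score with its low/medium/high classification, and the ongoing comparison against the target profile); it is not code from the article or from any institution. The scoring weights, the classification thresholds, the three-year review cycle for medium risk, the "twice the expected foreign transactions" and "1.5 times the expected maximum amount" tolerances, and the two sample customers are all assumptions constructed for the example; only the five-year and one-year cycles come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class TargetProfile:
    """Expected behaviour recorded at onboarding (the target profile)."""
    foreign_tx_per_month: float
    max_tx_amount: float
    products: FrozenSet[str]


@dataclass(frozen=True)
class Customer:
    customer_id: str
    is_pep: bool
    is_corporate: bool
    beneficial_owners_documented: bool
    high_risk_country: bool
    source_of_funds_verified: bool
    target: TargetProfile


@dataclass(frozen=True)
class Transaction:
    amount: float
    foreign: bool
    product: str


# Assumed weights of a toy scoring model; a real model is calibrated by compliance.
WEIGHTS = {"pep": 40, "high_risk_country": 30,
           "beneficial_owner_missing": 25, "source_of_funds_unverified": 20}


def risk_score(c: Customer) -> int:
    """Condense the onboarding findings into a single number."""
    score = 0
    if c.is_pep:
        score += WEIGHTS["pep"]
    if c.high_risk_country:
        score += WEIGHTS["high_risk_country"]
    if c.is_corporate and not c.beneficial_owners_documented:
        score += WEIGHTS["beneficial_owner_missing"]
    if not c.source_of_funds_verified:
        score += WEIGHTS["source_of_funds_unverified"]
    return score


def classify(score: int) -> Tuple[str, str, int]:
    """Map the score to (risk class, due diligence level, review cycle in years).
    Thresholds and the three-year medium cycle are assumptions."""
    if score >= 50:
        return "high", "enhanced", 1
    if score >= 20:
        return "medium", "general", 3
    return "low", "simplified", 5


def monitor(c: Customer, transactions: List[Transaction], months: int,
            sanctions_hit: bool, last_review: date, today: date) -> List[str]:
    """Ongoing CDD: return the reasons for a re-examination (empty = none).
    Only risk-increasing deviations count; fewer foreign transactions than
    expected is not a trigger."""
    reasons = []
    if sanctions_hit:
        reasons.append("customer appears on an embargo or sanction list")
    foreign_per_month = sum(1 for t in transactions if t.foreign) / months
    if foreign_per_month > 2 * c.target.foreign_tx_per_month:
        reasons.append(f"foreign transactions {foreign_per_month:.1f}/month exceed twice the target profile")
    largest = max((t.amount for t in transactions), default=0.0)
    if largest > 1.5 * c.target.max_tx_amount:
        reasons.append(f"largest transaction {largest:.0f} exceeds 1.5x the target profile")
    unexpected = {t.product for t in transactions} - set(c.target.products)
    if unexpected:  # expansion of the relationship goes through the approval process
        reasons.append(f"products outside target profile need approval: {sorted(unexpected)}")
    _, _, years = classify(risk_score(c))
    if today >= last_review + timedelta(days=365 * years):
        reasons.append(f"regular recalculation due ({years}-year cycle elapsed)")
    return reasons


def retail_case() -> List[str]:
    """Constructed sample: low-risk saver whose one large payment exceeds the profile."""
    c = Customer("C-1001", False, False, True, False, True,
                 TargetProfile(1, 5000.0, frozenset({"savings"})))
    tx = [Transaction(200.0, False, "savings"), Transaction(12000.0, True, "savings"),
          Transaction(300.0, True, "savings"), Transaction(400.0, True, "savings"),
          Transaction(150.0, True, "savings"), Transaction(90.0, True, "savings")]
    return monitor(c, tx, months=3, sanctions_hit=False,
                   last_review=date(2016, 1, 1), today=date(2016, 6, 1))


def corporate_case() -> List[str]:
    """Constructed sample: high-risk company, sanction hit, new product, review overdue."""
    c = Customer("C-2002", False, True, False, True, True,
                 TargetProfile(10, 250000.0, frozenset({"current_account", "trade_finance"})))
    tx = [Transaction(5000.0, True, "fx_trading"), Transaction(20000.0, False, "current_account")]
    return monitor(c, tx, months=1, sanctions_hit=True,
                   last_review=date(2015, 1, 1), today=date(2016, 3, 1))


if __name__ == "__main__":
    for name, reasons in (("retail", retail_case()), ("corporate", corporate_case())):
        print(name, reasons or "no action")
```

The retail saver scores 0 (low risk, simplified due diligence, five-year cycle) and is flagged only for the single oversized transaction; the corporate customer scores 55 (high risk, enhanced due diligence, one-year cycle) and collects three triggers: the sanction list hit, the product not in its target profile, and the elapsed review cycle.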

IT support - a critical success factor?

This process must be carried out for every customer: from private and investment customers who want to open a savings account or take out a loan, to wealth management customers who invest their assets worldwide, to global companies that use a variety of different financial products and services.

The CDD process will certainly depend on the respective customer segment, and therefore appropriately trained and experienced staff are required in the compliance department in order to discuss the necessary measures with the operational sales units and to respond to their concerns. Only then is an efficient implementation possible. Otherwise, compliance would quickly be perceived as a "sales obstacle" and meet with a lack of acceptance.

There will always be processes that require the specialist knowledge of compliance officers and can therefore only be carried out manually. For this reason, tool-supported implementation of the process is important wherever it is possible and sensible; otherwise the effort involved cannot be managed. For retail banks with several million customers in particular, automation is unavoidable in order to ensure complete inspection with the required quality.

KYC as an opportunity

As is so often the case, such legally motivated tasks are initially assessed as a "necessary evil" and thus more from a cost than a benefit perspective. By collecting the large amount of information and considering it over time, however, a new way of looking at the customer arises, which, from a reputation point of view, helps to avert possible damage to the institution. And the recent cases that have become public show that it is also economically worthwhile for many financial companies to seriously address this issue.

The KYC process will keep financial institutions very busy over the next few years. The "monolithic island" of compliance will be further dissolved as the interlocking with the operational units progresses and compliance is perceived as an integral part of the risk management of an institution. This is an opportunity to carry compliance as a whole into the company and anchor it there.

In doing so, companies can take advantage of the leeway that the legislative authorities allow for practical implementation. However, they should take the issue seriously: companies that violate the extended inspection obligations must reckon with severe sanctions and fines (up to five million euros or ten percent of total annual turnover), not counting the associated loss of reputation.

And the checks won't be limited to customers. In the area of correspondent banks, the topic of "Know Your Customer's Customer" is increasingly coming into focus. The same applies to the examination of third parties (suppliers, service providers, joint venture partners, etc.). Legally motivated by the UKBA (UK Bribery Act) and the American FCPA (Foreign Corrupt Practices Act), the question of who the (global) company works with is of great importance from a reputation point of view.