A few years ago, when Panama Papers and other offshore leaks were the subject of news stories, I remember reading an article about a woman, a resident of a small island in the Caribbean, who was listed as a director of over 1200 companies. Many of those companies listed her addresses as post office boxes or other non-residential addresses, while a few listed unknown residences in the Channel Islands or the Caribbean. She also had a partner who was listed as a director of another 1000 or so legal entities, many of which were incorporated in jurisdictions known for their favorable tax rules. This story immediately sparked a thousand questions, mostly from a risk perspective.
How was she able to open a bank account in most jurisdictions?
Did she have to disclose herself as a beneficial owner/director of all 1200 companies?
How much time did it take her to open an account, as all of those 1200 companies would have to be validated by the financial institution opening the account?
At the time, most financial institutions relied solely on information provided by the customer to create their records and estimate the risk profile of the customer. So in this case, not disclosing directorship in any of these entities was not easily discovered, and thus the financial institution would likely record her as a low-risk resident of a quiet island in the Caribbean.
Years before this story developed, regulations were put in place that require financial institutions to accurately identify their customers and use a risk-based method to profile them (USA PATRIOT Act, EU AML directives, etc.). Identification of beneficial ownership has long been one of the requirements of customer identification and due diligence programs in order to prevent sanctioned entities and criminals from using shell companies to benefit from global financial markets.
In recent years, many regulators across the world released clarifications and improvements to existing identification and beneficial ownership requirements to keep up with the times. Some amended older regulations to clarify what is expected from due diligence, some merely encouraged financial institutions to use machine learning and AI in their AML programs. A notable example is the current Canadian regulation, PCMLTFA, which received an update in the summer of 2019. In some cases, this regulation allows customer identification using external sources and even further allows using identification data obtained by another entity to supplement accurate customer identification (Part 3 of the changes). A common trend across new regulations is to use a more comprehensive approach to KYC and AML, either via the use of technology or the use of external data sources.
Today financial institutions are beginning to use external data sources during their customer onboarding processes. The low-hanging fruit here includes using lists like OFAC SDN, which help organizations quickly compare a potential customer against sanctioned entities and individuals. Once sanctions screening is complete, the next most common step includes running a customer’s name against a politically exposed persons lists to identify any linkages to senior political figures, and checking for any negative mentions in media. While use of external data to enrich customer data is on the rise, even in 2019, a surprisingly low number of institutions use third-party systems and additional data sources to enrich customer data to get a more comprehensive view. Canadian financial institutions tend to be slightly ahead in this area, likely due to enhanced regulatory requirements. See chart below.
Now let’s take this one step further – and let’s imagine a comprehensive customer 360 view that can be achieved with further enrichment from external sources.
Individual data can be enriched using internal sources such as employee and supplier master data, while external sources like credit history and affiliate marketing data can be used to further enrich customer profiles for both compliance and sales purposes. Other third party enrichment options include:
Compare individual records to public data to gather a complete profile of the customer and ensure that your customer is a real person with a real address.
Enrich legal entity data using GLEIF or Dun & Bradstreet Hoovers data to clean and normalize legal entity names.
Look into public corporate records and address information to ensure that a legal entity is an actual business with an actual address. Obtaining legal entity parent information can speed up the quest to identify Ultimate Beneficial Ownership.
And lastly, run a quick search engine check to enrich your customer data with publicly searchable data to ensure no data point is left out.
Once all records are fully enriched with these datasets, more accurate golden records can be produced to be leveraged across the organization.
Using my original story, if any of the 1200 entities or the director herself decided to open an account at an institution powered by external reference data, it would have taken only moments to find those names in any of the offshore leaks database and identify all associated parties.