7 November 2015, Bachir El Nakib (CAMS) Senior Consultant Compliance Alert LLC


The Know-Your-Customer (KYC) deficiencies is one of the significant compliance problems facing financial services institutions and wealth management priivate bankers. 

Do you know your customer? You better, if you’re a financial institution (FI) or you face possible fines, sanctions and maybe even public ridicule if you do business with a money launderer or terrorist. More importantly, it’s a fundamental practice to protect your FI from fraud and losses due to illegal funds and transactions.

“KYC” refers to the steps taken by a financial institution (or business) to:

  • Establish customer identity
  • Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
  • Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities

To create and run an effective KYC program requires the following elements:

1) Customer Identification Program (CIP)

How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 13 million US consumers and accounting for 15 billion dollars stolen in 2015. If you’re a US financial institution, it’s more than a financial risk; it’s the Law.

The CIP mandates that any individual conducting financial transactions needs to have their identity verified. As a provision in the Patriot Act, it’s designed to limit money laundering, terrorism funding, corruption and other illegal activities. The desired outcome is that financial institutions accurately identify their customers:

A critical element to a successful CIP is a risk assessment, both on the institutional level and on procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level.

2) Customer Due Diligence

For any financial institution, one of the first analysis made is to determine if you can trust a potential client. You need to make sure any potential customer is worthy; customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and corrupt Politically Exposed Persons (PEPs).

There are three levels of due diligence:

  • Simplified Due Diligence (“SDD”) are situations where the risk for money laundering or terrorist funding is low and a full CDD is not necessary. For example, low value accounts or accounts where checks are being on other levels
  • Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and asses the risks associated with that customer.
  • Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. In the end, while some EDD factors are specifically enshrined in a countries legislations, it’s up to a financial institution to determine their risk and take measures to ensure that they are not dealing with bad customers.

3) Ongoing Monitoring

It’s not enough to just check your customer once, you need to have a program that knows your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.

The OSC, along with the Canadian Securities Administrators (CSA), have published numerous regulatory guidelines outlining their expectations for KYC, Know-Your-Product (KYP) and suitability obligations in recent years. The requirements in those areas for registered firms in Canada. In 2014, the CSA published a Staff Notice 31-336 to provide additional guidance to registrants in the three areas as well as instructions on how to comply with the regulatory requirements.

Repeated KYC, KYP and suitability issues 

Many of the KYC-related deficiencies identified in the report are categorized as repeat deficiencies identified by the OSC during its annual reviews of registrants every year.

A common KYC deficiency cited by the OSC concerns a failure to collect sufficient client information. At the most basic level, some registrants failed to collect sufficient information from clients to establish their identity. Advisers and firms also encountered issues in classifying clients as accredited investors, due to a failure to collect information needed to conduct a suitability analysis.

The regulator also observed that some firms had trouble demonstrating that they had complied with KYC, KYP and suitability regulatory requirements. During reviews conducted by the CRR, the regulator observed that some firms failed to document business activities and client transactions; in other instances, these records were not up-to-date or were not readily accessible. 

Inadequate annual compliance reports could explain why KYC, KYP and suitability deficiencies continue to go unchecked at registered firms. In its report, the OSC noted that it often could not find any evidence that an annual compliance report, detailing the firm's compliance with securities laws, was submitted to a firm's board of directors. As a result, the OSC could not determine whether the firm's senior managers had assessed their firm's compliance program, or were even aware of any deficiencies, including KYC, KYP and suitability issues. 

Warnings and enforcement actions

The OSC has repeatedly warned exempt market dealers on KYC and suitability compliance deficiencies. Previous inspections carried out by the regulator found that nearly two-thirds of exempt market dealers that were inspected failed to collect or maintain adequate information on clients. 

Compliance reviews carried out by CRR staff have also resulted in enforcement action, ranging from requirements that firms provide the OSC with detailed remedial plans to suspension of registration and referral to the regulator's enforcement branch.

Between April 2014 and March 2015, CRR staff at the OSC initiated a total of 64 actions against registrants. Eight of those involved violations serious enough to refer to the OSC's enforcement branch. A majority of the misconduct named in the report involved KYC, KYP and suitability failings.

Relying on third parties to conduct KYC was among the more serious deficiencies identified by CRR staff in 2014. During a compliance review of Sloane Capital Corp and Freedman, an exempt market dealer, CRR staff found that the firm routinely failed to conduct adequate KYC. Advisers at the firm did not meet with clients to obtain KYC information prior to making trades and relied on representatives of the issuer to conduct KYC. Similarly, in another case, a portfolio manager had accepted referrals from unregistered financial planners and relied on these individuals to meet with clients to collect KYC information. 

Suggested practices

An initial guide to meeting regulatory KYC expectations of the OSC and the CSA is outlined in CSA Staff Notice 31-336. Additionally, the OSC has included a number of best-practice tips in the annual summary report outlining findings from reviews conducted by CRR staff. 

Registrants are expected to become personally acquainted with clients with the aim of obtaining thorough understanding of a client's personal and financial circumstances. As such, delegating the collection of KYC information to third parties, especially unregistered individuals, is almost guaranteed to raise red flags with securities regulators during compliance reviews. 

Asking clients to fill out a "tick the box" form without an understanding of their personal and financial circumstances is unlikely to be considered adequate for suitability assessments, thus supporting the need for advisers to engage clients in detailed conversation about their investment needs.
When making suitability assessments, registrants need to have adequate client information to determine whether certain investments are suited to a client's risk profile. To do so, financial advisers need to have a solid understanding of a client's life circumstances, investment goals and attitude towards financial risk, among other considerations. These factors may change over time, giving rise to the need to review and update KYC information on a regular basis. 

KYC information should be updated annually, at minimum. During a KYC review, advisers are required to evaluate whether a client's life circumstances or a significant change in market conditions have affected their suitability for certain investments such as exempt securities. As a best practice, any changes should be recorded in writing and signed off by the client and the adviser. 

Firms are also well advised to ask registered advisers to keep written records of information collected during a KYC consultation with a client and clear records of any updates or changes to a client's KYC file. Maintaining documentation that is easily accessible enables registrants to demonstrate to regulators that they have conducted KYC in compliance with regulatory requirements.

Accurate and up-to-date KYC records are a crucial part of any registered firm's compliance program. Advisers are increasingly expected to demonstrate that they have complied with suitability rules in selling exempt securities to accredited investors. Maintaining adequate documentation to support suitability analysis for trades enables registrants to be able to account to regulators. 

In addition to managing suitability assessments, maintaining robust KYC practices also play a role in mitigating regulatory risks pertaining to anti-money laundering (AML) reporting requirements. Securities dealers in Canada are required to have a compliance program in place to provide reports to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). To satisfy regulatory requirements, firms must collect adequate KYC information to ascertain the identity of their clients and maintain accurate records of such information.

While FINTRAC has yet to pursue high profile enforcement actions against investment firms, AML regulatory scrutiny may be on the horizon. Earlier this year, the Canadian government published a highly critical assessment of AML controls at Canadian banks. The report has generated much debate and could spur regulators to pay closer attention to KYC practices and AML compliance measures at financial firms.


Helen Chan is a regulatory intelligence and e-learning expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence. Email Helen

Download File