Blog

Enhanced Due Diligence: Ensuring KYC and Regulatory Scrutiny

  • Richard Marley
  • September 16, 2019
  • 7 minutes read
  • 2876
blog_image

Enhanced Due Diligence: The adoption of innovative solutions in businesses today, should not have the sole purpose of making profits. A broader vision is required that could abstractly look into the secondary dependencies that can impact a business. These dependencies vary from the third-party services and businesses to associated regulations and compliance requirements. Instead of limiting the focus on business revenue generation, knowledge of local regulations and guidelines should also be ensured. 

Customer identification and verification become a crucial step for businesses to meet the Know Your Customer (KYC) guidelines. While partnering with third parties and businesses, especially the financial institutions and banking industry who has a lot to deal with multiple other industries should ultimately comply with the need of knowing them fully. This serves as the primary step to curb the risks of harsh penalties and local regulatory fines.

A recent study shows that In the EU, regulatory fines can reach up to €20 million. This could be estimated to be 4% of the business annual revenue. Per violation, it costs about $1,000,000 in countries like Australia and Brazil. KYC compliance is the step that can deter the risks of such huge monetary loss. The banks when open new accounts for users need to conduct the Customer Due Diligence (CDD) process. This process ensures the identity of the user under certain KYC parametres. It includes the Anti-money Laundering (AML) background checks, terrorist financing, and checks for Politically Exposed People (PEPs) to ensure that any forbidden entity does not dare to be the part of the legitimate business.

Enhanced Due Diligence (EDD) is an advanced concept of CDD, the security perspectives and guidelines that are CDD do not cover are wrapped up by EDD. It ensures a high-level security potential that could impact the business directly or indirectly. The hidden security challenges, identity assurance, risk assessments, and evaluation are part of EDD. The high-risk privacy and security concerns are eliminated with EDD compliance at an organizational level. The monitoring and screening of entities and transactions reduce the chances of online fraud and payment scams. Also, introduce soundness and reliability in the business.

The intersection of Enhanced Due Diligence and KYC

EDD and KYC both fulfill the purpose of customer authentication. EDD policies intersect with KYC ensuring the rigorous onboarding process for the end-users. The data should be collected, examined and processed with responsibility and detailed auditing should be performed to keep track of the activities been performed in the system. Controlled data access should be done in order to limit the number of users accessing sensitive user data. In this way, there will be fewer chances of integrity interruption within the data. EDD requirements also assure KYC risks associated with each verification process, with individual risks calculation and assurance before further processing. Also, Identities should be verified against money laundering and counterterrorism checks that make sure the honest traffic on board. 

Under the hood of local regulatory compliances, EDD ensures the data privacy and protection rights associated with the user. User data privacy rights include the intentions for which data are collected, analyzed and processed. The time span to which data will be saved in the database and the tasks in which data will be used is also answered. The organizations that fail to comply with these laws are subjected to heavy lawsuits.

Regulatory Penalties Around the World

The comparison of data protection regulations around the globe is done, among which it is discovered that about 65% of countries have made amendments into their policies or have adopted the GDPR requirements when it was announced. Penalties can be demonstrated on the basis of local regulatory compliance by the countries and how they see it. This alignment of lawsuits can extend in case of non-compliance accordingly. The fines are not only applicable to the ones who undergo some cyberattack or data breach but it doles out to each individual business who does not comply with local regulators. Below are some of the countries and companies who are recently fined:

Germany: first fine Germany faced back in July 2018. A German social media network named Knuddles got hacked which compromised the information of more than 330,000 users which includes 808,000 email addresses and relevant passwords. The reason, this information got hacked was that Knuddles has stored the user information in plain text which is entirely against the GDPR law. The company this breach in September and blocked all the affected user accounts and informed those users. Due to this data breach, Knuddles was subjected to a small fine of €20,000, which was under debate by many people. Although local regulators find it totally proportional to the loss the company has made due to data breach. After this, the company put strong security measures to protect their system from similar and further incidents of a data breach.

Poland: Poland’s DPA subjected to a fine of €220,000 on April 1, 2019. A digital marketing agency, Bisnode failed to dole up with the requirements of GDPR. Bisnode scraps the data and process it, but without notifying the data subjects, which leads them to a heavy fine. As it is the GDPR law, that without the permission of subjects, user data cannot be used. Additionally, Bisnode was supposed to mail 6 million people in the next three months which cost them an extra €8 million. If this company has notified its end-users previously could avoid this heavy risk. 

Google: In January 2019, Google subjected to a heavy fine of €50 million. The violation of the requirements of GDPR was taken in notice when data subjects complaint about the inappropriate method of Google for asking consent from them. The lack of transparency is one of the key points of GDPR which was not fulfilled. According to GDPR, consent should be freely given, must be informed, must be granular and should involve affirmative action. But, Google failed to comply with all these specifications as the boxes for consent were pre-ticked which is not considered as valid consent.

How Enhanced Due Diligence help avoid Penalties?

One of the major challenges with EDD is to know how much information is required from a customer to verify the identity. Electronic checks are implemented by financial institutions that automate the tasks of verifying identities against money laundering and terrorist financing. These tasks are audited automatically which keeps the track of entities entering and leaving the system while screening them against multiple checks. Their activities are constantly monitored to avoid the chances of malicious actors being part of the system.

Online Identity Verification

Verify the onboarding customers using a bunch of necessary information which includes personal information i.e. name, date of birth, address, age, etc. (varies with the niche of businesses accordingly). This can reduce the risks of online fraud that take place every now and then with multiple faces.

Avoid Financial Crime

With EDD, dirty money can be prevented which includes the money from PEPs, terrorists, and money launderers. The necessary security precautions are covered by EDD due to which soundness and transparency in the system are ensured that deters the risks of financial crimes.

Clear Compliance Details

The compliance details of the company should be obvious. It is not necessary that a data breach explicitly shows how secure your software is, but the key step is complying with local regulators and privacy programs. In the business’ policies, all the compliant documentation should clearly mention the laws that are required by your specific business niche.