20/10/2020 Risk management
Christian Steiner

Do you know your customer?

It seems as if a bank should know its customers – in the private as well as in the corporate customer segment – after all, you are the bank! A person enters a bank, meets the friendly bank advisor he or she knows, receives a consultation and applies to open an account. So far, so good.

For some years now, specialist articles and blog posts have been discussing the great need for banks and financial institutions to catch up when it comes to getting to know their customers better. They often think of innovative banking products, quality requirements in consulting, low access hurdles (i.e. access speeds à la eCommerce) … It is well known that this change is not easy for established banks – and younger private customers are increasingly switching to alternative banking products from FinTechs, which have an appropriate approach and fulfil dedicated customer needs. This is a development that will increase rather than decrease – and no doubt the world will continue to evolve in corporate banking as well. Numerous B2B FinTechs are already active on the market or are in the starting blocks. There is a demand for them; innovative lateral thinkers and technologically competent, creative designers can be found in equal measure: Artificial Intelligence is looking for banking product niches.

And yet, one can hardly believe it, all these developments have to meet classical, banking requirements and answer the following questions: Who is my customer and what is his creditworthiness?

The topic of creditworthiness can now be depicted “relatively simply”. The question: “What do we actually do with the existing creditworthiness?” should be in the foreground! Who do we accept in addition? How do we expand business? Which products and conditions lead to a deal? However, fraud and money laundering prevention is becoming increasingly exciting on the compliance side!

The legal basis for this is provided by the Money Laundering Act (GwG) with the Money Laundering Directive – in June of this year the EU announced the fifth directive with a further tightening of compliance requirements, including with regard to transactions with crypto-currencies. The EU member states must implement the requirements by 10 January 2020 at the latest. The compliance employees of banks and financial service providers are fully aware of the measures. This article therefore deals further with the digital implementation of these regulations and highlights in particular the success factors of compliance management as it is lived in practice.

The challenge lies in an automated, digital implementation!

A proactive and conscientious compliance manager often doesn’t have an easy everyday life. He or she is entrusted with the task of implementing and establishing Know-Your-Customer (KYC) processes in the organisation under the aspect of “digitalisation” (this buzzword is currently very much in vogue). Apart from her/him, only a few people know how much manual effort is involved in money laundering and fraud prevention.

It is a matter of breaking up processes that have been in place for many years, often unchanged or at least supplemented step by step with a set of rules. The know your customer (KYC) process in particular requires manual effort at the right place and the right address at the right time. Basically, the various areas affected by this – although it can cause friction now and then – pursue the same goal: the generation of profitable, secure and also “clean” business. Extending the processes that have been put in place to include further compliance-related steps is often time-consuming and costly and, because it is not sales-driven, unattractive and therefore difficult to accept across the organisation. It is therefore obvious that good compliance management for coping with operational activities must demonstrate patience as well as a high degree of sensitivity, which goes hand in hand with a high level of competence in communication and conflict management.

As pronounced as these characteristics may be, compliance management will only achieve its goal – the establishment of KYC processes in everyday operations – if the new measures actually have a positive effect on the departments and people involved. Positive in the sense of reducing administrative work, increasing transparency, speeding up work steps, increasing productivity, reducing costs and ensuring audit compliance. Consequently, the key lies in the automated and digital implementation of compliance requirements. Automation, correctly applied, basically means a reduction of complexity and an acceleration of work processes. As far as the implementation of the money laundering guidelines is concerned, the decisive aspect is of course the traceability and documentation of processes and decisions. Every transaction within the scope of money and credit transactions must be documented in such a way that it is transparent and can be made available on demand. Thus, corresponding cases should be made controllable and comprehensible.

The right data strategy – no challenge for the modern compliance officer

Basically everything sounds wonderful. Unfortunately, the described implementation of digital KYC processes cannot be done at the snap of a finger. And just because decisions and work steps in transaction processes are to be automated, they do not disappear. The challenge is to identify the actual money laundering and fraud attempts of companies – within the process and preferably automated. However, these cases are typically well and individually prepared. Patterns usually cannot be transferred from one case to another and cases only come to light when the damage has already been done. If you are confronted not only with individual natural persons, but also with legal entities, company networks and inconspicuous, obscure interests that are not easy to identify at first glance, the individual case processing can become very complex and digitisation is no longer an option. It is therefore necessary to identify the candidates and – if there is an obvious motivation for money laundering or other criminal activities – to avoid and report corresponding money and credit transactions.

But how can it be ensured that the right workflows are initiated and implemented, taking into account the existing circumstances of a bank? As one can already guess, data is a very important factor. Internal data, such as empirical values or historical transactions, are one part of it. These are enriched by external data. The basis for a successful KYC is already available from various providers, e.g. the well-known national and international credit agencies. These are recognised service providers with products that have been tested in accordance with the Money Laundering Act. Examples of these are SCHUFA, Creditreform, Bureau van Dijk and other providers. These are third parties recognised by the Federal Financial Supervisory Authority (BaFin); they have data and corresponding evaluation methods. The respective banks have been audited and positively certified, thus ensuring that the respective GwG products are suitable for use. Yes, these products cost money, but on balance this is worthwhile.

However, an important consideration must be the selection of the provider according to the bank’s own individual business processes. Questions to be considered within the scope of this selection process include:

  • How often should the customer be checked?
    • On application?
    • At regular intervals?
    • In the event of changes in the ownership structure?
    • In case of prolongations of the credit business?
  • How can the customer portfolio be checked quickly? Can we quickly identify the risk of individual markets – for example, if a country is suddenly threatened by sanctions?
  • Can we document individual cases and follow up decisions?
  • How much does the cross-border audit cost? Is it necessary?

These and other questions – essential for implementing the right data and technology strategy – lead to different answers depending on the banking company and financial services provider. A compliance team that proactively tackles the challenge of implementing KYC requirements in its own company has certainly already addressed this issue.

But how does automation/digitisation work?

Upgrading a new customer process and extending it to include a KYC test can be costly. A set of rules in the process helps to query and document the corresponding cases in parallel and automatically. The team of specialists can process individual cases and the customer advisor can devote his full attention to the customer. The fraudster / money launderer will have patience, because he is prepared. It is therefore up to the credit institution to identify the company – if necessary with a corresponding GwG report from a credit agency – and to link it to existing commitments and customer groups (borrower units).

This brings us to the next keyword: the borrower unit. I have heard many colleagues say: “We develop a model and sell it”. Great idea. In my opinion, this is only suitable for having a framework ready – because in reality, different customer structures, product structures and especially data households come together and then suddenly the issue is no longer so trivial – or the project effort is unexpected. And the benefit? We just want to be a bank!

Let’s reduce the question back to KYC.

  • Check the identity of the company!
  • Check the beneficial owner!
  • Decide whether the information is sufficient and whether the transaction is feasible!
  • Introduce a set of rules for the regular audit as well as a special audit for specific occasions!
  • Document in an audit-proof manner!

Doesn’t really sound like witchcraft, does it?


If we compare today with the situation 35 years ago, when digitisation took its first steps, we can see that digitisation is above all a big, long learning process. Learning processes are also characterised by the fact that they never end. Every day we experience something new, which we absorb in filtered form, whether we want to or not. This can be a lot of fun and motivating, but at the same time it also leads to an enormous amount of effort, which usually goes hand in hand with a great deal of responsibility. You, dear readers, can certainly tell a thing or two about it. Every company and every person has their own experiences.

Changes or investments are necessary in order to fulfil the legal requirements on the one hand and to protect one’s own company from financial damage on the other hand. An IT buyer once said: “Our parent company had to pay a fine of USD 500 million to the SEC in the USA a few months ago – this makes it easier for us to apply for a budget for this issue”.