The general purpose of segregation of duties is to mitigate the operational risks of error, conflict of interest and fraud, by distributing the tasks associated with a specific business process among multiple independent participants.
Segregation of duties in the KYC process aims at preventing error, oversight and fraud, and ensuring:
- The integrity of information and documentation.
- A fair and unbiased risk assessment.
- An informed and appropriate decision on client onboarding and recertification.
- An effective first- and second-level control setup.
Underestimating the client risk may lead to unwanted exposure to AML, CFT, corruption and sanctions risks. Overestimating the client risk may result in unjustified negative decisions impacting business performance. Segregation of duties aims at avoiding both situations.
The following role overview describes a generic task assignment. Some of these tasks may not be required in all situations:
- The precise task assignment may be adapted to the Businesses’ organization and level of automation (§3.3).
- In smaller BUs, Compliance may validate limited departures from the standard segregation of duties between the Business teams. At a minimum, the four-eye principle should be complied with.
3.2 Role overview
3.2.1 Relationship manager
The RM bears the primary responsibility for ensuring adequate client due diligence and exercising constant vigilance over the business relationship.
In some cases (non-resident accounts, mutualized coverage), the RM may be attached to a BU that is different from the BU where the client is to be onboarded or recertified, provided (s)he is fully enabled to exercise his/her responsibility, including constant vigilance, and local regulation does not prohibit such arrangements.
Information and documentation collection
The RM’s ability to make decisions is subject to a full implementation of the segregation of duties principles, particularly an independent KYC Operations team in charge of directing each file to the appropriate decision level, and reporting decisions to Management.
Compliance at the OPs or Businesses level may further restrict the scope of this principle or constrain its framework, e.g. by authorizing only selected RMs (excluding the most junior ones) and/or by setting up a sample-based managerial control over the decisions made by the RMs.
3.2.2 KYC Operations
This term refers to any team or department that is independent from the RM and purely in charge of an operations role. Therefore, the RM’s assistant or direct support does not qualify as the KYC Operations team. The RM and the KYC Operations team may however share the same ultimate reporting line, so long as there is independence from the Front Office and there is no direct or indirect incentive for the KYC Operations team to act favorably with respect to any client onboarding, file review or recertification.
Information and documentation collection
Some of these tasks may be performed by an automated workflow system.
3.2.3 First-level control
The organization of 1st-level control depends on the Business internal control policy and the size of the BUs. 1st-level control is ideally performed by a dedicated department that is independent from both the RM and the KYC Operations team. However, it may also be performed within the KYC Operations team, by its Manager or by a distinct group. In the smallest BUs, a given staff member may perform both operational and control tasks, provided (s)he never performs controls on the files to which (s)he has contributed.
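The constraints stated above (independent KYC Operations in §3.2.2, no self-control in §3.2.3, decision by BU Management or an authorized RM, and the four-eye principle) can be checked mechanically on each file before it is routed to a decision level. The following Python check is an added illustration, not part of this policy or of any Business's tooling; the Person/KycFile data model, the role labels and the names are assumptions constructed for the example.

```python
"""Segregation-of-duties check for a KYC file (added illustration, assumed data model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Person:
    name: str
    role: str                             # "RM", "RM_ASSISTANT", "KYC_OPS", "CONTROL", "BU_MGMT"
    supports: Optional[str] = None        # RM_ASSISTANT only: the RM this person supports
    rm_decision_authorized: bool = False  # RM selected by Compliance to decide on own files


@dataclass
class KycFile:
    client: str
    rm: str              # relationship manager in charge of the relationship
    collectors: Set[str]  # persons who collected information and documentation
    kyc_ops: str         # person who directed the file to the decision level
    controller: str      # first-level control
    decider: str         # person validating onboarding / recertification


def contributors(f: KycFile) -> Set[str]:
    """Everyone who worked on the file before control and decision."""
    return {f.rm, f.kyc_ops} | set(f.collectors)


def check_segregation(f: KycFile, people: Dict[str, Person]) -> List[str]:
    """Return the list of segregation-of-duties violations (empty list = compliant)."""
    violations: List[str] = []
    ops = people[f.kyc_ops]

    # Rule 1: KYC Operations is independent from the RM. The RM's assistant or
    # direct support does not qualify, so only a KYC_OPS role is accepted.
    independent_ops = ops.role == "KYC_OPS" and f.kyc_ops != f.rm
    if not independent_ops:
        if ops.role == "RM_ASSISTANT" and ops.supports == f.rm:
            violations.append(f"{f.kyc_ops}: assistant of RM {f.rm} acting as KYC Operations")
        else:
            violations.append(f"{f.kyc_ops}: KYC Operations actor is not independent from RM {f.rm}")

    # Rule 2: the first-level controller never controls a file (s)he contributed to.
    if f.controller in contributors(f):
        violations.append(f"{f.controller}: controls a file (s)he contributed to")

    # Rule 3: decision by BU Management, or by the RM only when authorized AND the
    # file was directed by an independent KYC Operations team.
    dec = people[f.decider]
    rm_may_decide = (dec.role == "RM" and f.decider == f.rm
                     and dec.rm_decision_authorized and independent_ops)
    if dec.role != "BU_MGMT" and not rm_may_decide:
        violations.append(f"{f.decider}: not entitled to decide on this file")

    # Rule 4: four-eye principle, at least two distinct persons on the file.
    if len(contributors(f) | {f.controller, f.decider}) < 2:
        violations.append("four-eye principle not met: a single person handled the file")

    return violations


# Constructed sample staff (assumed names and roles).
PEOPLE: Dict[str, Person] = {p.name: p for p in [
    Person("alice", "RM"),
    Person("frank", "RM", rm_decision_authorized=True),
    Person("erin", "RM_ASSISTANT", supports="alice"),
    Person("bob", "KYC_OPS"),
    Person("carol", "CONTROL"),
    Person("dave", "BU_MGMT"),
]}


def run_examples() -> Dict[str, List[str]]:
    """Three constructed files: one compliant, one breaking three rules, one RM-decided."""
    compliant = KycFile("ACME Ltd", rm="alice", collectors={"alice"},
                        kyc_ops="bob", controller="carol", decider="dave")
    # Assistant acting as KYC Ops, controller who contributed, unauthorized RM deciding.
    non_compliant = KycFile("Globex SA", rm="alice", collectors={"alice"},
                            kyc_ops="erin", controller="erin", decider="alice")
    # Authorized RM deciding on a file directed by independent KYC Ops: allowed.
    rm_decides = KycFile("Initech", rm="frank", collectors={"frank"},
                         kyc_ops="bob", controller="carol", decider="frank")
    return {
        "compliant": check_segregation(compliant, PEOPLE),
        "non_compliant": check_segregation(non_compliant, PEOPLE),
        "rm_decides": check_segregation(rm_decides, PEOPLE),
    }


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, "->", result or "OK")
```

The check is deliberately conservative: any actor without the KYC_OPS role fails the independence rule, so an RM's assistant is rejected whoever (s)he supports, and the RM's decision right is only honoured when the independence of KYC Operations holds on the same file, mirroring the condition stated in §3.2.1.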
3.2.4 Business Unit Management
The BU’s Management validates the client onboarding or recertification, after due diligence is complete, except when the RM is authorized to make the decision. When a CAC is required, the BU’s Management chairs the committee. The BU’s Management may delegate its authority under certain conditions (§3.2.2).
When approving PEPs or client banks to which correspondent banking services are offered, the BU’s Management must be empowered to represent the affiliate’s executive body.
3.2.5 Compliance
- Ensures a permanent advisory role vis-à-vis the Business.
- Confirms the client’s risk level as the case may be.
- Validates the risk level recommended by the RM when different from the one given by the scoring.
- Is involved in the decision process or participates in CACs, as the case may be.
- May impose conditions on the acceptance or continuation of a business relationship.
- Holds ultimate veto power over onboarding and recertification decisions (§7.2.3).
- Ensures the 2nd-level control.
3.2.6 Inspection Générale
Inspection Générale ensures the 3rd-level control mission.
3.2.7 Information systems
Information systems play an important role in risk management and mitigation by structuring the process, securing information, and automating tasks. More specifically, Businesses should maintain:
- A database for automating the Global Recertification Program (GRP – §9.2.1) and the key risk indicators.
- An electronic content management system for securing information and documentation and making them available for further queries.
- A scoring system.
3.3 Specific business models
Retail banking, some specialized Businesses as well as B2B2C models:
- Do not necessarily manage business relationships individually, i.e. their clients are not assigned to RMs. In this case, the information and documentation collection is managed by the KYC Operations team or equivalent.
- May rely on authorized intermediaries (as per KYI – Know Your Intermediary – policies) to collect information from clients. The Business remains in charge of the risk assessment and the client onboarding and recertification.
- May operate an automated or semi-automated, internet-based onboarding process, where the client inputs the required information, and the system performs automatic completion and consistency checks. The KYC Operations team may need to complement these checks, particularly in relation to the verification of the client’s identity. In the absence of any anomaly or risk factor, the client may be deemed accepted.