3 Segregation of Duties

3.1 Principles

The general purpose of segregation of duties is to mitigate the operational risks of error, conflict of interest and fraud, by distributing the tasks associated with a specific business process among multiple independent participants.

Segregation of duties in the KYC process aims at preventing error, oversight and fraud, and ensuring:

  • The integrity of information and documentation.
  • A fair and unbiased risk assessment.
  • An informed and appropriate decision on client onboarding and recertification.
  • An effective first- and second-level control setup.

Underestimating the client risk may lead to unwanted exposure to AML, CFT, corruption and sanctions risks. Overestimating the client risk may result in unjustified negative decisions impacting business performance. Segregation of duties aims at avoiding both situations.

The following role overview describes a generic task assignment. Some of these tasks may not be required in all situations:

  • The precise task assignment may be adapted to the Businesses’ organization and level of automation (§3.3).
  • In smaller BUs, Compliance may validate limited departures from the standard segregation of duties between the Business teams. At a minimum, the four-eye principle should be complied with.

3.2 Role overview

3.2.1 Relationship manager

The RM bears the primary responsibility for ensuring adequate client due diligence and exercising constant vigilance over the business relationship.

In some cases (non-resident accounts, mutualized coverage), the RM may be attached to a BU that is different from the BU where the client is to be onboarded or recertified, provided (s)he is fully enabled to exercise his/her responsibility, including constant vigilance, and local regulation does not prohibit such arrangements.

Process initiation
  • Initiates the KYC process for prospective clients.
  • Reports on client-related events that may trigger a recertification.
  • Exercises constant vigilance and immediately reports any known or suspected adverse information, suspicions or integrity concerns that develop during the course of the relationship, as well as any other factors indicating that an increase in risk level or due diligence level may be appropriate.
  • Cannot change the periodic recertification due date or postpone its initiation.
Information and documentation collection
  • Contributes to the information and documentation collection – specifically, the items of a non-public nature that require a face-to-face meeting with the client.
  • Cannot alter the collected information and documentation.
  • Contributes to the materiality assessment and mitigants of adverse information, but does not make the final assessment and cannot alter the reports filed by the KYC Operations team.
  • Assists in identifying a PEP’s position in the client organization.
  • Is usually not involved in the name checks.
Risk assessment
  • Is not involved in the scoring calculation.
  • May propose, but not decide on, a risk level that is different from the one given by the score.
Decision
  • Proposes the client onboarding or recertification, and may decide on lower risk files.

The RM’s ability to make decisions is subject to a full implementation of the segregation of duties principles, particularly an independent KYC Operations team in charge of directing each file to the appropriate decision level, and reporting decisions to Management.

Compliance at the OPs or Businesses level may further restrict the scope or constrain the framework of this principle, by authorizing selected RMs, e.g. to exclude the most junior ones, and/or by setting up a sample-based managerial control over the decisions made by the RMs.

3.2.2 KYC Operations

This term refers to any team or department that is independent from the RM and purely in charge of an operations role. Therefore, the RM’s assistant or direct support does not qualify as the KYC Operations team. The RM and the KYC Operations team may however share the same ultimate reporting line, so long as there is independence from the Front Office and there is no direct or indirect incentive for the KYC Operations team to act favorably with respect to any client onboarding, file review or recertification.

File handling
  • Generally manages the KYC file.
  • Monitors the file completion and the integrity of information.
Process initiation
  • Initiates a targeted file review or a full recertification following trigger events.
  • Initiates a full recertification based on the file’s due date.
Information and documentation collection
  • Contributes to the information and documentation collection – specifically, the items of a public nature or internal to the Business that do not require a face-to-face meeting with the client, although some Businesses may allow such meetings.
  • Checks all appropriate names against sanctions and PEP lists as well as any other applicable lists.
  • Performs adverse information searches and assesses their materiality.
Risk assessment
  • May run the scoring system, and files the score.
Decision
  • Coordinates the decision process.
  • Organizes CACs for HR files and other specific cases.
  • Prepares and submits files to Compliance or a CAC, as appropriate.
  • The KYC Operations manager may be empowered to recertify Low Risk files, when specifically authorized in the applicable client segment policy.
  • Monitors the approval conditions.

Some of these tasks may be performed by an automated workflow system.

3.2.3 First-level control

The organization of 1st-level control depends on the Business internal control policy and the size of the BUs. 1st-level control is ideally performed by a dedicated department that is independent from both the RM and the KYC Operations team. However, it may also be performed within the KYC Operations team, by its Manager or by a distinct group. In the smallest BUs, a given staff member may perform both operational and control tasks, provided (s)he never performs controls on the files to which (s)he has contributed.

3.2.4 Business Unit Management

The BU’s Management validates the client onboarding or recertification, after due diligence is complete, except when the RM is authorized to make the decision. When a CAC is required, the BU’s Management chairs the committee. The BU’s Management may delegate its authority under certain conditions (§3.2.2).

When approving PEPs or client banks to which correspondent banking services are offered, the BU’s Management must be empowered to represent the affiliate’s executive body.

3.2.5 Compliance

  • Ensures a permanent advisory role vis-à-vis the Business.
  • Confirms the client’s risk level as the case may be.
  • Validates the risk level recommended by the RM when different from the one given by the scoring.
  • Is involved in the decision process or participates in CACs, as the case may be.
  • May impose conditions on the acceptance or continuation of a business relationship.
  • Holds ultimate veto power over onboarding and recertification decisions (§7.2.3).
  • Ensures the 2nd-level control.
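The restrictions on the RM (§3.2.1), the independence of first-level control (§3.2.3), the four-eye principle (§3.1) and Compliance's validation of a risk-level override (§3.2.5) can be enforced as a deny-by-default authorization check in a workflow system. The following Python is an added illustration, not part of the policy; the role and action names and the file model are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Roles named in the policy; the constant names are constructed for this example.
RM, KYC_OPS, CONTROL_L1, COMPLIANCE, BU_MGMT = "RM", "KYC_OPS", "CONTROL_L1", "COMPLIANCE", "BU_MGMT"

# Role-to-action matrix: any (action, role) pair not listed is denied (least privilege).
ALLOWED = {
    "change_due_date": {KYC_OPS},            # RM cannot change or postpone the due date
    "alter_collected_data": {KYC_OPS},       # RM cannot alter collected information
    "run_scoring": {KYC_OPS},                # RM is not involved in the scoring
    "propose_risk_override": {RM},           # RM may propose, not decide, a different level
    "validate_risk_override": {COMPLIANCE},  # Compliance validates the RM's proposal
    "first_level_control": {CONTROL_L1, KYC_OPS},
    "decide_low_risk": {RM, KYC_OPS, BU_MGMT},
    "decide": {BU_MGMT},
}

@dataclass
class KycFile:
    contributors: Set[str] = field(default_factory=set)  # user ids that have worked the file
    proposed_override: Optional[str] = None              # risk level proposed by the RM
    override_validated: bool = False                     # set only by Compliance

def check(user: str, role: str, action: str, f: KycFile) -> Tuple[bool, str]:
    """Return (allowed, reason) for `user` acting in `role` on file `f`."""
    if role not in ALLOWED.get(action, set()):
        return False, f"{role} may not {action}"
    if action == "first_level_control" and user in f.contributors:
        return False, "controller contributed to this file"            # §3.2.3 independence
    if action in ("decide", "decide_low_risk"):
        if f.proposed_override and not f.override_validated:
            return False, "risk override awaits Compliance validation"  # §3.2.5
        if not (f.contributors - {user}):
            return False, "four-eye principle: no independent contributor"  # §3.1
    return True, "ok"

def apply(user: str, role: str, action: str, f: KycFile, level: Optional[str] = None) -> bool:
    """Run check(); on success record the user's involvement and the action's effect."""
    ok, _ = check(user, role, action, f)
    if ok:
        f.contributors.add(user)
        if action == "propose_risk_override":
            f.proposed_override = level
        if action == "validate_risk_override":
            f.override_validated = True
    return ok
```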

3.2.6 Inspection Générale

Inspection Générale ensures the 3rd-level control mission.

3.2.7 Information systems

Information systems play an important role in risk management and mitigation by structuring the process, securing information, and automating tasks. More specifically, Businesses should maintain:

  • A database for automating the Global Recertification Program (GRP – §9.2.1) and the key risk indicators.
  • An electronic content management system for securing information and documentation and making them available for further queries.
  • A scoring system.

3.3 Specific business models

Retail banking, some specialized Businesses as well as B2B2C models:

  • Do not necessarily manage business relationships individually, i.e. their clients are not assigned to RMs. In this case, the information and documentation collection is managed by the KYC Operations team or equivalent.
  • May rely on authorized intermediaries (as per KYI – Know Your Intermediary – policies) to collect information from clients. The Business remains in charge of the risk assessment and the client onboarding and recertification.
  • May operate an automated or semi-automated, internet-based onboarding process, where the client inputs the required information, and the system performs automatic completion and consistency checks. The KYC Operations team may need to complement these checks, particularly in relation to the verification of the client’s identity. In the absence of any anomaly or risk factor, the client may be deemed accepted.