Alison Lee

The Legal Team Template of the Week – Responsible Sourcing Programme

Dear Readers,



In today’s world it is all about responsible living and doing the right thing.

So, this week’s topic is all about how to source responsibly, in a conscious and in a sustainable manner.



Responsible Sourcing Policy

In order to establish a Responsible Sourcing Programme, one needs to develop a Responsible Sourcing Policy; a written statement that clearly articulates your organization’s commitment to sourcing responsibly, in line with recognized principles and standards, especially when your organization sources goods or products from conflict-affected and high-risk areas (CAHRAs), i.e., from areas characterised by the presence of armed conflict, widespread violence, or other risks of harm to people.

The Responsible Sourcing Programme helps ensure that all relevant stakeholders are aware of the Organization’s commitment to responsible sourcing, which will be reflected in its various business procedures and sourcing decisions.

The Programme must meet international expectations and should be consistent with the Due Diligence Guidance for Responsible Supply Chains as laid down by the Organisation for Economic Co-operation and Development (OECD).

Appointing a Compliance Officer

A dedicated “compliance officer” should be appointed, to be responsible for establishing and implementing the Organization’s Responsible Sourcing Programme, as well as for due diligence in the Organization and for reporting (if applicable).

In many cases, especially for small and medium-scale companies, this “compliance officer” may be the owner of the company.

The “compliance officer” should also be responsible for reviewing relevant policies and procedures every year to ensure the Organization continues to comply with any changes to relevant laws and regulations.

Creating the Responsible Sourcing Policy Document

A Responsible Sourcing policy document relevant to the scope of the Organization’s business(es) should be created. It should cover the materials applicable to the business, and the complexity of the business’ supply chains.

This policy should be appropriate for the Organization and its business, and need not be complicated or detailed. It should be very clearly understood by suppliers and stakeholders, and implementation of the policy should be verifiable through transaction documentation.

Documented Terms of Business with Suppliers and Policy Statements

An organization should be able and ready to supply to interested parties its Responsible Sourcing Policy Document, describing to them the principles that have been applied and the procedures that have been put in place.

The Organization should have documented terms of business with suppliers and policies and procedures in place which include the Organization’s Responsible Sourcing Policy.

The compliance officer should establish and communicate to suppliers and external stakeholders the Organization’s Policy for responsible practices through the supply chain.

Members of the participating industries should be able to demonstrate through transaction documentation that these terms of business and policies have been implemented throughout their business, through documentation such as invoices, warranty statements, delivery notes, product certificates, etc.

Suppliers should acknowledge receipt and commit to meeting the expectations set out in the Policy.

To do this, the Organization should consider requesting its suppliers to attest in writing that they will comply with the requirements set out in the Policy. It is important to make the requirements part of its supplier contractual obligations.


Introduction to Supply Chain Due Diligence

Due diligence is a continual process of collecting information about counterparties in your supply chain, in order to identify, prevent and mitigate risks with which a business may be associated. It is an on-going, proactive and reactive process.

Organizations, companies and businesses have a responsibility to demonstrate that they enter into business relationships with individuals and commercial entities that are respectful of the law, and that they all uphold the same governance, social, and environmental commitments.

This is done by doing due diligence, which at the minimum should include:

  • Ensuring that business partners are legitimate and conduct business in compliance with the law;
  • Engaging business partners and communicating the Organization’s commitments and expectations upon entering into, and throughout, a business partnership;
  • Identifying, assessing and mitigating risks associated with the business partners’ activities and sourcing practices;
  • The continuous monitoring of all of the above.

Supply Chain Due Diligence Procedures

Organizations should develop or obtain a systematic and demonstrable due diligence procedure to understand and map their supply chains as far as possible. It should include clear identification of their own suppliers, Know Your Counterparty (KYC) details, terms of business and any proof of provenance of materials, such as certificates, invoices, blockchain verification, etc.

To understand properly who their suppliers are and how they operate, it will be necessary to obtain documented materials, such as company registrations, and to study the suppliers’ websites, etc. Written terms of business should be prepared and as much documentation as possible obtained about the provenance of products and/or materials.

A company’s Responsible Sourcing and/or supply chain policy should be incorporated into contracts and/or agreements with all suppliers.

Risk Assessment Process

As part of understanding its supply chain, the Organization should undertake a risk assessment designed to identify any potential threats in that supply chain that may impact negatively on its Responsible Sourcing Policy.

The Organization should also assess the risk of any adverse impacts in the supply chains for each good, product, commodity or material. For example, this could involve assessing whether the supply chain may be infiltrated by material sourced from an area of conflict.

There should be a formal methodology for identifying risks in the supply chain. There are a number of ways of conducting risk assessments, either based on specialist skills that the Organization has in-house, or by contracting services from external parties.

Risk Mitigation Plans

If any risks are identified, an organization should design and implement a strategy and action plan to respond to them, and undertake more detailed due diligence on that supply chain.

Such actions may include:

  • Reporting findings of the supply chain risk assessment to designated members of the senior management of the Organization, even if the findings are that there are no identified risks.
  • Devising and adopting a risk management plan. This should be a strategy for responding to identified risks that is consistent with the responsible sourcing and/or supply chain policies, and appropriate to the type and scale of the risks and the Organization’s position along the supply chain. The plan may involve continuing to trade throughout the course of a measurable risk mitigation effort, or conversely temporarily suspending trade while pursuing ongoing measurable risk mitigation. It may require disengaging with a supplier or suppliers after failed attempts at mitigation or where the Organization deems risk mitigation not feasible or unacceptable.
  • Implementing the risk management plan, monitoring and tracking performance of risk mitigation efforts, and reporting back to designated senior management.
  • After a change of circumstances, conducting additional fact and risk assessments for further risks that may require mitigation.

Third Party Audits

Depending on the Organization’s position in the supply chain, where possible, the Organization may carry out or support independent third-party audits of supply chain due diligence at identified points in the supply chain.

Supply chains can be long, highly complex and characterised by low visibility.

This can make it difficult to determine which suppliers to assess, and conducting assessments of due diligence processes of multiple suppliers can be a costly endeavour.

A solution could be conducting third-party verification or audits at identified points in the supply chains.

This may help avoid audit fatigue, both for those carrying out the audits and those who are subject to them.

Reporting Supply Chain Due Diligence

Where possible, the Organization should report on its supply chain due diligence, for example on its websites, and in corporate social responsibility or annual reports.

A report does not have to be long or complicated but must be appropriate to the size of the business and its exposure to risk. It should include the following information:

  • The responsible sourcing or supply chain policy
  • The due diligence system implemented, including a summary of the methodology adopted and the results of the risk assessment
  • Where risks are identified, a summary of the risk management plan and of the actions taken to mitigate risks and whether improvement was made towards eliminating such risks.


Introduction to Know Your Counterparty (KYC) & Anti-Money Laundering

To help prevent, mitigate, and manage risks that undermine responsible sourcing, Organizations should collect, verify and archive information on their customers, suppliers, contractors and other third parties with whom they conduct business regularly. These measures, called Know Your Customer/Counterparty (KYC), are considered a first step for conducting due diligence.

Organizations should apply KYC to their supply chains, establishing wherever possible the identity of all organisations with which they deal, having a clear understanding of their business relationships, and having a reasonable ability to identify and react to transaction patterns appearing out of the ordinary or suspicious.

A key objective of KYC is for the Organization to demonstrate that it has carried out checks on its counterparties, if only to rule out their association with any money laundering or illicit activities. The expectation is that reasonable effort should be taken to complete these checks, commensurate with the size and nature of the business.

Money laundering is the illegal process of concealing the origins of money that is generated by criminal activity.

“Dirty” money is “laundered” by passing it through a complex sequence of bank transfers or commercial transactions in order to hide its origins.

The laundering process aims to make “dirty money,” generated by criminal activities, look “clean,” as if it comes from a legitimate source.

Anti-money laundering (AML) procedures, which include KYC, help mitigate the incidence of money laundering in the supply chain.

Even if an organization is small, if it is involved in business relationships and trading of material that could be perceived as having links with money laundering or the funding of terrorism (by virtue of its country of origin, for example), then greater effort should be put into AML due diligence.

If a counterparty is considered to be a “high risk,” additional information should be collected about the counterparty to provide a deeper understanding of its activity, in order to mitigate associated risks.

KYC Policy Document

It is advisable that each business has a written KYC policy. This need not be long or complicated, but should state the clear intent to apply KYC principles on all customers, suppliers, contractors and other third parties with which the business has a formal relationship.

The policy statement does not have to be stand alone, but rather can form part of a broader set of policies.

KYC Procedure Document

It is also advisable that each Organization has a documented KYC procedure.
Examples of KYC procedures may include:

  • Collection and analysis of basic identity information
  • Name matching against lists of known parties (such as company registers)
  • Details of the member’s policies and procedures (especially relating to identification of sources of scrap/recycled supply)
  • Determination of the member’s risk, especially in terms of propensity to supply materials from an area of conflict and the trade of these products on a cash transaction basis
  • An expectation of a customer’s transactional behaviour
  • Monitoring of a customer’s transactions against their expected behaviour and recorded profile

Implementing a KYC Procedure

At a minimum, when implementing a KYC procedure, one should:

  • Establish the identity of the organisations with which the Organization and its business deals
  • Provide a clear understanding of the business relationship
  • Confirm beneficial owners, meaning, the person(s) who directly or indirectly ultimately owns or controls the corporate entity
  • Confirm that beneficial owners are not featured in lists of known criminals issued by the government.

The information gathered from these exercises should be documented and stored in a place that can be easily accessed by responsible staff and senior managers.

To collect information on counterparties in a structured format, the Organization and its business can use a form or questionnaire, which can be filled out by the counterparty or internally by the business itself. In all cases, the counterparty should be given the opportunity to verify the information and to affirm its accuracy.

Ongoing KYC Monitoring

Over the course of the business relationship, the Organization and its businesses should monitor transactions, in order to identify patterns that might be appearing out of the ordinary or suspicious. To do so, businesses should maintain records of all cash or cash-like transactions, with a value above the defined financial threshold under applicable law.

Where required, they should report these to the relevant designated authority.

Ongoing monitoring should also be based on a counterparty’s risk profile.

More frequent and stringent attention should be paid to counterparties based on:

  • The activities that the counterparty is or has been involved with.
  • The location where the counterparty carries out the activities.
  • The expected volume of transactions and payment methods.
  • The counterparty’s customers and business relationships.
  • The counterparty’s anti-money laundering policies and procedures.
  • Any negative information or allegations about your counterparty in the media.


Introduction to Corruption through Bribery and Facilitation Payments

Corruption through bribery and facilitation payments constitutes a moral, compliance and reputational risk, which Organizations are expected to manage.

The risks associated with corruption are mitigated by instituting stringent Know Your Counterparty (KYC) procedures.

Bribery, a form of corruption, occurs when one person offers an incentive, which can be financial payments or material (such as gifts, holidays, schooling, entertaining), to another individual in order to obtain a business advantage.

A bribery conviction could lead to the loss of an individual’s career or even a prison sentence.

Facilitation payments are payments made to expedite an administrative process to which the payer is legally entitled.

These are a specific form of bribery, as they are payments made to a person in a position of power in exchange for speeding up a service, thus obtaining a business advantage.

Although facilitation payments might seem less serious than other types of bribery because the payer is legally entitled to the service even without the payment, they still create an unfair advantage over other businesses.

For this reason, they are considered illegal and punished by law in most countries.

An organization should be able to demonstrate that it understands the law.

This means that there should be someone either on staff or whom the Organization can engage, or retain, who is responsible for knowing the legislation and regulation in the country of operation that applies to the business, and who will make sure the Organization is aware of how to be compliant.

They should also be responsible for reviewing relevant policies and procedures every year to ensure the Organization continues to comply with any changes to relevant laws.

Documented Bribery and Facilitation Policy

Each Organization should have a written anti-bribery and facilitation payments policy, or policy statement. This must state the clear intent to avoid and prohibit bribery in all aspects of the business.

The policy should be signed by the CEO or a senior manager and be easily accessible to employees and contractors.

For example, the policy might be stored in a shared drive in the business’s IT system or a hard copy posted in a common meeting area, canteen or building entrance.

The objective is for all employees to know that there is a policy and what that policy requires. It is recommended, too, that the policy be made available to external stakeholders on request, or posted in an appropriate location on the Organization’s website.

One should also consider including the policy statement on invoices and supplier agreements.

The policy statement does not have to be stand alone, but rather can form part of a broader set of policies.

The Organization should establish policies that:

  • Prohibit bribery in all business practices and transactions carried out by the member and by agents acting on behalf of the member;
  • Protect employees from any penalty or adverse consequences for identifying in good faith concerns related to suspected bribery, for refusing to participate in bribery, or refusing to pay a facilitation payment where facilitation payments are prohibited;
  • Set the criteria and approval procedures to be followed by employees in respect of the offer and/or acceptance of gifts with third parties;
  • Train relevant managers and employees on policies and procedures;
  • Record relevant gifts to and from third parties in a gift register, as per the member’s policy;
  • Investigate any incidences of suspected bribery within their organisation;

Where facilitation payments are permitted by applicable law, the Organization should:

  • Undertake actions to eliminate all facilitation payments, or to reduce the size and frequency of Facilitation Payments over time;
  • Ensure that any facilitation payments are of limited nature and scope;
  • Implement controls to monitor, oversee and fully account for any facilitation payments made by or on behalf of the member.

Anti-Corruption Procedure Document

An anti-corruption procedure document will ensure that the Organization’s staff has the guidance it needs to integrate the policy into its business activities.

The procedure should cover the following:

  • What actions your business is taking to prevent bribery and facilitation payments, such as training and implementing relevant accountability mechanisms
  • How concerns will be recorded and investigated
  • What actions will be taken if corruption is identified.

Gift Registry

Among the activities that one should carry out to monitor how employees or agents interact with business partners and to detect potential alerts of bribery and facilitation payments is the adoption of a Gift Registry, where your employees record all gifts received.

The offer/acceptance of a gift can make a valuable contribution to the development and maintenance of good business relationships.

However, gifts that create or appear to create an obligation, impacting either party’s (the gift giver’s or the gift receiver’s) impartiality or constituting an undue influence on a business decision, are a form of bribery.

Setting specific criteria and approval procedures in respect of the offer and/or acceptance of gifts with third parties, and creating and maintaining a Gift Registry, are an important part of an anti-bribery policy.

They safeguard the Organization by keeping track of all gifts received and legitimizing these interactions.


Introduction to Risk Management for Conflict-Free Sourcing

Due diligence should aim to ensure that there is no direct or indirect support to non-state armed groups through the extraction, transport, trade, handling or export of materials used by companies.

Members of the relevant industry should take measures to evaluate their supply chains to identify any risks relating to conflict.

Identifying Conflict-Affected and High-Risk Areas (CAHRAs) in the Supply Chain

According to the OECD, Conflict-Affected and High-Risk Areas (CAHRAs) are: “identified by the presence of armed conflict, widespread violence or other risks of harm to people. Armed conflict may take a variety of forms, such as a conflict of international or non-international character, which may involve two or more states, or may consist of wars of liberation, or insurgencies, civil wars, etc.

High-risk areas may include areas of political instability or repression, institutional weakness, insecurity, collapse of civil infrastructure and widespread violence. Such areas are often characterised by widespread human rights abuses and violations of national or international law.”

Due diligence, in this context, should aim to ensure that businesses sourcing from, or operating in, CAHRAs neither tolerate nor by any means profit from, contribute to, assist with or facilitate the commission by any party of:

  • Worst forms of child labour
  • Forced or compulsory labour
  • Torture, cruel, inhuman and degrading treatment
  • War crimes or other serious violations of international humanitarian law, crimes against humanity or genocide
  • Other gross human rights violations and abuses such as widespread sexual violence
  • Direct or indirect support to non-state armed groups
  • Risk related to the contracting of public or private security forces
  • Money Laundering
  • Bribery and fraudulent misrepresentation of the origin of minerals
  • Non-payment of taxes, fees and royalties due to governments.

In order to identify and assess risks in the supply chain relating to conflict you should, as recommended by the OECD Guidance:

  • Complete a Red Flag Identification. A red flag is a preliminary alert, warning or indicator of a potential risk, usually based on the geographic origin of the material, its transit route, or the location and sourcing practices of the supplier, among other factors. A red flag does not necessarily indicate an actual risk, but the potential for risk that triggers a need for further investigation.
  • Analyse the supply chain to identify CAHRAs. In order to identify the red flags described above, you should also have a process in place to determine whether a certain country may fall under the definition of a CAHRA.
  • If red flags are identified in the supply chain, proceed to conduct a more in-depth risk assessment to determine whether there are actual risks in your supply chain.


Introduction to Human Rights

Human rights are inherent to all human beings, without discrimination, regardless of race, sex, nationality, ethnicity, language, religion, or any other status. They include the right to life and liberty, freedom from slavery and torture, freedom of opinion and expression, the right to work and education, and much more. They cannot be taken away, except in very specific circumstances, such as the right to liberty when a person has committed a serious crime.

There are three overarching types of rights and freedoms. These are civil and political rights, social and economic rights and labour rights. They are interrelated, interdependent and indivisible. The improvement of one facilitates advancement of the others, and, likewise, the deprivation of one adversely affects the others. When it comes to internationally recognized human rights, one usually refers to those covered by the:

  • The International Bill of Human Rights, consisting of the Universal Declaration of Human Rights and the main instruments through which it has been codified (the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights); and
  • The eight ILO core conventions as set out in the Declaration on Fundamental Principles and Rights at Work.

The UN Guiding Principles on Business and Human Rights (the Guiding Principles) are an instrument that was endorsed by the United Nations Human Rights Council in 2011. They consist of 31 principles and provide the first global standard for preventing and addressing the risk of adverse impacts on human rights linked to business activity. Today, the UN Guiding Principles continue to provide the internationally accepted framework for enhancing standards and practice regarding business and human rights.

The framework is based on three pillars:

  • The state duty to protect human rights
  • The corporate responsibility to respect human rights
  • Access to remedy for victims of business-related abuses.

The Company should ensure that it and its suppliers respect Human Rights and observe the UN Guiding Principles on Business and Human Rights in ways appropriate to their size and circumstances.

At a minimum, the Organization should do the following:

  • Formulate a company policy commitment to respect Human Rights as part of Responsible Sourcing
  • Include measures in the company’s due diligence process that seek to identify, prevent, mitigate and account for how they address their impacts on Human Rights
  • Where members identify that they have caused or contributed to adverse Human Rights impacts, they shall provide for or cooperate in legitimate processes to enable the remediation of those impacts.

Preparing a Human Rights Policy

A human rights policy formalises the business’s vision and commitment to respect human rights, both in the business itself and along the entirety of the supply chain. The policy should outline the business’s expectations of its staff, contractors and suppliers. It should be signed by an executive or senior manager, and include the date when it became effective.

The Organization should communicate the policy to internal and external stakeholders. This can be done in many ways, including posting the human rights policy on the website, posting the policy prominently in the business premises (for example in hallways and on notice boards), and adding the commitment statement to supplier contracts and invoices.

One approach of communicating the policy to internal stakeholders is to train workers. The training can be done in many ways, possibly through instructor-led classroom trainings or webinars. In this respect it is important to keep and maintain records. The training record should include information such as the date and time of training, what the workers were trained on, the name of the training instructor, names of the workers who attended the training and their signatures. The training records should be maintained for at least five years or as prescribed by the law. Training of employees should be done regularly; at minimum, upon hiring, and annually as a refresher.

At least one person within a business should be responsible for ensuring the Organization keeps up with all applicable human rights law (for example, labour rights law), and ensuring that the business is compliant. The person will be responsible for monitoring all applicable human rights laws and regulations and for reviewing relevant policies and procedures, to ensure that the Organization continues to comply with changing laws.

Preparing a Human Rights Due Diligence Procedure

Human rights due diligence refers to the set of ongoing processes through which the company identifies potential human rights impacts caused by the business or business relationships, prevents potential human rights impacts, and mitigates and accounts for how the business addresses its impacts on human rights, where such impacts are identified.

According to the UN Guiding Principles, human rights due diligence should include 4 key steps:

  1. Assessing actual and potential human rights impacts
  2. Acting to prevent or mitigate the impacts
  3. Tracking how effectively impacts are addressed, by collecting feedback, including from affected stakeholders, to better understand whether the activities designed during step 2 are effective for preventing and mitigating the assessed impacts
  4. Communicating how impacts are addressed, to help build trust and demonstrate accountability.

The Human Rights Due Diligence Procedure document should provide clear instructions and guidance to employees on how to carry out the activities needed to implement the Organization’s human rights policy.


Introduction to Grievance and Whistle-Blowing Mechanisms

The Organization should have in place a company-level and/or an industry-level grievance mechanism, as an early-warning risk-awareness system in their own or other supply chains.

All grievances or reporting of identified risks should be treated in strict confidence.

Each business should have written grievance and whistle-blowing procedures.

These need not be long or complicated, but must clearly outline the process to lodge and resolve grievances or to “blow the whistle.”

To successfully create a business system that incorporates early warnings, grievance and whistleblowing procedures, one should follow these steps:

Step 1: Write a grievance and/or whistle-blowing procedure

Step 2: Communicate the procedure(s) to workers and other relevant stakeholders. For example, the procedure can be posted on notice boards, in workshops, changing rooms, and other areas where workers gather. To reach external stakeholders, the procedure(s) can be posted on the company website where available, or can be communicated through newsletters or emails.

Step 3: Train relevant management and staff. Training should be given to managers, supervisors, and workers and their representatives, particularly those that will have a more active role in investigation, facilitation, and decision-making.

Step 4: Track all grievances and reports of wrongdoing lodged by workers or community members

Step 5: Launch an internal investigation into the lodged grievances, hold a grievance hearing process, and communicate the outcome

Step 6: Remedy. Where grievances are found to be based on legitimate complaints, take appropriate remediation action, meaning, take appropriate action to resolve or find a solution to the complaints.

Grievance Mechanisms

A grievance mechanism is a system which provides employees and other stakeholders with a clear, standardised, reliable and safe way to report grievances, which are complaints of unfair treatment.

This system is set up to not only record grievances but also to provide remedy for them.

A grievance mechanism typically takes the form of an internal procedure that addresses any of a broad range of employee concerns and potential causes of complaints that can arise over the course of employment, such as unethical recruitment, workplace discrimination and sexual harassment, among other issues.

Grievance mechanisms can also be externally facing and provide an opportunity for customers and other stakeholders (such as labour organisations, civil society organisations and local communities) to lodge concerns about the business, its activities and products.

A grievance mechanism works effectively when employees and external stakeholders are given the platform to raise their grievances through a confidential channel without fear of victimisation and retaliation, and when those grievances are resolved transparently, fairly and promptly.

In order to be developed, maintained and handled effectively, a grievance mechanism should reflect the principles of legitimacy, accessibility, transparency, equitability and predictability. In addition, a grievance mechanism should be rights-compatible, based on dialogue, and a source of continuous learning.

It should be stressed that the grievance mechanism should not impede access to judicial or administrative remedies.

Whistle-Blowing Mechanisms

A whistle-blowing mechanism is an early warning system for workers to report concerns of wrongdoing within a business. Wrongdoing refers to any unlawful or unethical activity or malpractice in a business. These include:

  • Criminal offences (this may include, for example, types of financial impropriety such as fraud, bribery and corruption)
  • Failure to comply with an obligation set out in law
  • Endangering of health and safety of individuals
  • Damage to the environment
  • Covering up wrongdoing in the above categories.

An effective whistle-blowing mechanism enables employers to become aware of irregularities in the business and to take the necessary corrective action, thus helping the business prevent potential negative escalations.

A key hindrance that businesses face in the fight against malpractices, such as bribery and corruption, is that employees are often too intimidated to blow the whistle although they may be obliged to do so as part of their employee contracts. Among the forms of retaliation feared by employees are dismissal, probation, punitive transfers, withholding of promotions, loss of status and benefits, reduction of pay and work hours, isolation, blacklisting and threats of such actions.

To protect whistle-blowers, Organizations should consider a whistle-blower’s right to confidentiality. This may include choosing to enable anonymous reporting.

When employees believe they will be supported by top management and do not fear retaliation, they are more likely to report wrongdoings.


What’s the Difference between AML and KYC?

Anti-money laundering (AML) is a broader and more holistic practice than KYC.

AML compliance is the comprehensive set of policies that an organization uses to protect against criminal infiltration, money laundering, terrorism financing, human trafficking and more.

KYC is an important part of AML for corporations, banks, fintechs, and other financial institutions.

Know your customer (KYC) is the regulatory process in which a financial institution verifies a customer’s identity by assessing their credentials before allowing them to use a service.

KYC policies allow Organizations to better understand their customers and their customers’ financial dealings, which helps to effectively mitigate and manage risks.

How is KYC related to AML?

An Organization’s AML compliance program has many steps, and KYC is the first one. KYC is the process used to verify a client’s identity and understand their risk profile, but there are more steps necessary to completely protect against financial crimes.

A complete AML compliance program includes KYC procedures as an initial step to verify a customer’s identity, manage their risk factors, and monitor their accounts. KYC is the most crucial step in an institution’s AML policy. It’s important to carefully verify a customer’s identity, assess their risk, understand the customer’s general financial habits, and have the necessary procedures in place to catch abnormalities. Strong AML compliance policies allow companies to find and eliminate risks as they arise.

The 3 Components of KYC

KYC may seem like a simple concept, but when working with some of the largest financial entities in the world, the processes of customer identity verification and customer due diligence are critical to a successful AML program.

There are three components of KYC compliance.

The first pillar of a KYC compliance policy is the customer identification program (CIP).

CIP was imposed under the USA Patriot Act in 2001 to better protect the world’s financial systems in response to the September 11 attacks. The Patriot Act made it mandatory for all banks to implement written CIPs appropriate to the bank’s size and its customer base, and to incorporate those CIPs into their larger AML policies. CIPs verify the customer’s identity using credentials such as their name, date of birth, address, social security number or other documents.

The second pillar of KYC compliance policy is customer due diligence (CDD). CDD is a KYC process in which all of a customer’s credentials are collected to verify their identity and evaluate their risk profile. It is broken down into two separate tiers: simplified due diligence (SDD) and enhanced due diligence (EDD). SDD is used for accounts at low risk of money laundering or terrorism funding, such as standard bank accounts or low-value bank accounts. EDD is used for customers that are at a higher risk of infiltration, terrorism financing or money laundering. If a customer is determined to be higher risk, additional information must be collected. EDD procedures also include transaction monitoring: keeping track of the typical amount and frequency of a customer’s transactions makes irregularities easier to find. It is the financial institution’s responsibility to determine each customer’s risk profile and so decide whether SDD or EDD is necessary.

The third pillar of KYC policy is continuous monitoring. Checking a customer once isn’t sufficient to ensure security. Understanding a customer’s typical account activity and monitoring the activity is necessary to catch irregularities and eliminate risks as they arise.

Why is KYC so important for financial institutions?

KYC AML compliance is not only important to keep customers protected and satisfied, it’s the law. All banks and financial institutions must comply with regulated sets of AML policies. KYC policies are the first step in a holistic AML approach to financial security. They protect against identity theft and ensure that banks and other financial institutions aren’t involved — knowingly or not — with terrorist, money laundering, human trafficking or other criminal organizations.

What is KYC?

Know Your Customer (KYC) procedures are a critical function to assess customer risk and a legal requirement to comply with Anti-Money Laundering (AML) laws.

Effective KYC involves knowing a customer’s identity, their financial activities and the risk they pose.

Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face fines, sanctions and reputational damage if you do business with a money launderer or terrorist. More importantly, KYC is a fundamental practice to protect your organization from fraud and losses resulting from illegal funds and transactions.

“KYC” refers to the steps taken by a financial institution (or business) to:

  • Establish customer identity
  • Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
  • Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities

To create and run an effective KYC program requires the following elements:

1) Customer Identification Program (CIP)

How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 16.7 million US consumers and accounting for 16.8 billion dollars stolen in 2017. For obliged entities, such as financial institutions, it’s more than a financial risk – it’s the law.

In the US, the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures.

The desired outcome is that obliged entities accurately identify their customers.

A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level.

The minimum requirements to open an individual financial account are clearly delimited in the CIP:

  • Name
  • Date of birth
  • Address
  • Identification number

While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both.

These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives, and for the benefit of regulators.

The exact policies depend on the risk-based approach of the institution and may consider factors such as:

  • The types of accounts offered by the bank
  • The bank’s methods of opening accounts
  • The types of identifying information available
  • The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations

2) Customer Due Diligence

For any financial institution, one of the first analyses made is to determine whether you can trust a potential client. You need to make sure a potential customer is trustworthy; customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and Politically Exposed Persons (PEPs) who might present a risk.

There are three levels of due diligence:

Simplified Due Diligence (“SDD”) applies in situations where the risk of money laundering or terrorist funding is low and a full CDD is not necessary, for example, low-value accounts.

Basic Customer Due Diligence (“CDD”) is the information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.

Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity and mitigate the associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislation, it’s up to the financial institution to determine its risk and take measures to ensure that its customers are not bad actors.

Some practical steps to include in your customer due diligence program include:

Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer.

When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally.

Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required, include, but are not limited to, the following:

  • Location of the person
  • Occupation of the person
  • Type of transactions
  • Expected pattern of activity in terms of transaction types, dollar value and frequency
  • Expected method of payment

Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit.

3) Ongoing monitoring

It’s not enough to just check your customer once, you need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.

Depending on the customer and your risk mitigation strategy, some other factors to monitor may include:

  • Spikes in activities
  • Out of area or unusual cross-border activities
  • Inclusion of people on sanction lists
  • Adverse media mentions

There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual.

Periodic reviews of the account and the associated risk are also considered best practice:

  • Is the account record up-to-date?
  • Do the type and amount of transactions match the stated purpose of the account?
  • Is the risk level appropriate for the type and amount of transactions?

In general, the level of transaction monitoring relies on a risk-based assessment.
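The monitoring factors above (per-tier transaction thresholds from the customer’s risk profile, spikes against the expected pattern of activity, out-of-area activity and sanction-list hits) as an added Python example that is not part of the original post. The customers, transactions, sanction-list entry and threshold amounts are all constructed for illustration; an institution derives its real thresholds from its own risk-based assessment, and real screening uses licensed sanction data with fuzzy name matching rather than the exact comparison shown here.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Hypothetical per-tier single-transaction limits; tiers follow the
# SDD / CDD / EDD levels described in the due diligence section.
THRESHOLDS = {"SDD": 10_000.0, "CDD": 5_000.0, "EDD": 2_000.0}
SPIKE_FACTOR = 3.0  # a transaction this many times the baseline counts as a spike
# Constructed sanction-list entry, stored normalised (upper case, single spaces).
SANCTIONS_LIST = {"ACME FRONT TRADING LTD"}


@dataclass
class Customer:
    customer_id: str
    home_country: str
    risk_tier: str          # "SDD", "CDD" or "EDD", assigned during due diligence
    baseline_amount: float  # expected typical transaction size declared at onboarding


@dataclass
class Transaction:
    tx_id: str
    customer_id: str
    amount: float
    country: str      # where the transaction takes place
    counterparty: str


def normalise(name: str) -> str:
    """Collapse whitespace and case so list entries and inputs compare alike."""
    return " ".join(name.upper().split())


def screen_sanctions(name: str, sanctions=SANCTIONS_LIST) -> bool:
    """Exact-match screening against the (constructed) sanction list."""
    return normalise(name) in sanctions


def review_transaction(customer: Customer, tx: Transaction,
                       history: List[Transaction], sanctions=SANCTIONS_LIST) -> List[str]:
    """Return the monitoring flags raised by one transaction, given prior history."""
    flags: List[str] = []
    if tx.amount > THRESHOLDS[customer.risk_tier]:
        flags.append(f"over_threshold:{customer.risk_tier}")
    # Baseline is the observed average once history exists, else the declared one.
    baseline = mean(t.amount for t in history) if history else customer.baseline_amount
    if tx.amount > SPIKE_FACTOR * baseline:
        flags.append("spike")
    if tx.country != customer.home_country:
        flags.append(f"cross_border:{tx.country}")
    if screen_sanctions(tx.counterparty, sanctions):
        flags.append("sanctioned_counterparty")
    return flags


def monitor(customers: Dict[str, Customer], transactions: List[Transaction],
            sanctions=SANCTIONS_LIST) -> Dict[str, List[str]]:
    """Run every transaction (in chronological order) and collect alerts by tx id."""
    history: Dict[str, List[Transaction]] = {cid: [] for cid in customers}
    alerts: Dict[str, List[str]] = {}
    for tx in transactions:
        customer = customers[tx.customer_id]
        flags = review_transaction(customer, tx, history[tx.customer_id], sanctions)
        if flags:
            alerts[tx.tx_id] = flags
        history[tx.customer_id].append(tx)
    return alerts


def run_example() -> Dict[str, List[str]]:
    """Constructed customers and transactions for illustration."""
    customers = {
        "C1": Customer("C1", "GB", "EDD", baseline_amount=500.0),
        "C2": Customer("C2", "US", "SDD", baseline_amount=1_000.0),
    }
    transactions = [
        Transaction("T1", "C1", 400.0, "GB", "Local Grocer"),
        Transaction("T2", "C1", 450.0, "GB", "Local Grocer"),
        Transaction("T3", "C1", 3_000.0, "DE", "Acme  Front Trading Ltd"),
        Transaction("T4", "C2", 8_000.0, "US", "Payroll Inc"),
        Transaction("T5", "C2", 900.0, "US", "Payroll Inc"),
    ]
    return monitor(customers, transactions)


if __name__ == "__main__":
    for tx_id, flags in run_example().items():
        print(tx_id, flags)
```

Every alert is a candidate for the periodic review questions above and, where the activity is deemed unusual, for a Suspicious Activity Report; the flag strings are kept machine-readable so that a case-management system can route them by type.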

Corporate KYC

Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts, and other risk factors, are usually more pronounced so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB).

While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program:

Retrieve company vitals

Identify and verify an accurate company record such as information regarding register number, company name, address, status, and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows.

Analyze ownership structure and percentages

Determine the entities or natural-persons who have an ownership stake, either through direct ownership or through another party.

Identify Ultimate Beneficial Owners (UBOs)

Calculate the total ownership stake, or management control, of any natural-person and determine if it crosses the threshold for UBO reporting.

Perform AML/KYC checks on individuals

For all individuals that are determined to be a UBO, perform AML/KYC checks.
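The four KYB steps above, carried through in an added Python example that is not part of the original post: an ownership register is walked from the target company through intermediate holding companies to natural persons, each person’s direct and indirect stakes are summed, and those at or above the reporting threshold form the list on which step 4 runs AML/KYC checks. The companies, persons, percentages and the 25% threshold are constructed assumptions; the threshold and the treatment of management control (not modelled here, only share ownership) are set by the jurisdiction.

```python
from typing import Dict, List, Set, Tuple

# Constructed ownership register: company -> {shareholder: % of that company's shares}.
# A shareholder may be another company or a natural person.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "TargetCo": {"HoldCo A": 60.0, "Alice": 30.0, "Bob": 10.0},
    "HoldCo A": {"Alice": 50.0, "HoldCo B": 50.0},
    "HoldCo B": {"Carol": 100.0},
}
NATURAL_PERSONS: Set[str] = {"Alice", "Bob", "Carol"}
# Hypothetical reporting threshold; use the percentage your jurisdiction prescribes.
UBO_THRESHOLD = 25.0


def effective_ownership(target: str, ownership: Dict[str, Dict[str, float]],
                        natural_persons: Set[str]) -> Dict[str, float]:
    """Total direct plus indirect stake (in %) of each natural person in target.

    An indirect stake is the product of the percentages along the chain of
    holding companies; a person's stakes via every chain are summed. A company
    already on the current chain is skipped so cross-holdings cannot recurse
    forever. Holders that are neither persons nor in the register contribute
    nothing (unresolved ownership, which a real program should flag).
    """
    totals: Dict[str, float] = {}

    def walk(entity: str, share: float, path: frozenset) -> None:
        for holder, pct in ownership.get(entity, {}).items():
            indirect = share * pct / 100.0
            if holder in natural_persons:
                totals[holder] = totals.get(holder, 0.0) + indirect
            elif holder not in path:
                walk(holder, indirect, path | {holder})
            # else: cross-holding back into the chain; stop here

    walk(target, 100.0, frozenset({target}))
    return totals


def identify_ubos(target: str, ownership: Dict[str, Dict[str, float]],
                  natural_persons: Set[str],
                  threshold: float = UBO_THRESHOLD) -> List[Tuple[str, float]]:
    """Natural persons whose total stake meets the threshold, largest first."""
    stakes = effective_ownership(target, ownership, natural_persons)
    ubos = [(name, round(pct, 4)) for name, pct in stakes.items() if pct >= threshold]
    return sorted(ubos, key=lambda item: (-item[1], item[0]))


def kyc_check_queue(target: str, ownership: Dict[str, Dict[str, float]],
                    natural_persons: Set[str],
                    threshold: float = UBO_THRESHOLD) -> List[str]:
    """Names on which step 4 (AML/KYC checks on individuals) must be run."""
    return [name for name, _ in identify_ubos(target, ownership, natural_persons, threshold)]


if __name__ == "__main__":
    print(effective_ownership("TargetCo", OWNERSHIP, NATURAL_PERSONS))
    print(identify_ubos("TargetCo", OWNERSHIP, NATURAL_PERSONS))
```

In the constructed register Alice holds 30% directly plus half of HoldCo A’s 60% for 60% in total, Carol holds 30% through the two holding companies, and Bob’s 10% stays below the threshold, so only Alice and Carol are queued for checks.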

It’s one issue to ensure KYC compliance; it’s an altogether far greater issue to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thomson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. Eighty-nine percent of corporate customers have not had a good KYC experience – so much so that 13 percent have actually switched to another FI as a result.

Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually, while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates that KYC compliance costs banks £47 million a year, while each check runs £10 to £100.

Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: Battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors.
These templates are available to our subscribers at no cost.  For any readers who wish to purchase any of these templates, please contact us.

If you would like to subscribe to our UPDATE service, please contact us for a quote.
