We started out serving customers such as Notz Stucki with our original screening tool. This tool helped them to screen their clients in their existing program more efficiently and more effectively by providing a single search interface to get all the data they required. We soon realized that the whole process was arcane and artisanal in even the most successful firms. This led us to focus on total compliance automation. We developed the Enterprise Risk Management System in direct response to this need.
Our early adopters were tech-forward financial services firms.
We helped BNP Paribas to implement a robo-prospector for their wealth management services enabling their relationship managers to prioritize and onboard high-net-worth prospects efficiently based on the compliance risk and complexity they represented.
We helped Dao Maker to become the leading social mining rewards platform with strong KYC at competitive rates.
We helped Moolya Coin in India to KYC/AML process 8,000 investors in less than a week so that they could complete a crowd-sourced fundraising of more than $1,000,000 in just a few days.
We helped EMPCorp to AML screen more than 20,000 clients per month for their pre-paid card and card remittance programs without hiring any additional compliance staff.
We helped Chaineum implement an AML compliant asset issuance platform quickly and very cost effectively.
We helped Bob’s Repair, a nationwide handyman service in the USA, to carry out KYC/AML on several thousand investors while raising more than $2,000,000 in a single week.
And many more…
We have helped a nearly $1 billion Africa-focused alternative investment fund stay compliant and improve their AML risk program to the satisfaction of their regulator, the CSSF. At the same time we delivered enough efficiencies so they could reallocate a senior risk manager from AML compliance to financial risk management, saving them more than €158,000 per year on their direct AML program costs.
We have helped a prominent virtual asset service provider to implement a compliance risk management program on their 300,000 clients, including automated screening of 50,000 active clients every day and managing the potential risks. We delivered all of this capability and they didn’t need to add any additional staff.
We are providing our technology to a $1.4 trillion asset manager for the secure and automated collection of documents and data. We are able to deliver this capability for a fraction of the cost that they had already spent on a custom solution that failed to meet their needs.
We are providing our technology to a $70 billion asset manager who has been able to scale up the effectiveness of their AML program and comply with new and ever increasing regulation without engaging any additional staff and for a fraction of the cost of what a larger team would cost.
We are providing our technology to a multi-national bank with $2 trillion under management who are using our technology to better identify customers and eliminate more than $1 million in fraud per year.
And we continue to add new success stories every day…
If you are tired of worrying about the status of your compliance effectiveness, then keep reading.
If you are overwhelmed with manual checklists, forms and email processes.
If you need to get some breathing room from the daily minutiae so that you can focus on strategic issues.
If you want to know what risks are hidden in your customer files.
If you want your customers to thank you for making their lives easier.
If you are tired of the headaches from work-arounds and lack of visibility in your processes.
If you want your board and shareholders to thank you for running an efficient and profitable company.
If you really want everything in a simple and reliable way that “just works”.
If you want to make it easy for your investors to complete their disclosures, avoid compliance fines at all costs and to maximize your efficiency, you are at the right place.
It is possible for asset managers to massively improve their investor experience, avoid compliance fines and boost their bottom line by 200k annually.
However, most people fail or struggle because their business doesn’t value a holistic approach to compliance yet and the teams are overwhelmed with complicated onboarding, extensive customer due diligence, complicated risk assessments and audits that involve lots of manual checking and double checking.
This is because they are stuck with manual processes, lack integration, are overloaded with documents and different evaluation tools, rely heavily on emails, manual checklists and spot reviews.
We are the only people dedicated to solving this problem for alternative asset management firms.
Our founder, Jed Grant, has been active in technology for over 30 years and has been an active compliance practitioner since 2008, when he co-founded a consulting firm dedicated to enhanced due diligence in the financial sector. In 2009, he was a co-founder, along with Jacques Santer and several other leading Luxembourg professionals, of the Institute for Financial Integrity and Sustainability asbl (www.ifis.lu).
Jed Grant has been developing software for secure environments his entire career. He started with small private efforts and was quickly recruited into NATO where he spent 10 years as a civilian officer in charge of a full IT section, including development, operations and security for more than 1,000 end users in several countries. At the time under 30 years old, he was NATO’s youngest civilian Lt. Col equivalent, a record that we believe he may still hold, and a rank that he achieved based on technical and organizational competence with software in TCP/IP networked environments and their operation for NATO. Under his leadership, his section deployed the IT systems that supported KFOR and SFOR in theater in former Yugoslavia. He has been a cryptographer and IT security expert since the early 1990s (you can find archived posts in the ACM Risks Forum to prove it). In that capacity, he also held a secret security clearance for more than a decade and is intimately familiar with information security and handling practices. Finally, he also spent nearly a decade as a member of the board and executive director responsible for all aspects of IT strategy of a regulated investment firm under the supervision of the CSSF (Firm P00000229 License 1886979). This and his years of financial sector experience since make him intimately familiar with the IT requirements of regulated financial services providers.
Today he is a recognized leader in his field, an active expert in many official EU panels related to regulation/technology and an adjunct professor at the University of Luxembourg, and on the board of several technology think tanks and observatories. He has personally recruited and vetted large teams of technical and financial professionals. He coaches, guides, and educates them as needed. Security is a permanent agenda item in our team meetings. KYC3’s Software Development Life-Cycle (SDLC) process is led by experts who also have decades of experience in secure software development practice and are accomplished software engineers in their own right. Prior to working in the private sector, some of them were also NATO cryptographers with security clearances.
Around 2010, Jed realized that the current state of the art for compliance and due diligence was very artisanal and manually driven, with different expensive and time consuming databases and tools being used at different stages of the process. Doing due diligence himself, he realized that there was an incredible amount of work that could be done automatically using new machine learning technologies and capitalizing on the capabilities of recent advancements in data processing and storage, so called “big data”. He looked for a solution that could be used to automate and manage the entire due diligence process in an auditable and reliable manner and found no commercial off-the-shelf solution.
He decided to design and implement a solution that would collect and process due diligence information for his own use. As digitizing the whole process is a gargantuan task, the first version only provided the due diligence research and reporting capabilities, but they were very useful nonetheless.
By 2013 it was apparent that others would like to use the solution as well and in 2014 KYC3 was incorporated so that the first commercial contracts could be signed with clients.
KYC3 is a Luxembourg based provider of KYC/KYB risk management automation solutions aimed at alternative investment, private equity, wealth and virtual-asset managers.
KYC3’s first formal product offering has been available since June 2014. In 2014, KYC3 received an Innovative Research and Development Programme Grant from the Ministry of Economy of Luxembourg to further research and develop our technology.
In 2015 we began working with our first institutional clients in the AIFM and PE sector. We were delighted to count the esteemed alternative investment management firm Notz Stucki in Geneva as an early adopter of our solutions.
In 2016 we began offering API access and bespoke deployments that take full advantage of our advanced screening capabilities. In March 2016, KYC3 was selected as an innovation partner by BNP Paribas Wealth Management where we delivered technology components for a very innovative client facing project.
In November 2016, KYC3 became a founding member of the Infrachain initiative led by the Luxembourg Ministry of State whose goal is to deliver a common regulatory compliant blockchain infrastructure to the EU/SEPA financial marketplace. Jed Grant is a member of the board of this initiative.
In 2017 we began to focus on the alternative investment and virtual asset sectors with the release of version 1 of our dedicated platform for KYC/KYB. Since then we have helped numerous AIM and VASP clients in Luxembourg, Switzerland, France, Germany, the UK, the Netherlands, as well as Singapore, Hong Kong, India and Canada, to realize substantial savings in their compliance processes.
KYC3 is not a reseller of other companies’ solutions. All of our software and IP is developed and owned in house.
We remain focused on solving the challenges faced by AIFMs, PE and VASPs in their compliance and in developing new and more efficient ways to remain compliant, manage risk and improve customer experiences.
Jed founded KYC3 to vastly improve the way KYC is done for financial institutions worldwide. KYC3 is all dimensions of Know Your Customer, Counterparty and Competitor. Transforming regulatory and reputational risk management into competitive advantage is the core objective that we intend to achieve for our clients leveraging machine learning, big data and eventually blockchain to achieve economies of automation – saving you time and money.
Today, Jed and his team work tirelessly to continuously improve the platform and deliver efficient digitalization to as many AIFMs, PE funds, Wealth Managers and VASPs as possible.
An effective AML program will prevent you from being fined and protect the reputation of your company from being tarnished. There are 5 major functions with many activities in an effective AML compliance program. Let’s dive in and see how they work.
The first activity in a working compliance program is to decide, at board level and with formal records, what risks your organization is ready to accept and manage. Based on this statement, your program of compliance risk management policies and procedures can be implemented. This means you must decide which counterparties are potentially acceptable for you to engage within the scope of products and transactions in your business. To state the obvious, this isn’t about defining any illegal activity – those are already outside your risk tolerance. The Risk Acceptance Statement defines the level of risk in legal activity that you are willing and able to manage, knowing that when things go wrong, it is usually an apparently legal activity of a counterparty that is actually covering something more sinister and illegal.
Often, limited Risk Management capability limits the Risk Acceptance scope, the resulting policy and procedures, and creates a poor customer experience. With a digital process, the Risk Acceptance scope can be reviewed, the ability to handle clients effectively can be improved and the overall customer experience can be improved, resulting in a much more effective business for you.
The old way:
Review business capabilities and expected market, estimate risks and define a RAS
The new way:
Define your RAS based on empirical review of clients using automated capabilities and real-time reporting
The old result:
A RAS based on assumptions about the organization, the market and risks that may not match operational realities
The new result:
A RAS based on measurable parameters from your clients, products and markets.
Every risk management program starts with a Risk Acceptance Statement (RAS). This should be up to date, in line with your risk management capabilities and board approved. The traditional method for determining your risk tolerance is to assess your business assumptions and review your manual process capacity in order to develop a Risk Acceptance Statement based on these assumptions. This results in a risk policy that is limited by the assumptions of your business. The new way of reviewing your risk tolerance is to get a real-time look-through at your risk profile and a better understanding of your actual accepted risk versus your risk management capabilities. With a fully digital system, you can compare your actual risk to your Risk Acceptance Statement at any time instantly. This results in faster, clearer and more accurate risk acceptance and risk mitigation.
The old way:
Develop procedures and checklists that enable the RAS to be implemented in your organization
The new way:
Configure your compliance process based on the limits of a dynamic and integrated digital system
The old result:
An operating manual detailing a system of elaborate procedures and checklists, usually managed with tools such as Excel, Word and Email
The new result:
Digitalization delivers a standardized compliance process that is leaner and more agile.
Once the RAS is approved, the procedures for managing risk are established or adapted to the RAS. The old way of doing this is to develop detailed procedures with forms and checklists to be followed. This results in an elaborate and complicated process with manual steps and decision points. The new way of managing this process is with workflow management techniques. This results in a leaner compliance process with fewer steps. Using a fully digital, dynamic and integrated system you can do more with less and can adapt your risk management processes to new regulatory and business requirements quickly and inexpensively.
The old way:
Review the risk assessments to ensure that they are consistent and that risks are properly accounted for
The new way:
Configure the risk assessment engine directly in the system and begin using it. Dynamically adjust the parameters so that the risk results filter into the correct risk level automatically.
The old result:
Manual review of test or real cases in order to determine if the risk assessment process is correctly categorizing risks
The new result:
Once tuned, there is no need to review the risk assessment process as a standardized digital process delivers provably consistent results.
After establishing your processes, they need to be reviewed in order to ensure that the checks and balances are working as intended. The old way of doing this is to conduct manual reviews of “spot check” cases in order to determine if the risk assessment process is correctly categorizing and assessing risks. The new way of doing this is with automated risk assessment techniques, involving the use of linked algorithmic risk calculations. Digitalization of the risk assessment process delivers a standard, automated and fully auditable risk assessment process with no need to conduct further spot checks.
You need to identify who your counterparty is. In short, you need to know if the investor with a large ticket for your fund is a political slush fund that may be the proceeds of corruption to be used to fund terrorism or if it’s a family fortune gained from the sale of a business. The individual you deal with may be identified. However, you need to know if they represent themselves or they represent something else, such as another individual or an organization. If they represent an organization, you need to know who owns and who controls that organization all the way to the Ultimate Beneficial Owner. This is much harder than it sounds as the UBO may not even be a shareholder. High net worth individuals and private equity structures often use “nominee” shareholders and directors to represent them in official records. This isn’t usually done for nefarious reasons; rather, it is to maintain a high level of discretion and keep a lower profile as part of a sensible personal risk management strategy that any sane high net worth individual would require. A Counterparty Identification Program involves deciding what kinds of questions and documentation you will request from your counterparts based on your assessment of the apparent risk they represent.
In a traditional setting, identifying your counterparty involves meeting the people face-to-face, having them present government documents for identification and to demonstrate their role and partners in any legal entity that they represent. This is the traditional “account opening”.
In a digital world, this becomes a new process. You need to identify the individual sitting behind the internet connected device, to collect relevant information from them and to ensure that the information is true and valid to the best of your ability. You can do this by using video conferencing tools, collecting documents electronically and having clients send additional information in with legally binding signatures.
The old way:
Speak to customers and have them provide identity documents
The new way:
Let customers complete a digital identification process on a secure portal
The old result:
Compliance office receives documents and certifies the ID of the customer
The new result:
Customers can onboard any-time, any-day and faster
The old way:
Customers are asked to send in documents by email and/or by postal service
The new way:
Allow customers to digitally upload documents via a secure customer portal
The old result:
Compliance officer receives documents in various channels, bit by bit and must manually check, organize and review them
The new result:
Faster onboarding, document requirements are clear, customers are happy = more business
You need to verify that what your counterparty has claimed is valid and represents a true and accurate depiction of what and who you’re dealing with. This means that you must review the documentation provided in order to assess its relevance and authenticity. You must cross check to a reasonable level of effort that the claims of your counterparty make sense. This can involve doing Google searches, using specialized databases and resources, conducting meetings with involved and related individuals or even sending private investigators to collect first hand information. Your due diligence should result in you knowing the risk level of your counterparts and treating them accordingly.
Conducting due diligence involves the verification of the information provided by your prospective client as well as cross checking the client identity against government lists and available public media in order to conduct a money laundering risk assessment of your customer. Traditionally, this involves scrutinizing the documents provided by the client, analysing the client’s statements and using public sources, such as trade registries and press archives, to verify the client’s background and claims. This also involves checking to be sure that the prospective client isn’t a wanted criminal or terrorist by referring to a multitude of lists issued by national and supra-national law enforcement organizations.
In a digital world, this becomes a much more complex task, as there are a large number of data sources and data changes very quickly. You can use search engines and public access government databases to do much of this checking. With these sources, you gather information, analyse it in context, and compile reports summarizing the identified risks and their likelihood of posing a threat to your business from compliance, AML and reputational perspectives.
The old way:
Documents are dumped into a folder and reviewed against the checklist
The new way:
Organize documents in a “smart” system that knows the dossier requirements and can be quickly reviewed using a fast and efficient “Tinder for compliance” approach.
The old result:
Checklist is completed manually and deficiencies are noted in time consuming process
The new result:
Faster onboarding, document requirements are clear, customers are happy and you can handle more business
The old way:
Customer data is entered into a due diligence system and results are checked by the compliance analyst.
The new way:
Screen customers against PEP, sanctions, adverse media and search engines as soon as customer data is captured and immediately add results to the dossier.
The old result:
Results are “copy/pasted” or downloaded and integrated into a customer risk report document that is added to the dossier. Manual work is error prone and lacks full audit trails.
The new result:
Real-time customer due diligence available quickly and easily without switching systems and with a full audit trail of risk assessment and analyst review
The old way:
Customer provided structure charts and business descriptions are reviewed, if questions arise, clarification is requested
The new way:
Assess risks using all the inputs from the customer, such as roles and organizational relations. Quickly review dynamic and automatic structure charts and business risk flags.
The old result:
Charts of various formats and data quality are included in customer files for reference, along with Q&A notes
The new result:
Standardized structure charts are generated automatically. They are dynamic and easy to manage. Structures are reflected “as is” in real time based on available information and can be merged and split with a single click. Risks are calculated and updated “on-the-fly” based on the latest information.
The old way:
Based on the evaluation of customer inputs and risk assessments, additional information may be required from the customer by email or telephone
The new way:
During automated risk assessments and structure review, compliance can send an invitation to the customer to upload additional information directly
The old result:
Compliance sends an email to customer and awaits the response
The new result:
Customers can provide additional documents any time of day quickly and analysts can confirm them immediately
You need to continually monitor your counterparty risk levels and take appropriate action if the risk level of a counterparty changes. This means you need to screen your counterparts against official lists of wanted and known criminals and terrorists, such as the OFAC, Interpol, UN, EU, FBI and other published lists. This also means you need to know if your counterparty is or becomes politically exposed – meaning they are in a position of political power that may be conducive to corruption. Finally, you need to make sure your counterparties are not engaging in behaviour that could be damaging to your reputation as their service provider. The media is full of regretful financiers making excuses that they were unaware that Jeffrey Epstein was a sadistic pedophile yet this information was in the public media for nearly a decade before the scandal became front-page news.
Monitoring of client risk involves keeping tabs on your clients, as one would do with a traditional press clipping service. This means scanning the press each day for negative information about your clients. Also, this means scanning all official lists of wanted criminals and terrorists to ensure that your client is not added to one of these lists.
Because of the volume of information and the multitude of sources, it is no longer feasible to connect directly with each official source and with search engines to review each client each day. In a digital world, you will need a client screening solution. In general, you will have to purchase access to a consolidated data source that makes all of this information available in a single search. Still, with such a data source, there are several ways to screen your clients.
First, you can purchase access to a web tool in which you will screen each of your clients manually each day, possibly by uploading them in batches once per day and checking them against the data. This approach keeps all of your customer data private to your company at the expense of a daily intervention that involves collection and review of the same results each day, so that you can check for new data points.
Second, you can share your client data with a third party who will screen your clients each day and send you notification of any new negative information arising about your clients. This approach reduces your workload at the expense of sharing all of your customer data with a third party who becomes a legal custodian of that data.
The third option, and one that combines the benefits of both keeping your client data private and fully automating your workload, involves running the screening in your systems so that your client data stays with you and your nightly screening records are also kept with you so that old results are remembered and new results can be handled with a minimum of work.
The old way:
The compliance team will upload a list of customers to a screening service in order to check them, or the compliance team will give the customer list to a third party for nightly screening
The new way:
Operate everything automatically and in-house. Get risk alerts and review them directly in the system. A secure system downloads risk data from the data providers and screens the customers every night in-house.
The old result:
Customer data is handled every day by third parties and potential hits are provided to and assessed by the compliance analysts
The new result:
Customer data stays in your company, results and assessments are collected and reviewed in a couple clicks with a full audit trail.
The old way:
Periodically, the compliance analyst will review the dossiers and ensure that all required documents are included
The new way:
The analyst is notified whenever a dossier is deficient and can trigger a remediation request via a secure portal. An automated system knows all required documents and tracks their expirations.
The old result:
Regular periodic spot checks reveal missing or expired documents. Customers are asked to remediate the situation via email, phone or letter
The new result:
Customers receive immediate notification of missing or expired documents and the analyst can review them on the spot when they are uploaded
The old way:
Based on their risk level, customer dossiers must be reviewed periodically.
The new way:
Receive automatic notification on any specific dossier review date and quickly check the file for any changes of risk status.
The old result:
On an annual, biannual or tri-annual basis, dossiers are assessed to ensure that the assessed risk level has not changed
The new result:
Digital dossiers become “smart dossiers”. No dossier will be forgotten and the remediation workload is evenly distributed over the year.
You need to be prepared to confirm the efficacy of your risk management program to your board, to your auditors and to your regulator. To do this, you need to track and assess your performance across all elements of your program. You need a reliable audit trail and easy to produce reports. Ideally you can produce up to the minute reviews quickly and efficiently on any counterparty, product or transaction in your business. Not only will your board, auditors and regulator appreciate these reports, you will sleep better at night knowing that your system is well monitored and everything can be proven to be in order.
Typically your reporting program will involve reporting for several different purposes, including board reporting, internal audit reporting, external audit reporting, and regulatory reporting.
These reports are usually developed as templates ahead of time that are regularly completed and provided to the relevant authority. Board reporting may be bi-monthly, monthly or quarterly, internal audit may be monthly or quarterly, external and regulatory reporting may be quarterly or annual. When all combined, these responsibilities create a very busy reporting calendar. Each report needs to be prepared by its deadline and delivered to the appropriate authority. The preparation of reports involves checking the dossiers, looking at audit notes, reviewing the KPIs and usage of tools and databases that are used to assist in the risk assessment, as well as review of the processes and procedures in place. This is a time consuming task that involves the collection and collation of information from many sources in order to produce clear and concise reports that accurately reflect the risk and compliance events in the reporting period.
The old way:
Occasionally a specific dossier will require a full review due to a trigger event, such as a specific transaction or activity change
The new way:
Set up “smart dossiers” so that risk assessment is continual and always up to date. Consult dossiers whenever a trigger event occurs.
The old result:
The dossier is reviewed in detail. Documents, the assessments and the other considerations are checked to confirm a potential change in risk level
The new result:
Client risk levels can be quickly reviewed and confirmed whenever a trigger event occurs. Digitization even means that trigger events may be signaled using automated API calls.
The old way:
The BoD requires risk updates and needs concise information to approve any exceptional cases. Compliance must prepare these reports using data from their various systems and processes.
The new way:
Keep all data in an integrated system with full audit trails and detailed statistics. Reports are available in real time all the time
The old result:
Periodically, the compliance team will review and update their overview statistics and then generate detailed and time-consuming reports to be included in the “board pack”.
The new result:
Reports can be generated in minutes rather than hours with standardized formats and consistent data directly from the system. Data is also accessible by API to automatically feed complex business intelligence and decision support systems
The old way:
Each year the auditors will want to review the process, procedures and results of the risk management program.
The new way:
Auditors review the configuration rules and results in place directly on the system along with the audit log showing exactly how the system was used.
The old result:
Auditors review the printed documents and procedures and confirm that the risk management program is performing as expected. They note any deficiencies that may exist due to regulatory or best-practice changes since the last audit, which results in changes and updates to the procedures.
The new result:
Auditors can make quick empirical observations of the entire process and result in a single system. The analysts can address deficiencies on the spot and get auditor sign-off for the configuration changes very quickly.
The old way:
Periodically, regulatory authorities will want to review the process, procedures and results of the risk management program
The new way:
Analysts can produce detailed records, including documents, assessments and audit notes for the regulator in standard formats with the push of a button.
The old result:
Regulators review the printed documents and procedures and confirm that the risk management program is performing as expected, as evidenced in the resulting files.
The new result:
Regulators can verify that the risk management program is effective and working without having doubt as to manual process steps and undocumented decisions.
Building the right compliance management program just requires the proper organization of your setup, operation and assurance processes. If you get these right, you can make your investors’ lives easier, avoid compliance fines and save 200k per year on a typical alternative investment compliance operation.
So as you can see, all you need to do is to integrate 1) the Fundamentals of Risk Acceptance and Risk Management, Configuration and Tuning, 2) a robust Customer Identification process, 3) a standardized and comprehensive Customer Due Diligence and Risk Assessment process, 4) a Continual Customer Monitoring process and 5) a structured and automated event capturing Regulatory Reporting and Audit Review process, into a digital platform with automated workflows, smart dossier logic and a secure and direct customer communication portal, and you can make your customers happier, boost your bottom line by €200k and never again face a compliance fine.
There are several ways to achieve this:
You can set this up all in house with the support of major consulting advisors. You will end up with a compliance framework, process and team that mirrors your competitors. This will take at least 1 year and cost well over €800,000 up front with an annual cost of about the same for a small team. Costs will increase steeply as you scale up the team.
You can pull together various compliance tools and hire a systems integrator to put them all together for you. This will take at least 2 years and cost well over €1,000,000 with an annual cost of at least €800,000 for a small team. Costs will increase, but not as steeply as the first option, as you scale up.
Or you can work with KYC3. We can deploy a fully configured and ready to use digital compliance automation solution for you for a fraction of the cost and in weeks to months of project time. You can scale your team and your costs will scale evenly and marginally as you increase your business.
Again, KYC3 is for alternative investment, wealth management, private equity and virtual asset service providers who are looking to digitize their entire compliance processes, but are struggling with the complexity and technical challenges of integrating everything together within reasonable time and budget constraints.
We have helped companies such as an Africa-focused private equity fund with approximately $1 billion under management who were able to digitize their AML risk management across 26 team members in offices in France, Luxembourg, Madagascar and several other countries. They were able to reallocate AML/KYC staff onto higher value risk management functions with immediate annual savings in excess of €125,000 and to focus more on enhanced deep-dive due diligence that is expected to help them produce better investment returns over time.
We have digitized compliance for a retail focused brokerage in the United Kingdom, helping them get up and running in less than 2 weeks, recovering from a failure of their KYC provider and getting their client onboarding process fully digital and integrated in record time.
We have automated the risk screening process for an OTC asset trading firm based in Paris, helping them to screen more than 50,000 counterparties involved in their business over the past years and to fully automate the management and reporting of their AML risk.
We have implemented fully digital dossier risk management for a leading private equity firm in the United Kingdom and Luxembourg, enabling them to leap from manual checklists and processes to a fully integrated compliance process with immediate remediation and real-time risk screening of all of their counterparties and their components.
Here is what’s going to happen when you work with us.
Our engagements consist of two phases. The first phase consists of configuring and delivering your digital compliance platform and processes and ensuring that your company’s analysts are able to make efficient use of them. The second phase is the long-term operation of the Enterprise Risk Management System (ERMS), with occasional short projects for upgrades and revision, as needed. Both of these phases are aimed at helping you to have the most effective and efficient digital compliance program for your business.
We will review your Risk Acceptance Statement and accompanying policies and procedures, as well as the definition and planned automation of your processes. Prior to commencing any technology deployment, we are happy to assist with the detailed technical solution architecture and planning. We are also able to help you to address any deficiencies in your compliance risk management program. Our founder, Jed Grant, is an experienced systems architect with 30 years of enterprise-grade solutions experience gained in international institutions, such as NATO, and CSSF regulated financial institutions in Luxembourg, with nearly a decade of board and executive committee member experience under the IML and then CSSF, as well as regulated institutions in France, the UK and Switzerland. Jed or an equally qualified technical and compliance professional leads our pre-deployment consulting and advisory engagements. At the end of this review, we will present you with an assessment and detailed plan of the transformation to digital compliance for your organization.
The KYC3 ERMS delivers your KYC/KYB client identification, due diligence, continual monitoring and regulatory reporting in a simple and integrated platform that automates and facilitates the most laborious tasks of compliance.
KYC3 ERMS Dashboard gives you an immediate overview of your dossiers, potential screening risks identified, counterparty demographics and risk profiles – all with comprehensive and simple sort and drill down capabilities.
KYC3 ERMS Smart Dossiers collect all the information for customer identification, documentation, due diligence, structure, risk assessment and monitoring in a simple to use and comprehensive dossier.
KYC3 ERMS Risk screening engine checks your customers against PEP, Sanctions, adverse media and search engines and provides daily updates of any new risks identified.
KYC3 ERMS Entity-relations Manager provides easy visibility of individual relations (KYC) and corporate structures (KYB) for conflict of interest detection, UBO documentation and management control charting.
KYC3 ERMS Reporting module gives quick and easy access to detailed audit information on every event, decision and note that has been made in the system.
KYC3 Due Diligence Research portal offers open and flexible access to the full risk intelligence data set, so you can search as easily as using Google. It also offers a comprehensive report builder for generating detailed risk assessment reports in PDF format.
KYC3 ERMS Entity Tagging system lets you slice and dice your client data however and how-many ways you require, for example, sorting by fund, by customer type, by business unit. You can always get the exact report you need using the right tags.
The KYC3 ERMS is a flexible on-premise, own-cloud or hosted SaaS solution. An instance can be deployed in your company’s data center, with your chosen hosting provider or hosted by KYC3 on your behalf. We coordinate with the technical teams for proper access and security controls and we coordinate with the hosting team to ensure proper business continuity measures are in place.
The identification of clients is a new challenge in a digital world. In order to have the most efficient and secure interactions possible, you will want to enable your system to identify and collect information directly from your clients.
Let’s recap all of those features and benefits and put some value on them.
In order to be effective, all the elements need to be integrated and interlocking.
You need all of this to work together, flawlessly and automatically, so that you can:
– Manage Inherent Risk from customers and products
– Achieve Control Effectiveness in your organization and your governance and supervisory structures
– Make informed decisions regarding your Residual Risks
There are 3 main phases involved in the establishment and operation of an effective AML risk management program covering all of the activities described above for a small compliance team operating in an alternative investments or fintech niche.
First there is the setup. Develop a system with a compliance expert. Define checklists, documents and periodic reviews. Build risk evaluation methods, print, sign and record everything. Make sure audit records are in place. This effort involves at least €250,000 in resources to achieve. Typically amortized over 5 years, this represents €50,000 per year.
Second there is the operation. Collect documents; review risk, and manage dossiers. Identify risk, conflicts of interest or other potential negative aspects. Build new dossiers, conduct risk assessments and manage corporate changes within counterparties and investments. Ensure proper risk screening, review, remediation and follow up. A typical operation with 3 full time employees has a fully loaded annual cost of at least €450,000.
Third, there are the assurance efforts: board reporting, audits and regulatory reviews. Prepare reports based on regular or periodic demand. Gather and collate documentation. Verify facts and statistics across processes. Confirm the application of policy and procedure. Synthesize summaries and evidence to third parties that reports are accurate and reliable. In a mid-sized investment firm, this effort typically engenders at least ½ full time equivalent (FTE) annually plus external service providers, representing a fully loaded annual cost of at least €250,000.
Our solution delivers on all 3 areas. We focus our efforts on the efficiency and reliability of the processes we enable. This means that your company can handle more growth with less cost, delivering real bottom line gains.
Fully loaded cost of 4-6 FTE compliance professionals: €750,000.00

| Efficiency Gain | Probability of Realization | Expected Values |
|---|---|---|
| 0% | 2% | €0.00 |
| 10% | 3% | €2,250.00 |
| 15% | 15% | €16,875.00 |
| 35% | 65% | €170,625.00 |
| 50% | 15% | €56,250.00 |
| Expected gains | | €246,000.00 |
Against a base subscription of €4,000 per month, this represents more than a 500% annual Return on Investment on the typical annual investment in our core solution and support.
A comprehensive IT project of this scale typically has a 3-year breakeven, making annual savings of this order of magnitude worth at least €750,000.
By adopting a fully digital compliance process on an integrated platform, you can achieve massive capability gains, deliver savings that flow through to your bottom line, and help you achieve the compliance and customer satisfaction you have always wanted.
Since its inception, KYC3 has developed its own intellectual property and provides SaaS solutions tailored to the needs of AIFM and crypto-asset firms. Our solution eliminates the labor and risk inherent in old school manual dossier processing and tracking systems based on document stores, Excel spreadsheets and email communications by providing an integrated dossier management and risk screening environment with a complete audit trail and a white labeled secure counterparty portal for document collection. Our systems have handled millions of name screening checks and thousands upon thousands of client onboardings.
So let’s summarize what you get with KYC3’s fully integrated and digital compliance ERMS:
– Adjusting your Risk Acceptance Statement to match your capacity to manage risk
– Streamlining your compliance process and improving your operational controls
– Automating the risk assessment process for continual and consistent compliance
– Identifying your clients, even if they are complex entity structures
– Collecting documentation through your own secure digital portal directly into your platform
– Secure authentication through video and identity verification
– Quickly reviewing and evaluating provided documentation
– Understanding your clients with automated structure charts and visual risk indicators
– Conducting proper due diligence with built-in PEP, sanction, adverse media and search engine screening
– Automatic “to-do” remediation actions are added based on risk assessments
– See your risk and compliance “big picture” in an easy to understand, always up-to-date dashboard.
– Receive daily alerts of any new PEP, sanction or adverse media elements
– Receive real-time alerts for all expired or outdated documents
– Automatically be notified of mandatory reviews based on risk levels
– Automatically add “to-do” remediation actions to dossiers when customer circumstances change or to meet new regulatory requirements
– Simply merge complex structures together when deals are consummated and have all risk updated accordingly
– Produce simple to use risk overviews for regular board meetings, investment committee meetings and more.
– Push button detailed audit reports and full customer dossier reports for auditors and regulators.
– Detailed screening metrics reporting.
– Slice and dice your entity data with tags that you define. Group customers by fund, by business type, by investment, or however you need.
Q: What about GDPR and data protection?
A: Our system is designed with GDPR in mind. You remain the custodian of your client data at all times and are in complete control from a GDPR perspective. The exposure of your client data to KYC3 is minimized to a small number of “data processing” cases and data is not retained.
Q: If the solution is on-premise or “own-cloud”, how does that work?
A: We deploy the system to your preferred host platform. If your company does not have a preferred hosting provider, KYC3 can arrange hosting at a trusted provider for your company in full financial transparency. You own the hosting infrastructure.
Q: Do we have to decide on all of those options at the start?
A: You can start basic and add features later on. We are happy to start small and grow with you.
Q: Can we have a “free trial”?
A: KYC3 ERMS is an enterprise software platform that is delivered per client. Unfortunately we are not able to offer “free trials”. We can offer a “risk free” guarantee period on our solutions and will refund in full if your company is not satisfied for any reason during this time.
Q: What about security?
A: Our computer cluster is hosted in an ISO27001 data center and we employ industry standard security protocols and procedures to limit access to the cluster. None of your data is stored in our cluster. Your client data, your documents and your conclusions all reside in the ERMS platform that we deploy for you in your preferred host platform.
Q: What are your security procedures?
A: We do grey-box security audits of our technology on major releases and address any identified deficiencies. We also maintain security updates on dependencies in our software. We regularly review our systems and employ strong security procedures and reviews across them. As our solution is deployed on-prem/own cloud, we do a vulnerability scan after each setup and share this with you at handover. You are free to do pen tests on your deployed instances at any time and can manage the security of the environment the system is deployed to according to your existing policies and procedures.
Q: Can we audit your systems?
A: We are also ready to conduct any feasible test or security audit that you may request on our systems, if you are prepared to cover the third party expenses.
Q: Are you a regulated company?
A: We have not applied for the PSF license as the current scope of our services doesn’t fall under the regulatory regime and would cause significant price increases in our services. KYC3 is capitalized and organized so that it may in the future become a regulated service provider “PSF Agent Administratif” in Luxembourg under the CSSF should our service offering expand or the regulator requests that we do so.
Q: What are your standard terms and conditions?
A: An agreement of 3 annual terms with invoicing at the start of each term. Delivery commences upon reception of the signed Service Agreement and effective payment received. The standard terms for KYC3 services apply.
Q: We have a detailed risk assessment process and need to be sure that it will work with your system?
A: If you require detailed risk assessment engine configuration to match your policies and procedures, we can deliver it.
We can tune and configure the ERMS risk assessment engine to match the existing standards used within your company’s business and partner businesses. This is a one-off exercise that saves time and avoids the frustration of change.
We review the risk calculations across all dimensions of risk: PEP, sanction, ML/CFT, reputation, structure, jurisdictions and more. Using your company’s existing risk management methods and tools as a baseline, we will configure the system and the risk screening engine to produce compatible results.
We will work with your company’s compliance team to validate and tune/adjust as necessary to ensure that results are as expected during the first 6 weeks of operation.
Q: We already have our customer data in an existing system. Can we import the data directly to the KYC3 system?
A: If you have legacy systems containing data that you would like to load into your platform, we can assist you with the extraction, transformation and loading of the data into the ERMS.
Manually loading data into a system can be time consuming and is very laborious and error-prone work. For the cost of a few man-days, we can map out and automate this work to load your data efficiently and without errors.
We will conduct a review and assessment of the existing documentation and data and devise a data extraction, transformation and loading (ETL) plan so that the KYC3 ERMS can be loaded with existing client data from the first moment of production. Existing digital assets will be considered and structured data will be incorporated directly into the system meta-data while unstructured data, i.e. scanned documents, will be imported into the document management.
We will organize and load the electronic data into the system in accordance with the defined ETL plan.
Q: We will need to be trained. Can you train us on how to best use the system?
A: Absolutely. Well-trained employees will make the best use of the tools they are given. While training is the least expensive of the KYC3 deployment options, a 5% gain in efficiency repeated on a daily basis over 180 working days is 45 days for a team of 5, representing an ROI of at least 500% on the training investment.
We will deliver detailed training on how to use the KYC3 ERMS. Training is delivered in English via Zoom conference or in person in Luxembourg. Basic training can be completed in a 3 hour session.
Q: Can we interface KYC3 with our core systems?
A: Yes, we provide a full API and can assist with integration. If there are manual processes that would be required to interface between the KYC3 ERMS compliance platform and other core systems, such as an investment management or CRM system, investing in automating these integrations saves time, reduces manual manipulation errors and always represents a very good ROI over the long term. We can help evaluate where such expenditures make sense and then help carry them out as cost effectively as possible.
We will develop a common understanding of the detailed requirements of the systems and share how KYC3 technology can best fit into the solution. To do this we will review the desired KYC processes as defined by project management at your company and evaluate where KYC3 can provide maximum benefits.
Q: We have a lot of data and/or demanding BCP requirements, such as redundant systems. Can you scale for our business?
A: Yes. Our Big Data Module enables the system to hold documents for hundreds of thousands or even millions of entities across a distributed and redundant database and our Counterparty Data Loading service can be extended to load large quantities of entity data into the system prior to production.
We can configure multiple ERMS systems to replicate or share data across them. This is useful for business continuity planning and multi-jurisdictional compliance.
We will lead or assist your company’s chosen systems integrator to implement the planned integrations.
We can support data sets up to hundreds of thousands or millions of full digital dossiers.
We can engineer deployments that use swarmed, clustered or replicated instances and can support multi-instance BCP installations.
Q: Can you help with the review and elaboration of our existing procedures and provide advisory?
A: Yes, our analysts can work with you to review your compliance program with advisory and assistance on the 5 program elements: Risk Acceptance, Counterparty ID, Counterparty Due Diligence, Counterparty Monitoring and Compliance Risk Reporting.
We can provide assistance with the formulation and/or adaptation of the Risk Acceptance Statement, the AML Program Policies and/or the AML Program Procedures in light of the capabilities that KYC3 brings to your organization.
Q: What is included in the core KYC3 SaaS ERMS Monthly operating subscription?
A: Access to the KYC3 SaaS ERMS and EDD WebUI for up to 25 users.
Nightly PEP, Sanction and Adverse Media screening for up to 2,000 nominals.
Access to the KYC3 Compute Cluster for data updates, including full access to our proprietary FACT4 risk database.
System updates, bug fixes and ongoing minor releases.
Simple and remedial technical support by email, video or voice call during CET/CEST working hours on regular business days.
Q: What is included in the Onboarding Portal subscription?
A: Operation of a white-labeled onboarding portal instance with the KYC3 ERMS.
Updates and minor adjustments of forms, user interfaces and other minor changes to keep abreast with your company’s regulatory requirements and commercial web presence as they evolve.
Q: Can we use the World-Check Refinitiv Data for screening?
A: Absolutely. We have a module that allows the system to download the Refinitiv data file on a nightly basis and include Refinitiv data in the risk screening process. To make use of this option, your company must also have a separate data license with Refinitiv.
Q: What are your typical engagement goals and terms?
A: We deliver value in the form of better solutions to the overall process of compliance and risk management. We look at how we can automate and streamline current working processes. We seek feedback from our clients and the industry in order to prioritize and capture as much value for our clients as quickly and efficiently as possible. An agreement of 3 annual terms with invoicing at the start of each term. Delivery commences upon reception of the signed Service Agreement and effective payment received by KYC3.
Q: What is FACT4 and what data is in it?
A: FACT4 is our risk intelligence database. It includes more than 250 million documents gathered since the inception of KYC3 and with history going back more than 30 years in some cases. Every major sanction list is included from around the world, PEP information from many international sources and our own proprietary sources, adverse media from more than 110,000 media sources categorized and risk assessed by our FACT4 AI, and company data from several European countries, including the UK, France, Luxembourg and more.
Q: Although FACT4 has some business registries, can you provide more company information?
A: Yes, we have an EBR Data Module that allows access to the European Business Registry data on demand. The EBR charges a per-document fee for downloading the documents into your system.
Q: Can you help us with operational compliance support to use the system?
A: Yes, KYC3’s analysts can assist your company with the operation of their ERMS. Engagements are led by an ACAMS certified anti-money laundering specialist.
Q: Can you offer bespoke Support and Training for our specific SLA requirements?
A: Yes, we can provide extended technical support to your company’s IT team or systems integrator. We can arrange dedicated training sessions for new staff or advanced and bespoke training for existing KYC3 users.
Q: Can you help us with our audit or regulatory review for specific points, if needed?
A: Yes, we can provide executive support directly with your company while engaging in tandem with auditors and supervisory bodies in order to assist with audits or other reviews, covering any points related to our solution, its use and review.