Digital Client Risk Management: Best Practices

Most financial institutions (FIs) understand the importance of taking a risk-based approach to compliance. But what this means when it comes to client risk management practices differs by sector, organization and channel. 

Clients expect to be able to onboard and manage their finances remotely. Technological advances have accelerated this trend: 

• An increased volume of reliable digital data can provide the same quality of verification as meeting in-person 
• Integrating this data into customer engagement channels is feasible due to low costs
• The necessary technology is available on a wide array of mobile devices, expanding access to financial services to underbanked customer segments 
• Transparency has improved, enhancing an FI’s ability to detect a change in a customer’s risk profile and update it promptly 
  

The Wolfsberg Group, an association of 13 global banks, recently published guidelines for FIs managing the shift to digital channels at three stages of the customer lifecycle: onboarding, dynamic risk assessment and ongoing due diligence. Here’s a summary of their advice.  

Onboarding

FIs now have access to a much broader scope of identity attributes which complement basic details and help build a progressive identity. Some data points require consent, like location, but others are less intrusive, for instance the way a customer navigates an onboarding questionnaire or holds their device. These data points change over time, so they should be updated regularly.

Various public and private initiatives (and partnerships) have improved an FI’s ability to verify a customer’s identity by providing access to official sources such as government databases. In some countries, FIs can retrieve records from these databases by leveraging application programming interfaces (APIs). 

Technology also allows the initial authentication event, where the customer proves they’re behind an application, to take place remotely. Facial recognition software confirms the person at the other end of a video call or in a video selfie is the same person featured in the official ID document submitted from the customer’s device. Older smartphones that don’t capture video shouldn’t be an obstacle, as FIs can rely on ownership factors to establish authenticity, such as cryptographic keys and knowledge factors like a password.  

Dynamic risk assessment

Digital client risk management helps FIs develop a deeper and real-time understanding of a customer’s risk profile. This capability means FIs can transition from periodic refresh cycles to a trigger-based approach to maintaining accurate customer data (discussed in the next section), while reducing their reliance on traditional factors like professional activity, country of residence and delivery channel. 

Digital delivery channels become key to an FI’s ability to mitigate risk throughout the lifetime of the customer relationship for two reasons. Firstly, the initial authentication event determines the level of confidence about a customer’s identity from the start. If this step is weakened by a lack of facial recognition, it undermines the entire process, which the FI must address at a later stage.  

Secondly, digital channels allow FIs to gather data from a customer’s device, such as a unique identifier known as an internet protocol (IP) address or global positioning system (GPS) data which tracks location. Of course, the customer can choose to deny consent by blocking permission on the FI’s app or using a virtual private network (VPN) to hide the device’s IP address and therefore its location.  

Ongoing due diligence

To develop a trigger-based approach to maintaining customer data, FIs should consider breaking down each risk factor into a series of variables which they can use to measure for deviations from the norm. Variations against a threshold would prompt an FI to check for changes to the customer’s risk profile.   

For example, if an FI establishes a customer’s country of residence using an IP address, an alert would be triggered by the customer spending a significant amount of time abroad. The FI can verify if the device has switched hands by monitoring whether the current owner holds it at a different angle or has started copying and pasting data into web forms. If so, the FI may need to carry out a low-level authentication event like asking the customer to re-enter a personal identification number. It can also use an API to check with government sources about changes to residency status. 

Learn more about digital client risk management

Read the Wolfsberg Group’s guidance to uncover on a deeper level how technology can enable an FI to both meet customer expectations on digital engagement and prioritise resources in an effective, risk-based manner.