Legitimacy Lifecycle: Getting Risk right

Legitimacy Lifecycle slide

Legitimacy Lifecycle prioritizes ‘Know Your World’ intelligence for best Risk mitigation

By Frank Cummings, CEO

Lifecycle management has become an AML Compliance buzzword. But it’s often just new wrapping on the same old package. The Legitimacy Lifecycle, in sharp contrast, looks at the lifecycle challenge with a comprehensive emphasis on Risk relevance and Risk mitigation.

Unlike other lifecycle-management systems, the Legitimacy Lifecycle monitors and/or mitigates all human and human-caused activity within an institution. The Legitimacy Lifecycle is purely event driven and starts with the Know Your World (KYW) concept of Due Diligence, which enables monitoring of Risk-relevant events from onboarding to offboarding of your Risk-relevant relationships (i.e., all relationships).

KYW categories of Risk

Know your World (KYW) Due Diligence recognizes and accounts for Risk across your enterprise—not just your customers and transactions. Effective KYW comprises knowledge of the Risk potential and structured monitoring of the following categories:

  1. Customers
  2. All related parties of customers
  3. Vendors
  4. Employees
  5. Managers
  6. Artificial intelligence and machine learning applications (AI/ML)
  7. All known relationships among categories other than Category 2 to Category 1

Best-practice Risk management calls for KYW to be performed the same for each of the Due Diligence categories and for the same purposes. Each of these categories causes events to happen within your institution; your task is to confirm that all these events occur for “legitimate business purposes.”  A legitimate business purpose is defined as an event happening when it should and most importantly how it should happen, as well as by whom.

The Legitimacy Lifecycle specifies three main lifecycle stages that help predict stage-specific types of Risk specific to the seven categories above. Those lifecycle stages are onboarding of a relationship, the ongoing maintenance of a relationship, and the closeout of the relationship.

Each of these lifecycle stages requires its own Key Risk Indicators (KRIs) to be configured in a GRC solution to monitor all the Risk-relevant events within each stage of each relationship. The KRIs should automatically trigger a notification event for action to the required party. Actions might include sending an email, opening a research case, starting timed SLAs, etc.

The ‘Suppose Zone’

Let’s consider for a moment the kind of events that a KRI might initiate. This requires you to enter the “Suppose Zone.”

Suppose you are onboarding a new corporate customer. You are collecting documents and checking data interfaces; everything is looking good, and you are about to accept the customer when you get an email alert. Your public-records database shows the average monthly electricity usage is below that of a college dorm room.  The potential customer’s self-reported monthly electricity usage is over 200 times that.

Or suppose you have an employee who is always the last person to leave at the end of the day. And they always seem to pass on taking their vacation days. At the same time, you receive a garnishment demand for that employee. You conclude that one of your best employees is having money issues. Do you think they should be alone on your production systems?

Or suppose you had a breach, but you can’t figure out how they got in. Perhaps they did not break in, but rather you let them in. The little machine-learning application that marketing bought on the cheap was doing a bit more at night than you thought and was slowly but surely gaining access to your core and payments systems. Try explaining that to the board.

Anticipate and monitor to Know Your World

The Know Your World approach can help anticipate and monitor for these Risks. And the Legitimacy Lifecyclefacilitates a structured imagining of what is possible, and then gaining an understanding of its probability. At the core of this Risk-mitigation concept is establishing KRIs for the “whole” of who interacts within your firm and making sure that it is all legitimate.

Logo for RegTechONE, a platform for GRC and AML Compliance

Governance, Risk, and Compliance: Software solutions that transform results, costs, and efficiency

AML Partners designs GRC and AML software solutions that transform the work of Governance, Risk, and Compliance. With AML Partners’ platform technology for AML Compliance and RegTech, AML and GRC software solutions are easier, faster, and so much more effective and efficient.  With extraordinary configurability and built for API extensibility and Business Intelligence, the RegTechONE platform powers a range of end-to-end AML/KYC tools but also Dynamic Case Management, vendor management and risk, cyber risk workflows, FCPA workflows, and so much more. RegTechONE: For your institution’s Network of Applications and Ecosystem of Permissioned Data. Contact us today for more information and to schedule a Proof of Concept demonstration.

Start achieving more today.

We are so confident in the power of RegTechONE to transform your GRC and AML Compliance solutions that we will prove it to you. Contact us today to experience all the ways that RegTechONE is The Power of Everything.

AML Partners logo/wordmark in white

347 Village Street
Concord, NH USA 03303

Copyright © 2024 AML Partners. All rights reserved.