Know Your Customer (KYC) regulations are a longstanding requirement for combating fraud, money laundering and the financing of organised crime or terrorism. All regulated sectors, including law firms, face a great deal of scrutiny with respect to KYC rules compliance.
The UK Law Society recently made a significant regulatory change to retention of KYC information by law firms, bringing the regulation very much in line with increasingly prescriptive data privacy trends brought about by GDPR and other requirements. But the new rule creates several challenges for law firms, as they are now required to delete any KYC information from all firm systems no more than five years after the last matter for that client was closed.
While this may sound simple, there have been several changes compared to the existing processes for removing such information in line with standard law firm retention policies. At the very least, a law firm needs to know what KYC it owns on a client-by-client basis, the last matter close/activity dates need to be proactively managed, all KYC information needs to be identified separately from other client/matter information, and separate workflows are needed to remove this specific type of record.
Managing KYC obligations adds to an already heavy workload for records and compliance personnel. Firms that lack the internal expertise to establish and manage these programmes may benefit from looking at newer, more flexible information governance solutions to manage the increasingly complex rules and regulations around data and records retention, governance and destruction.
When seeking help from an outside expert to aid with KYC retention requirements, there are many factors to consider. Legacy records systems often lack the ability to integrate with other core business platforms or automate certain functions that help promote policy compliance. Consider these factors when vetting outside providers:
- Ability to recognise KYC classifications with flexible definitions of document types or classes
- Integration with financial systems that allow metadata (such as last invoice date) to be synchronised with client and matter profiles
- Triggers to research potentially closed matters and identify records subject to disposition
- Disposition review workflows that ensure timely review of KYC documents and final disposition from document management and records management systems
As the compliance burden for law firms rises under KYC regulations, we strongly advise them to trust providers with experience implementing KYC strategies as part of an overall governance solution.