Winning a new wealth client is just the start of the relationship. The next step, client onboarding, requires the firm to conduct due diligence and satisfy its regulatory obligations. It is where the client first sees how the firm performs. Many firms are turning to technologies such as Robotic Process Automation (RPA) and Application Programming Interfaces (APIs) to make onboarding streamlined yet thorough.
This article is Part 2 of our series on the Benefits and Risks of APIs in Wealth Management (“WM”) and here we focus on the Client Onboarding phase. In Part 1 - Focus on Client Engagement, we considered the benefits and risks of using APIs to enhance client engagement.
The critical part of the client experience begins after the client decides to sign up with a firm. The onboarding process gives the client their first view of how the firm works in practice. It is this “second impression” that firms often find challenging.
Why it is a challenge
Wealth Managers need to conduct thorough client due diligence (CDD), including regulatory checks such as Know-Your-Client (KYC) and Anti-Money Laundering (AML), to establish that clients are who they say they are, own the assets they claim to own, are investing for themselves, are not engaged in criminal or terrorist activity, and are not subject to economic sanctions or other restrictions.
Additionally, certain clients may require enhanced due diligence (EDD) checks based on their profile. High Net Worth Individuals (HNWI) and Ultra High Net Worth Individuals (UHNWI) invest across multiple asset classes and geographies. This can lead to a complex structure of ownership across legal jurisdictions which may require Wealth Managers to engage with a third-party Service Bureau to conduct broader checks and perform EDD.
There are several steps involved in onboarding a client to ensure the Wealth Manager meets all the relevant regulatory requirements. We highlight some of them here:
- Financial Needs Analysis: The advisor gathers information about the client, their aspirations, risk appetite, and investment horizon by interviewing the client. For consistency and to meet regulatory requirements, this data is captured in a standard form, which is generally paper based.
- Identity Verification: Traditional methods of identity verification consisted of inspecting physical documents: passport, driver’s licence, national identity card, etc. This has obvious problems, including forged documents, manual interpretation of likeness (of photographs) and the need for hard copies. Also, it requires manual processing, storage, and distribution of documents in the firm.
- Company Legal Identity and Beneficial Owners: Most countries maintain a publicly accessible register of companies. Wealth Managers whose clients have interests across several countries need to verify data across jurisdictions.
- Anti-Money-Laundering / Counter-Terrorism-Financing / Sanctions Checks: Individuals and companies need to be cross-checked against sanctions and watch lists covering money laundering, terrorism financing and human trafficking, against Politically Exposed Persons (PEP) lists, and against the lists published by the US Treasury’s Office of Foreign Assets Control (OFAC).
- Asset Verification: Confirming the existence, location, and condition of assets such as property, plant, and equipment, and verifying ownership.
- Create Client Account in the Core Systems: The client needs to be set up in the Wealth Manager’s core system, which records client positions and activity. During the client engagement phase described in Part 1 of this series, information about the client is typically held in a Customer Relationship Management (CRM) system. When the client is onboarded, much of this information is transferred to the core system.
- Provisioning the Client’s User Account: Wealth Managers build portals to enable clients to review the status and transactions on their accounts. These portals are generally more modern than the firm’s core system, and can communicate through APIs.
The manual nature of the above processes can create severe bottlenecks, leading to delays and a frustrating client experience. Digitising documents as early as possible, or better still verifying identity digitally, streamlines the process so that the workflow can move swiftly through each stage of verification, approval and fulfilment.
But it is not as simple as that. Source documents are often on paper, and legal documents are not structured in a way that can be easily read by a machine. This results in manual data entry and interpretation by humans.
Robotic Process Automation (RPA) in Client Onboarding
RPA is designed to automate processes that are manual, repetitive, high-volume and rules-based, and that involve data in a structured format. These processes can involve front-end (customer-facing) systems such as a Customer Relationship Management (CRM) system, or back-end (non-customer-facing) systems such as IT help desks. Processes that require human creativity or judgement are not suitable for RPA.
The work is done by a software robot (“Bot”) that interacts with systems that have only a human interface by mimicking the keystrokes and mouse actions a human would perform.
Bots can assist in processes such as copying client records from the CRM to the core system and creating client accounts, eliminating the copy-paste and re-keying errors that arise when data is moved manually from one system to another.
Bots can also automate a user’s interaction with external web-based applications.
Automating a workflow with RPA involves building a Bot: a sequence of tasks that would normally be carried out by a human. A Bot is “trained” by a human operator recording the keystrokes and actions they would normally carry out during a process, much as a macro is recorded in a spreadsheet such as Excel. RPA software is more powerful, as it can automate steps across multiple applications rather than within one. Bots can also be stored centrally, so subject matter experts can design new Bots that are applied across the organisation.
Bots can incorporate rules to identify abnormal conditions in the data being processed. These may be business rules, or rules derived from Artificial Intelligence (AI) models. As there is a risk of false positives (determining something is bad when it is actually good) and false negatives (determining the condition is good when it is actually bad), abnormal conditions should be flagged for human review, rather than taking automated actions.
The skills required to create and train Bots are more easily acquired than those for traditional programming languages. Business analysts, and in some cases subject matter experts within a team, can combine Bot creation skills with their understanding of the firm’s processes to achieve good results.
While Bots are simpler to create than other software, like other software they should be tested under different conditions and with a variety of data before release. They should handle “error conditions”, circumstances in which an unexpected input or output occurs, rather than silently continuing. They should also be checked to ensure they cannot be used to grant access to unauthorised users: a Bot typically runs with its own stored credentials for every system it touches, so those credentials should be held in a secrets vault, limited to the minimum permissions the process needs, and their use logged.
APIs in Client Onboarding
In Part 1 - Client Engagement we gave an example of calling an API to retrieve stock price data.
APIs in client onboarding are more sensitive, as they carry Personally Identifiable Information (PII). Greater security is needed to protect clients’ privacy, and explicit consent from the client is required before information is shared with third parties.
APIs that can assist in client onboarding are available from government and commercial services.
Service bureaus offer digital verification of client identity through API calls. Firms upload images of clients’ passports, driver’s licences, national ID cards and, in some cases, visas. The service provider uses Optical Character Recognition (OCR) and AI to extract the details from the image and returns its assessment to the requestor. The extracted fields should still be validated on receipt, since OCR misreads are common and a wrong document number or date of birth propagates into every downstream check.
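As an added example (not code from the article or any service bureau), the Python below shows the kind of accuracy check a firm can run on OCR-extracted passport data before trusting it. The machine-readable zone (MRZ) of a passport carries ICAO Doc 9303 check digits over the document number, dates and optional data, so a misread character is detectable without a second human reading the document. The sample MRZ is the widely reproduced ICAO 9303 specimen for the fictitious state “Utopia”; the OCR-damaged variant (digit 0 misread as the letter O) is constructed for this example, and any failing check routes the record to human review instead of auto-accepting it.

```python
# ICAO Doc 9303 check-digit verification for a TD3 (passport-size) machine-readable zone.
# Check digit: weight each character 7,3,1,7,3,1,... (digits = face value, A-Z = 10..35,
# '<' = 0), sum, take mod 10. A single misread character almost always breaks the digit.
WEIGHTS = (7, 3, 1)


def char_value(ch):
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not in the MRZ alphabet")


def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def check_ok(field, cd):
    # A filler '<' in the check-digit position is treated as 0 (used for an empty optional field).
    if cd == "<":
        return check_digit(field) == 0
    return cd.isdigit() and check_digit(field) == int(cd)


def verify_td3(line1, line2):
    """Extract the MRZ fields and verify every check digit; failures go to a human."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    for ch in line1 + line2:
        char_value(ch)  # rejects lower-case, spaces and other OCR artefacts early
    surname, _, given = line1[5:].partition("<<")
    fields = {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5].rstrip("<"),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "birth_date": line2[13:19],   # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],  # YYMMDD
        "personal_number": line2[28:42].rstrip("<"),
    }
    checks = {
        "document_number": check_ok(line2[0:9], line2[9]),
        "birth_date": line2[13:19].isdigit() and check_ok(line2[13:19], line2[19]),
        "expiry_date": line2[21:27].isdigit() and check_ok(line2[21:27], line2[27]),
        "personal_number": check_ok(line2[28:42], line2[42]),
        # The composite digit covers document number, birth date, expiry date and optional
        # data together with their own check digits.
        "composite": check_ok(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    return {"fields": fields, "checks": checks, "failed": failed,
            "action": "accept" if not failed else "human_review"}


# ICAO 9303 specimen (fictitious state "Utopia"); line 1 padded to 44 characters.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA" + "<" * 19
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed OCR error: the '0' in the document number read as the letter 'O'.
OCR_LINE2 = "L8989O2C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    print(verify_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)["action"])   # accept
    print(verify_td3(SPECIMEN_LINE1, OCR_LINE2)["failed"])        # ['composite', 'document_number']
```

The O/0 confusion trips both the document-number digit and the composite digit, while the other fields still pass, which tells the reviewer exactly which field to re-read rather than rejecting the whole document.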
Governments of some countries have launched identity verification initiatives, which can assist Wealth Managers. The Singapore government launched their MyInfo service, https://www.ndi-api.gov.sg, to simplify the identity verification process. Leveraging the National Digital Identity (Singpass), financial institutions can offer clients the option of authorising the government to share their identity information with the institution. This removes the need for institutions to physically see clients’ identity documentation. Verification can be conducted completely online. Many banks and insurers in Singapore now offer their customers this option.
India’s Aadhaar eKYC, https://www.indiastack.org/ekyc/, leverages that country’s Aadhaar national digital identity to verify the Identity and Address of the client. With the explicit consent / authorisation by the resident, the Aadhaar e-KYC service provides an instant, electronic, non-repudiable “Proof of Identity” and “Proof of Address” along with date of birth and gender. It also provides the resident’s mobile number and email address to the service provider.
Additionally, in some jurisdictions information about registered companies is available to the public. In Singapore, the Accounting and Corporate Regulatory Authority (ACRA) publishes APIs that provide information about companies and partnerships in its API Mall https://www.acra.gov.sg/announcements/acra-api-mall.
Some of the most important APIs for Wealth Managers conducting due diligence include:
- Entity Name (current and previous) Details: This API service retrieves details of an entity's name and effective dates (including former names where applicable).
- Entity Officers Record: This API service retrieves entity officer records including officer/s ID, name, position, appointment date, withdrawal date, reason for withdrawal (including disqualified for Company and LLP).
- Company Shareholders Details: This API service retrieves company shareholders records including shareholder/s ID, name, appointment date, cessation date, appointment status (Active, Withdrawn), share type, number of shares allotted, and currency.
Some service providers use APIs to conduct AML/CTF and sanctions checks. The requestor sends a search term (e.g. a person or company name) via the API, and the service provider returns a list of matching references.
The challenge with these checks, whether made via API, RPA or manually, is that the data is imprecise. People and companies may be listed on different registries under slightly different names, spellings or other details, so an exact-match search misses real hits while a loose search floods the team with false positives. Human review of search results is therefore important to prevent mis-categorisation in either direction.
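As an added illustration (not code from the article or any screening provider), the Python screener below shows why the human-review step matters. It scores a query name against a small constructed watch list using order-insensitive token matching with an edit-distance tolerance, so that a diacritic, a transliteration variant (Sidorov/Sidorow) or a “Surname, Given name” registry format still produces a hit, and it only ever refers hits to an analyst rather than rejecting or clearing them automatically, in line with the earlier advice that abnormal conditions be flagged for human review. The watch-list entries, the list names and the 0.70/0.95 thresholds are assumptions for the example.

```python
import re
import unicodedata

# Constructed watch list standing in for the references a screening bureau returns.
# All entries are fictitious. The same person appears twice, in two registry formats.
WATCHLIST = [
    {"id": "WL-001", "list": "sanctions", "name": "Ivan Petrovich Sidorov"},
    {"id": "WL-002", "list": "pep",       "name": "Sidorov, Ivan"},
    {"id": "WL-003", "list": "sanctions", "name": "Acme Holdings Ltd."},
    {"id": "WL-004", "list": "pep",       "name": "Jonathan Smith"},
]
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "pte", "gmbh", "sa", "ag"}
STRONG, POSSIBLE = 0.95, 0.70   # assumed thresholds; tune against the firm's own review outcomes


def normalise(name):
    """Strip diacritics, case-fold, drop punctuation and legal-form suffixes, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", ascii_only.lower())
    return sorted(t for t in tokens if t not in LEGAL_SUFFIXES)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two tokens."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def token_similarity(a, b):
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def name_score(query, candidate):
    """Symmetric best-token-match score in [0, 1]; unmatched tokens on either side lower it."""
    q, c = normalise(query), normalise(candidate)
    if not q or not c:
        return 0.0

    def best_sum(tokens, others):
        return sum(max(token_similarity(t, o) for o in others) for t in tokens)

    return (best_sum(q, c) + best_sum(c, q)) / (len(q) + len(c))


def screen(name, watchlist=WATCHLIST):
    """Return every hit above the 'possible' threshold; the decision is refer or clear, never reject."""
    hits = []
    for entry in watchlist:
        score = name_score(name, entry["name"])
        if score >= POSSIBLE:
            hits.append({"id": entry["id"], "list": entry["list"], "name": entry["name"],
                         "score": round(score, 3),
                         "band": "strong" if score >= STRONG else "possible"})
    hits.sort(key=lambda h: h["score"], reverse=True)
    # Any hit goes to an analyst: auto-rejecting acts on false positives, auto-clearing a
    # weak hit hides false negatives. The screener only ranks and routes.
    return {"query": name, "decision": "refer" if hits else "clear", "hits": hits}


if __name__ == "__main__":
    for query in ("Iván Sídorov", "Ivan Sidorow", "Maria Gonzalez"):
        print(screen(query))
```

“Iván Sídorov” scores 1.0 against the comma-formatted PEP entry and lands in the possible band against the three-token sanctions entry, so both surface for the same analyst; “Ivan Sidorow” never reaches the strong band, which is exactly the kind of result that an exact-match API search would drop silently.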
A hybrid approach combines RPA and API technologies. In this approach, RPA is used to access a human only interface (“green screen”) system and expose the data to other systems through an API. RPA Bots can also call APIs.
Which is better: RPA or API?
Choosing between RPA and API approaches to client onboarding depends on a firm’s planning horizon and development capability. RPA Bots can be implemented quickly, as they require limited technical skill and minimal changes to existing processes and systems. APIs, on the other hand, enable a more seamless experience: data can be incorporated into the firm’s own applications and presented with a consistent look and feel. However, this requires skilled software developers.
Robotic Process Automation
- Non-invasive: does not require changes to systems or processes
- No-code/low-code: Business analysts with good knowledge of the process can often automate it with minimal training
- Particularly useful when “green screen” systems do not have other methods of integration
- May leave archaic or cumbersome processes in place, depending on what the Bot is taught
- Can encourage a “band-aid” mentality
- If applied by end users without governance, mission-critical process steps may come to rely on Bots that have no effective controls
- When processes or screen layouts change, Bots may silently stop working or act on the wrong field
Application Programming Interfaces
- Efficient information transfer between the firm and external service providers
- Security mechanisms (authentication, authorisation, encryption in transit, per-call logging) can be built in to prevent unauthorised access
- Enhanced user experience, as data from the service provider is built into the firm’s own applications (rather than the disjointed process of staff logging into external systems)
- Requires more coding than the RPA approach
- Interacting with a third-party service over the internet increases the firm’s “attack surface” (the systems exposed to potential attack). Continuous monitoring of API access and activity is necessary precisely because no human is in the loop to notice when calls are made, by whom, or with what data.
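As an added example (not from the article or any real provider), the Python sketch below shows three controls a firm can build into its own side of such an integration, with the provider’s verification logic simulated locally so both sides of the exchange are visible: an outbound host allow-list, an HMAC signature that binds method, host, path, timestamp and body so a tampered or replayed request is rejected, and an audit record per call that references the client by a keyed hash rather than by PII. The host, path, header names, signing scheme and keys are all assumptions; real providers define their own authentication, and production keys belong in a vault, not in source.

```python
import hashlib
import hmac
import time

# Everything here is an assumption for the example: the bureau host, endpoint path,
# header names and signing scheme. It is not any real provider's API.
ALLOWED_HOSTS = {"kyc.example-bureau.test"}
KEY_ID = "wm-firm-key-01"
SIGNING_KEY = b"shared-secret-for-example-only"     # production: vault-held and rotated, never in code
PSEUDONYM_KEY = b"separate-key-for-log-pseudonyms"  # distinct from the signing key
REPLAY_WINDOW_S = 300


def host_allowed(host):
    return host in ALLOWED_HOSTS


def canonical(method, host, path, timestamp, body):
    """String to sign: binds method, host, path, time and the exact body bytes."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{host}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(method, host, path, body, timestamp=None):
    """Firm side: refuse non-allow-listed hosts, then attach key id, timestamp and HMAC."""
    if not host_allowed(host):
        raise PermissionError(f"outbound host {host!r} is not on the allow-list")
    ts = str(int(time.time() if timestamp is None else timestamp))
    sig = hmac.new(SIGNING_KEY, canonical(method, host, path, ts, body), hashlib.sha256).hexdigest()
    return {"Content-Type": "application/json", "X-Key-Id": KEY_ID,
            "X-Timestamp": ts, "X-Signature": sig}


def verify_request(method, host, path, body, headers, now=None):
    """Provider side: known key, fresh timestamp, matching signature. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if headers.get("X-Key-Id") != KEY_ID:
        return False, "unknown key"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > REPLAY_WINDOW_S:
        # A nonce cache would additionally be needed to block replays inside the window.
        return False, "stale timestamp"
    expected = hmac.new(SIGNING_KEY, canonical(method, host, path, str(ts), body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


def audit_record(client_id, method, host, path, headers, status, elapsed_ms):
    """One record per outbound call; the client is referenced by a keyed hash, never raw PII."""
    client_ref = hmac.new(PSEUDONYM_KEY, client_id.encode(), hashlib.sha256).hexdigest()[:16]
    return {"ts": headers["X-Timestamp"], "key_id": headers["X-Key-Id"],
            "client_ref": client_ref, "request": f"{method} {host}{path}",
            "status": status, "elapsed_ms": elapsed_ms}


def demo_exchange(now=1_700_000_000):
    """Run both sides locally: a good call, a tampered body and a replayed (stale) request."""
    host, path = "kyc.example-bureau.test", "/v1/identity/verify"
    body = b'{"document_ref": "upload-7f3a", "client_id": "CLIENT-00042"}'  # constructed payload
    headers = sign_request("POST", host, path, body, timestamp=now)
    results = {
        "valid": verify_request("POST", host, path, body, headers, now=now + 10),
        "tampered": verify_request("POST", host, path, body + b" ", headers, now=now + 10),
        "replayed": verify_request("POST", host, path, body, headers, now=now + 3600),
    }
    results["audit"] = audit_record("CLIENT-00042", "POST", host, path, headers, 200, 37)
    return results


if __name__ == "__main__":
    for name, value in demo_exchange().items():
        print(name, value)
```

The audit record is what the monitoring pipeline consumes: it carries enough to spot unusual volume, timing or destinations per client reference, while the raw identifier and the uploaded document never leave the transaction path. Because the pseudonym uses a separate key from the signing key, compromise of the log store does not hand an attacker the ability to forge requests.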
AI in Customer Onboarding
Whether Wealth Managers apply RPA, API or hybrid RPA/API technologies to the client onboarding process, the nature of clients’ financial dealings is often too complicated for a static set of rules to address every case.
AI is being applied to identify red flags and alert human operators for further investigation.
Models also go stale: as client behaviour and criminal typologies change, an AI model that is not retrained and re-validated produces more false positives and false negatives.
Risk Management of APIs, RPAs, AIs and Third-Party Data
In Part 1 - Client Engagement of our series we gave examples of the risks that need to be considered in Client Engagement and here we add to it:
- Data extracted from digitised client onboarding forms, whether by API or RPA, should be checked for completeness and accuracy before it is loaded into downstream systems.
- APIs and RPA Bots need to be updated to keep pace with changes in technology, forms and applications.
- Extracted client data should be catalogued.
- Storing and cataloguing methodology should be clearly articulated and agreed in the organisation.
- Maintain a single source of truth: one database that holds the results of the client CDD/EDD checks.
- Avoid storing client data in multiple systems or databases; make API calls for a specific use rather than keeping copies.
- When engaging third-party service bureaus, it is critical to monitor the movement of data from internal to external systems, and to keep the certificates and keys that protect (and inspect) that traffic renewed and rotated on schedule.
- The 2017 breach at Equifax, one of the large US credit bureaus, exposed the personal data of roughly 147 million people, over 40% of the US population. One point that stood out was that a lapsed certificate had silently disabled the firm’s own traffic inspection: “Like many cyberthieves, Equifax's attackers encrypted the data they were moving in order to make it harder for admins to spot; like many large enterprises, Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, specifically to sniff out data exfiltration events like this. But in order to re-encrypt that traffic, these tools need a public-key certificate, which is purchased from third parties and must be annually renewed. Equifax had failed to renew one of their certificates nearly 10 months previously — which meant that encrypted traffic wasn't being inspected.” Source: CSO Online
- Regulatory requirements such as GDPR and PDPA should be built into the digitised forms and disclosures, including the client’s right of access, the permitted uses of their data, and erasure at the end of the relationship.
- Wealth Managers should engage with the Legal department to ensure agreements with third-party service providers (such as Service Bureaus and Cloud providers) give the Wealth Manager insight into the use, storage and erasure of their client data, as well as the provider’s cybersecurity controls, for example through independent audit reports.
- RPA is only as good as its programming. It is not suited to unique, creative or one-off processes.
- Near-term risks of AI relate to bias and unequal treatment of clients, on top of the false positives and false negatives noted above.
Despite the impression that Client Onboarding is a back-office function, streamlining it benefits the client experience as well as internal efficiency. Technologies such as APIs, RPA and AI can simplify information gathering from clients, accelerate the onboarding process, enhance Identity Verification, AML/CTF and sanctions screening, and break down the traditional silos between Front Office and Back Office.
Effective implementation of these technologies requires an understanding of the risks, including security and privacy of data, accuracy of information, and the robustness of controls applied by both the Wealth Management firm and external service providers.
The next article in this series will consider how APIs can enhance Investment Analysis in Wealth Management firms.