The Legitimacy Life-Cycle – All Risk Mitigated (Frank Cummings)

The Legitimacy Life-Cycle – All Behavioral Risk Mitigated

Lifecycle management has become an AML Compliance buzzword. But it’s often just new wrapping on the same old package. The
Legitimacy Lifecycle, in sharp contrast, looks at the lifecycle challenge with a comprehensive emphasis on Risk relevance and Risk mitigation.

Unlike other lifecycle-management systems, the Legitimacy Lifecycle monitors and/or mitigates
all human and human-caused activity within an institution. The Legitimacy Lifecycle is purely event driven and starts with the
Know Your World (KYW) concept of Due Diligence, which enables monitoring of Risk-relevant events from onboarding to offboarding of your Risk-relevant relationships (i.e., all relationships).

Know your World (KYW) Due Diligence recognizes and accounts for Risk across your enterprise—not just your customers and transactions. Effective
KYW comprises knowledge of the Risk potential and structured monitoring of the following categories:

1. Customers
2. All related parties of customers
3. Vendors
4. Employees
5. Managers
6. Artificial intelligence and machine learning applications (AI/ML)
7. All known relationships among categories other than Category 2 to Category 1

Best-practice Risk management calls for KYW to be performed the same for each of the Due Diligence categories and for the same purposes. Each of these categories causes events to happen within your institution; your task is to confirm that all these
events occur for “legitimate business purposes.”  A legitimate business purpose is defined as an event happening when it should and most importantly how it should happen, as well as by whom.

The Legitimacy Lifecycle specifies three main lifecycle stages that help predict stage-specific types of Risk specific to the seven categories above. Those lifecycle stages are onboarding of a relationship, the ongoing maintenance of a relationship,
and the closeout of the relationship.

Each of these lifecycle stages requires its own Key Risk Indicators (KRIs) to be configured in a GRC solution to monitor all the Risk-relevant events within each stage of each relationship. The KRIs should automatically trigger a notification event for action
to the required party. Actions might include sending an email, opening a research case, starting timed SLAs, etc.

Let’s consider for a moment the kind of events that a KRI might initiate. This requires you to enter the “Suppose Zone.”

Suppose you are onboarding a new corporate customer. You are collecting documents and checking data interfaces; everything is looking good, and you are about to accept the customer when you get an email alert. Your public-records database shows the average
monthly electricity usage is below that of a college dorm room.  The potential customer’s self-reported monthly electricity usage is over 200 times that.

Or suppose you have an employee who is always the last person to leave at the end of the day. And they always seem to pass on taking their vacation days. At the same time, you receive a garnishment demand for that employee. You conclude that one of your
best employees is having money issues. Do you think they should be alone on your production systems?

Or suppose you had a breach, but you can’t figure out how they got in. Perhaps they did not break in, but rather you let them in. The little machine-learning application that marketing bought on the cheap was doing a bit more at night than you thought and
was slowly but surely gaining access to your core and payments systems. Try explaining that to the board.

The Know Your World approach can help anticipate and monitor for these Risks. And the
Legitimacy Lifecycle facilitates a structured imagining of what is possible, and then gaining an understanding of its probability. At the core of this Risk-mitigation concept is establishing KRIs for the “whole” of who interacts within your firm and
making sure that it is all legitimate.