In an ideal world, trust in commerce would be inherent in every transaction. But for this to be the case, we must live in a world without lies. And if you’ve ever seen the film The Invention of Lying, you’ll know that a world without lies is far from the world we live in, or perhaps more accurately, far from the world we want to live in.
In the movie, the main character and script editor, Mark Bellison, played by Ricky Gervais, takes us through a world without lies. A world where advertisements plainly describe a product’s features and where dating, especially for our main character, is nothing less than an eye-watering experience. Of course, if we looked at the world of economics in this parallel universe, we would see a world without fraud or identity theft. Anti-Money Laundering laws like the newest Anti-Money Laundering Directive (AMLD5) wouldn’t be required. Digital transactions could be conducted online without the worry that cybercriminals are fraudulently claiming to be organisations and people they are not. A wishful thought.
In today’s economy, IoT and other technologies exist, but widespread adoption is being blocked by a lack of ability to truly identify users, clients and organisations. The characters in this parallel world would not have the same issues, and digital technology initiatives like IoT and blockchain would be allowed to move forward at a much faster pace.
But of course, we do not live in this fantasy world: we live in the real world. A world where cybercrime is rife and identity theft is the most common outcome of a data breach. In 2017 alone, consumers reported $905 million in total fraud losses, according to Experian research.
What is Know Your Customer (KYC) Compliance?
One of the ways we have aimed to solve this problem is with Know Your Customer (KYC) requirements. These requirements stipulate that a business should conduct due diligence checks on its customers before it actually accepts their business. This means verifying that a customer really is who they say they are and that they are willing to conduct honest business transactions with you.
A simple example is asking for a government-issued identity document like a passport or driving license alongside a proof of address like a utility bill or bank statement. Any doubt about a customer’s identity means you should not be conducting any business transactions with them.
At this point, the regulations that require KYC checks apply to those who carry out high-value business transactions on the marketplace. Transactions over €10-15,000 are deemed a higher risk.
Due Diligence In Onboarding
When establishing a new business relationship, you must record:
- the purpose of the business relationship; and
- the purpose of the transaction and where the funds will come from (also known as the nature of the business relationship).
For these points to be recorded, you need to obtain and check a number of documents from the customer. Examples of documents include:
- details of business and employment;
- details of account where transactions will come from;
- copies of recent financial statements; and
- details of relationships between signatories.
Due Diligence After Onboarding
The job of due diligence is not done once a customer is onboarded. As we know, customers’ information is changing all the time and it is the responsibility of a business to stay on top of this and ensure that the data it holds is still accurate. Keeping data accurate allows us to maintain an accurate picture of risk.
Requirements for Enhanced Due Diligence Checks
In some situations, enhanced checks are needed. Examples of situations where this is required include:
- when a customer is not physically present;
- when you enter into a business relationship with a ‘politically exposed person’ – typically, a non-UK or domestic member of parliament;
- when you enter into business with someone from a high-risk third country;
- any situation where there is a higher risk of money laundering.
If you’re dealing with a customer that may not be physically present, for example, you may want to make extra checks to establish the identity of the person, check the documents supplied against the financial institution and check that the first payment was made from an account opened in the person’s or organisation’s name.
As well as doing due diligence checks, organisations must also ensure that they keep and maintain accurate records of daily transactions for each of their customers and keep these records for at least five years.
Why Know Your Customer (KYC) Is a Broken System Today
I wanted to briefly go over the Know Your Customer or KYC check obligations today so we can take a look at why these checks might not be working to the best of their ability.
You already have an idea of just how much administration, checking and record keeping is required to conduct high value business transactions today but if all of this hard work isn’t going anywhere then we must conclude that the system is broken and look at ways of fixing it.
Areas where KYC is thought to be failing are:
- number of identifiers,
- lack of consistency,
- time and cost to comply,
- accuracy of data and
- ability to scale and transfer KYC checks.
The GLEIF published a study where they questioned 102 senior people in the banking sector about KYC. These were a mixture of different sized companies from the US, UK and Germany. The study found that it takes an average of six weeks to onboard a new client/customer. A quarter of this process still involves manual tasks, which nearly half of those questioned agreed represented a major burden. Thomson Reuters also found that corporations are contacted an average of eight times during the onboarding process.
Still, many organisations’ compliance teams have different ways of interpreting the regulation and forming processes to ensure compliance. With compliance teams spending more and more time learning and interpreting new regulation, some of the weight of onboarding can be seen shifting to other areas, especially as technology becomes more essential. The GLEIF found that 18% of respondents cited KYC compliance as the longest stage in the onboarding process.
All of the above leads to a lack of trust with organisations as customers are asked for significant amounts of data and often find discrepancies with what is asked for by other organisations. Quite rightly, customers who aren’t lying shouldn’t have to go through such gruelling onboarding measures because of the smaller minority of customers who do lie.
McKinsey published a report in January 2018 that found 33% of organisations citing cultural and behavioural challenges as a major challenge to meeting digital priorities. Perhaps this lack of ability to quickly change culture and internal structures and processes is part of the problem. How will organisations adapt to the new environment Open Banking will bring in 2019? This is another significant regulatory step towards open infrastructures and data exchange that could be a detriment just as much as it could be an opportunity in onboarding – depending on how organisations adapt.
“A collection of electronically captured and stored identity attributes that uniquely describe a person within a given context and is used for electronic transactions. It provides remote assurance that the person is who they purport to be”….
“A person’s digital identity may be composed of a variety of attributes, including biographic data (e.g., name, age, gender, address) and biometric data (e.g., fingerprints, iris scans, hand prints) as well as other attributes that are more broadly related to what the person does or something someone else knows about the individual.”
In the paper, they also have a look at what forms of documentation are typically required to open a commercial bank account.
On a broad scale, every person has a large number of identifiers associated with them. Your bank account, national insurance number, age, address, email, place of work and football club can all be identifiers. In reality, and especially when onboarding for high value business to business transactions, this question is a lot harder. Does your registered business address, bank account, phone number and Companies House registration qualify as enough to tell an organisation that you really are the business that you claim to be?
According to the GLEIF, businesses surveyed use an average of four identifiers internally but nearly a third say they use five or more. When looking at the number of identifiers used, we can see that the more an organisation uses, the longer it takes to onboard and the more time is spent doing manual tasks.
In terms of KYC regulation today, there still isn’t a standard set of identifiers or a required number of identifiers for a bank or financial institution to use. There also isn’t a central database or registry where these identifiers are held. Especially when we look at identifying an organisation, this issue is far from resolved.
Accuracy of Data
Lack of accurate information and ability to reconcile information is a significant issue in the KYC process as we know it today. The GLEIF reported 57% of respondents found that reliability of information was a significant challenge of KYC, while 52% cited contradictory information from different sources to be an issue.
As we saw earlier, one of the stipulations of KYC compliance is that regular checks are maintained to ensure data is accurate. If a company registrant has a role change or the organisation goes through a merger or acquisition, how and when will this information update and accurately reflect in the KYC record?
The use of multiple databases for identifiers has led to more issues with reporting accuracy. The GLEIF found that financial institutions using multiple identifiers for cross-checking often found different organisations using the same identifiers or different identifiers relating to the same organisation.
In addition to KYC compliance, GDPR also stipulates the importance of ensuring data is accurate and kept up-to-date. This isn’t a new issue either. In September 2017, Thomson Reuters was already reporting that compliance teams believe data management and quality are a top priority (62%).
Costs of Compliance
As consumers demand faster and more efficient services, banks and financial institutions are working hard to meet these demands but face a constant battle to ensure they are doing this in a compliant and transparent way. A study on the cost of compliance by Thomson Reuters in 2017 found that over 50% of professionals expected compliance budgets to be slightly more or significantly more over 2018. 58% of firms also expect to be communicating and liaising more with regulators.
What does this mean?
It means that the financial industry has to put a significant investment into their compliance teams and ensure that compliance is given enough resource to make the changes needed over the coming months. Compliance teams need to research and interpret the regulation, implement process changes within the financial institution and liaise with regulators and auditors. This is a heavy responsibility and cannot be done by compliance alone, which is why a good strategy is to have compliance lead a wider change management initiative within the organisation.
Luckily, financial institutions have already recognised this need, which is why Thomson Reuters can report that 66% of firms expect the salaries of their senior compliance staff to increase in 2018 (a figure which is up 6% on the previous year).
Scalability and Portability
I’ve already mentioned that processes in KYC may vary depending on a compliance team’s interpretation of the regulation. But how is KYC applied on a larger scale and as a business grows?
We already know that some countries have fewer people banking (because of accessibility) and therefore bank IDs are harder to use, but regulatory requirements also differ for business to business checks. One way the process is different is in the business registration process itself. For example, every country has its own version of Companies House and rules on registering.
It is therefore not easy to transfer identity across borders without registering your business twice. The amount of time spent on administration in a business can be quite high when it has to register again and go through all the same KYC checks it already went through in its home country. If KYC were truly portable, we could perform these checks with our bank in our home country and transfer these to the country we want to expand in with ease.
With the advent of Open Banking and PSD2 requirements, set to be enforced in 2019, banks and financial institutions are having to think about the many integrated relationships they have with third-party providers.
Preferably, we are trying to get to a future where KYC checks are done once, with one provider and transferred to other providers. How can this be done when standards are different for each business?
I have not seen a lot of articles written on the subject of scalability and portability. I do think this is a hugely important aspect of KYC that is perhaps overlooked in the coming age of data sharing and APIs. Please feel free to send me any links to articles on this subject if you know of any.
How Legal Entity Identifiers Can Help
I have already explained what a Legal Entity Identifier is in great depth in a previous blog post and also the regulation that has helped accelerate it (MiFID II) and the Global Legal Entity Identifier Foundation or GLEIF who support its global adoption.
When thinking solely about the use of LEIs in the KYC process, we can see how a single standard for business entity identification can vastly improve the speed and efficiency of business to business KYC checks. LEIs contain plenty of reference data (including company hierarchy and business information like address) that are considered ‘identifiers’, which essentially means that the banks and financial institutions have far fewer checks to do, since LEIs are already checked and verified.
As far as maintaining accurate and up-to-date data is concerned, banks and financial institutions have a lot less work to do if they use LEIs because the onus is on the individual businesses to ensure that their LEI is up to date and accurate. This includes renewal of the LEI on a yearly basis, where information is updated.
Finally, while LEIs are only mandated for businesses conducting high value transactions, I see a future where every business AND every individual can be issued an LEI. A public database maintains all of these IDs where individual businesses and persons are responsible for keeping their own record up to date. When thinking about portability and scalability, this means any third-party service wanting to work with the bank and financial institutions can all use the same level of data. This holistic approach will speed up efficiency of increased business partnerships and API integrations.
If global adoption of LEIs happens, KYC with LEIs can be applied to smaller value business transactions as well, meaning the cybercriminals and fraudsters will have a much harder time stealing identities and laundering money with fraudulent transactions.
To summarise the benefits of using LEIs in KYC:
- LEIs lower the number of identifiers a bank or financial institution has to check;
- put the onus of maintaining up-to-date and accurate information back on the individual companies or persons;
- speed up and lower the cost of onboarding new clients;
- offer scalability and portability with KYC checks in other organisations and across borders;
- unify registration data in one single global database which can be used and applied to all KYC checks in the future; and
- reduce the cost of compliance and administration.
Cristina is an experienced professional with a diverse career that has played to her strengths as a pragmatic, multilingual manager and educator with a passion for building trust through clarity and communication. Founding ManagedLEI was a natural step for Cristina as an intrepid entrepreneur and under the Trusted Identity banner she has many exciting plans for the future of ManagedLEI and its anticipated associated financial and digital security products and services.