AML: Efforts to launch KYC register gather pace
Anti-money laundering rules present a considerable challenge to organizations wishing to do business. While certain processes need to be observed, large corporations and banks face the added cost – and frustration – of replicating those efforts for every relationship they have.
For banks as much as their corporate clients, the burden of these processes has risen markedly, and to such an extent even fiercely competitive banks are contemplating working together to tackle the issue.
“KYC [know your customer] is the most obvious candidate [for collaboration],” said Assaf. “We all use the same data, but there is no proprietary value in doing KYC. We should look at creating a KYC utility, which will save costs.”
This call is being answered.
Swift, the banking industry-owned global provider of secure financial messaging, is expected to launch its own KYC register in the next few weeks or early in the new year, and will be accessible to its financial institution clients, which will be able to update information on themselves for the convenience of trading partners globally.
It is not alone. Markit and Genpact, which have experience offering KYC services to clients, are also working on an offering, with Morgan Stanley and HSBC involved in the project. The States of Guernsey is also understood to be considering a niche offering for its high net-worth investor clientele.
Meanwhile, KYCme, a secure online vault that was launched in September, approaches the problem from a different angle. It allows people or companies to share documentation for KYC authentication, though without attempting to become a comprehensive register.
“This is not a new problem,” says Julian Wakeham, investment banking partner at PwC. “The issue is 10 years old at least and several consortia have been put together to tackle it over the years, but none have ever succeeded because the problems are complex.
“There are too many jurisdictions with their own specific requirements and each institution has their own risk appetite/risk models and their own due diligence requirements driven by those different interpretations of risk.”
Although the economic logic for the register is compelling, says Wakeham, the idea presents operational challenges. It is not only every regulator with its own set of rules with which a global KYC offering needs to comply, but every tax authority as well.
The solution to this is flexibility combined with the highest level of integrity and validity, says Mehul Kotedia, founder of KYCme.
His service allows clients to upload any documentation to its encrypted vault, be that ID card, passport, CV or letter issued as a proof by a legal counsel or notary public. This means whatever documentation a particular regulator requires can be accommodated. All uploaded documentation is authenticated by intermediaries that have themselves been vetted by KYCme.
“The Financial Action Task Force realizes that not all jurisdictions will apply the same policies for ID verification and a guide was published by one of the big four accountancy [firms] looking at the different global requirements that are in place, and we cover significant majority of those already,” says Kotedia.
Any successful register or other player in the KYC space must command considerable trust. Institutions that have failed to meet their KYC compliance requirements have been heavily fined. The liability rests not with the KYC solution provider but the customer.
“US regulators have been very clear on this – there is no risk shift when a third-party provider is used,” says Wakeham.
“If a bank uses a KYC register, the bank is still liable for the accuracy of the information and is still likely to verify everything itself. This doesn’t mean there is no cost-saving being made – the verification of the data can be quite easy to do – but it does mean the risk is still there for the banks.”
The success of any central KYC register will depend on it achieving critical mass.
“The service is only as good as the businesses on it,” says Wakeham. In this regard, Swift is well-placed, maintaining relationships with the majority of the big, wholesale banks, based on transaction processing.
With 7,000 banks expected to be on Swift’s KYC register, it should have the critical mass necessary to make a central register relevant.
Yet KYC is a new service to Swift, with limited overlap on its traditional business. There is also the question of Swift’s own funding model, which could present challenges.
Its larger members that benefit from its KYC register might be happy it is allocating resources to the issue, but its smaller members might not want to be involved and might resent Swift diversifying into this new business.
Few question the integrity of the data that will be contained on any of the KYC registers that come to market. Data bureaux prove there is a business for central registries, although many bureaux now offer auxiliary services to augment a drop in data prices, says Magnus Bray, sales manager at miiCard, an online ID service that avoids relying on data checks for primary identity.
However, while a register will confirm the accuracy of data about a person, it will not prove people are who they say they are.
“Knowing information about your customer will continue to play a part in customer on-boarding decisions, but proving the customer is who they say they are is the real challenge,” says Bray.
“Proving you are you online no longer equates to providing information about you. For KYC to be effective, identity proof, not just data, is key.”
Others worry compiling such registers will attract hackers.
Data held in central repositories will be encrypted and held as securely as possible to combat this risk, even if it cannot be eradicated. But concern about security should not be an excuse for inaction, warns KYCme’s Kotedia.
“People don’t think twice about sending this kind of documentation via email,” he says. “So much is currently being shared this way and it is frightening.”