Regulators around the world have introduced new requirements to combat money laundering and terrorist financing. The costs of noncompliance can be high. Depending on the jurisdiction and severity of the violation, penalties for failing to meet anti-money-laundering/counter-terrorist-financing (AML/CTF) and sanctions requirements can range into the billions of dollars, and fines continue to increase. The reputational fallout of violations can, and often does, result in additional financial harm.
AML/CTF and sanctions requirements include numerous know-your-customer (KYC) provisions. Banks are required to collect information and documentation on prospective customers to help them identify possible criminals and terrorism financiers. However, such efforts can lead to onerous, inefficient, and ineffective KYC onboarding processes. Many customers express frustration with the amount of confidential information their banking partners require; meanwhile, banks are concerned that the growing costs of KYC compliance are becoming prohibitive. In addition, because KYC requirements are complex and prone to interpretive issues, compliance is often elusive.
To help thwart financial criminals and comply with regulatory requirements while also remaining profitable, banks must streamline their KYC processes. In this regard, blockchain — an open, distributed ledger that uses cryptography to link a continuously growing list of records (or blocks) — holds considerable promise. In certain jurisdictions, in fact, efforts to streamline KYC processes using blockchain are already underway.
KYC Requirements: A Complex Matrix
Jurisdictional KYC requirements are typically enforced through a combination of legislation, regulation, and guidance. In addition to meeting local requirements, the foreign branches of a multinational bank must typically meet the requirements of the bank’s home regulator, depending on which are more stringent. Bilateral requirements from previous regulatory actions and internal policy requirements may also apply.
KYC requirements can vary in their complexity, depending on the regulator or entity that issues them. Because requirements originate from a variety of sources, some may conflict with others. Banks must track any discrepancies and ensure their KYC policies meet or exceed all requirements to which they are subject, including home-regulator, host-regulator, and internal-compliance obligations. Deciphering and addressing differences between requirements requires considerable effort and resources, as does tracking changes to requirements.
Moreover, in many jurisdictions, regulators favor a principles-based approach to establishing KYC requirements, instead of a more prescriptive rules-based approach. Principles-based regulation refers to a set of general, broadly stated standards that allow for implementation based on the operations and risk profile of each institution. While a principles-based approach can create flexibility for banks, different interpretations of the rules can also lead to uncertainty over the intentions and expectations of regulators.
Challenges with KYC Processes
Challenges Facing Banks
Although KYC compliance is not difficult in theory, conflicting requirements and interpretative issues — as well as security concerns — lead to numerous uncertainties and inefficiencies. Many banks struggle to operationalize requirements and achieve full compliance.
KYC processes can be prone to the following issues:
Long onboarding times. At most banks, the collection and management of customer documents are performed manually, and onboarding is time-consuming as a result. Delays and repeated requests for documents can negatively impact a customer’s experience and cause banks to lose business.
High costs. Manual, time-consuming onboarding processes are a significant drain on a bank’s resources. In addition, many financial institutions spend large sums to update slow, outdated KYC systems that fail to meet basic onboarding requirements. Opportunity costs can be high as well; with AML/CTF compliance now a top priority for regulators around the world, executives of financial institutions are focusing more on KYC-related matters and less on revenue-generating activities.
Duplicate efforts. Most banks conduct their own KYC processes, thus duplicating the efforts of other banks that have the same client(s).
Regulatory challenges. Changing regulations force banks to constantly update their policies and procedures and, in many cases, continually invest in new systems and processes. In addition, updating the files of customers to address new standards, as well as changes to existing standards, may require significant remediation efforts. For the most part, banks within the same jurisdictions collect similar documents from customers. However, requirements can differ depending on a bank’s regulators and where the bank operates, and many banks have different approaches to implementing the same requirements. Some take laborious measures to request and collect more information than required; others adopt less conservative approaches that may be more amenable to customers but could leave them vulnerable to regulatory-compliance violations.
Challenges Facing Customers
Slow and inefficient KYC processes can also lead to poor customer experiences. Common customer grievances include:
Process inconsistencies. Because different banks follow different processes and procedures to meet KYC requirements, customers are often unclear about which documents to provide or whether they are unnecessarily sharing confidential documentation. Many prospective customers avoid new banking relationships because of the time and resources necessary to understand and fulfill the requirements of their banking partners.
Duplicate efforts. Customers that open multiple accounts with the same bank in different jurisdictions are often required to complete the same onboarding process in each jurisdiction. In addition, without an adequate system for sharing documentation between banks, customers are forced to repeat the same processes for each banking partner. These inefficiencies can be quite costly, considering that, even within a single jurisdiction, a customer might use one bank for foreign-exchange transactions, another for cash management, still another for trading, and so on. Repeatedly providing information and documentation is especially problematic for multinational customers, which can have hundreds of relationships with institutions around the world. Furthermore, each time a customer’s information changes — for example, when a legal entity changes a director or adds a new signatory — the customer must report the change to each of its banking partners. Many avoid this step until forced to report changes by a bank’s refresh processes, leaving banks with inaccurate and outdated information in the meantime.
Lack of transparency. After sending their information to a bank, customers are often blind to the status of the bank’s validation processes. This lack of transparency can frustrate customers with time-sensitive needs. In addition, customers typically have to wait weeks to receive updates, leading to potentially negative ramifications on their businesses.
Lack of security and privacy. Customers are often required to email sensitive information — such as the personal data of senior executives — to their banks. Because many don’t know who can access their data or where that data is stored after they send it, they are understandably concerned about the associated security and privacy implications.
Challenges Facing Regulators
Regulators face challenges with supervising and overseeing banks’ KYC programs. Different banks using different processes to implement the same KYC requirements creates a lack of consistency that makes supervision more difficult. And because the collection and management of customer information is such a manual, complex process involving many different areas of a bank, regulators often struggle to follow the audit trail, which may include dozens of email conversations, paper documents, and other forms of information.
Governance and Technology: Key Elements of a Collective Approach to KYC Processes
To make KYC programs more efficient, banks must find ways to streamline the collection and verification of customer data. Some use utility models, or third-party data repositories, to accomplish these aims. However, most KYC utilities suffer from a couple of key shortcomings: First, customers have little to no insight into how utilities use their information and store their data, much less different parties who may have access to it. And second, because banks claim they cannot fully trust information validated by a utility, they often wind up revalidating the data themselves, which largely defeats the purpose.
To be effective, a collective approach to KYC processes must have two key elements: sound governance and quality technology. A robust governance framework is vital to establishing the reliability and trust necessary to share data in a multiuser KYC environment. And trusted data definitions and collection processes must be supported by technology that organizes, stores, and shares customer information in a manner that meets today’s privacy, security, and reliability demands. Both elements are critical — and interdependent: Sound governance enables banks to get more value from technology solutions, and quality technology in turn enables sound governance.
Effective Governance: Factors
Sound KYC governance relies on the following factors:
Harmonized standards. To develop a shareable and transparent approach to collecting and validating customer data, banks require harmonized KYC standards. While full harmonization is difficult to achieve — particularly once an institution incorporates requirements from multiple jurisdictions — most industry stakeholders agree that, on a jurisdictional level, banks could come close. In addition, the governance function of a shared KYC utility must help update harmonized standards based on changes to regulations and industry best practices.
Independent assurance. A shared KYC platform or utility must have strong independent oversight for members to trust the information it provides. A system of checks and balances, coupled with independent subject-matter expertise, can help banks identify potential issues early — including ill-intentioned parties and suspicious activities — and suggest appropriate rectification actions.
Credibility with regulators. A shared KYC platform or utility must be able to engage regulators on the issue of harmonized standards and demonstrate compliance with relevant requirements and risk-based approaches.
Effective Technology: Factors
Meanwhile, KYC technologies must be:
Secure. Customers and banks should be confident that their information is not accessible to unauthorized parties or vulnerable to hacking. Security is becoming increasingly critical as privacy issues take center stage and stricter regulations come into effect. No bank wants to make headlines for a data breach.
Trusted. Institutions must have confidence in their technology — and their technology providers. Solutions must be user-friendly, reliable, and adaptable, and providers must be well-established. A provider with an uncertain future presents a major risk to banks, regardless of the quality of its technology.
Scalable. Technology needs to be able to scale to account for future increases in the volume and complexity of KYC information.
Interoperable. A bank needs to be able to exchange information with, and use information from, other systems. These include its own systems and the systems of institutions inside and outside its jurisdiction, such as platforms and utilities and other public and private sources of KYC information.
The Potential of Blockchain
Finding the right technology to support a bank’s KYC efforts is a critical but daunting challenge. Integrating new systems, loading those systems with information, training end users, and gaining end users’ buy-in is expensive and time consuming. Banks simply cannot afford to make the wrong choice and change course several years down the road. The objective is to find technology that will be relevant in the future, but with so many solutions on the market, not to mention the pace of change in the industry, this can seem like a fool’s errand.
One of the most promising technological innovations over the past few years is the blockchain distributed-ledger technology, which has all the necessary characteristics mentioned above to increase the effectiveness of KYC processes and eliminate many of the associated inefficiencies and privacy issues. In fact, a blockchain-based platform or utility in which member banks adhere to harmonized standards is one of the few technologies with the potential to benefit all industry stakeholders — banks, customers, and regulators.
Decentralizing and Sharing Information
When a customer provides information (or pointers to information) to a bank that is part of a blockchain-based KYC platform, that data is replicated to all the other banks on the platform. In essence, the storage of information is decentralized. However, because the information is also encrypted, no other bank can access it — they will not even know it exists, in fact — unless they have the customer’s explicit authorization. When a customer works with a different bank that is part of the blockchain, and that bank requests the same information, the customer simply sends the bank a decryption key to grant the bank access. In addition, blockchain’s trusted, immutable audit trail lets customers know which banks have accessed their information. Blockchain therefore enables a data-privacy model in which the customer retains full control.
This level of convenience and transparency yields significant benefits. On a blockchain platform that can share information seamlessly between members, customers just need to update their information once. They are therefore more likely to do so, thus improving the accuracy and reliability of their banking partners’ information. Data can even be destroyed, in effect. Through the General Data Protection Regulation and other measures, the European Union and certain regulators are focusing on the rights of users to destroy or erase their information. One criticism of blockchain is that once someone writes information, it is in the network permanently (which is why it cannot be tampered with). However, customers can also revoke permission to any and all potential users, thus restricting access.
Sharing information could also benefit banks and regulators. The costs of collecting, storing, securing, and moving information using blockchain could be much lower, and streamlining onboarding processes could lead to improved customer relationships and quicker access to new customers, freeing up more time for banks to sell services and provide support. And if banks shared information and adhered to the same requirements, evaluating programs could become much easier for regulators, allowing them to focus instead on the banks’ risk assessment and decision processes.
Early-Stage Blockchain KYC Projects
Collective approaches to KYC processes using blockchain are already underway in some jurisdictions. For example, in Singapore, several institutions — including Deutsche Bank, HSBC, MUFG, and the Treasuries of Cargill — have completed a shared KYC proof-of-concept that demonstrates how blockchain can provide a secure, efficient, and decentralized platform for banks to collect, validate, update, and share customers’ KYC information. This technology-focused POC was the first phase of a larger blockchain shared-KYC project.
The high-level objectives of the project include:
- Defining harmonized standards for the collection and validation of KYC information
- Eliminating repetition and redundancies and enhancing privacy through collaboration
- Creating a sharing economy between banks, customers, and regulators
- Digitizing KYC information for accuracy and authenticity
- Increasing transparency and trust with shared, up-to-date standards
While the final outcomes remain to be seen, early indications are that it is helping banks streamline processes, reduce risk, enhance security, and improve the customer experience. Customers are also benefiting from having to do less paperwork, since they only need to provide documents once before sharing them with the banks on the platform.
As regulators around the world become increasingly focused on preventing money laundering and terrorist financing, banks are being forced to contend with a complex matrix of KYC requirements, many of which are open to interpretation and, in some cases, in conflict. At most banks, processes for ensuring compliance are manual, repetitive, and costly. Traditional utility models partially address the problem, but most are plagued by issues with transparency, efficiency and interoperability.
The potential to streamline KYC processes lies in blockchain which — when coupled with sound governance — can facilitate a more open, transparent, secure, and efficient approach to compliance with continually evolving (and increasingly onerous) regulatory requirements. In Singapore, large banks have already begun proving the value of this strategy. Approaches to KYC compliance will continue to evolve, but for now, a blockchain KYC platform appears to be the ideal solution for the industry.
Alexander Carmichael is the Chief Operating Officer of Promontory Financial Group Australasia, LLP. Alex works with clients to strengthen their risk management and compliance processes. With a background in quantitative risk measurement and information management, Alex specializes in the effective communication of risk information across large and complex organizations. Since joining Promontory in 2006, Alex has been highly successful in helping clients improve their anti-money-laundering controls and realize benefits and savings from investments made in regulatory compliance programs and technology.