Complying with ‘know your customer’ (KYC) regulation is costing banks a fortune and giving corporations a serious headache. In this article, we explore the role of third-party providers in easing the KYC burden, and the reasons why progress towards the standardisation and automation of KYC that they offer remains slow.
It didn’t take long for third-party providers to spot opportunities in the KYC regulatory burden faced by banks and their corporate clients. In recent years, financial service providers have sprung into action to support bank compliance with regulation on money laundering, terrorism finance and the hundreds of other demands for more transparency in the wake of the financial crisis. KYC registries provide centrally stored data, easing multiple KYC requests, while more in-depth managed services, tailored to the needs of corporates and their banking partners, are bringing order to the chaos of KYC. For treasurers brave enough to jump on board, the new platforms promise a light at the end of the tunnel.
“A year ago I was drowning under KYC, but one of our banks persuaded me to sign up with a KYC service provider. Now all the other major banks we have relationships with accept the documents that are on the platform. It is no longer a burden,” enthuses Singapore-based Michael Sack, Head of Treasury and Financing at hearing aid manufacturer Sivantos Group. His comments stand out from the resounding moans and groans around KYC.
The complexity and volume of KYC-related regulation coming down the line for banks and businesses is certainly daunting in its reach. It ranges from the increased scope of the European Union’s Fourth Anti Money Laundering Directive and the Foreign Account Tax Compliance Act, designed to detect US tax evaders concealing their assets, to rules around Ultimate Beneficial Owners, new Common Reporting Standards and the pending European-wide Markets in Financial Instruments Directive, MiFID II. The days when compliance was confined to the back office are over, says Virginie O’Shea, an analyst at Aite Group, the capital markets consultancy. “There is a lot more regulation affecting the KYC universe and banks have so many more aspects to consider when on-boarding a client.”
To open a bank account a company needs passports of all signatories, names and addresses of all directors, certified articles of association, board authorisations and confirmation of Dodd-Frank exemption – and that’s just for starters. KYC rigour varies in different jurisdictions, and also within jurisdictions, leaving global businesses to navigate challenges like supplying proof of residence in countries where there are no street addresses. In another development, executives are growing increasingly anxious about identity theft because of the amount of their own personal data now held with banks. Anecdotal evidence even points to a trend of more senior managers refusing to offer up their personal details for the umpteenth time, passing the authorisation responsibility down to clerical levels instead.
KYC takes resources away from core business at a time of macro uncertainty and slowing growth. Demands on corporate treasurers to provide separate information to their different banks – and different departments within the same bank – take up precious time. According to a survey by Thomson Reuters, home to KYC managed service Org ID, approximately 30% of corporates questioned said on-boarding took over two months, and 10% said it took over six months.
“The lack of an ability to utilise information already in the financial system from trusted and verified sources is a missed opportunity,” argues Simon Pearse, Head of Compliance at the UK’s peer-to-peer lender RateSetter, which has lent £250m to UK businesses over the last two years. “The impact of this is that customers provide information multiple times, ineffective customer journeys, and lost revenue for firms when customers are dissuaded from continuing with applications due to KYC processes.”
As banks grow wary of the financial penalty and reputational cost of breaking the rules, so they have pulled out of riskier parts of their business. HSBC was fined $1.9bn in 2012 for violating sanctions and money laundering rules in its Mexican operations. The US regulator stung BNP Paribas with an $8.9bn penalty in 2014 after it broke sanction rules, temporarily banning the French bank from clearing dollars and acting as a correspondent bank for third-party banks.
These banks, and many others besides, worried about working across jurisdictions and successfully negotiating the complex and multiple interpretations of different rules, have slashed their correspondent banking activities. Dollar clearing and remittance handling in countries in Africa, Latin America and the Caribbean have shrunk, impacting cross border payments and collections across all currencies. It’s restricting the lifeblood of companies with complex supply chains that depend on making and receiving international payments.
Utilities to the rescue
Financial service provider SWIFT was one of the first to spot the opening. Its KYC Registry, launched in 2014 and now with 2,700 members, provides banks with information on their correspondent and downstream relationships in a shared platform that manages and exchanges standardised KYC data. Specialising in inter-bank KYC, standardisation comes via specific information SWIFT gathers on banks. It ranges from basic identification of the owners behind the institutions and the types of products and services provided, to details of the organisation’s own compliance. “We currently have a defined baseline of data that we require comprising around 150 elements that will evolve as KYC requirements change,” says Bart Claeys, Head of KYC Compliance Services at SWIFT. “Despite the challenge of working with different jurisdictions we are as ambitious as possible in what we ask for,” he says.
Other managed service providers offer more than a repository, tailoring in-depth due diligence for banks, investment managers – and corporates. Thomson Reuters provides KYC services for 18 financial institutions, most recently adding South African banks Rand Merchant Bank, Barclays Africa and Standard Bank to its roster. The details of every one of the trio’s institutional and corporate customers will be placed on a shared database, explains Steve Pulley, Global Managing Director at Thomson Reuters’s Risk Managed Services. “These banks have committed all their customers and are putting real volume through. Their customers are in complete control of their own data and they like not having to deal with so many requests for information.” It’s the kind of standardisation and alignment of interest between banks and businesses that will increasingly emerge as financial institutions and companies seek to take the cost out of KYC, says Pulley. “This is a model we will see in other areas.”
Not so fast
SWIFT’s KYC Registry has eased the crisis in the inter-bank market and the likes of Org ID, and others, offer a solution to stressed corporate treasury teams. So why is the Holy Grail of standardised, automated KYC still a way off?
One reason is that banks still have their own on-boarding methods. These can vary from digital-only banks’ use of biometrics like thumb prints and facial recognition, to others requiring the time-consuming collection and collation of hard copy documentation from their corporate clients. A “one stop shop”, argues Aite Group’s O’Shea, is difficult because of each bank’s own particular due diligence. “Every bank has their own checklist, and needs to ask different questions to on-board clients. It is a good idea to have a central place where information is stored and refreshed, but banks will still have to engage with third parties and ensure that clients are contributing the data they need to.” David Fleet, Managing Director, Client On-boarding and Management at Standard Chartered Bank in Singapore concurs. “In reality because there are still differences between policies and standards at various financial institutions, there are still requirements for additional data over and above what the utility collects.”
It begs the next question: why do banks cling to their own practices? The answer lies in the fact that ultimate KYC responsibility remains with banks – they are still accountable for knowing their customers and making final decisions regarding customer acceptance. “SWIFT is not a financial institution and we are not regulated as such,” says Claeys. Tom Devlin, Partner at law firm Stephen Platt & Associates and behind the development of KYC360, a community of anti-money laundering and financial crime professionals, adds: “These services are appealing because they reduce the workload and compliance headcount for banks, but the danger is that if the provider gets it wrong, the bank remains on the hook. Banks can’t outsource their responsibility.”
Competition amongst banks is also a factor impeding collaboration. “There is a cultural mentality amongst banks that if they do KYC well, and others do it badly, they will have an edge. How fast a bank can on-board a client affects how quickly they can win business,” says O’Shea. Similarly, the proliferation of competitive KYC services chasing the same segment reduces the chance of industry-wide standards. “Seven is too many. One or two would be plenty,” says David Blair, seasoned treasury expert and Managing Director of Singapore-based Acarate Consulting, in reference to the number of third-party providers competing for market share. He believes that the sector is likely to consolidate and special providers emerge for particular markets, like KYC for SMEs, just as SWIFT has cornered the inter-bank market.
It has led some experts to reason that only when regulators deliberately specify clear KYC parameters and requirements will shared platforms or ‘one-stop-shops’ really work. “Regulators refuse to tell banks what constitutes adequate KYC and banks continue to dream up more and more ridiculous KYC criteria for their clients,” says Blair. “One alternative would be for national governments to take on policing KYC. They already provide passport and tax identification services, and hold details on corporate earnings. This is a good basis for KYC.”
He argues that corporates themselves should also work harder to create uniformity, taking a more proactive stance on submitting their information to shared platforms and updating outdated records that put the compliance process at risk. “This would make it much harder for banks to insist on their own in-house compliance requirements. A strong corporate stand will also make the banks’ position with the regulators stronger,” he says.
Bank acquiescence was certainly something Sack noticed. When Sivantos signed up with managed service provider kyc.com, a platform developed by IHS Markit and Genpact in collaboration with four of the big banks, he was immediately able to take a tougher stance with the company’s 30-odd banking partners over KYC and on-boarding. “By using a tool I know is acceptable to major banks, I can tell my banks to take it or leave it. From our experience they quickly come round to accepting the documents on the platform.”
Similarly, banks also need to encourage their corporate clients to get on platforms, ensuring treasurers understand the proposition and reassuring them that their data is protected. The concept of sharing and pooling information behind the platforms will only work when adoption rates grow, creating, in the words of Thomson Reuters’ Pulley, “volume”.
Progress is also stalled by the lack of joined-up regulation between regions. Local laws and restrictions, such as whether customer data can be stored outside the country, blight progress. Selvan Lehmann, a project manager at the not-for-profit Basel Institute of Governance, explains: “You can’t violate privacy regulations and this also affects reporting obligations. There are still no clear regulations on what banks can, and cannot, disclose to regulatory authorities across jurisdictions.” In an unprecedented attempt to provide AML uniformity across jurisdictions, Basel launched the Basel AML Index in 2012, an annual global ranking of country risk regarding money laundering and terrorism financing. “There was no such tool available before and what we’ve achieved with the AML Index is still only a very small part of the compliance issue,” he says.
Yet these challenges are surmountable, counters Sack. “Our KYC requirements were a nightmare because of the different requirements in Singapore and Hong Kong, but you can find a tool that works for you,” he says. “We benefited from being a small company and having the freedom to make decisions ourselves. As the treasurer, I am responsible for on-boarding and I was happy to give it a go.”
For financial crime experts, shared platforms also have other worrying unknowns. Utilities, and even tailored managed services, struggle to provide the event-driven data that tracks the everyday financial habits of financial institutions and businesses. It is this information that builds the complete customer profile that is the real alarm bell to financial crime. “We don’t monitor clients; this is not our role,” admits SWIFT’s Claeys. “If information is updated we send a note to banks, but our role is objective and factual, not judgemental.”
Devlin argues that rather than “on-boarding the customer and then leaving them alone for five years,” KYC needs a more holistic approach that brings banks closer to their customers’ behaviour. It should include tracking client spending habits, social media activity and internet search histories to build an in-depth social profile: it is no longer just about who you are, but about what you do. “There is a limited value in extensively proving who someone is,” he says.
Technical innovation offers a solution on the one hand – but adds to the problem on the other. It puts KYC tools, from biometrics to searches for criminal convictions and negative news data feeds, at the disposal of service providers and banks. Yet more data means more information to submit and manage, more overheads, and the danger of losing what is truly valuable in the quantity of information. Regulators, and corporates already wary of identity theft, still need to engage with technology. Much KYC regulation was written in the pre-digital age and doesn’t readily facilitate the use of digital techniques, although regulators, including the UK’s Financial Conduct Authority and the Monetary Authority of Singapore, are beginning to adapt.
And of course the relentless demand for data holds more worrying consequences altogether. It could push financial crime – and respected, frustrated businesses – away from conventional lenders to alternative financial intermediaries that are not subject to the same regulatory oversight. “Some people will begin to question whether to engage with mainstream financial services because of all the data requirements,” warns Devlin.
One solution could be Blockchain, the shared database technology shaped around a network of computers which approve a transaction recorded in a chain of computer code. It is increasingly touted as an answer to safely storing validated KYC details on individuals or companies. Details are recorded on a public ledger that anyone on the network can see. The more people that have the ledger and participate in the approval process, the more secure it becomes. Proponents of the technology, like consultancy PwC which is currently assessing the blockchain’s adaptation for KYC, argue it could help with data security around repositories holding large amounts of sensitive data, and greater standardisation.
A recent report by Spanish bank Santander, management consultancy Oliver Wyman and venture capital investor Anthemis, argues that the technology could cut banks’ infrastructure costs for cross-border payments, securities trading and regulatory compliance by $15-$20bn a year from 2022. “Greater innovation around how the information is collected from the clients can improve the overall client experience. Digital solutions are key to this and so are security technologies that improve and ensure data protection. While we are looking at Blockchain and its potential, it is still too early to determine what lasting impact this will have,” says Fleet. Others are more cautious, concerned that the future technology detracts from today’s pressing issues around compliance. “I understand why people are looking at Blockchain but I am still sceptical. I believe it would complicate KYC further, holding it back rather than encouraging it,” says O’Shea.
Whatever the future holds, easing the current regulatory burden of KYC depends on banks and their customers signing up to new platforms. “The end-game that third-party utilities can help drive a single and validated golden source is something that is going to be very valuable for the entire industry,” says Fleet. Far-sighted corporates have got to lead the way.