Accelerating and Lowering Costs of KYC/AML Processes with a KYC Utility
By Kati Suominen, Founder and CEO, Nextrade Group and Techical Director, eTrade Alliance
One of main challenges for entrepreneurs and MSMEs to engage in formal ecommerce is limited financial inclusion of both consumers and businesses. Parties do not have bank accounts from which to send and receive payments; and MSMEs that need working capital to process orders cannot get it from banks.
The key reason behind the challenges for MSMEs to get bank accounts are the ever-tightening anti-money laundering (AML) and know your customer (KYC) rules that raise the costs for banks to carry out due diligence and disincentivize them from dealing with small and opaque “thin-file” borrowers. KYC processes do not stop at opening a bank account: financial institutions constantly verify customer identities, such as upon opening an account, keeping records of that customer’s activities, and examining suspicious transactions – and authenticating and authorizing the customer to use banking services.
Nine out of ten banks say KYC and AML rules are a significant or very significant barrier for them to offer trade finance, making them more biased to large borrowers and existing customers. Vetting and onboarding a new client can cost as much as $6,000 for the bank and just as much in paperwork and labor for the MSMEs that are seeking to open a bank account. The situation is even worse for MSMEs that want to bank in several countries, as is increasingly the case for ecommerce and technology-driven companies that are regionalizing across small developing countries.
In a 2016 Thompson Reuters global survey of 822 banks, the average bank spent $60 million on KYC and customer due diligence, with the total amount of time to onboard a new client rising at 20 percent annually. The largest financial institutions spend as much as US$500 million annually on KYC and customer due diligence. The toughest, most opaque segment tends to be private and small developing country firms. One study estimated that smaller family-owned businesses in less-known jurisdictions made up a fifth of applicants but half of banks’ workloads.
Accentuating these costs is that the processes by which banks identify customers and assess customers’ AML compliance are often outdated, paper-based, and manual. In one study, over 50 percent of banks’ cost to issue a letter of credit is estimated to arise from manual document handling and checking.
Reducing the time and cost that goes into KYC/AML is an important priority for banks and customers alike. As customers digitize and require more streamlined processes, banks also compete on user experience, such as on the number of customer touchpoints and steps during the onboarding process. Streamlining KYC/AML is also critically important to bridging the global trade finance gap, estimated at $1.5 trillion and mostly affecting developing country MSMEs. Alisa DiCaprio and Ying Yao’s studies show that stringent KYC/AML rules are the main cause of the MSME trade finance gap.
State of KYC Utilities
To date, MSMEs in most developing countries struggle to authenticate and verify themselves to financial services providers. Better information sharing on MSMEs among the many players in the financial service ecosystem can however change this setting. Typically 80 percent of the programs and processes banks use in their due diligence (e.g. questionnaires, documentation, screening and risk-scoring processes, and so on) are the same across banks. Thus, instead of replicating their KYC processes, banks would ideally draw on a global registry or “KYC Utility” on MSMEs and their activities.
Such data pools of course already exist. Among the first generation private KYC registries, SWIFT’s KYC registry, formed in 2014, enables 5,500 financial institutions to streamline the exchange of KYC information around the world among correspondent banks. Research firm IHS Markit has a KYC registry with 30,000 profiles that large banks can peruse to perform due diligence when a customer requests a new transaction. The company captures some 80 data points in a company’s business, ownership and key controllers, and integrates with other databases such as Politically Exposed Persons (PEPs) and adverse media and sanctions/watchlists.
KYC registries are to reduce duplication of efforts, as participating banks would not have to perform the same due diligence processes when interacting with a company; make it harder for criminals to migrate across providers and jurisdictions; and help smaller banks access the same KYC data with limited resources as available to large banks. They also help standardize KYC processes and their auditability across banks. Both banks and governments have seized on the KYC Utility concept. Banks can use it to accelerate onboarding; governments, to reduce corruption, tax evasion, and money laundering and improve financial inclusion.
There are various KYC Utility models – government-led as in India’s Central KYC Registry with individual customers’ data; public-private models tested in Singapore and later in the Nordic region; and more purely private sector-led models adopted by blockchain consortia, such as Mastercard’s Track that is used by many banks, and South African bank consortia in partnership with private company Refinitiv.
The Nordic KYC Utility established by six Nordic region banks (DNB Bank, Danske Bank, Nordea, Handelsbanken and SEB and Swedbank) was set up in 2017 to combat financial crime and cut banks’ compliance costs, via a common platform with standardized processes for handling KYC data. The utility is a joint venture company in which each bank has an equal share; the European Commission blessed it as consistent with EU’s merger rules. The company is autonomous and will initially offer KYC support on medium-size and large borrowers based in the Nordic region. The service is free of charge for corporates seeking suppliers and partners in the Nordic region; financial institutions pay to access the data. The project has not been easy – for example, the group has had to spend more time than expected in reconciling differences around compliant KYC information as well as exploring alternatives for a digital platform to share data.
Also poorer countries have made progress on shared KYC data. In 2019, African countries set up a KYC Utility-type system using blockchain. Multilateral trade finance bank Afreximbank’s Mansa, a pan-African customer due diligence platform, facilitate intra-African trade by providing the single trusted source of primary data required to conduct due diligence checks on counterparties in Africa. The entities that use the platform are either “contributors” (such as African financial institutions, corporates and MSMEs, who will upload their information to the repository using standardized KYC/AML templates), or “users” (financial institutions that provide banking facilities and are looking for information on a particular company).
Some governments have also considered KYC Utilities; for example, industry utility steering committee comprising Singapore indigenous and large international banks, reporting to the
Council of the Association of Banks in Singapore, tried to set up a corporate KYC Utility solution with the government, only to find that the cost of the effort defeated the savings generated to banks.
There are also private models. The South African shared KYC Service formed between Refinitiv and the largest banks in South Africa and large corporations, hedge funds, and asset managers who use it as a centralized solution for sharing KYC documents and information among several financial institutions through a secure and free-of-charge web-based portal. There are some recent private sector solutions such as Mastercard Track, which is both a B2B know your customer and know your supplier solution and an accounts receivable and payable management solution, and a firm registry that brings together thousands of metrics, such as sanction and media signals for a company. This transaction-level database enables monitoring of transactions that is key to reducing banks’ AML risk.
There have also been some private pilots sharing KYC data with blockchain. For example, in Southeast Asia, OCBC Bank, HSBC, IMDA, and Mitsubishi UFJ Financial Group in 2018 completed a proof of concept for a KYC blockchain. In 2018, five banks in France piloted common KYC processes with R3’s Corda, with 26 corporations. The participants implemented KYC requests within a shared network where banks could request access to data and corporate clients could approve access and the data were recorded on the blockchain.
A blockchain-based registry could accelerate the gains while inherently creating an audit trail of data. In personal banking, the Financial Services Agency of Japan has been working on a new digital ID powered by blockchain, to streamline financial services for its individual customers. A consumer with an account at one of the participating banks would use the blockchain-powered digital ID to access banking services at other banks.
Lessons learned from KYC Utilities
KYC Utilities can accelerate and lower the costs of KYC/AML checks, enhance banks’ customer experience, and standardize data and processes across banks, streamlining audits for all. KYC Utilities can also help banks better forecast revenue, currently subject to the hard-to-predict costs of KYC/AML processes. A large common pool of standardized real-time data also opens the door for predictive analytics. A multi-member utility in principle has more data that in turn enable better predictive analytics and detection of anomalous and fraudulent patterns.
At the same time, KYC Utilities have been difficult to mount and operate. In a recent review, several private and government-led parties attempted to create KYC and AML utilities, but had difficulty for three reasons: incentives for third-party utilities are intrinsically misaligned; overly ambitious designs can lead to costs that outweigh savings; and compliance with privacy laws can complicate data sharing. The costs of integration of databases and technologies have also often been larger than expected.
The stakeholders driving the creation of the Singaporean KYC Utility have produced an excellent report on the lessons learned, both successes and challenges. One key lesson is that flexibility and adjustments are key to the process of building a KYC Utility because banks under a common regulatory regime can vary widely in their risk-tolerance and sophistication; thus one-size fits all KYC Utility does not work as well as a utility that can be tailored to each banks’ existing KYC processes, risk methodologies, data and technology requirements. In addition, Singapore discovered that migrating historical bank data into the Utility was an operationally intensive work leading to high costs, since the data had to be transferred to the Utility much like it would to a credit bureau and then returned to banks to re-processing and risk rating.
Further lessons-learned on the challenges and success drivers for KYC Utilities include:
KYC Utilities need to be driven by their beneficiaries, the participating banks. While there are different models such as KYC utility as joint venture and “KYC as a service” provided by a third party, the Utility needs to be user-driven to meet banks’ specific data needs and processes, and banks need to agree on common data governance and standards from the start.
Regulators need to be engaged as key stakeholders in KYC Utilities from the start. They receive banks’ reports and need to understand what data the Utility has and how they are collected and used. Regulators should also help the designers of the Utility to anticipate and reflect changes in regulations.
KYC Utilities need robust cybersecurity defenses, physical security protocols, and clear data access rules. KYC Utility security will also need to be adjusted to new technologies such as biometric identity verification that is already adopted in consumer banking.
While data may be shared, processes to access and use it need to be kept separate as banks have different levels of sophistication, risk tolerance, and processes. Users could also be allowed to access data in different tiers for different purposes, such as generally accessible information and customer due diligence information.
While in principle a global KYC Utility with data on all firms would be the most efficient options, in practice local utilities can have more complete information and may be able to validate it faster. Regional and global utilities quickly run into disparate national laws and cross-border data share rules. In an important lessons-learned, Singapore has found that while national regulators are willing to cooperate and harmonize regulations, business and industry practices differ country to country and are often stickier, precluding international harmonization.
Banks that use data from a KYC Utility are still liable for that data and thus incentivized to double-check the data; the European Banking Authority (EBA) recommends they do so. A Utility thus helps with the operational costs of compliance, but does not obviate it. This duplication could be solved by using public registries as the basis of KYC Utility data.
KYC Utilities can be especially beneficial when they are regional, especially in regions with small countries and companies with offices in many locations. A regional digital identity solution could support such regional KYC Utilities. For example, the EU has put in place the Electronic Identification (eID) system to enable European businesses and consumers to prove electronically they are who they say they are and open bank accounts and access financial and insurance services across Europe. The eID is voluntary and based on national ID systems, and does not require harmonization among them. The European Commission subsequently formed an expert group on electronic identification and remote KYC (eID/KYC), to facilitate the use of remote identification and secure authentication for financial services within the EU.
KYC Utilities can also fuel trade finance if they provide data on cross-border transactions and counterparties, and on the counterparty banks. In 2016, 40 percent of banks surveyed by the ICC Banking Commission terminated correspondent relationships, and in 2015, 44 percent did, due to compliance concerns.