We recently returned from the K(NO)W Identity Conference hosted by One World Identity, the first major conference focused on digital identities. For years identities have been taken for granted, while most business leaders didn’t realize that they sit at the center of every business transaction in the digital era. Our friends from One World Identity not only recognize this, they also understand that education and collaboration are necessary to unlock the value of digital identities for businesses, regardless of the industry.
At IdentityMind Global, we’ve been working on digital identities for the last eight years. A digital identity is the combination of an individual’s digital footprint and physical-real-world information, their transaction history, and their behavior. It validates that individuals are who they say are, AND, from the identity risk perspective, are acceptable to work with. More than that, digital identities are the bridge between where we are now, and where we want to be: where businesses and regulators can better understand the risks presented by all customers and trust is quantified. As a result businesses can deliver better products/services while eliminating security threats. This is a world where financial inclusion is a reality, where financial services are available to all, and where credit scores no longer determine whether you can access capital. These are the possibilities digital identities enable, and the ideal we work for.
The K(NO)W Identity Conference was the validation of this ideal. Bringing together Government agencies, policy-makers, NGOs, and the private sector; it built a space for innovation, cross-industry and sector conversations, and creating a better understanding of identities.
The opening keynote was by Edward Snowden (ES). We’ve read the news, watched the movies, so we were curious to hear what he had to say. During the conversation he addressed issues such as the recent data breaches, privacy, cybersecurity, and what identity means in this time and age.
At the tail end of the keynote, the moderator – Manoush Zomorodi (MZ), posed the following question:
MZ: “Do you think existing regulations on know your customer and money laundering are effective tools to encounter illegal actors, including drug, human trafficking, funding of terrorism violence, etc?”ES: “No, they’re not. They might be helpful on certain cases; but the threats keeping us up at night, the people who actually worry us, those won’t be held back by KYC (Know Your Customer) regulations.”
Later the following day we participated in a panel “Turning Risk and Compliance into a Competitive Advantage” and Amit Sharma, the moderator, challenged the panel to share their thoughts on Snowden’s take on KYC.
I kept coming back to Miss Zomorodi’s question. I understand there is no perfect answer, but I also can’t agree to the argument of KYC being useless. On the other hand, I noticed an alarming level of disagreement on the concept of KYC, its purpose, its limitations, and how it can be made better by adopting a digital identity strategy.
It’s been two weeks, and now that I’ve had time to better articulate my thoughts, I want to share them with you. My goal is not to convince you of anything, rather I would like to challenge your beliefs on KYC just enough so that you can consider that the problem is not the concept, it is how we [the regulated industries] go about it. It’s about turning a challenge – a friction point, if you will, into an opportunity. Or rather, a competitive advantage.
The notion of turning a challenge into opportunity is nothing new, but because of the importance of KYC, both from a risk management and regulatory standpoint, it needs to be carefully planned and executed accordingly. This blog post outlines what I believe are the elements you need to consider when going from KYC to KYC 2.0 – more on this later. For now, let’s start by defining KYC and why is it important.
KYC 1.0 – Are you who you say you are?
The regulatory framework and requirements known as KYC were amended and enhanced by the the USA PATRIOT Act following the September 11 terrorist attacks. The objective was to deter and detect money laundering, financing of terrorism, and other financial crimes. Here, KYC is built upon two requirements: the Customer Identification Program (CIP) and Customer Due Diligence (CDD).
In essence, KYC is a collection of information so that financial institutions can understand the risk of doing business with a potential client. Even though we are all aware of the literal meaning of KYC: Know your customer, there is no agreement on a formal definition for the term, and requirements may differ across states, countries and regions. However, we all agree that Customer Identification Programs (CIP) are legal requirements necessary to comply with Anti-Money Laundering regulations.
It is important to note that KYC is not a one-time endeavor, it is an ongoing effort. The objective is to first establish a baseline of who the client is, enabling you to predict with relative certainty a client’s behavior in order to determine what is normal and what is potentially suspicious. Below we provide a top-level view of what is normally understood as KYC.
Know Your Customer
Compliance and Risk Officers, as well as the Board of Directors, are responsible for the design and implementation of [effective] KYC programs. In practice, KYC has been reduced to data validation. This is quite dangerous, especially in online only scenarios as:
1) The explosion of data breaches, has led to identity data being easy to obtain.2) Immediate expectation for service availability. There is a direct correlation between friction (activities that inhibit people from painlessly achieving their goal) and the success rate of customer acquisition. This prevents in-depth KYC.3) Auditors and examiners have focused on data validation, giving the impression that data validation is enough.
But let’s back up for a second, and talk a little more about data validation.
Data validation vs. KYC – What is the difference?
Data validation is the process of verifying the customer information provided through documents or through non-documentary methods, and validating it, in terms of identity attributes, against different databases to analyze its consistency. Through data validation you prevent onboarding synthetic identities. The image shows a straightforward example of data validation.
Data validation is a necessary process. But the customer data used for validation, along with that needed to perform KBA (knowledge based authentication) is readily available for purchase on the dark web. The rise of PII (Personally Identifiable Information) data breaches and cybercrime have landed identity theft its place amongst the top ten fears of Americans.
Identity theft is increasing due to a combination of factors, from the online fraud perspective, two major factors are the shift to EMV chips and our growing online presence. In 2016, there was a record high identity fraud incidence rate, with 15.4 million U.S. fraud victims, and fraud losses of $16 billion. This year alone there have been 676 data breaches, exposing over 10 million records, in the U.S. alone – and keep in mind these are the known security breaches.
It’s important we understand how these security breaches tie back to our fraud and AML processes and procedures. Cybercriminals are not collecting this data for fun, The black market for stolen identities is huge, with a going rate for an individual identity varying from $2 to $500 – depending on the richness of the information, and the value of certain attributes like credit scores, number of functioning credit cards, etc. The fact that such marketplaces exist renders data validation as a standalone methodology useless, or at the very least, largely inadequate. Data validation is then only a small part in an effective KYC program.
Now and Then – KYC meets Digital
Current KYC regulatory requirements were introduced over a decade ago, back when identity verification was done the traditional way: face to face at a branch location. As we’ve migrated towards digital and online services and interactions, it’s become increasingly challenging to adapt the regulatory requirements to the customer expectations, user experience and interface (UX & UI), product processes, and business models.
We can sum up what we’ve been talking about so far in that KYC requires more – more than data validation, that is. But in the era of instant gratification and online user acquisition, it is important to consider what we can do and how, without making the process detrimental to the user experience. It probably doesn’t come as a surprise that friction during a user’s interaction with an application or service can increase abandonment. And even though KYC is a regulatory requirement, customer growth is THE GRAIL of metrics when it comes to online businesses’ valuation.
For online financial services, people DO expect instant gratification, and you DO have to comply with regulatory requirements if you wish to stay in business, but this doesn’t necessarily mean that there is a trade-off. Recent developments in cybercrime and data breaches have made customers more aware and wary of security requirements, in fact, they expect you to protect them by having the right processes in place.
This notion is applicable across industries, but even more so in financial services. Users understand the difference between a messaging app and a banking app. Not only does this make them more tolerant to additional steps for identification, verification, and authentication purposes, this security layer elevates their confidence in the service provider. And trust, although is not a metric, has invaluable importance to the longevity of your business – especially in the FinTech and Sharing Economy sectors.
In rethinking KYC for the digital era, it is clear that siloes need to go down, functional and information siloes. A successful and effective KYC program that isn’t detrimental to the UX and that improves the relationship of trust between a business and a user starts with a partnership between product management, compliance and risk.
We won’t go over how outdated KYC regulation is again, but there is one characteristic that you can leverage to spark that partnership between product management, compliance and risk: The risk-based approach. In a few words, what this means is that KYC is not about ticking boxes of a check-list in a “one-size-fits-all” model, on the contrary, each business is free to design their own compliance and risk management program, tailored to their own risk tolerance levels.
A KYC 2.0 program is built up from the foundations of traditional KYC and takes into consideration regulatory, business, and customer requirements. It takes your Compliance and Risk Management functions one step forward by incorporating a digital identity strategy that will ultimately help you to answer four questions about a potential customer or client:
Is it a real user/business entity?
Is the person presenting the data authorized to use the information?
Can you do business with that user/business entity?
What is the risk that the user/business entity poses to my business brand?
Your Digital Identity Strategy has to answer these four questions at some capacity. Being able to do so in real time will help you address your current KYC challenges from the following perspectives:
- User Experience friction: by leveraging digital identities during onboarding and authentication processes you can personalize the UX to match the risk associated with the user or transaction. Different stages of KYC, that are informed by the assessed risk allows you to place friction points only where necessary. For example, the risk of an individual transferring $100 to a friend to pay for dinner is very different than when a business wants to borrow $15,000 from an online lender.
- Emerging Markets and User Demographics: one of the greatest advantages of online businesses is the potential for growth by targeting emerging markets, or other user demographics such as millennials, the unbanked, and underbanked. What these potential customers have in common is that there isn’t enough information about them. They may not have credit history, or live in a country where there are no government-issued identity cards, but there are still non-traditional information sources, and technology that can help to solve this problem. Digital identities in this case will allow you to create the models you need to verify, authenticate, and serve these users. While remaining compliant with the applicable regulations, and understanding the risks you are exposing your business to.
- Cost: without a cost equation, there wouldn’t be a business case to argument – for or against. The requirements and activities involved in traditional KYC programs are not cost efficient, meaning that the overhead cost per transaction can be ever-increasing. Gathering physical documents, performing manual reviews, and checking against many different data providers to validate attributes are all costly activities – even more so if you don’t have in place the appropriate risk models to compensate for different risk levels – like we discussed in the first point above.
KYC regulations and guidance do not impose cookie-cutter approaches. Rather, institutions are expected to have in place risk assessment processes that analyze the particular risks of each customer. The data that feeds risk ratings or scores will vary by institution, but the information can be divided in three general buckets: products, geographies, and customer types. It is then up to your Compliance and Risk Management officers to design a methodology, within the scope of your digital identity strategy, where you can leverage machine learning to analyze the links between identity attributes and understand the underlying risk of both transactions and users. This will not only satisfy your KYC program requirements effectively, but also allow you to personalize each user experience to different risk policies and thresholds.
And now, before we adjourn, let’s go back to the original question… Is KYC useless? – The answer is certainly NO if we are true to what it was intended to represent. Think about the four questions I just numbered, beyond compliance and risk management, the information you will receive is valuable across all business functions: to better understand your product, your markets, and how you can improve to better serve the users you’re targeting. The information you’re collecting will enable you to improve customer satisfaction with more customization, use of predictive analytics to offer related products or services, and behavioral analysis to protect your customers from identity theft. But, if we continue to use KYC as a fancy name for data validation, then the answer is yes, it would be completely useless.