Customer Due Diligence and Data Protection: Striking a Balance
Identity verification is the starting point for most financial transactions, but making sure a person is who they claim to be — and that they aren’t engaging in criminal activity — has become a complex and costly process in the digital age. A consensus is emerging among financial services providers (FSPs) that pooling resources to tackle customer due diligence (CDD) requirements collaboratively — as some are now doing through know-your-customer (KYC) utilities — can lower compliance costs, improve CDD risk management and, thus, facilitate financial inclusion.
Yet for these collaborative CDD arrangements to work, FSPs, regulators and other parties must be able to exchange customer data in ways that are often prohibited by a complex web of information laws, rules and obligations. Given the pressures being placed on FSPs to meet CDD requirements, what’s needed now is a new information-sharing framework that strikes a balance between the need to share data for CDD purposes and important concerns around individuals’ rights.
The laws, rules and obligations that currently govern information sharing in most countries are wide-ranging, spanning customer-banker confidentiality, public sector secrecy, data protection and anti-money laundering and combatting the financing of terrorism (AML/CFT). Here is a look at the main information-sharing rules FSPs must consider and how these rules can make it more difficult to meet CDD obligations.
The contractual relationship between a banker and a customer typically prohibits the banker from disclosing information about the customer’s affairs and accounts to third parties. However, there are exceptions to this confidentiality obligation. For example, it does not prevent the bank from disclosing a customer’s information if it is required to do so by law. This is precisely what AML/CFT laws do: compel banks to report suspicious transactions and customers to national financial intelligence units (FIUs) without customers' knowledge and consent. However, these laws limit further information sharing. They prohibit FSPs from informing anyone else about reports filed with an FIU, including customers and other FSPs, making it harder for providers to alert others to CDD issues.
Secrecy laws are a common governance feature of public sector organizations. They are designed to protect certain classes of information by prohibiting government organizations, employees and contractors from divulging such information. As in the case of customer confidentiality, exceptions do apply. One such exception may be disclosure that necessarily occurs in the performance of another legal duty — e.g., disclosure to an oversight body during a statutory inspection. However, secrecy provisions in AML/CFT laws generally inhibit CDD collaboration by restricting the ability of a country’s FIU to share information with FSPs about specific cases of criminal conduct.
Data protection laws
Data protection laws — sometimes referred to as “information privacy laws” — are designed to give individuals control over how their personal information is collected and processed. They typically involve other rights and obligations, such as a right of access to personal information, the right to correct errors in one’s own data and requirements that personal data be kept accurately and securely. Although data protection laws provide important protections, they generally require FSPs to obtain the consent of customers — including suspected criminals — before sharing their personal information with other FSPs.
Data protection rights, however, are not absolute. They can be trumped by other rights, such as the community’s right to a safe and secure society when supported by national security and law enforcement interests if other compensating protections are put in place. Limitations on data protection may, for example, relate to protecting society against the risks of money laundering and terrorist financing.
New approaches to old barriers
Some types of collaborative CDD, such as commercial KYC utilities, have found ways to share some information, but their effectiveness is hampered by a patchwork of laws and regulations that are not fit for this purpose — i.e., they have not been designed to support AML/CFT objectives.
Rethinking information sharing to facilitate AML/CFT measures means developing a bespoke legal framework that authorizes the necessary information flows in a way that is consistent with fundamental rights like privacy protection. Such a framework could be supplemented by technical standards and rules that help to operationalize it by encouraging a common digital approach to information sharing.
A new legal framework could:
- Allow FIUs to confidentially share information with one or more FSPs — and FSPs to share information with one another — if it is reasonably believed that such information will be treated securely and confidentially and aid in AML/CFT efforts.
- Allow changes to customer information to be shared for AML/CFT purposes among FSPs that have a customer in common, as long as they have a formal agreement and if the customer is informed and has an opportunity to correct the data or prevent sharing.
- Allow utilities to monitor transactional patterns on behalf of multiple FSPs, possibly even allowing the utility to file reports with FIUs on behalf of the FSPs, subject to appropriate control measures.
- Regulate data standardization to make it easier for one FSP to share data with another.
- Outline the conditions for allowing regulated entities to rely on KYC utilities for CDD purposes, relieving them from liability for errors in KYC utilities’ data where their reliance was reasonable (e.g., there was no reason to doubt the accuracy of the data).
Collaborative CDD, including KYC utilities, can significantly improve the effectiveness and efficiency of AML/CFT. To achieve these benefits, however, we need to improve the current information sharing framework. A new framework, collaboratively designed by all stakeholders, can sensitively align individual rights, the commercial operations of FSPs and national security interests.
Is there not a substantive step we can take to rethink the approach where it is all about the bank and put the customer, wherever they may be in the world, more in control of their data and who has access to it.
There are already issues of trust between banks, who would carry the can if the information shared is wrong and had been acted upon for example. There are also issues about the use (misuse) of personal, or indeed corporate, information and its sharing for gain.
Such a rethink could be delivered via verified Self-Sovereign Identity systems, such as the system from ObjectTech Group. This outs the individual in control and allows them to decide who gets what information and when. This in turn, in agreement with the regulator, allows an institution of any description to hold very much reduced amounts of data.
Such systems do need to be able to be transferred across jurisdictions and regulatory frameworks for sure but as they are verified they will bring down the costs of CDD and KYC/AML exponentially.
In addition to improving current services, such a system is also a gateway to services for those currently excluded from financial processes and products. So, when combined with pro-poor products (the costs of delivery of such products are also substantially reduced) and financial literacy, Self-Sovereign Identity systems play the pivotal role of key enabler with the potential to boost economic activity and resilience globally.
In the course of this project we looked at examples of self-sovereign identity systems and agree that they may contribute to better approaches to information sharing. For such a solution to be employed in relation to AML/CFT CDD requirements it needs to be endorsed by the regulator. We are interested in the regulatory requirements that may be imposed. Given CGAP’s focus we are also interested in how appropriate solutions will empower poor and vulnerable individuals in developing countries to decide what to share with whom and when. These solutions appear particularly relevant to the customer identification and verification element of CDD but may not be sufficient to enable reliable sharing of risk information for AML/CFT purposes. AML/CFT-regulated institutions will still need to collect and potentially share sufficient personal information of clients to enable them to assess the ML/FT risk posed by each client and to monitor their transactions in order to identify suspicious and unusual transactions.
In the course of my training AML staff in various countries moving in the direction of Financial Inclusion I have advocated a multi-pronged approach for KYC/CDD. With large sub-populations without any form of identification such as birth certificates, marriage certificates, national ID cards etc. a digital photograph taken at the bank does help together with some identification from an existing customer (e.g. those who go from door-to-door every morning to supply newspapers will come to know certain customers). Bank officials need to verify the address (often unauthorised or makeshift structures) by personally visiting the given address. A low threshold limit for the maximum amount to be kept in the account does help in the early years. Discretion has to be exercised prudently. Accounts have to be closely monitored.