KYC Utilities and Beyond: Solutions for an AML/CFT Paradox?
Eight years have passed since leading global bodies publicly recognized that financial exclusion poses a money laundering and terrorist financing risk. Why? Because financial exclusion relegates billions of people the world over to transacting in the untraceable world of cash, sustaining an economy that is abused by criminals. Yet paradoxically, the high cost of complying with the global requirements intended to mitigate these crime risks makes it harder for financial services providers (FSPs) to reach underserved and unserved populations. And since the early 2000’s the problem has only worsened, with many FSPs exiting customer and business relationships where compliance costs have rendered them commercially unattractive. This problem particularly affects remittance service providers and correspondent banking in poorer and smaller countries. Fortunately, new technologies, business models and ways of collaborating are emerging in the public and private sectors that could put us on the path to resolving this paradox.
Compliance with customer due diligence (CDD) requirements set by the Financial Action Task Force (FATF) for anti-money laundering and combatting the financing of terrorism (AML/CFT) is a critical component of a secure financial system. But it does impose significant costs. FSPs must identify clients and verify their identities (often referred to as “Know Your Customer” or “KYC” measures); determine whether clients are the real parties in interest; assess and compile risk profiles of clients, products and services; screen against sanctions and blacklists; monitor transactions; and report suspicious activity to a financial intelligence unit. Carrying out these CDD steps for low-income clients often entails additional time, costs and perceived risk for FSPs because, in many cases, there is insufficient documentation or data to easily verify these clients’ identities and assess their crime risk. The lack of reliable information about these clients, coupled with doubts about whether serving them can be profitable, have led some FSPs to avoid the customer segment completely.
In the past, FSPs carried the full burden — and cost — of CDD individually. More recently, utility-type models called “KYC utilities” have emerged — typically, commercial providers or industry bodies that store customer identity data in a single repository for use by multiple FSPs. By pooling resources, reducing duplicative efforts, and digitizing processes through KYC utilities, FSPs can shorten the time required for identity checks and verification, reduce CDD compliance costs and potentially improve the quality and reliability of customer data. For these reasons, KYC utilities represent one of the more promising ways to get around the CDD paradox that has been exacerbating financial exclusion and weakening AML/CFT efforts.
However, the term “KYC utility” is a commercial label, rather than technical one, and the concept is not clearly defined. This can lead to confusion about what is and is not a KYC utility. To start with, the term “KYC” reaches back to terminology FATF largely abandoned 15 years ago. While it is used nowadays by most people to refer only to the customer identification and verification elements of CDD, others use it confusingly to invoke the full range of CDD obligations. Moreover, the commercial concept of a KYC utility offers too narrow a lens on the dynamic and fast evolving CDD landscape. Not all CDD collaboration models, for example, fit the concept of a single repository, and the commercial concept of course leaves critically important public-sector actors out of the picture.
Despite the weaknesses of the KYC utility label, it is used — and will likely continue to be used — broadly in AML/CFT discussions. But we’re interested in exploring not only KYC utilities but a wide range of collaborative approaches to CDD that are emerging to help drive down the cost of financial services for the unserved and underserved. The global revolution in identity systems is of particular importance. Developments in digital identity and identity verification are reshaping the customer identification environment. India’s Aadhaar ID, for example, provides a unique biometric identifier that makes the formerly unidentified identifiable. The authority responsible for Aadhaar has made an “eKYC” service available to facilitate customer identification. With customer consent and a fingerprint scan, an FSP can access Aadhaar data to verify the client’s identity. When the identity of a prospective client is verified, the account opening form is automatically populated with the client’s Aadhaar-registered biographical data. Critically important is the fact that the authority vouches for the data. This means the FSPs can rely on the results, limiting FSPs’ obligations for two steps in FATF’s CDD requirements — identification of customers and identity verification — by simply checking the Aadhaar database. The three-minute video below provides an introduction to Aadhaar.
In addition to commercial utilities and national identity registries supporting CDD, the private sector is pioneering new technologies to address the toughest ID challenges, such as those faced by forcibly displaced persons. For example, blockchain startups such as Taqanu and EverID are seeking to create digital identity "containers" that allow an individual to manage their own data. These could allow forcibly displaced persons to have information such as their refugee status, vaccination records and social media profiles all available in one digital location that is continuously updated and accessible globally, potentially facilitating access to both social and financial services.
Alongside (and potentially linked to) these developments in identification and verification, there is an important rise in structured intelligence collaborations between FSPs, financial intelligence units and law enforcement aimed at identifying and investigating crime. AML/CFT frameworks require FSPs to design effective CDD measures to counter criminal abuse but do not equip them to understand fast-changing crime patterns and risks. These intelligence collaborations address that knowledge gap. They combine FSPs’ financial data with public-sector crime intelligence, increasing the effectiveness and efficiency of AML/CFT measures, resulting over time in better targeted, cost-effective CDD.
Despite the promise of these innovations in collaborative approaches to CDD, there are barriers to implementing them effectively on a global scale. Country-level regulations often limit FSPs’ ability to share information, a problem that becomes vastly more challenging in the cross-border context. For new identity verification models to function optimally, regulatory exceptions could be needed in some cases. There are also questions related to the technology underlying the utilities and related phenomena, which is prone to the same kinds of cyber risks that already keep FSPs and financial regulators and supervisors awake at night. Data privacy and protection must therefore be considered with due care. There may, however, be new means of achieving AML/CFT aims without creating undue privacy risks — for example, by employing innovative forms of privacy-protecting data sharing and use. Broad issues of data governance also require attention to ensure there is clarity about responsibility and accountability for compliance with data and consumer protection laws in a more collaborative framework.
In the coming months, we will move beyond KYC utilities to probe further the potential and challenges of these emerging collaborative approaches to CDD, as well as their prospects for facilitating financial inclusion. We will share what we find in future CGAP blog posts. Will these new types of CDD collaboration solve the AML/CFT paradox? At the least we see promising signs for substantial progress.