Wednesday, December 18, 2019

Towards the KYC routines of the 21st century

1940 Identity Card

Great user experiences are critical for the success of digital businesses in all industries. A 2017 study by Gartner ventures the following prediction:

“By 2022, digital businesses with great customer experience during identity corroboration will earn 20% more revenue than comparable businesses with poor customer experience.”

And then there's Fintech. Wherever you look in the realm of Fintech, you will see businesses that are built around what we could call "User Experience USPs". These come in all shapes and forms but tend to revolve around ideas of convenience, speed and ease-of-use: Revolut offers the possibility to "open a current account in minutes", Vivus promises to give you a loan "fast, with no guarantors and without paperwork", N26 seems ready to enable you to "Take control of your finances (...) With just one app" and Monzo claims that by using their app you can "Pay people in Seconds".

This apparent laser-focus on UX can be explained by many factors. The most cynical of observers may suggest that it is merely explained by considerations of the marketing kind: Fintech entrepreneurs and marketers seem to agree that adopting a bank-bashing narrative is good for business. At the core of that narrative is the idea that Fintech should be defined and portrayed as an evolution of banking, if not as outright opposition to traditional brick-and-mortar banks, which are perceived as the home of excruciating user experiences.

While there is a kernel of truth in that train of thought, my view is that the obsession within Fintech is mostly explained by basic unit economics. Since the beginning, anyone in Fintech (at least anyone doing anything other than payments) shared an intuition that later became a data-driven realization: acquiring customers for digital financial services is very expensive. In fact, after slightly more than six years of working very closely with product teams in Fintech, I can comfortably assert (without feeling compelled to raise too many caveats) that product teams in Fintech tend to be obsessed with building funnels and lead cycles that ensure those extremely expensive leads are not lost along the way. So much so that any product counsel or compliance officer in Fintech who does not have a good grasp of marketing basics and UX design is in serious trouble (but that is a topic for another occasion).

So Fintech is particularly interesting because it seems to care very deeply about user experience yet, unlike many other "digital industries", its creative efforts to build cutting-edge user experiences are heavily constrained. One of those constraints, perhaps the most stringent of all, is Anti-Money-Laundering Law in its most basic form: statutory requirements and regulatory guidelines for customer identification, i.e. KYC. This constraint is aggravated by the fact that most Fintech transactions occur over the internet, which puts them in the dreaded category of "non-face-to-face transactions" (NF2F), the kind of transactions that require more robust KYC routines because AML Law considers them to pose a higher risk of money laundering and terrorism financing.

If we are to believe that Gartner's prediction will hold true for Fintech, and if we share the view that the evolution of financial services involves a shift to a paradigm of customer-centrism and great user experiences, it is critical to revisit AML Law to ensure that it achieves its very laudable aspirations (in the words of the 5th EU AML Directive: "to prevent the use of the financial system for the purposes of money laundering or terrorist financing") without creating unnecessary legal constraints for industries whose prosperity depends precisely on building cutting-edge user experiences.

I submit that this is an extremely important public policy discussion for the future of financial services, and I would like to use the lines below to propose some preliminary thoughts and ideas that I hope will contribute to that discussion:

1. AML Law for the 21st century must fully embrace risk-based approaches and abandon exhaustive lists of pre-approved KYC measures

The fourth EU AML Directive (AMLD4) was a very good step in that direction because it resisted the temptation to propose exhaustive lists of compulsory customer due diligence measures and seemed to favor a full-blown risk-based approach. In contrast, its predecessor, the third AML Directive (AMLD3), enshrined a list of due diligence measures that were sanctioned a priori as sufficient for non-face-to-face transactions, namely:

“(a) ensuring that the customer's identity is established by additional documents, data or information;
(b) supplementary measures to verify or certify the documents supplied, or requiring confirmatory certification by a credit or financial institution covered by this Directive;
(c) ensuring that the first payment of the operations is carried out through an account opened in the customer's name with a credit institution."

Granted, the now-repealed Article 13(2) of AMLD3 explicitly stated that the items on the list above were mere examples of measures that could compensate for the higher risk of money laundering posed by non-face-to-face transactions, but it seems that legislators in many EU Member States read that list as an invitation to create their very own country-specific lists of mandatory KYC measures. This was certainly the case in Poland (though its new AML act no longer contains the list) but, perhaps more alarmingly, is still the case in Spain, where obliged entities must carry out at least one of the following measures for non-face-to-face transactions under Art. 21 of the regulation implementing the Spanish AML act (the translations into English are mine):

“a) To verify the identity of the customer in accordance with the Law on electronic signatures.
b) Ensuring that the identity of the customer is verified by means of a copy of the identity document (…) insofar as said copy was issued by a notary public. (The literal expression in the Spanish regulation is “Fedatario Público”).
c) Ensuring that the first cash flow of the transaction is routed from an account in the name of the same customer with an entity that is domiciled in Spain, the European Union or equivalent third countries”. (This is what in some Fintech circles is called the cent-transfer or penny-testing KYC routine).
d) Ensuring that the identity of the customer is verified by any other secure procedure previously authorized by the executive service of the Commission for the Prevention of Money Laundering.”

This particular provision of Spanish AML regulation is an example of a half-hearted risk-based approach. In general, obliged entities can decide which KYC measures to apply to their customers by consulting only their AML risk assessments, but when it comes to non-face-to-face transactions they must apply at least one of the measures that the regulator has sanctioned a priori. The obvious problem with this policy stance is also perfectly exemplified by the provision above: the Spanish legislator seems to have decided, in its infinite wisdom and foresight, that asking customers for electronic signatures or notarial certifications is a sensible idea in the year 2019. Granted, the Spanish regulation has given the executive branch some discretion to approve new KYC measures for NF2F transactions that are not on the list, but it is mid-February 2019 and the use of that discretion has given us little more than a rather cumbersome KYC routine based on video conferencing. (Because video conferencing is so cutting edge, right?)

In sum, I would propose that fully embracing the risk-based approach (which seems to be the current stance in EU Law) is the right way to go. The role of the regulator in this ideal scenario should be to lay out the minimum elements of a sound AML risk assessment and then give innovators some freedom to devise KYC routines that effectively address any identified risks, whether for transactions that occur inside a bank branch or over the internet.

2. Tech-neutrality is very important: ID cards and state-issued documents are technologies

As recently as August of last year, the Polish AML authority (GIIF) issued a binding guideline stating (in nicer words) that obliged entities are free to adopt risk-based KYC measures but, in the case of NF2F transactions, should always implement KYC routines that include at least one verification based on a document that attests identity “within the meaning of generally applicable laws (…) for example your ID or driver's license”.

It is not my intention to single out the Polish AML regime or GIIF which, in my view, are friendlier to UX innovation than most. The point is that there are very similar provisions and regulatory guidelines in the KYC rules of virtually every jurisdiction, so there seems to be some kind of obsession with one set of technologies: state-issued cards and paper documents. I submit that this is far from a technology-neutral policy stance, and that the AML Law of the 21st century should stop running in circles around these rather outdated technologies as the only enablers of reliable identification.

3. Non-mandatory, state-sanctioned KYC solutions are most welcome (India’s Aadhaar and Russia’s SNILS are good examples)

The Aadhaar system in India has been controversial from a privacy perspective, but it hints at some interesting possibilities for the future of AML Law. At its core, Aadhaar is a 12-digit number issued by the Unique Identification Authority of India (UIDAI) to Indian residents. Each number is linked to the demographic and biometric information of the resident, who can also choose to link a mobile phone number. Perhaps the most interesting aspect of Aadhaar from the AML perspective is that Indian AML Law and the regulatory guidelines of the Reserve Bank of India allow for a KYC routine in which the potential customer of a financial services provider simply discloses his or her Aadhaar number to the provider, which then uses the Aadhaar infrastructure to send a one-time PIN (OTP) to the mobile phone linked to that Aadhaar number. The provider then prompts the potential customer to type the OTP into, for example, an Aadhaar widget on its website. If the OTP submitted by the potential customer matches, the KYC routine is complete.

As usual, there are caveats: the Aadhaar OTP KYC may only be used for transactions involving very small amounts and must be followed by full-blown, paper-document-based due diligence within one year, but it still looks like a step in the right direction.
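To make the mechanism behind this routine concrete, here is an added example of the server side of an OTP corroboration step. It is my illustration, not code from this post, from UIDAI or from the RBI, and it does not reproduce the real Aadhaar e-KYC API or its message formats; the registry, phone numbers, limits and class names are constructed assumptions. The security point a practitioner should keep in view is that a matching OTP proves control of the linked phone at that moment, not identity as such, so the routine is only as strong as the binding the authority made when the number was linked, and the server must make the PIN unguessable online: generated with a CSPRNG, accepted once, within a short window, and within a bounded number of attempts.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # assumption: 6-digit numeric PIN
OTP_TTL_SECONDS = 300     # assumption: a PIN is valid for five minutes
MAX_ATTEMPTS = 3          # assumption: three wrong guesses burn the challenge

# Constructed stand-in for the authority's registry of identifier -> linked phone.
# The identifier and number below are placeholders, not real data.
PHONE_REGISTRY = {"123456789012": "+91-98xxxxxx01"}


def _digest(otp: str, salt: bytes) -> bytes:
    """Salted hash so the plaintext PIN never sits in storage or logs.
    A 6-digit space is trivially brute-forced offline, so this is hygiene only;
    the controls that actually matter are the short TTL and the attempt cap."""
    return hashlib.sha256(salt + otp.encode()).digest()


@dataclass
class Challenge:
    phone: str
    otp_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpKyc:
    """Server side of the OTP corroboration step (illustrative, not UIDAI's API)."""

    def __init__(self, registry, send_sms, now=time.time):
        self.registry = registry      # identifier -> phone bound by the authority
        self.send_sms = send_sms      # callable(phone, text); an SMS gateway in production
        self.now = now                # injectable clock so expiry can be exercised
        self.challenges = {}          # identifier -> outstanding Challenge

    def issue(self, identifier: str) -> bool:
        """Generate a fresh PIN and deliver it to the phone bound to the identifier.
        Returns False for an unknown identifier without saying why."""
        phone = self.registry.get(identifier)
        if phone is None:
            return False
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, not random
        salt = secrets.token_bytes(16)
        self.challenges[identifier] = Challenge(
            phone, _digest(otp, salt), salt, self.now() + OTP_TTL_SECONDS
        )
        self.send_sms(phone, f"Your verification code is {otp}")
        return True

    def verify(self, identifier: str, submitted: str) -> bool:
        """Accept the PIN at most once, before expiry, within MAX_ATTEMPTS guesses."""
        ch = self.challenges.get(identifier)
        if ch is None:
            return False
        if self.now() > ch.expires_at:
            del self.challenges[identifier]          # expired: a fresh issue() is needed
            return False
        if hmac.compare_digest(_digest(submitted, ch.salt), ch.otp_hash):
            del self.challenges[identifier]          # single use: success consumes it
            return True
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[identifier]          # lockout against online guessing
        return False


if __name__ == "__main__":
    # Local walk-through with a captured "SMS" instead of a gateway.
    outbox = []
    svc = OtpKyc(PHONE_REGISTRY, lambda phone, text: outbox.append(text))
    svc.issue("123456789012")
    code = outbox[-1].split()[-1]
    print("correct PIN accepted:", svc.verify("123456789012", code))
    print("replay rejected:", svc.verify("123456789012", code))
```

The constant-time comparison and the lockout are what keep a 6-digit PIN viable against an attacker who knows the victim's identifier but not the phone; the one-year follow-up with document-based due diligence that the regulation demands is the compensation for the fact that none of this checks who actually holds the phone.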

Another good example comes from Russia, where the SNILS database allows for an equally convenient onboarding experience: financial service providers can simply cross-check the information provided by potential customers against the information in the SNILS database. A match between the data provided by the potential customer and the data in the database (as linked to the customer's SNILS number) constitutes a sufficient KYC routine under Russian Law.

How incredibly simple is this? How about allowing financial service providers to use these very convenient routines for all customers who have been adequately assessed as low-risk from the AML perspective?

4. It might be a good idea to focus the scope of application of AML Law on transaction typologies instead of “Obliged Entities”

AML Law is typically formulated in such a way that its scope of application is mostly a question of whether the purveyor of goods or services falls into a category of “obliged entities” predetermined by statute. In legal praxis this is called the “subjective scope of application”. What it means is that, in order to determine whether AML Law applies in a given scenario, the first question is whether an “obliged entity” is involved in the transaction.

Article 2 of AMLD4, for example, states the following:
“This Directive shall apply to the following obliged entities:
(1) credit institutions;
(2) financial institutions;
(3) the following natural or legal persons acting in the exercise of their professional activities:
(a) auditors, external accountants and tax advisors;
(b) notaries and other independent legal professionals, where they participate, whether by acting on behalf of and for their client in any financial or real estate transaction, or by assisting in the (...)”

Now, this approach is very helpful for the purpose of delimiting who is subject to AML Law (and who is not), but it tends to suggest that all transactions carried out by any entity on the list are subject to the whole corpus of AML Law including, inter alia, KYC requirements. I am somewhat convinced that this is misguided: do we really think that all transactions carried out by consumer credit providers (for example) must be subject to KYC? How about consumer credit transactions that are non-interest-bearing, or that involve such small amounts that smurfing becomes impossibly costly or inefficient? Granted, most AML legislation sets de minimis thresholds that exempt certain small-amount transactions from KYC requirements, but a more conscientious emphasis on the typology of exceptions or (even better) the possibility of omitting KYC altogether for transactions that pose very little AML risk (as demonstrated by a sound risk assessment) would be an interesting possibility to explore.

5. Enforcement, enforcement, enforcement

I think it is worth repeating, for the record, that KYC rules are critically important if AML Law is to fulfill its very laudable purpose. If so, it is of the essence to renew the regulatory commitment to enforcing these rules. This is, in my experience, particularly true in Fintech. Some of the spaces and verticals within Fintech that are not overseen by a “specialized financial regulator” (such as a central bank, a financial supervision authority or similar) seem to be afflicted by a case of cognitive dissonance: market incumbents (or at least their compliance teams) know that AML Law and KYC rules exist and that they probably apply to their businesses, but some act as if KYC were only a real concern for banks or more traditional brick-and-mortar financial institutions.

This cognitive dissonance has a very simple explanation, in my view: a lack of effective enforcement of AML Law, or of the credible threat thereof. It is rather painful for me as a legal and compliance professional to admit this, but I am convinced that there are verticals within Fintech where a businessman with good commercial acumen might reasonably decide that it is irrational for his or her business to bear the costs of implementing fully compliant KYC practices. In these verticals you will frequently hear senior marketers or salespeople uttering a data-driven version of the dreaded “none-of-the-competitors-is-doing-it” fallacy, except that in these spaces that flawed logic is enabled by what looks like regulatory inaction.

This tendency towards inaction can in turn be explained by many reasons; the most obvious is the same one that explains insufficient enforcement everywhere: the state apparatus does not have the resources to enforce AML Law ubiquitously in all cases. But a lack of effective enforcement creates regulatory limbos in which the one specialized regulator with competence over AML simply relinquishes its role vis-à-vis a cluster of market incumbents and fails to send a message that should be heard loud and clear by everyone: AML Law is binding and it must inform your compliance program.

So, at the risk of sounding trite, I phrase my last suggestion as follows: the KYC rules of the future should be enforced in all verticals and for all types of obliged entities. Regulators should strive for a clear enforcement strategy aimed at Fintech that clarifies which regulatory body is responsible for supervising each vertical and leaves no doubt that enforcement efforts need to go beyond supervising the practices of a single type of obliged entity. For jurisdictions where financial supervisors genuinely lack the resources for good oversight of AML programs across the whole financial system, a good start would be to double down on mandatory AML audit requirements, for instance. A reputable auditor’s report whose cost is borne by the obliged entity (submitted every year, perhaps) might go a long way towards ensuring that costlier enforcement action (such as on-site inspections or dawn raids) is used only when strictly necessary.

I am sure that there are healthy and vibrant AML policy discussions in the AML community about some of these issues, so I offer these suggestions not as the certainties of a self-proclaimed authority on the matter but as a sort of message from the trenches. My hope as a legal and compliance professional in this space is that Fintech becomes an assiduous participant in policy discussions. There is very little to be gained from an apathetic stance towards regulation. Fintech has a lot to contribute.

Disclaimer: The opinions expressed by the author in this post are strictly personal and do not reflect the official position of the Kreditech Group. Any threatened law-suits, hate-mail or angry rebuttals in response to this are ideally to be addressed to the author directly, in the comments. :)

Thursday, November 28, 2019

About Privacy 2030: The Posthumous manifesto of the Patriarch of Privacy Intelligentsia

Originally published on LinkedIn.

One of the issues with contemporary legal education, especially legal education in countries whose legal systems enjoy a certain prestige, is a tendency (let’s call it a positivist tendency) to look down on policy discussions. Duncan Kennedy, one of the founders of the Critical Legal Studies movement, offered some interesting insights on this issue in his brilliant critique of legal education:

“(…)in most law schools, it turns out that the tougher, less policy-oriented teachers are the more popular. The softies seem to get less matter across, they let things wander, and one begins to worry that their niceness is at the expense of a metaphysical quality called “rigor,” thought to be essential to success on bar exams and in the grown-up world of practice”.

When discussing the policy underpinnings of the GDPR, for example, I have been accused by highly esteemed colleagues of something even worse: of being very interested in, or even “very good” at, the “philosophical questions”. Anyone who has been to law school knows that there is not an ounce of compliment in such a statement.

Now, the reason I start this write-up with an apparent digression from the theme promised in the title is that Buttarelli’s manifesto is very important in one critical respect: it uplifts the status of policy discussions. It shows how critically important policy discussions are for legal practitioners and virtually anybody who works in the tech industry in the year 2019. No legal practitioner working in anything related to technology can claim to be well informed if he or she has not read Privacy 2030 (yes: even if you practice at the so-called Magic Circle). I would argue that a similar statement applies to tech CEOs, and I would submit that even if you are a cynical CTO secretly hiding enormous stockpiles of personal data on a removable hard drive somewhere, you should read Privacy 2030, if only because it provides first-hand insight into how the enemy thinks. Let’s make no mistake: this is it. This is, give or take, the definitive compendium of all the aspirations, latent dystopias and anxieties that give meaning to Data Protection Law and Privacy Law in the European Union.

In order to keep this write-up succinct, I will refrain from examining the main themes of the six chapters of the manifesto. Instead, I will suggest a few more reasons why we should celebrate Privacy 2030 and I will propose an incipient critique. Let’s start with the first: the manifesto seems innovative in bringing in a policy aspect that is still foreign to the typical ESG discussions one encounters nowadays in the context of technology, a space where companies that are not hardware manufacturers tend to be perceived as greener and where that item on the due diligence checklist is rapidly ticked off. I will quote directly from the manifesto:

“The religion of data maximisation, notwithstanding its questionable compatibility with EU law, now appears unsustainable also from an environmental perspective (…)”

So, while the manifesto does not abound in hard evidence for the premise that data maximization has a tangible effect on climate change, the author offers some interesting suggestions about where that question might lead us: a “Digital Green New Deal”, perhaps. And this brings us to one more reason why the manifesto is an important read in the times we live in: given how ambitiously idealistic it reads, it shows that even in our time it is possible to be both an unrestrained titan of humanism and a world-class technocrat. It occurs to me that Buttarelli was one of the last fellow liberals. This is a slight digression but: if specimens of this endangered species are to be found only as a byproduct of the European project, I am tempted to think that we have one more critical reason to preserve it. I will write no more hagiography because there is enough posthumous praise circulating at the moment, but this is one of those men whose hagiography does not strike me as particularly annoying. We need many more Buttarellis in the generations to come.

Back to the subject that occupies us, the manifesto is also interesting in the sense that it proposes some last-resort measures that need to be on the table if we are to make sure that certain technologies are harnessed for the good: 

“Impose a moratorium on dangerous technologies, like facial recognition and killer drones, and pivot deployment and export of surveillance away from human manipulation and toward European digital champions for sustainable development and the promotion of human rights.”

Moratoriums sound somewhat radical, just like Alexandria Ocasio-Cortez’s suggestion of sitting Facebook out of the 2020 elections if they don’t assume responsibility for the way their business affects democracy. But even if one thinks (as I tend to do) that corporations should not be put in a position to decide what is truthful enough for people to read, these last-resort measures seem necessary to ensure that all stakeholders take the policy discussions at hand very seriously.

One final reason for giving the manifesto a good read: there is a very brief afterword by Shoshana Zuboff, whose work was first introduced to me by the always acute Tim Walters from the Content Advisory at a conference (yes, one can actually learn new stuff at conferences). Her afterword is not a particularly compelling piece, but it does work as a privacy-contextual introduction to Zuboff’s notion of surveillance capitalism, which Evgeny Morozov has portrayed as some sort of inadvertent Marxism in this great review. Technomarxism of the very interesting kind, I feel like writing.

And now to the incipient critique:

The manifesto tends to follow the typical discursive recipe of contemporary policy discussions about privacy in the EU: it devotes many words to listing and describing a good number of latent dystopias, extremely undesirable states of affairs that we must urgently prevent by means of regulation. On the other hand, it devotes far fewer words, and exactly one page, to proposing a “10-point plan for sustainable privacy”. Let me try to be fair: manifestos do not need to offer all the answers, and Privacy 2030 does propose some brighter views on technology, but still, its determined effort to unearth, expose and imagine all potential risks and pitfalls of technological advances is dangerously close to a neo-Luddite impulse of sorts: a tendency to believe that technology is mostly and mainly a source of latent dystopias.

Now, precisely because technology is not just a source of dystopias but also an important instrument of innovation and progress, it would be wise to look at it with much more sympathy. Zuboff’s afterword is right in calling out the lobbyist talking points for what they are: regulation will not necessarily stifle innovation. But there is good evidence that bad regulation will. In order to have a civil discussion about the future of privacy and the regulation of technology, it would be great to start by recognizing that not every bit of optimism is corporate propaganda, and that skepticism about the role of regulation in solving these problems is not always an exercise in techno-solutionism.

Privacy 2030 is a very important read, but I want to insist on this: a hysterical perception of technology and the world we live in will most certainly lead us to a kind of policy discourse so desperate to rule out latent dystopias that it prevents us from seizing the tangible opportunities of the present. I would echo Zuboff’s invitation: let’s make sure that we fight all the fires together, but let’s make sure we leave some room for the flame of progress.

You can download the manifesto directly from the IAPP resource center here.

Disclaimer: The opinions expressed by the author in this article are strictly personal and do not reflect the official position of the Mash Group or any of its directors or employees. Any threatened law-suits, hate-mail or angry rebuttals in response to this write-up are ideally to be addressed to the author directly, in the comments. :)