Sunday, July 14, 2019

Account Information Services as KYC enablers

Barclays Bank Limited, 61-63 Old Christchurch Road, Bournemouth, Dorset

A few weeks ago in this write-up I proposed some ideas on how AML Law can evolve to enable financial service providers to innovate their customer on-boarding experiences. One of my suggestions was that the AML Law of the future should abandon exhaustive lists of mandatory KYC measures that circle around specific technologies and instead lay out the minimum elements for an adequate AML risk assessment while allowing financial service providers to devise and implement KYC routines that effectively address any identified risks.

That piece was a very long chunk of text by internet standards, so this time I will try to keep it succinct and focus on a very interesting set of regulated services contemplated in PSD2 that are particularly well-suited for building seamless KYC routines in the context of online/non-face-to-face financial services. I am referring specifically to Account Information Services (AIS), defined in Art. 4 (16) of the PSD2 as follows:
"An online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider;" 

What I propose is that AIS can be used by financial service providers to build the kind of enhanced due-diligence measures that are required by AML Law whenever an AML risk assessment shows high-risk indicators such as business relations or transactions that take place fully online (or non-face-to-face). A hypothetical enhanced due-diligence measure that relies on AIS in the context of online consumer credit, for example, could be outlined as follows:


  1. The credit applicant is prompted to fill in an online credit application form that is deliberately designed to gather information that can be verified later on by means of AIS. This information could well be: IBAN numbers, exact names of account owners, names of banking institutions, etc.
  2. Once the credit applicant has filled in the online credit application form, the Consumer Credit Provider obtains his/her consent to work with a licensed Account Information Service Provider (AISP) in order to gather information from the applicant's account(s) disclosed in the form.
  3. Once the AISP gathers the account information and passes it on to the Consumer Credit Provider, the latter cross-checks the information gathered directly from the account against the information that was provided by the customer in the online application form. This can be done automatically, without the need for human interaction. If there is a good match between the information provided by the customer and the information collected by means of AIS, then the enhanced due-diligence measure can be deemed to be fulfilled.
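The automatic cross-check in step 3, as an added example that is not part of the original post. The field names (`iban`, `holder`, `bank`), the shape of the AISP response and the exact-match policy are assumptions for illustration; the sample IBAN and names are constructed test values.

```python
import unicodedata

def normalize_iban(iban: str) -> str:
    """Strip whitespace and upper-case so formatting differences do not matter."""
    return "".join(iban.split()).upper()

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: rejects mistyped IBANs before any comparison."""
    s = normalize_iban(iban)
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]  # country code and check digits move to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def name_tokens(name: str) -> frozenset:
    """Fold case, accents, punctuation and word order of an account-holder name."""
    folded = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in folded if not unicodedata.combining(c)).casefold()
    return frozenset("".join(c if c.isalnum() else " " for c in plain).split())

def cross_check(form: dict, ais_accounts: list) -> dict:
    """Compare the application form with the accounts returned by the AISP."""
    iban = normalize_iban(form["iban"])
    if not iban_checksum_ok(iban):
        return {"verified": False, "reason": "invalid_iban"}
    account = next((a for a in ais_accounts if normalize_iban(a["iban"]) == iban), None)
    if account is None:
        return {"verified": False, "reason": "iban_not_in_ais_data"}
    claimed = name_tokens(form["holder"])
    if not claimed or claimed != name_tokens(account["holder"]):
        return {"verified": False, "reason": "holder_mismatch"}
    if form["bank"].strip().casefold() != account["bank"].strip().casefold():
        return {"verified": False, "reason": "bank_mismatch"}
    return {"verified": True, "reason": "match"}

# Constructed sample data (hypothetical schema, not a real AISP response format).
SAMPLE_AIS = [{"iban": "GB82WEST12345698765432", "holder": "GARCIA LOPEZ, JOSE",
               "bank": "Example Bank"}]
SAMPLE_FORM = {"iban": "gb82 west 1234 5698 7654 32", "holder": "José García López",
               "bank": "example bank"}

if __name__ == "__main__":
    print(cross_check(SAMPLE_FORM, SAMPLE_AIS))
```

Any result other than `match` would route the application to manual review or rejection; the `reason` value is what a transaction-monitoring or audit trail would record.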

Here is a flow-chart of what that routine could look like:




Now, the kind of routine I described above is not a silver bullet for all types of transactions and should probably be accompanied by some sort of complementary ID verification, but if we look at the history of enhanced due-diligence measures that were accepted as valid for NF2F transactions in the AML Law of most jurisdictions, it becomes apparent that this routine is in some ways a superior analog to the once ubiquitous "Cent-Transfer" or "Penny-testing" routine which, in the European context, was widely accepted as mimicking one of the examples in Art. 13.2 (c) of the third AML directive:

"(...) ensuring that the first payment of the operations is carried out through an account opened in the customer's name with a credit institution."

This so-called "cent-transfer routine" typically consisted of prompting a prospective customer of financial services to make a very small payment to the account of a financial services provider in order to ensure that the first payment (and the subsequent transactions that took place in the course of the relationship) were done, whenever necessary, through an account opened in the customer's name with a bank that, in turn, had an obligation to carry out KYC routines on the prospective customer and probably had done so before opening the account from which the first payment is initiated.

In my mind, it is easy to see that the routine I briefly described above as the AIS KYC routine is ultimately not so different from the "cent-transfer" routine. In fact, assuming that the AISP collected the account information in compliance with the Secure Customer Authentication standard enshrined in the regulatory framework of PSD2, it is clear that the AIS routine would allow a financial services provider to corroborate with a good level of certainty the ownership of the payment accounts of its prospective customers and to safely initiate a business relation insofar as the verified payment account serves as the basis for the new "non-face-to-face" relation with the customer in question. (In the case of credit, for example, the consumer credit provider can simply refuse to disburse any loans to accounts that are not adequately verified by means of AIS).

Again: This is no silver bullet. In non-face-to-face contexts there is always the risk of impersonation, but this routine seems solid enough, especially if accompanied by a proper AML risk assessment and by an adequate system and methodology for transaction monitoring. I should say that my team has not yet been successful in getting the approval for this kind of routine as a compliant NF2F KYC routine by the Spanish AML Authority (after two years of well-written submissions with detailed explanations on the processes and technologies involved) but I tend to think that now that the PSD2 is here, companies like Kontomatik, Figo and Perfios that have built significant expertise and reliable APIs for the provision of account information have one more interesting application for their technology: In the very near future they might just be perceived as key enablers of seamless and compliance-enabling NF2F KYC routines.



