Wednesday, December 18, 2019

Towards the KYC routines of the 21st century

1940 Identity Card

Great user experiences are critical for the success of digital businesses in all industries. A 2017 study by Gartner ventures the following prediction:

“By 2022, digital businesses with great customer experience during identity corroboration will earn 20% more revenue than comparable businesses with poor customer experience.”

And then there's Fintech. Wherever you look in the realm of Fintech, you will see businesses that are built around what we could call "User Experience USPs". These come in all shapes and forms but tend to revolve around ideas of convenience, speed and ease-of-use: Revolut offers the possibility to "open a current account in minutes", Vivus promises to give you a loan "fast, with no guarantors and without paperwork", N26 seems ready to enable you to "Take control of your finances (...) With just one app" and Monzo claims that by using their app you can "Pay people in Seconds".

This apparent laser-focus on UX can be explained by many factors. The most cynical observers may suggest that it is merely a matter of marketing: Fintech entrepreneurs and marketers seem to agree that adopting a bank-bashing narrative is good for business. At the core of that narrative is the idea that Fintech should be defined and portrayed as an evolution of banking, if not in outright opposition to traditional brick-and-mortar banks, which are perceived as the home of excruciating user experiences.

While there is a kernel of truth in that train of thought, my view is that the obsession within Fintech is mostly explained by basic unit economics. Since the beginning, anyone in Fintech (at least anyone doing anything other than Payments) shared an intuition that later became a data-driven realization: acquiring customers for digital financial services is very expensive. In fact, after slightly more than six years of working very closely with product teams in Fintech, I can comfortably assert (without feeling compelled to raise too many caveats) that product teams in Fintech tend to be obsessed with building funnels and lead cycles designed to ensure that those extremely expensive leads are not lost along the way. This is so much the case that any product counsel or compliance officer in Fintech who does not have a good grasp of marketing basics and UX design is in serious trouble (but that is a topic for another occasion).

So Fintech is particularly interesting because it seems to care very deeply about user experiences, yet (unlike many other "digital industries") its creative efforts to build cutting-edge user experiences are heavily constrained. One of those constraints, perhaps the most stringent of them all, is Anti-Money-Laundering Law in its most basic form: statutory requirements and regulatory guidelines for customer identification (KYC). This constraint is aggravated by the fact that most Fintech transactions occur via the internet, which puts them under the dreaded category of "Non-Face-to-Face transactions" (NF2F), the kind of transactions that require more robust KYC routines because, according to the discourse of AML Law, they pose a higher risk of Money Laundering/Terrorism Financing.

If we are to believe that Gartner's predictions will hold true for Fintech, and if we share the view that the evolution of financial services involves a shift to a paradigm of customer-centrism and great user experiences, it is critical to revisit AML Law to ensure that it achieves its very laudable aspirations (in the terms of the 5th EU AML Directive: "To prevent the use of the financial system for the purposes of money laundering or terrorist financing") without creating unnecessary legal constraints for industries whose prosperity depends precisely on building cutting-edge user experiences.

I submit that this is an extremely important public policy discussion for the future of financial services, and I would like to use the lines below to propose some preliminary thoughts and ideas that I hope will contribute to that discussion:

1. AML Law for the 21st century must fully embrace Risk-Based approaches and abandon exhaustive (closed) lists of pre-approved KYC measures

The fourth EU AML directive (AMLD4) was a very good step in that direction because it resisted the temptation of proposing closed lists of compulsory customer due diligence measures and seemed to favor a full-blown risk-based approach. In contrast, the third AML directive (its predecessor) enshrined a list of due diligence measures that were a priori sanctioned as sufficient for non-face-to-face transactions, namely:

“(a) ensuring that the customer's identity is established by additional documents, data or information;
(b) supplementary measures to verify or certify the documents supplied, or requiring confirmatory certification by a credit or financial institution covered by this Directive;
(c) ensuring that the first payment of the operations is carried out through an account opened in the customer's name with a credit institution."

Granted, the now-repealed Article 13.2 of AMLD3 explicitly stated that the items on the list above were mere examples of measures that could compensate for the higher risk of money laundering posed by non-face-to-face transactions, but it seems that the legislators in many European Member States read that list as an invitation to create their very own country-specific lists of mandatory KYC measures. This was certainly the case in Poland (though its new AML act no longer contains the list) but, perhaps more alarmingly, it is still the case in Spain, where obliged entities must carry out at least one of the following measures for non-face-to-face transactions in accordance with Art. 21 of the regulation that implements the Spanish AML act (the translations to English are mine):

“a) To verify the identity of the customer in accordance with the Law on electronic signatures.
b) Ensuring that the identity of the customer is verified by means of a copy of the identity document (…) insofar as said copy was issued by a notary public. (The literal expression in the Spanish regulation is “Fedatario Público”.)
c) Ensuring that the first cash flow of the transaction is routed from an account in the name of the same customer with an entity that is domiciled in Spain, the European Union or equivalent third countries. (This is what in some Fintech circles is called the cent-transfer or penny-testing KYC routine.)
d) Ensuring that the identity of the customer is verified by any other secure procedure previously authorized by the executive service of the Commission for the Prevention of Money Laundering.”

This particular provision in Spanish AML regulation is an example of a half-hearted risk-based approach. In general, obliged entities can decide which KYC measures to apply to their customers by consulting only their AML risk assessments, but when it comes to non-face-to-face transactions they need to apply at least one of the measures that the regulator has sanctioned a priori. The obvious problem with this policy stance is also perfectly exemplified by the provision above: the Spanish legislator seems to have decided, in its infinite wisdom and foresight, that asking customers for electronic signatures or notary certifications is a sensible idea in the year 2019. Granted, the Spanish regulation has given the executive branch some discretion to approve new KYC measures for NF2F transactions that are not included in the list, but it is mid-February 2019 and the use of this discretion has not given us much more than a rather cumbersome KYC routine based on video-conferences. (Because video-conferencing is so cutting edge, right?)

In sum, I would propose that fully embracing the risk-based approach (which seems to be the current stance in EU Law) is the right way to go: the role of the regulator in this ideal scenario should be to lay out the minimum elements of a sound AML risk assessment and then give innovators some freedom to devise KYC routines that effectively address any identified risks, be it for transactions that occur inside a bank branch or through the internet.

2. Tech-Neutrality is very important: ID-cards and state-issued documents are technologies

As recently as August last year, the Polish AML Authority (GIIF) issued a binding guideline where it stated (using nicer words) that obliged entities are free to adopt risk-based KYC measures but, in the case of NF2F transactions, they should always implement KYC routines that encompass at least one verification that is based on a document that attests identity “within the meaning of generally applicable laws (…) For example your ID or driver's license”.

It is not my intention to single out the Polish AML regime and/or GIIF which, in my view, are friendlier to UX innovation than most. The point is that there are very similar provisions and regulatory guidelines in the KYC rules of virtually every jurisdiction, so there seems to be some kind of obsession with one set of technologies: state-issued cards and paper documents. I submit that this is far from a technology-neutral policy stance and that the AML Law of the 21st century should stop running in circles around these rather outdated technologies as the only enablers of reliable identification.

3. Non-Mandatory State-sanctioned KYC solutions are most welcome (India’s Aadhaar and Russia’s SNILS are good examples)

The Aadhaar system in India has been controversial from the privacy perspective, but it hints at some interesting possibilities for the future of AML Law. At its core, Aadhaar is a 12-digit number issued by the Unique Identification Authority of India to all Indian residents. These numbers are linked to the demographic and biometric information of Indian residents, who can also choose to link their mobile phone number. Perhaps the most interesting aspect of Aadhaar from the AML perspective is that Indian AML Law and the regulatory guidelines of the Reserve Bank of India allow for a KYC routine wherein the potential customer of a financial services provider simply discloses his/her Aadhaar number to the provider, who is able to use the Aadhaar infrastructure to send a One-Time-Pin (OTP) to the mobile phone linked to the Aadhaar number in question. Immediately afterwards, the financial services provider can prompt the potential customer to type the OTP into an Aadhaar widget on its website, for example. If the OTP provided by the potential customer is a match, the KYC routine is completed.

As usual, there are some caveats: the Aadhaar OTP KYC may only be used for transactions involving very small amounts and must be followed by a full-blown paper-document-based due diligence within one year, but it still looks like a step in the right direction.

Another good example comes from Russia, where the SNILS database allows for an equally convenient onboarding experience wherein financial service providers can simply cross-check the information provided by potential customers against the information in the SNILS database. A match between the data provided by the potential customer and the data in the database (as linked to the potential customer's SNILS number) would constitute a sufficient KYC routine under Russian Law.

How incredibly simple is this? How about allowing Financial Service Providers to use these very convenient routines for all customers who have been adequately assessed as low risk customers from the AML perspective?

4. It might be a good idea to focus the scope of application of AML Law on transaction typologies instead of “Obliged Entities”

AML Law is typically formulated in such a way that its scope of application is mostly a question of whether the purveyor of goods/services falls into a category of “Obliged entities” which is predetermined by statute. This is typically called “subjective scope of application” in legal praxis. What that means is that in order to determine whether AML applies in a given scenario the first question is whether an “obliged entity” is involved in the transaction.

Article 2 of AMLD4, for example, states the following:

“This Directive shall apply to the following obliged entities:
(1) credit institutions;
(2) financial institutions;
(3) the following natural or legal persons acting in the exercise of their professional activities:
(a) auditors, external accountants and tax advisors;
(b) notaries and other independent legal professionals, where they participate, whether by acting on behalf of and for their client in any financial or real estate transaction, or by assisting in the (...)”

Now, this approach is very helpful for the purpose of delimiting who is subject to AML Law (and who is not), but it tends to suggest that all transactions carried out by any entity included in the list are subject to the whole corpus of AML Law including, inter alia, KYC requirements. I am somewhat convinced that this is misguided: do we really think that all transactions carried out by consumer credit providers (for example) must be subject to KYC? How about consumer credit transactions that are non-interest-bearing or involve incredibly small amounts that make smurfing impossibly costly or inefficient? Granted, most AML legislation sets de minimis thresholds that exempt certain small-amount transactions from KYC requirements, but a more conscientious emphasis on the typology of exceptions or (even better) the possibility to omit KYC altogether for transactions that pose very little AML risk (as demonstrated by a sound risk assessment) would be an interesting avenue to explore.

5. Enforcement, enforcement, enforcement

I think it is worth repeating, for the record, that KYC rules are critically important for AML Law to fulfill its very laudable purpose. If that is the case, it is essential to renew the regulatory commitment to the enforcement of these rules. This is, in my experience, particularly true in Fintech. Some of the spaces and verticals within Fintech that are not overseen by a “specialized financial regulator” (such as a central bank, a financial supervision authority or similar) seem to be afflicted by a case of cognitive dissonance: market incumbents (or at least their compliance teams) know that AML Law and KYC rules exist and that they (probably) apply to their businesses, but some act as if KYC were only a real concern for banks or more traditional brick-and-mortar financial institutions.

This cognitive dissonance has a very simple explanation, in my view: a lack of effective enforcement of AML Law, or of a credible threat of it. It is rather painful for me as a legal and compliance professional to admit this, but I am convinced that there are verticals within Fintech where a businessperson with good commercial acumen might reasonably decide that it is irrational for his/her business to bear the costs of implementing fully compliant KYC practices. In these verticals you will frequently hear senior marketers or salespeople uttering a data-driven version of the dreaded “none-of-the-competitors-is-doing-it” fallacy, except that in these spaces that flawed logic is enabled by what looks like regulatory inaction.

This tendency towards inaction can in turn be explained by many reasons, the most obvious being the same one that explains insufficient enforcement in all realms: the state apparatus does not have enough resources to enforce AML Law ubiquitously. But a lack of effective enforcement creates regulatory limbos where the one specialized regulator with competence over AML simply relinquishes its role vis-à-vis a cluster of market incumbents and fails to send a message that should be heard loud and clear by everyone: AML Law is binding and it must inform your compliance program.

So, at the risk of sounding trite, I phrase my last suggestion as follows: the KYC rules of the future should be enforced in all verticals and for all types of obliged entities. Regulators should strive for a clear enforcement strategy aimed at Fintech that clarifies which regulatory body is responsible for supervising each vertical and leaves no doubt that enforcement efforts need to go beyond supervising the practices of a single type of obliged entity. For the jurisdictions where financial supervisors genuinely lack the resources to oversee AML programs across the whole financial system, a good start would be to double down on mandatory AML audit requirements, for instance. A reputable auditor’s report whose cost is borne by the obliged entities (submitted every year, perhaps) might go a long way towards ensuring that costlier enforcement action (such as on-site inspections or dawn raids) is used only when strictly necessary.

I am sure that there are healthy and vibrant policy discussions in the AML community about some of these issues, so I offer these suggestions not as the certainties of a self-proclaimed authority on the matter but as a sort of message from the trenches. My hope as a legal and compliance professional in this space is that Fintech becomes an assiduous participant in policy discussions. There is very little to be gained from an apathetic stance towards regulation. Fintech has a lot to contribute.

Disclaimer: The opinions expressed by the author in this post are strictly personal and do not reflect the official position of the Kreditech Group. Any threatened law-suits, hate-mail or angry rebuttals in response to this are ideally to be addressed to the author directly, in the comments. :)
