The emergence of big data technologies has led to a fundamental shift in the otherwise disconnected compliance information supply chain. Traditionally, organizations have relied on antiquated know-your-customer (KYC) and customer identification program (CIP) methods to solicit, capture and collect critical pieces of information about their customers, which is then disseminated across multiple business lines and often compartmentalized to make assessments about risk tolerance, marketing efforts, and compliance with laws and regulations. However, too often this information becomes stale and decidedly one-sided, limited in accordance to the level of diligence expended by the organization collecting it.
The rapid acceleration of the volume, availability and quality of data in the past decade has quickly outpaced the financial industry’s ability to effectively manage the collection and analysis of consumer information that could more accurately track consumer behavior and remain up-to-date. Banks and other financial institutions are often restricted by outdated collection techniques, antiquated systems, and a lack of financial incentive or financial ability (given the potential cost) to do any more than maintain the status quo. As an increasing number of regulatory violations have come to light, regulators have cracked down, tightening regulations to assure strengthened KYC due diligence.
In July 2016, the U.S. Financial Crimes Enforcement Network issued a final rule containing a mandate for heightened customer due diligence requirements by expanding the rule to include the identification and verification of the beneficial owners of any legal-entity customers. This amplification of regulatory review continues to place pressure on financial institutions' ability to ensure data collection is accurate and up-to-date, especially as they are not the only participants facing increasing scrutiny and penalties. In some cases, compliance officers and other executives have been held personally liable for compliance violations.
Three main trends characterize the current state of KYC information in financial institutions.
1. Banks often lack a single, comprehensive view of the customer. Traditionally, KYC information management is highly decentralized and redundant across an institution’s multifarious set of systems.
Successful KYC programs need to be able to uniquely identify their customers across the full enterprise of product and service offerings, compliance requirements and marketing efforts.
2. Complications frequently arise with the consolidation of KYC data from antiquated systems, as information often becomes stale before the cycle of information gathering is complete. Although efforts have been made by institutions to consolidate the vast amounts of otherwise disparate KYC data into enterprisewide customer information systems (i.e. data lakes), maintaining one reliable and up-to-date system of record for each customer and ensuring data is being validated accurately presents challenges for banks. Frequent updates to customer records on one system may not be captured in real time on the larger enterprise record, and therefore additional data validation efforts, spending resource time and money, are required to confirm the complete package of customer information is being captured. The data lake becomes a data swamp.
3. There is also a substantial KYC information vacuum that exists inside many financial institutions. The primary method of customer information collection takes place during a bank’s onboarding processes or when a customer signs up for new products and/or services. Basing ongoing customer patterns against stale and outdated information poses a threat to the accuracy of in-place monitoring systems and could impact an institution’s ability to identify suspicious customer activity.
In an attempt to manage this increased data burden and to relieve some of the pressure on individual banks, a number of KYC utility solution providers, such as Markit, Genpact and Swift’s Know-Your-Customer Registry have been introduced into the market. These utility solutions look to provide centralized repositories that maintain standardized sets of information that are required for KYC compliance or that can alert banks to potentially high-risk customers. While these utility providers are gaining traction and popularity with many international banks, they still face many of the same challenges in maintaining up-to-date and accurate information.
Can the Spirit of Big Data Salvage KYC Data Management?
In order to address the shortfalls of traditional KYC information practices and modernize data gathering methods, internal measures need to be taken so that a complete inventory of all customer KYC information is available to compliance, legal, risk and any other relevant stakeholders. Financial institutions can begin by instituting self-sourcing practices, by consolidating available KYC data from all enterprise sources — from compliance and credit risk groups, to marketing and account management teams — to ensure customer data, and insight derived from that data, is shared across all business lines and operational departments. As big data forges vast new data points available for use, the nature of traditional information collecting ultimately needs to change as well. Organizations should embrace a more sustainable practice, moving away from the conventional use of a standard transactional profile for customers and moving toward the creation of holistic digital profiles. For instance, institutions are now looking into their customer’s methods of access — now largely via mobile devices or the internet, instead of through traditional branch banking — as a way to identify suspicious behavior that previously may not have been captured. The interactional information collected from such sources, leveraging big data, can enhance the larger customer profile and make it easier to identify abnormal activity.
Oftentimes the modernization of antiquated KYC information collection will require a concerted effort both through self-sourcing internal efforts as well as through the building of relationships with external vendors or third-party information providers. As stated in the Federal Financial Intuitions Examination Council’s customer information program (CIP) rules, institutions may elect to obtain KYC information “with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.” Although it is important to maintain a strong internal and holistic baseline of the customer information an institution possesses, the use of third-party vendors that leverage big data can provide a competitive advantage in the industry. When used strategically, this information can be used to enrich the quality of KYC data and help to reduce the time and resource burden of supporting a more robust internal customer onboarding process and maintaining regular updates of this information.
The Future of KYC
At present, every financial institution is effectively reinventing the wheel when it comes to KYC information collection. For each bank account that is created by a customer, every organization essentially collects and stores the same information about that individual, with little to no standardization of method or process available. The industry together is bearing a collective cost for each duplicative customer information search and validation carried out by individual institutions. Combined with the rapid expansion of data, which is continuously outpacing the ability to rationalize and interpret the information that is being collected and stored, financial institutions still continue to struggle to effectively manage their risk.
To combat these challenges, financial institutions can take measures to assess the information that each internal business unit is tracking on their customers to better guarantee information correlation and the reduction of risk. If the chief information security officer’s (CISO) office manages the secure entry of customer logons by tracking “digital fingerprints” like IP addresses, MAC addresses, credentials and security questions, the compliance office can use this information to confirm that transactions expected for a low- or high-risk customer are validated in their own transaction monitoring rules. If a customer logs onto multiple bank accounts even if they are only listed as the owner of one of the accounts, this could then alert the bank officials of potentially irregular activity. Additionally, recent developments in the use of blockchain technologies could permit the idea of continuous monitoring of activity with minimal need of manual updating.
Recent trends in the financial services industry demonstrate a clear need for a centralized, distributed information store of KYC information that leverages efficiencies gained in big data technologies. Information collected from automated data analysis platforms and a pooling of resources and available data will help to drive down the general costs of KYC management and reduce the burden of in-house resources to store, revise and update customer information locally. The creation of a system of universal customer profiles will help to protect the accuracy of information that is available to institutions and will allow them to proactively manage data risk. Although a movement aimed at centralizing KYC information will most definitely elicit debate into the implications of such measures on data privacy and customer rights, the discussion will undeniably take place in the near future.
The emergence of single sign-on providers have made similar practices redundant for major retailers by offering a centralized, secure and, most of all, convenient way for consumers to be identified. The idea of KYC-as-a-service, which is just an extension of the same single sign-on concept, has already presented itself as a viable option for many organizations that no longer conform to traditional brick-and-mortar ways of doing business. It is only a matter of time before cost, risk and regulatory reach drive the financial services industry toward adoption of increasingly centralized, standardized and managed KYC information providers to complement (or even replace) existing KYC information stores. Eventually, the need for financial service institutions to collect any customer information may become obsolete.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
Originally published in Law360.