Know Your Customer's Customer
For more than a decade, U.S. regulators have been advising bankers to know more about their customers than who they are. In the next five years that may become the global norm as technology allows more granular transaction monitoring.
By 2020, the industry will "step away from customer identity and verification," said Thomas Piontek, head of regulatory services at Commerzbank AG, at the Society for Worldwide Interbank Financial Telecommunication's business forum in London last week. While he doesn't believe the concept of knowing your customer will go away, "we will look much more into customer transactions."
His predictions, and those of others on the panel discussion about the future of KYC, come as banks worldwide "derisk" by showing the door to whole categories of clients in response to steep penalties for anti-money-laundering lapses. Regulators insist they want banks to manage risk, not avoid it, but bankers say certain industries and geographies have become too expensive to profitably serve.
Delving deeper into customer transactions would allow banks to analyze the cash flows coming in and out of a particular client, partner and/or country. This would inform the bank of popular exports and imports and the businesses that deal with these products to see whether a client's transactions make sense, Piontek said. (A company importing oil into an oil-exporting country at an amount right under a reporting threshold might raise alarm bells, for example.)
A bank can then tabulate all sorts of data about its business customers, including what payment methods are generally used. This data can be compared against market prices and behaviors.
"That's almost like Know Your Country," said Guy Sheppard, KYC products market manager for Swift and the moderator of the panel.
While the Know Your Country model would give banks greater insight into a local region, allowing them to flag unusual behavior, there are substantial hurdles to realizing this vision. KYC and data sharing and privacy requirements differ from country to country. What Citigroup is allowed to share on customers inside the U.S. could very well be illegal in the U.K.
"What we try to do is enforce a common standard, a gold standard or global policy on KYC" throughout the bank, said Peter Drake, AML head of Europe, the Middle East and Africa for treasury and trade at Citi, which works in more than 100 countries. Citi's corporate KYC requirements sometimes differ substantially from local requirements, making it difficult for businesses to get accounts, Drake said. But Citi doesn't set out to serve e-commerce merchants or compete with local banks in most jurisdictions, he said.
Another issue banks are dealing with today is KYCC, or "know your customer's correspondent."
When looking at the correspondent banking partners they work with, Citi looks at a section of the year or a number of months of activity to see what the flows are between that bank and others. Then the bank asks itself: "Does it make sense that money is moving between these locations or companies?" said Drake. For instance, if a partner says it's not banking money-services businesses or money transmitters, yet its transaction history says otherwise, that's a problem, he said.
While banks have this data at their disposal today, most have a hard time analyzing it after the fact. To help banks deal with customer identification, several organizations are launching KYC registries, centralized indexes to store, authenticate and share corporate client information. The industry-owned Swift started such a registry in December, and during the forum announced that it now has users from 109 different countries.
One thing a bank doesn't want to do is store too much information that it isn't using, said Piontek, because regulators might be concerned about the risk it could be breached. "Any data you have on file that you're not using is a slightly difficult" conversation to have at audit, Piontek said.
For that reason, Russell Saunders, managing director of global payments at Lloyds Banking Group, said the growth of utility services for this type of data management could be beneficial. "You can't un-know what you know," he said, which is why he sees a future where banks set parameters on what type of information they want back from a centralized registry organization.
A KYC registry service could also cut time and expense. "It can take 25,000 pounds [about $30,000] to aggregate a file on a correspondent bank... a file with tons of pages of information that are out of date by the time it's signed off on," Saunders said. But if there was a business that could focus on managing and updating customer data, the process could be much smoother.
But even in a future where banks use technology to decipher vast amounts of data, a bank can't stray far from the tried and true. A bank must continually retrain its compliance staff, knowing that 20% of their time will be spent "KYC-ing" customers, Saunders said.
While some banks may worry about sharing data with competitors, in the foreign trade business a good risk compliance process is not really a competitive advantage, said Commerzbank's Piontek. Compliance gives a bank an edge only on the retail side, he said (for example, with a good fraud risk-mitigation program to protect credit cardholders).
But banks don't have to decide just yet. The technology to make automatic exchange of information a reality is still in its early stages, said Mark Taylor, managing director of Equiniti Investment Services, an outsourced administration services provider. The charge is being led, at least in the U.K., by the insurance market, he said, although it's likely that in the next couple of years banks will start experimenting with the process.
Plus in the next few years, authentication technology such as facial recognition software will become not only industrial-strength but also scalable, Taylor said. But it will take time for customers to get used to it, he said.
Swift's Sheppard seconded that, saying customer experience is often most important and overlooked.
"Due diligence is going [only] in one direction … growing in increasing levels and becoming increasingly intrusive," he said.
And while Taylor agreed, he said using digital technology could help ease the process of data collection for customers. Banks need only give up their archaic identification methods, such as requiring customers to physically bring in a bank statement to prove who they are.