Let’s face it, not many people really enjoy KYC guidelines and AML requirements. Whether KYC & AML requirements make a difference for our society or are just window dressing is something to be discussed in another forum. The fact is that the guidelines are there and that many businesses (not only financial services firms but also accountants, real estate brokers, and insurance brokers) have to adhere to them by law. Another fact is that many large players have neglected the guidelines and now have to pay hundreds of millions of dollars for it. In other words, one should take the requirements seriously. But how can one go about adhering to the requirements whilst avoiding time-consuming and costly processes? The answer is spelled automation and APIs.
Start with your KYC policy
(If you are well versed in KYC & AML requirements, you can skip this part.)
As a first step, go find your company’s KYC & AML policy and get an understanding of what data is to be collected in order to know your customer and what the next actions are (monitoring, etc.). If you don’t have an established policy yet, you have the chance to shape the policy somewhat based on what you can automate. Yes, you read that right: the responsibility for setting up a policy is on you, whilst the authorities make sure that the policy is of a good enough level and that you adhere to it. So there is some room for adjustments based on what you’d like your service to look like. (Don’t take my word for it; check what is required in your legal jurisdiction, but this is how I have interpreted it in Sweden, Switzerland and Germany. Also, this is not legal advice for those of you who are wondering.)
In general, most requirements have to do with the following things being completed:
- Identification: you have to identify your clients in one way or another. The riskier the client (more on this later on) and the riskier the distribution channel, the more secure the method of identification has to be. What is a risky distribution channel? In general, online is considered a risky distribution channel. Ok, but what is considered to be a secure way of identifying someone? The most secure is the good old-fashioned ID card/passport being provided in a physical meeting with your client. Depending on what jurisdiction you operate in, the other options look somewhat different. Under the headline “Let’s do the fun part, APIs!” below you can read more about specific identification services for different countries.
- Collecting customer information: start with the basics both for consumers (name, address, date of birth, etc.) and businesses (business name, address, organisation ID, industry, etc.). If you are catering to businesses you also have to figure out who is the beneficial owner, i.e. who owns or controls 15/25% or more of the company. Depending on what service you provide, you will have to collect more information. E.g. if your clients will transfer money to you for one reason or another, you need to ask them where the money comes from.
- Risk evaluation: based on the information you have collected, you need to determine how risky your client is. You do this by comparing the data you have collected against some pre-set criteria on what is considered to be risky. Some of these criteria have established guidelines (FATF, etc.), like whether a country of origin is considered high risk (North Korea is, for instance); others your Chief Risk Officer has set in your company’s guidelines.
- Action: depending on how risky your client is considered to be, the next steps look different. If your client is considered risky, you need to collect some more information about it before you start doing business with it. For all customers you have to update your risk assessment about every year or so, but if it is a high-risk client you have to do it more often than that. Also, you have to be more stringent on what is called monitoring, i.e. checking whether the client is acting as you expect it to act (transaction volumes being made, etc.).
Let’s do the fun part, APIs!
The next step is to establish an understanding for what data points you can collect through different online services. As mentioned above, identification is a key element of your KYC process.
In the Nordics and the Netherlands, there are solid mobile applications for identification (also called eID), like BankID in Sweden & Norway, NemID in Denmark or Trust Network in Finland. In other countries, Germany and Switzerland for instance, service providers like IDNow offer a video-identification service.
As there is a lot happening in this space, you should do some research on what is the most user-friendly and compliant identification method in your jurisdiction (or contact us and we’d be happy to help you). When you read this, the services mentioned above might already be outdated.
Most of the above offer solid APIs to connect to, as well as iframe solutions. This allows you to integrate a user-friendly identification solution into your service, whilst ensuring the first step towards knowing your customer. Not bad!
Additional data to be collected
As mentioned above in “Start with your KYC policy”, the data to be collected differs depending on what type of service you are running. However, many data points are pretty basic ones that are needed for most services that are required to do KYC (e.g. address, industry if it is a business client, etc.). Others are more detailed ones, like who is the beneficial owner.
Luckily, there are many service providers that can provide you with this data so your customer does not have to answer 1000 questions in order to complete your sign-up funnel. The traditional credit rating bureaus (UC, Bisnode, Dun & Bradstreet, Creditsafe, CRIF, SCHUFA, etc.) offer this information through their APIs. Most of these are SOAP based and they vary in complexity (read: confusing documentation and non-user-friendly structures), though some of them do a good job. There are also some new players in the market, one being Roaring.io from Sweden for instance (now also in the Nordics?).
Integrating with a service like the ones above helps you to minimize the number of steps your client has to complete in order for you to get all the info you need about them. Every step that can be removed will increase your conversion rates significantly, and by that your financial performance, so it is definitely worth it to connect to these APIs.
Automating risk evaluation & monitoring
The data is collected and it is time to do a risk evaluation. Can this really be fully automated? Yes and no. The assessment (i.e. is the country of origin a risky one?) can definitely be automated. However, the answer is not so easy when it comes to whether the assessment then needs to be signed off by a Credit Officer or another person in your organisation. This depends on your jurisdiction, service and KYC/AML policy.
Nonetheless, automating the assessment step is 95% of the job. This is done by writing an algorithm based on your risk model. The more complex the model, the more complex the algorithm is. However, as it is possible to build high-frequency-trading models and natural language processing models, you don’t have to worry: your risk model can be automated.
Based on the assessment, it is possible to automate the required next steps. E.g. collecting more information from your client, monitoring their transactions, etc. As these actions look very different depending on the type of business you run and how your processes are designed, we will not go further into this subject in this post. However, if you’d like to discuss how to automate these steps, just reach out to us and we’d be happy to see if we can bring some clarity.
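To make the assessment and the follow-up actions concrete, here is a small rule-based sketch in Python. It is an added example, not code from this post or from any provider mentioned in it; the rule set, the field and action names, the country list, the 25% threshold and the 180-day review interval are all assumptions to be replaced with the criteria in your own policy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: replace with the criteria in your own KYC/AML policy.
HIGH_RISK_COUNTRIES = {"KP"}        # the post's example; a real list is longer
UBO_THRESHOLD = 25.0                # percent owned/controlled (some use 15)
REVIEW_DAYS = {"normal": 365, "high": 180}   # 180 is an assumed interval
STRONG_REMOTE_ID = {"eid", "video"}          # assumed labels for ID methods

@dataclass
class Customer:
    name: str
    country: str                    # ISO 3166-1 alpha-2 code
    channel: str                    # "online" or "in_person"
    identified_via: str             # "eid", "video", "physical_id" or "none"
    is_business: bool = False
    owners: dict = field(default_factory=dict)   # owner -> percent held
    source_of_funds: Optional[str] = None

def beneficial_owners(c: Customer) -> list:
    """Owners at or above the policy threshold."""
    return sorted(n for n, pct in c.owners.items() if pct >= UBO_THRESHOLD)

def assess(c: Customer, today: date) -> dict:
    """Apply the rules; return tier, reasons, follow-up actions, review date."""
    reasons, actions = [], []
    if c.identified_via == "none":
        actions.append("block_until_identified")
    if c.country in HIGH_RISK_COUNTRIES:
        reasons.append("high_risk_country")
    if c.is_business and not beneficial_owners(c):
        reasons.append("no_identified_beneficial_owner")
    if c.channel == "online" and c.identified_via not in STRONG_REMOTE_ID:
        reasons.append("weak_identification_for_online_channel")
    if c.source_of_funds is None:
        actions.append("request_source_of_funds")
    tier = "high" if reasons else "normal"
    if tier == "high":   # sign-off is assumed here; it depends on your policy
        actions += ["collect_additional_information", "enhanced_monitoring",
                    "manual_sign_off"]
    return {"tier": tier, "reasons": reasons, "actions": actions,
            "next_review": today + timedelta(days=REVIEW_DAYS[tier])}

if __name__ == "__main__":
    # Constructed sample customer, not real data.
    sample = Customer("Constructed Ltd", "KP", "online", "none", True,
                      {"A": 10.0, "B": 10.0})
    print(assess(sample, date(2024, 1, 1)))
```

Returning the reasons alongside the tier gives whoever signs off or audits the decision a record of which criteria triggered it.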
Alright, so what is the conclusion, can KYC really be fun? Well, in my opinion the KYC/AML part will never be fun. BUT, solving a real-life problem with technical solutions sure is. So my conclusion is that solving the KYC/AML problem with APIs and automation actually is fun.