Financial institutions and businesses are extremely familiar with the guidelines of KYC (Know-Your-Client or Know-Your-Customer). The minimum of these regulatory standards includes the customer identification program, customer due diligence, and ongoing monitoring or enhanced due diligence. The goal of KYC standards is to verify the identity, suitability, and risks of current or potential customers to identify money laundering and financial terrorism before they materialize.
With these systems in place, do bank executives and chief compliance officers really know their customers?
No, they don’t.
What do we know?
In times past, in order to open a bank account, a customer would need to visit a retail location and provide a form of physical identification (e.g., a driver’s license or passport). Bank employees would then make a judgement of whether or not the customer was being truthful by comparing the photo ID and the face of the customer in front of them. Customers deemed truthful could proceed with the process.
As counterfeit identity cards became more convincing and prevalent, businesses would develop better technology to detect fake IDs.
With this procedure firmly implemented, do banks know their clients?
For 100% identity verification, a financial institution would need a DNA sample from the customer, a DNA sample from the customer’s parents, and the lab tests associated with DNA comparison. Then it would need birth records, like birth certificates, and maybe even witnesses under oath to corroborate the narrative of the customer’s birth in that particular hospital.
Is this a ridiculous standard to hold banks to?
Without-a-doubt identity authentication doesn’t exist.
Maybe in the future, subdermal microchips will be commonplace to confirm who is who, but maybe counterfeit, stolen, and replaced microchips will also be commonplace.
Regardless of the barriers and technologies regulators or businesses implement, fraudsters will find a workaround.
If it’s hopeless to know your customer, how do financial institutions create an effective strategy to prevent fraud and crime?
That’s right. Math!
Effective KYC goes back to high school calculus and probabilities. Client onboarding requires a deterministic probability.
Start by using the process of elimination.
At some point in school, teachers ask students to prove 1+1=2. The process often starts with a hypothesis that 1+1≠2. Students try to prove this hypothesis with a ridiculous premise like 3=5. Since 3≠5, the conclusion becomes 1+1=2. Now, apply this technique to customer onboarding.
The current KYC model in the United States is broken.
Opening an account at a financial institution only takes four main elements into consideration: name, home address, date of birth, and Social Security Number or Tax Identification Number. Most people know that this information is not difficult to obtain. If someone knows this information for an ex-partner, they could open an account in their name.
A popular upgrade to onboarding beyond these four elements is a scan of the customer’s ID card and a selfie with biometric and liveness detection. However, banks often see a sharp drop-off of customers at this stage in the process. Many consumers find this procedure intrusive, regardless of the excess of selfies – some with driver’s licenses and passports in frame – they share to social media platforms. Fraudsters use the images from social media to construct convincing IDs and animated deepfakes that make the fraud and disguises in the Mission Impossible films seem amateur. These deepfakes bypass liveness detection and pass facial recognition with ease.
Many fintechs today prioritize customer quantity over quality, so they make the onboarding process as frictionless as possible. A fintech could require the bare minimum of KYC standards, allowing someone to create a new account in less than a minute. This saves the fintech money and supplies it with the statistics of customer growth and adoption needed for the next round of fundraising.
Startups can come and go with their benefits, but allowing bad actors to enter and easily move about the financial system can be extremely harmful. Fintechs can stop a significant amount of fraud at the gate.
So, how are fintechs, banks, and other financial institutions supposed to identify money laundering and financial terrorism before they materialize?
- Step 1: Admit ignorance. Claims of a complete lack of fraud are unfounded, and the fraud will reveal itself eventually.
- Step 2: Implement a dynamic strategy instead of a stagnant one. The KYC strategy should be modifiable as requirements and times change.
- Step 3: Carefully select vendors and partners. KYC vendors should work hand-in-hand with the bank or credit union, occasionally offering advice for improvements.
- Step 4: Be willing to budget for real solutions. Onboarding is not a business component on which to cut corners or choose the least expensive option.
- Step 5: Stay vigilant. Fraudsters need only be right once to succeed. Financial institutions must prevent every attempt and occurrence to stay safe.
This article was originally published in The BHB BaaS Association Newsletter.