Banks use KYC to obtain data on their clients for onboarding and periodic review processes – a set of protocols to assist with gaining a better understanding of the exposure to risk within a book of customers. Conducting KYC effectively and efficiently, let alone doing so on an ongoing basis, for many banks is a challenge in itself.
However many big banks don’t just operate direct customer relationships, but have a much bigger role in the financial ecosystem as providers of the “rails” that allow other organizations to move money around the world; for instance, correspondent banks and payment service providers. In these business models, a bank doesn’t have direct exposure to end customers, but rather services the payment intermediaries that interface directly with merchants and consumers.
Increasingly we are seeing regulators insist that the owner of the payment rails take responsibility for the end-to-end transactions that they are enabling and the ultimate beneficiary organizations. Effectively, regulators are pushing for big banks to take responsibility for their partners’ (or customers’) customers. And so KYCC (Know Your Customer’s Customer) is born.
The much-maligned Wirecard scandal that has recently been the talk of the financial world detailed how a fully-licensed German fintech company (dealing with legitimate porn companies) had a recorded €1.9 billion in missing cash laundered and sent through third parties, culminating in the arrest of its chief executive and bringing the quality of the work by an international auditor into question. Would Wirecard’s partners, their bank and any other services providers to Wirecard have had a better understanding of Wiredcard’s customer base, many of them might not have wanted to work with the company in the first place or at least might have treated them as a higher risk customer. It’s important to say that this wouldn’t have been about the fraud that turned out to be at the heart of the Wirecard scam, but rather just about the aggregate level of regulatory, fraud and reputational risk that Wirecard’s “legitimate” customer base posed.
KYCC is a numbers game
At a very high level, the process for identifying information on an entity’s multiple connections is similar to KYC, adding another layer of security, attempting to identify the legitimacy and background of each of the customer’s customers.
As a customer typically interacts with very large volumes of other parties – and banks typically have high volumes of customers – it is not realistic to expect that a manual solution is going to be sufficient. Take the example where a bank has 10,000 corporate customers. If each of these customers have 1,000 customers of their own, that indicates 10,000,000 entities for banks to conduct KYCC on – millions of customers – a sheer impossible task if done manually.
One anti-financial crime area which has experience in dealing with high volumes of entities (and transactions) is AML. With KYCC touching on both customers and their transaction parties, it is obvious that one could think of AML detection engines as a solution for KYCC. These tools, however, are primarily focused on identifying AML risk and are reactive in nature in that an AML pattern will need to have occurred for it to be detectable.
Other solutions which have experience in dealing with higher volumes of entities are more retail focused tools. It is not surprising that electronic identity verification (eIDV) providers are trying to capture some of this market potential. The challenge is that this will require consent and cooperation from a customer’s customers. In addition, volumes can quickly become so exponential that even eIDV solutions might not be able to manage the workload.
What can be done
The basic tools for KYCC are – like for KYC and AML automation – data and entity resolution. By uniquely identifying third parties quickly and efficiently, analysts and investigators can automate enrichment with high-quality data and accelerate triage of high-risk counterparties.
This allows banks to focus manual investigative work much more narrowly, as well as making sure that investigations start with accurate targeting, including information on related parties, possible risk areas, adverse media and regulatory actions. Ultimately, being able to leverage leading risk indicators creates better outcomes and greater efficiency. With KYCC touching on both customers and the entities they transact with, it is a good starting point to look for automated solutions which can help achieve convergence between KYC and AML.
What we’ve seen from our customers is that by automating the process of resolving entities against external data sets and automatically aggregating and distilling risk indicators, we can support the automation of AML and KYCC processes but also more traditional remediation activities.
Through leveraging the connectivity we provide to both entity data and risk data we are able to populate entity and risk profiles for large numbers of entities with minimum manual effort. The resulting profiles can be risk scored and ranked, which, combined with an effective KYC process, can be used to generate a much more insightful composite risk score for the customer and its business relationships. It can help banks make a much more accurate assessment of the risks in doing business with a specific entity, not reactively when the crime has already occurred, but proactively during onboarding or periodic review. With KYCC as an extra, vital weapon in a bank’s armory, such high-impact scandals like Wirecard can be more easily avoided in the future.