Enhanced customer due diligence - seeking present, not past

Over the last two decades, we have seen a data mining process, developed late last century, become the prevalent approach to KYC in the UK. It might be time to reconsider it.

Historic Database Checks

Database driven KYC checks have been the most popular form of identity proofing in the UK, relying on static data such, as credit reference databases, telephone directories and electoral rolls. The data mining approach has been sufficient to date, as the interpretation of AML requirements has been that customers are to be identified at the time of on-boarding.

The 4th Anti-Money Laundering Directive (4AMLD) strengthens the requirement for ‘continuous and ongoing’ customer due diligence, which requires regulated operators to focus on the present, not merely the history, of the customer.

So, what happens when an operator goes back to the data source, and the data source has remained the same with regards to an end customer’s data? Does that mean that the data is up to date, or, does it mean that the data hasn’t been updated? How can the data broker know if a material change in KYC data of any end customer, including address, has occurred?

Will an operator, going back to a data broker source, without a record of any update between KYC requests, be able to satisfy the AML requirement for ‘continuous and ongoing’ due diligence?

KYC data brokers include GBGroup, Experian, Trulioo, Equifax, Dunn & Bradstreet and W2. These data brokers generally present a confidence score for each customer based on the amount of historic information they have been able to collect to verify the end customer’s identity.

Data Recency

Australia’s AML regulations introduce the concept of data ‘recency’, whereby the age and update frequency of data needs to be considered when incorporating data as part of a customer due diligence decisioning process.

It appears the December 2016 consolidation of the Cypriot CySec Directives starts to consider ‘recency’ as well, and addresses this under Annex IV, section 1(C) ‘electronic verifications’:

i. electronic databases provide access to information referred to both present and past situations showing that the person really exists and providing both positive information and negative information.
ii. electronic databases include a wide range of sources with information from different time periods with real-time update and trigger alerts when important data alter.

The CySec directive is consistent with the requirements for ‘continuous and ongoing’ customer due diligence

These three words of ‘continuous and ongoing’ will pose a very practical problem for legacy data brokers.

Until now, there has been no requirement for data brokers to deliver and assure ‘present and past’ records with respect to any customer in their database.

Data brokers usually only present the ‘latest’ data, which is subject to say a mortality database check and an update by the end customer when either the registering to vote, or, if the credit reference data changes provided that data is reported in a timely manner by the Credit Reference Agency or end customer.

It is this reliance on an end customer trigger of a database update that will become problematic for regulated operators seeking to use electronic verification to meet the ongoing and continuous requirements for customer due diligence.

4AMLD

The introduction of the 4AMLD by the European Union (EU) last year will require KYC providers to adapt and change the way they perform cascading KYC checks, if their regulated operator customers are to stay compliant.

Some of the major changes include:
• The introduction of ‘lifetime’ rather than ‘annual’ KYC thresholds for eMoney operations
• For eMoney and prepaid card operations, significantly lower KYC thresholds from EUR 2,500 annually, to EUR 250 or even EUR 150 applicable when customer surpasses the lifetime aggregate.
• Tighter restrictions on application of Simplified Due Diligence (SDD) for eMoney,
• Expanding circumstances when Customer Due Diligence (CDD) should be re-done and changing the rules about high-risk jurisdictions.
• Expanded definition of high-risk situations to encompass online services, with application of enhanced due diligence to remote transactions.

Dynamic is Present, Static is Past

Legacy KYC providers biggest challenge is the requirement to have a dynamic element that demonstrates present information on the customer, and not just historic information, in order to meet the enhanced due diligence requirements, set out by the 4AMLD and CySec.

iSignthis have developed the means to augment legacy historic based KYC checks with a solution to meet the 4AMLD. We achieve this via our unique Paydentity solution, which converges payments, payment data + metadata and identity information, to provide an up to date KYC profile to satisfy enhanced due diligence.

Paydentity can unlock the identity from payments based on a regulated payment instrument to satisfy AML and CFT requirements, independently of any historic database lookup process. This means that we can assist with remote enhanced due diligence on a customer located almost anywhere in the world, reaching up to 3.5Bn persons who can pay remotely.

KYC data broker providers such as W2 are already preparing for this by partnering with iSignthis, to deliver the lowest friction on-boarding process to operators, whilst meeting the preconditions for compliance. W2 and iSignthis will be able to provide their customers with enhanced cascading KYC checks, to meet the 4AMLD requirements.

XM.com will be the first to go live in the coming weeks with this cascade service provided by iSignthis incorporating W2 data for UK residents, with Paydentity for rest of world.

For more information about how your company can benefit from iSignthis Paydentity solution contact sales@isignthis.com. 

John Karantzis B.E. LL.M, the CEO of iSignthis, will be discussing the 4AMLD and its requirements at London’s ICE Totally Gaming on Wednesday the 8th of February at 11 am at the Regulation Clinic, and also at 11.30 am on the 9th February at the ACAMS Symposium in Limassol, Cyprus.

About John Karantzis

John is the founder and Managing Director/CEO of Australian Securities Exchange listed iSignthis Ltd (ASX : ISX). John holds qualifications in engineering (University of Western Australia), law, and business (University of Melbourne), with a broad understanding of international regulatory regimes as they relate to payments, money laundering and identity.
John has over 20 years experience across a number of sectors including payments, online media, AML, defence and secure communications. In particular, John’s experience includes application of technology to assist with remote enhanced due diligence, across a number of FATF legislative model jurisdictions. Areas of relevant expertise include the identity verification requirements for eIDAS, 3AMLD, 4AMLD, JMLSG and CySec.

About iSignthis

iSignthis Ltd (ASX : ISX) is the global leader in delivering payment solutions converged with dynamic, digital AML/CFT KYC identity proofing. Our Paydentity solution incorporates real time electronic verification to converge remote payment authentication and KYC identification. This delivers automated customer on-boarding with a global reach of any of the world’s 3.5Bn financially included persons, no matter where they are located. iSignthis’ unique solutions protect both online customers and merchants from fraud and identity theft, and thus increase confidence and trust by all parties involved in remote transactions.