Interview with Jean-Louis Schiltz on digital onboarding

As digital identity and trusted data have become popular topics on every risk management conference agenda, we sat with Jean-Louis Schiltz, a tech law advisor and senior partner at SCHILTZ & SCHILTZ, to discuss about onboarding new customers and managing digital identities.

During RiskConnect you have presented a brief history of KYC. Could you share with our readers some timeframes and important milestones achieved so far by KYC?

KYC was actually born at the end of the 20th century. This was KYC 1.0: Know Your Customer. The old-style KYC procedure was guided by the “paper only” principle. Information were very limited, and the Courts and prosecutors were hardly involved at the time.

By 2010 or a little before, tech-assisted KYC procedures started to develop. KYC 2.0 was still largely paper based, but for the first-time certain KYC checks were operated automatically. Sanctions lists for example have been digitalised in the meantime. This was the beginning of the automation. A welcome text message or email sent to the client for verification purposes or 1 cent wire are just two examples of the innovative features of KYC 2.0.

On or around 2015, tech-driven KYC 3.0 came into play. This was when regulators in certain countries - among which Germany and Luxembourg - started to become receptive towards camera onboarding as one element of the KYC. Banks and others had to perform. Certain basic conditions for camera onboarding, such as for example the requirement of the customers’ consent, the condition that the passport must be readable, the person on the picture must be recognizable, etc. have been set up in the meantime. Security and storing requirements are standard features for camera onboarding today.

KYC 4.0 would amount to recognising full value to digital onboarding solutions with no need for further steps to be taken, except human validation. This would mean - if I am taking the example of camera onboarding - that the onboarding via camera equals the KYC process and vice-versa, and the whole process would be 100% outsourced. KYC 4.0 is in its infancy today. There are also regulatory obstacles to its full deployment.

KYC 5.0 would be the full digitalisation and automation of the process. This is what we call automated digital onboarding or ADO. No need for a human intervention anymore. I do not think that we are fully there yet. Machine-learning and artificial intelligence automated solutions play a key role here.

Despite the fact that the KYC processes have improved over the last decade, there are still issues associated with insufficient online KYC programs. Could you name some of these impediments and advise us on how to overcome them?

True. One example here is that fully automated digital onboarding, albeit technically possible, are not fully recognised. There is general scepticism to trust the machine, the machine only. Regulators in many jurisdictions still require a human intervention. Someone needs to physically push the button. If not, the process cannot be completed. I am not sure this is really what we should do or at least not in all instances. Legislation needs to define this and other aspects. This would be a task for the Financial Action Task Force of the OECD. We should move towards the international recognition of KYC-utilities. KYC is a job in itself today. Banks are not super good at it because it is not their core business. We need highly specialized KYC providers to do the job.

In order to achieve the ideal Identity Platform there are a few legal challenges such as data protection, AMLD 4 and 5, Informational Self Determination. Could you please briefly explain them?

Well, there are actually many challenges.

Legal developments on AML are tough to follow and even more so to abide by. I do sometimes have the impression that in Europe we are enacting one new rule per day. This does not contribute to a stable environment. The balancing act between AML compliance and trustful and quick payments is something on which we will have to continue to work in the years to come.

GDPR is another challenge. Under GDPR, I am telling no one anything – all information is private – and under AML, I need to know everything all the time about my client and share such information with the authorities when being asked to do so – and I need to do so immediately.

Unfortunately, GPDR is not going as far as it could have on control over personal data or, to put things differently, it is not very clear here. The Windhover Principles for Digital Identity and Trust could serve as an inspiration for future action; these principles, which go back to 2014, advocate in favour of individuals and groups having full control over their digital personal identity and their personal data. This is the principle of data sovereignty.

If we want to further complicate things, let’s talk about informational self-determination. This is roughly speaking about the protection of individuals against so-called unlimited collection and storage of personal data. In Germany, this is a principle which carries the same weight than a rule enacted in the country’s Constitution. What do you do if someone is arguing that his or her personal data are protected under the Constitution and that therefore AML rules should give way? This will be particularly challenging when the legal basis for a given AML-rule comes from a non-binding international text. Does the constitutional principle prevail here? I think it would.

How will tomorrow’s KYC process look like? What main elements will dominate it?

KYC tomorrow will be about digital identity. A digital identity needs to be global, portable and automated. It needs to include optical and vocal recognition elements and robotic automation processes. Machine learning and artificial intelligence will make it a success. For Europe, KYC 6.0 must be part of the Digital Single Market. We do not need new laws and regulations, but we must apply the existing ones.

About Prof. (hon.) Jean-Louis SCHILTZ

Jean-Louis Schiltz is the Senior partner at SCHILTZ & SCHILTZ and Professor (hon.) at the University of Luxembourg. He is a tech law advisor and regular speaker at various conferences.

He serves as a member of boards of companies and non-profit organizations. From 2004 to 2009, Jean-Louis served as Cabinet Minister in Luxembourg.

About SCHILTZ & SCHILTZ

SCHILTZ & SCHILTZ was initially established in 1932 by Tony Biever, MP. Jean-Louis and Franz Schiltz have established the new structure of SCHILTZ & SCHILTZ in 1994 and transformed the firm in a “société anonyme” in 2018. The law firm has five partners today. SCHILTZ & SCHILTZ is a recognized actor in Business law, Innovation as well as Regulatory and Compliance. For any further information, please refer to our website www.schiltz.lu