IDnow sits down with Alex Pillow, Director, Market Strategy at Moody’s Analytics KYC to discuss the merits of risk-based vs one-size KYC approaches; the impact of upcoming regulatory changes on outdated processes; and the importance of matching the right people with the right technology.
What are some of the major issues/challenges with the current KYC process for UK financial services?
The major challenge this year has been sanctions compliance. Russia’s invasion of Ukraine under Putin’s leadership has become the topic. I’ve been at conferences where practitioners and leaders of Sanctions departments, AML departments, and KYC departments are saying they’ve had staff in tears because of the workload, and the pressure and responsibility they feel to get this right.
When you look at how sanctioned oligarchs and sanctioned entities operate and get around regulations, it’s invariably through networks, and control of other entities and people. So, you’ve got to have the data, the technology and the expertise in place that can ensure your sanctions screening and sanctions programs go beyond the lists to truly understand your sanctions exposure.
Another challenge is that many organizations are still very siloed; one team may be responsible for screening the list, another team is looking at ownership, another looking at payments, and another group is looking at identity verification. How do you ensure all the risk signals are combined into a coherent profile and narrative so you can understand the risk of a customer, a third party or a supplier? Systems must be synthesized, and with the current stressors, my sense is that compliance and operations professionals are realizing this more than ever.
How does the UK’s risk-based approach to managing AML and KYC risk compare with countries like Germany that have more stringent, comprehensive ‘one size’ checks in place?
There are advantages and disadvantages to both approaches. If you think about risk-based strategies and the problems with those, it really relies on the judgment of individuals and their respective firms. Sometimes, it’s a committee of people, and sometimes it’s just one person; it depends on the company and their governance structures. Again, if you think about risk-based strategies, regardless of the size of your compliance team, having the right risk assessment strategy and tool of solutions are critical to getting compliance right. That’s where my colleagues and I at Moody’s spend all of our time as I’m sure many of IDnow’s team do as well.
It’s important to remember if you are relying on judgment, you must also rely on effective enforcement when that judgment is wrong. So, this often leaves room for doubt, which can be a problem because what one person calls satisfactory, another will call inadequate. Where you draw that line is naturally subjective despite the best efforts to be objective.
When you go to one size on anything, you are giving information to the opposition.
A risk-based approach allows for some intelligent risk taking or calculated risk taking, which can lead to benefits for the vast majority of legitimate customers, third parties, and business people.
Customer onboarding processes remain a much fought-over area of a service provider’s customer’s experience. How can a financial institution balance its customers’ desire to be onboarded in the automated and digital-only manner to which they have become accustomed, while complying with local regulatory and KYC and AML requirements?
People and technology. If you don’t have the right experts, then you’re not going to understand the regulations and requirements very well. You need people who understand the risk, know what they need to do and need to ask. They also need to be able to work with your technologists, product managers, and commercial people, so they can understand the implications. For instance, can they work with your marketers so they understand what claims they can and can’t make, and be accurate in what they say to their customers?
Then there are always new risks, regulations, target demographics, risk typologies, and criminal typologies to which they’ve got to react. So, can you move to an agile development process? Can you make iterative changes? Can you have a perpetual KYC process so that you are staying current when analyzing your risks?
You’ve got to have people that can understand it, know how to measure it, and how to assess its performance.
Also, I think there’s a lot of available technology that’s not being used well or enough. This is partly due to KYC vendors and customers who are typically not skilled at presenting the benefits to CFOs or COOs, arguing the need to increase budgets to achieve measurable return on investments. That ROI may well come from better mitigation of risk, or perhaps from improving customer experience via reduced onboarding times, more conversion and ultimately more revenue. More often than not, the business case should be a combination of these.
How important are identity verification and customer onboarding solutions in contributing to safer and more secure crypto exchanges?
In a word, very. I don’t see how they’re going to be able to do it without these sorts of technologies. Many of the “cypherpunks” from the whitepaper days and crypto originals might not like to hear it, but you must balance the rights of privacy with the right of society to protect itself.
If a crime has occurred, investigators need to be able to go to the entity that has, perhaps unwittingly, facilitated this and gather information to find out the identity of the customer.
Preparing for the known: Operating in a world of crypto regulation.
With increasing focus from the FCA and UK government on regulating the crypto industry, how do you foresee the near future of crypto in the UK? What challenges and obstacles do you envisage?
People often talk about London being the one place where the lawmakers, financiers and technologists all exist in the same place, often within a 20-minute walk of each other.
We saw it with the fintech boom and how that mix basically made London the centre of gravity for fintech. We are seeing a similar development with the crypto community; having companies here in the UK means there will generally be ways to collaborate, or when a new regulation comes in, there’ll be very smart people working on it.
I expect the industry will evolve with regulations. There are several large crypto companies that have been pushing for tighter regulation, as they believe it will help contribute to the classic adoption curve. When people know things are regulated and the authorities are involved, they will likely feel far more comfortable participating. I also think there’ll be a period of evolution and adaptation. There may be those that decide not to operate here [in the UK], and go elsewhere, potentially somewhere perceived to have more lax regulations and enforcement. However, that may indicate to third parties and customers the priorities of that business.
If you are going to adapt and evolve, you’ve got to retain the right people with the right expertise, who can communicate effectively with regulators, and who can understand what the vendors are offering. Technology is how you’re ultimately going to comply with regulations. You’ve got to have the right systems, processes and controls that match your policies.
Of all the recent and upcoming regulatory changes (MiCA, etc.), which do you think poses the highest potential for disruption to outdated KYC processes and systems?
In this case, I don’t think it’s necessarily about crypto. I go back to the broader fintech market, in which I’ve often categorized crypto. I think traditional banking learns from the fintech market. If you consider the changes they’ve made in their onboarding process, the investments they’ve made in their apps, and their decreasing investment in bricks and mortar, I think it can at least partially be credited to the growth of fintech and other types of financial services (including crypto).
A lot of fintechs market their onboarding, which is effectively their KYC process – “Get onboarded in five minutes, rather than hours or days.” They are marketing onboarding, and banks never did that before. Now, UK banks talk about customer service and experience, and I wonder if some of that is driven by trying to prioritize that over benefits like sign-up bonuses. They say convenience is king, and that certainly applies to this market.
What are some of the major UK and European fintech trends that we can expect in the coming years?
I’ve read a lot about the fintech market being like the “dotcom” bubble. The signs look similar. If that is the case, then I think we should embrace it; you can’t change macroeconomics on your own, but you can learn from what’s gone before and embrace the challenge.
We’ve certainly had easier times of on-tap venture capital money; now it’s more difficult. Business models are going to be vetted, profitability is going to be key. So, it can’t just be, “We’ll do everything,” anymore. It’s, “What do we do well? What are people willing to pay for? How can I finance my own growth rather than just raise another round?”
The fintech bubble bursting may be a good thing for the long-term health of the industry, because just like the dotcom bubble, only the “good” viable companies will survive. The ones that will remain will be good for consumers, third parties and the ecosystem at large.
With increasing importance placed on fintech [partly due to pandemic-induced acceleration], what are some of the dangers and challenges associated with banks and financial institutions rapidly implementing fintech and regtech solutions?
The major challenge is whether you can change your mindset. Are you committed to working fast? To experimenting? Are you willing for something to fail, iterate on it, and then go again, rather than say “the project didn’t work, kill it, let’s go back to what we know”?
There’s a saying that perfection is the enemy of excellence. I think a lot of traditional organizations are so focused on doing things correctly that they’re prepared to move slowly. Some call it “analysis paralysis.” But you can work more efficiently, if after you’ve failed at something, you take what you’ve learned, and just go again. With that mindset, you can be on your second, third or fourth attempt while a more conservative team or company is still doing research.
That also goes for implementing initiatives, partnerships, producing your own products and innovating. That’s the big lesson and it’s a challenge. If you can’t move quickly, then those third party fintechs and regtechs who don’t have the same time horizon as a larger, more established player will.
There must be a happy medium between breakneck speed and 15+ committees to make a decision. People have to be willing to make mistakes, accept those challenges as part of the process and fail fast, and ultimately move on.
Interested in more Fintech Spotlight Interviews, and more insights in how to operate in a crypto world? Check out our interview with Brandi Reynolds, CAMS-Audit, CCI, CCCE at Bates Group.
Content Manager at IDnow