Has the UK’s light-touch approach to KYC nurtured an environment of world-leading fraud?

It’s time we had a serious discussion about the risk-based system… 

A fraud epidemic is sweeping the UK. 

Criminals bilked UK victims of a record £1.3 billion in 2021, according to new figures by top industry lobby group UK Finance. The numbers were so bad that publication of the report was delayed for banks to consider their response. 

Approximately 91% of identity fraud cases reported to UK authorities in 2021 were carried out online. Although anyone can fall victim to online fraud, tackling it is not a priority for law enforcement, according to the government. Instead, firms are being asked to do more to protect their customers and themselves or run the risk of heavy fines or even criminal sanctions for non-compliance. 

The year of 2020 saw a record-breaking £9.2 billion in penalties for KYC and customer identification failures, which triggered a demand for outsourced services and better technology, with automation of key onboarding processes deemed as particularly vital.   

Digitization has revolutionized the finance landscape and left manual ID verification processes firmly in the past; customers no longer want to wait days or weeks for their accounts to be approved, and they want to be able to do all this through their phones. 

Speaking to IDnow on condition of anonymity, the Head of Operational Risk at a mid-tier UK investment bank said: “I believe, and I am not alone, there are significant problems, weaknesses with how external auditors check over all applications manually. It’s just too time-consuming, expensive and prone to errors. We are looking at how we can automate more and it’s the same issue whoever you ask up and down the street.” 

Lost in the wash 

The advanced payments infrastructure, almost zero policing of fraud-related crime, and use of the world’s most widely used business language, has made Britain the global incubator for scams

Money launderers exploit the poor standard of identification checks, the weaknesses in manual processes and physical documentation requirements to slip through the net.  

Just two years ago, Commerzbank’s London branch was fined more than £37 million for a series of compliance failings, including outdated customer onboarding processes. The bank allowed a queue of 2,350 accounts awaiting background checks to build up, but some were able to trade freely, in clear contravention of the Financial Conduct Authority (FCA) rules.  

Despite the near-constant updates to anti-money laundering and counter-terrorist financing (AML/CTF) laws, knowing exactly who their clients are appears a problem for many UK financial services firms. 

The risk-based approach to Know Your Customer (KYC) processes favored by the UK, but eschewed in most other developed nations, is gatekeeper to an environment where fraud continues to run rampant.  

In the Western world, it is almost impossible to find a major, global bank that has not been sanctioned for AML or other financial crime failings in recent years.

Now that AML-related concerns and failings have resulted in many large banks being sanctioned, regulators are beginning to pay increased attention to other areas of financial services.

Malin Nilsson, Managing Director, Financial Services Compliance and Regulation at Kroll

For example, regulators have started to implement guidance for digital identity verification, such as in the EU’s 5th Anti-Money Laundering Directive released in 2020. In it, it states that an obliged entity must identify the customer, either through traditional documentary evidence or information obtained from a reliable and independent source, including electronic identification means. Those electronic identification methods must comply with Regulation (EU) No. 910/2014, which sets out criteria for identity verification services. 

Outdated processes 

Before assessing the risks associated with a customer in relation to money laundering or financing of terrorism, financial institutions must first verify the individual’s identity. This is done via the KYC process, which involves scrutiny of government-issued identification documents, such as a passport or driver’s licence, or other means, such as utility bills or bank statements to ensure the customer or client is who they say they are, and to prevent illicit activities. 

What that process looks like differs around the world (which creates complications of its own), but there are a set of general guidelines overseen by a global group of regulators from various jurisdictions sitting as the Financial Action Task Force (FATF).  

The UK’s interpretation of these rules requires firms to take a risk-based approach, which means assessing the specific threats the business is exposed to, such as banking vulnerable or politically exposed individuals.  

The current rules and regulations were originally created to address the risks and controls associated with retail banking, which has unintentionally created regulatory barriers and AML complications for non-banks like PayPal, alongside other fintechs, and sectors like online gambling and crypto trading companies. A “low risk” for a bank may be a “high risk” for another sector. 

As legislation around anti-money laundering and risk-based-approaches was largely written in the pre-digital era, access to the data that helps firms calculate risk was limited. Ironically, there is now almost too much data to handle, with many organizations struggling to take advantage of the insights and technology available to them. 

A Thomson Reuters investigation into KYC challenges impacting financial institutions and their corporate clients found rising onboarding costs, lengthy onboarding times and sub-par ongoing maintenance of client records.  

Costs are spiralling, with resourcing and the need to hire more staff a major concern. It still takes too long to onboard customers, and the time taken to refresh client data is torturous.  

Multinationals face further complications dealing with the UK’s risk-based approach, which allows more time to make decisions on threats and has no international standards to follow. As regulations can be interpreted differently, banks also often request inconsistent things from their clients, which results in inefficient operations of their own.  

One of the most common issues that IDnow hears from financial leaders responsible for supervising KYC and AML compliance within their organizations is the disconnect between their work and the business functions of the institution.  

Making sense of the exponential amount of data and documentation required for KYC and AML checking can be tough and, due to complicated and inefficient processes, can halt processes such as onboarding. 

Watchdogs like the FCA say cryptocurrencies and crypto assets are only magnifying the fraud problem, despite the growing sector working hard to shake off its reputation as a haven for bad actors. 

New school thinking 

Ironically, the answer to avoiding ever-tougher controls, circumventing inflexible processes, and improving both standards and efficiencies in the KYC process may come from an unlikely source: the world of crypto.  

Virtual asset service providers (VASPs) must also keep detailed records of beneficiaries, complete further enhanced due diligence of politically exposed persons (PEPs) and appoint an individual to oversee compliance and regulatory issues in the wider financial space. 

KYC is one of the biggest roadblocks that cryptocurrency firms face, especially given the nature of digital tokens to protect or shield the identity of the owner.  

Cryptocurrency firms have an opportunity to give regulators and customers confidence, outshine competition and demonstrate credibility by implementing industry-leading compliance practices.

Ben Luddington, Director at PwC UK. 

Unburdened by years of legacy system upgrades, bolt-ons and software changes, alternative finance companies have automated large swathes of the KYC process and built systems that can process a much wider source of data. This has created faster, safer and more robust paths to verification than in place at traditional banks and financial institutions.  

Configurability is essential to addressing the challenges faced by firms operating in multiple jurisdictions, but rigid technology stacks at many financial organizations jam up KYC compliance workflows. Indeed, every bank, insurance, accounting and law firms will likely have dusty rooms full of photocopied identity documents clogging up the filing archives of the business. 

Challenger finance apps and crypto exchanges have also advanced the integration of Multi-Factor Authentication systems based on SCA (Strong Customer Authentication), Liveness checks, and other forms of biometric-based authentication. These types of identity verification processes, which sometimes require little more than a selfie and a PDF of a household bill, dramatically improve the customer’s onboarding experience. 

How intelligent technology enhances the KYC process 

Document verification determines if something is genuine or fake through a series of checks, but the quality of the process varies wildly. Field-to-field consistency, data validations and font anomaly detection, among others, are popular, but where smaller, nimbler services beat the larger incumbents is by combining the identity verification document check with biometrics.  

These platforms have also made good use of electronic signatures to communicate with their customers, further allowing them to promote additional financial products and services. 

The smartest solutions have AI-based face and emotion recognition capabilities, or the ability to scan the internet for negative sentiment, making KYC procedures more cost-effective, accurate and customer-friendly. 

All firms must turn to technology to bolster KYC frameworks and accelerate the detection and mitigation of financial crime, Luddington said. This may be a build vs buy decision. 

“Deciding which processes will benefit from what technology requires considerable and careful thinking, but this will bear fruit in the long run,” he said. “We’re already seeing the FCA using analytics to innovate its regulatory approach and recognizing the importance of technology in driving financial crime compliance.” 

Risk management has become more challenging over time as regulations tighten, and financial institutions have faced larger fines where compliance programs have failed. 

Banks have long struggled to balance fraud prevention and customer service, and existing paper-based and risk-based processes are simply ill-suited to the demands of modern finance, while advanced, intelligent identity proofing developments are proving critical. 

“It’s more important than ever for financial services firms, particularly those in the UK, to understand the benefits of automation and apply them to the KYC process in order to truly manage fraud.

Regulators should do more to create robust identity verification guidelines and set expectations that firms leverage better technology in order to stop the unwanted headlines about bank fraud. 

Rayissa Armata, Head of Regulatory Affairs at IDnow

For more information about how automated KYC solutions can enable organizations to offer a safer, more secure, and more efficient verification process, check out our ‘What is KYC’ page

By

Has the UK’s light-touch approach to KYC nurtured an environment of world-leading fraud? 1

Jody Houton
Content Manager at IDnow
Connect with Jody on LinkedIn

Questions?

Let's talk!
Play