The coming wave of new Anti-Money Laundering regulations will bring significant changes to the existing regimes. In this sponsored post John Karantzis, founder and CEO of iSignthis Ltd, explains the ‘recency’ effect on online KYC processes and how to prepare for the new rules.
The incoming wave of Anti-Money Laundering (AML) regulations has some significant impact on AML obligated merchant KYC processes. In the US, UK and Australia, regulatory regimes have allowed merchants to create a relatively frictionless onboarding process using historic database data matching.
As such, the use of historic data from data brokers has been a very popular solution for KYC in remote situations, such as online. Until now, the use of historic data has been an appropriate method of ‘identifying’ a customer to meet customer due diligence requirements. Historic data however, falls short in ‘verifying’ a customer under the 4th AML Directive (4AMLD), the CySec June 2016 Directive and the draft 2017 JMLSG, in that it very often cannot be shown to be ‘up-to-date’ and it is insufficient by itself to meet enhanced due diligence requirements.
The challenge with historic data is that it is often compiled as a batch or subject to an infrequent offline process; for example, around election time for updating electoral rolls. Furthermore, not everyone has a credit reference file, or a file that has recently been updated as a result of when a person is granted credit. The credit reference data is generally also third hand, with credit institutions, reporting to credit reference agencies, who on sell to data brokers, who in turn on sell to AML regulated merchants.
Additionally, there is no means for the AML regulated merchant to request an update of information from the source, as the data provision is unidirectional, and based on what “was”, not what “is”.
Historic vs Recent or Dynamic Data
The use of data as a means for electronic verification has been widespread across AML Sector businesses regulated in the UK, US and Australia. However, the reliability of historic data is increasingly coming into question. The ubiquity of social media, the increase in phishing and social engineering, as well as the sheer scale and impact of database breaches and hacks, has exposed to fraudsters personal data that was once secret, or at least non-public, personal data.
Despite a lot of this data becoming increasingly exposed to fraudsters, the inadequate regulation on data brokers and credit reference agencies regarding breach reporting and updating of personal data, has meant that AML sector merchants still continue to use hacked and/or outdated data as part of their customer KYC process.
To add to this, the credit reference agencies who compile this data have a very limited geographical reach, and declining match rates due to changing demographics, resulting in not only a dubious compliance approach due to breaches, but also a poor business case due to lack of coverage and match rates.
Dynamic data on the other hand, particularly bank data, spans 51% of the world, according to McKinsey. As more than half the world is financially included, or ‘banked’, this is a source of data which is able to be used to verify the customer’s present circumstances, and provides merchants with an ‘up-to-date’ KYC profile.
This use of bank data meets the intent of the incoming AML regulations, which also includes a requirement for enhanced due diligence (EDD) of customers where they are remotely on-boarded, unless risk can be shown to be low.
The iSignthis service is an example of the use of dynamic, real time payment data being incorporated into a KYC service in order to meet EDD requirements.
What does the introduction of ‘recency’ mean for merchants?
The 4AMLD has recently been updated to include ‘recency’ or ‘up-to-date’ data and information per Article 13 (1)(d), into its customer due diligence requirements for verifying persons seeking services from European Union (EU) AML regulated merchants.
For example, the Cypriot Securities regulator CySec, June 2016 Directive, Annex IV, paragraph c, states:
“Electronic databases provide access to information referred to both present and past situations showing that the person really exists and providing both positive information and negative information.
and
electronic databases include a wide range of sources with information from different time periods with real-time update and trigger alerts when important data alter.”
Similarly, Australia’s AML/CFT regulator, Austrac, has a requirement in its rules at
r4.10.2 (c) “how the data is kept up-to-date;”
The UK, the home and bastion of electronic verification, is also following suit, with the 2017 Draft UK JMLSG including:
5.3.39A “for example, in relation to data sources used, or recency of information”
5.3.37 “The information maintained should be kept up to date, and the organisation’s verification – or re-verification – of different aspects of it should not be older than an agreed set period.”
Further, the JMLSG requires that customer due diligence incorporating historic data style Electronic Verification be in conjunction with another, up to date verification, per s5.3.71. This includes dynamic payment verification, address verification, or bank login verification in the draft 2017 JMLSG.
The draft 2017 JMLSG also specifically allows for requesting the customer to confirm a ‘secret’, which may have been transmitted into a bank account. This is the approach that iSignthis favours, as it is real time, secure, and allows for convergence of payments and customer due diligence, speeding-up the process.
In short, data brokers and other KYC providers using static data will need to find ways to incorporate ‘recent’ and ‘dynamic’ data in order to stay compliant.
This post has been sponsored by iSingthis, content written and provided by iSingthis. PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting.
It has been drafted by John Karantzis, iSignthis Ltd CEO and Managing Director. John is the founder and Managing Director/CEO of Australian Securities Exchange listed iSignthis Ltd (ASX : ISX). John holds qualifications in engineering (University of Western Australia), law, and business (University of Melbourne), with a broad understanding of international regulatory regimes as they relate to payments, money laundering and identity. John has over 20 years’ experience across a number of sectors including payments, online media, AML, defence and secure communications. In particular, John’s experience includes application of technology to assist with remote enhanced due diligence, across a number of FATF legislative model jurisdictions. Areas of relevant expertise include the identity verification requirements for eIDAS, 3AMLD, 4AMLD, JMLSG and CySec. John has previously been Managing Director/CEO of Australian Securities Exchange publicly traded ReelTime Media Ltd (ASX : RMA) and Director/CEO of Data & Commerce Ltd (ASX : PNW).
iSignthis would be pleased to discuss our Paydentity™ services with either merchants or data brokers, who may be seeking a solution to the 4AMLD. For more information please contact sales@isignthis.com or head to www.isignthis.com.