Identity theft is on the rise. According to recent data, financial crime related to identity theft rose more than 300% between 2019 and 2020, and with more transactions than ever taking place online, malicious actors are constantly looking for new ways to compromise and capture user identities.
For instance, consider the uptick in "ghosting," which sees identity thieves targeting the identities of the recently deceased to reduce the risk of detection even as they carry out fraudulent transactions — criminals now compromise the identities of more than 2.5 million deceased individuals each year.
To help reduce the risk of fraudulent financial transactions, the Financial Industry Regulatory Authority (FINRA) introduced Rule 2090 — know your customer (KYC). This rule requires financial institutions to "know and retain" information pertaining to a customer's identity before carrying out actions such as creating accounts, transferring money, or making investments.
As a result, creating and implementing effective customer identity verification processes is now a top priority for organizations to both reduce the risk of fraud and ensure regulatory compliance. However, the complex and evolving nature of digital identity often makes this a moving target, in turn creating potential roadblocks that can limit the reliability of these solutions.
This piece will tackle six common KYC challenges and offer six actionable solutions for improved KYC outcomes. Let's go.
KYC: Past, Present, and Future
Before diving into challenges and solutions around KYC, it's worth breaking down the history and evolution of this framework.
The first version of KYC requirements was introduced in the early 1990s as a way to reduce the risk of money laundering. In the wake of increased geopolitical tensions and the attacks on U.S. soil on September 11th, 2001, more robust KYC processes were introduced under the Patriot Act. Now, FINRA Rule 2090 clearly defines the expectations around KYC compliance to help standardize the process across institutions.
It's also worth understanding the distinction between KYC and anti-money laundering (AML) regulations. Described under the Bank Secrecy Act (BSA) and further defined under the FINRA Rule 3310, AML obligations focus on reducing the risk that banks and other financial firms inadvertently facilitate the act of money laundering.
In practice, KYC is best thought of as a subset of the larger AML framework, containing the Financial Crimes Enforcement Network (FinCEN) customer due diligence (CDD) rule. Customer due diligence requires banks to assess the potential risk posed by customers themselves and their transaction requests.
Moving forward, businesses can expect KYC to focus on both specialization and automation that leverages digital resource availability to provide on-demand customer identification and evaluation. For example, consider the disparate KYC needs of a large, multinational bank versus an online gambling organization or a new cryptocurrency trading program. Specialized KYC solutions will allow companies to find best-fit options that offer precisely what they need — and nothing they don't.
Organizations should also anticipate the rise of automation across identity verification software solutions. Equipped with more robust machine learning (ML) and artificial intelligence (AI) tools, providers are now building KYC tools capable of removing most manual processes, in turn increasing accuracy and reducing overall risk.
Understanding the Customer Identity Verification Process
Companies must deploy a comprehensive customer identity verification process to achieve KYC compliance. But what does this look like in practice?
The goal of identity verification (IDV) is to ensure that customers are who they say they are — and that their risk to organizations is low. As a result, the first step in identity verification is determining what proof of identity your organization will accept and how this data will be verified.
KYC regulations require companies to collect — at a minimum — four pieces of data: name, date of birth, address, and identification number. How this data is collected is up to you. Some businesses choose to have customers attend in person with their documents or send notarized copies via registered mail.
However, more organizations are now turning to online identification verification systems that allow customers to submit digital documents, "selfies," and biometric data for digital approval.
Once this data is collected, companies must compare it to government document databases along with regularly updated resources such as politically exposed persons (PEP) lists and Financial Action Task Force (FATF) blacklists and greylists.
If identification can be confidently verified and risks are low or negligible, companies can then approve customers for actions such as opening new accounts or transactions such as sending money or making new investments. Risk assessments can also be shared across FIs to prevent fraudsters from being onboarded in the first place.
Finally, companies must ensure they can securely collect data without compromising customer privacy. For example, if data is being stored, this must be clearly and directly communicated to clients, and businesses must also create a plan for eventual data destruction.
6 Common KYC Challenges (And How to Solve Them)
While identity verification tools and technologies are becoming more common as the sheer volume of online transactions and the number of companies that conduct these transactions increases exponentially, challenges remain in effectively deploying KYC and IDV frameworks.
Here are six of the most common — and how to solve them.
Challenge 1: False Positives
False positives are some of the biggest challenges faced by companies trying to implement KYC. If IDV solutions flag substantive risks that prove incorrect on further inspection, organizations will inadvertently turn away prospective customers who did nothing wrong.
Even more worrisome? If false-positive frequency continues to increase, your organization may become known for these errors, in turn negatively impacting your reputation. These false positives can also cost your team time and money to identify and resolve.
Solving this challenge requires IDV solutions that leverage multiple data sources and databases to reduce the risk of false positives. It's also worth putting a "human in the loop" to regularly review false positive (and negative) data to ensure solutions aren't trending too far in one direction or the other. In a previous post, we’ve written about strategies for selecting the best identity verification software to support your organization’s needs.
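As an added illustration (not Unit21's code and not part of the original article), the Python below screens the four required KYC fields against a watchlist and uses date of birth as a second attribute, so a name collision alone does not turn a customer away. The 0.85 threshold, the decision labels, the use of difflib for name similarity, and the sample list entries are all assumptions constructed for this example.

```python
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

REQUIRED = ("name", "date_of_birth", "address", "id_number")  # KYC minimum fields
NAME_THRESHOLD = 0.85  # assumed cut-off; tune it against human-reviewed cases
SEVERITY = {"approve": 0, "review": 1, "escalate": 2}  # assumed decision labels

@dataclass(frozen=True)
class ListEntry:
    name: str
    date_of_birth: Optional[date]  # list entries often carry no date of birth
    source: str

# Constructed sample entries, not real PEP or sanctions data.
WATCHLIST = [
    ListEntry("Ivan Petrov", date(1961, 3, 14), "PEP"),
    ListEntry("Maria Gonzalez", None, "sanctions"),
]

def normalize(name):
    """Remove accents, case, commas and token order before comparing names."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(plain.lower().replace(",", " ").split()))

def screen(customer):
    """Return (decision, reasons) for one customer record (a dict)."""
    missing = [f for f in REQUIRED if not customer.get(f)]
    if missing:
        return "incomplete", ["missing " + f for f in missing]
    decision, reasons = "approve", []
    for entry in WATCHLIST:
        score = SequenceMatcher(None, normalize(customer["name"]),
                                normalize(entry.name)).ratio()
        if score < NAME_THRESHOLD:
            continue
        if entry.date_of_birth is None:
            outcome = "review"    # nothing to corroborate with: human in the loop
        elif entry.date_of_birth == customer["date_of_birth"]:
            outcome = "escalate"  # name and date of birth both agree
        else:
            outcome = "approve"   # name collision only: likely false positive
        reasons.append(f"{entry.source}: name score {score:.2f} -> {outcome}")
        decision = max(decision, outcome, key=SEVERITY.get)
    return decision, reasons
```

The recorded reasons give a reviewer the evidence behind each decision, which is what makes regular false-positive and false-negative review practical.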
Challenge 2: Limited Detail
Risk-based decision-making requires detail. And the greater the risk, the greater the detail required. For example, consider a customer looking to open a new, local bank account. Here, basic IDV processes may be sufficient — checks of PEPs lists aren't likely to offer any insight.
When it comes to a customer looking to make a substantial, international transaction to or from an area of the world where money-laundering rates are high, in-depth risk analysis is essential. The challenge? Many free or low-cost IDV solutions don't capture the depth of detail required to make compliance-driven decisions.
Here, the solution starts with provider evaluation. Before selecting and implementing an identity verification solution, ask potential providers how they collect data, what databases they use for comparison, and what risk matrices they leverage to assess results.
Challenge 3: Undetected Risks
PEP lists, blacklists, and greylists constantly evolve in response to political and social change. As a result, one ongoing challenge for KYC processes is undetected risks — if IDV solutions can't keep pace with changing conditions, the results can lead to increased risk.
Solving for undetected risks means building or buying a solution capable of automatically updating and consolidating data from multiple sources to ensure threats are accurately reported.
Challenge 4: Siloed Data
In much the same way that IT operations now affect all aspects of your business, customer identity verification and risk assessment also play a role in multiple decision-making processes. In this situation, siloed data presents a significant problem: If companies can't quickly share and compare data across departments, the results could be different risk decisions for the same customer based on various data sets, leading to increased confusion and complexity.
Visibility is the key to effective decision-making. As a result, companies need to prioritize tools capable of delivering digital identity portals that can be accessed based on permissions and authorization within the organization rather than department role.
Challenge 5: Manual Processes
Manual processes in KYC both limit the speed of results and introduce the risk of human error. Here, even minor oversights can lead to substantial risks — if manual data reviews miss red flags, non-compliant transactions could be approved, in turn leading to potential audits and investigations.
Automation is critical to provide the level of review necessary to ensure data sources are verified for quality, accuracy, and timeliness. Machine learning predictive scoring can be used to prioritize alerts for your fraud and AML team, helping you focus on what's most important.
Challenge 6: Poor Consumer Experience
While the goal of KYC compliance is to verify user identity, companies can't forget that these users are ultimately customers. As a result, processes that are too complex or cumbersome may result in customers reducing their total transaction volume or taking their business elsewhere.
In this instance, software that balances service and security is critical for success. Customers should be guided through the process of submitting their documents and notified ASAP when decisions are made. Most importantly, onboarding should be frictionless and simple for the customer, while still ensuring adequate security.
The Value of Continuous Process Improvement
Put simply? KYC and IDV aren't static frameworks. PEP lists, greylists, and blacklists are continually evolving, as are government regulations around acceptable ID documents, the type of data organizations are required to collect, and how this data must be stored and handled.
As a result, companies must prioritize regular process review and improvement: What's working? What isn't? What's on the horizon regarding KYC compliance and IDV expectations?
While it's impossible to anticipate every trend or account for every change in real-time, organizations can stay ahead of the compliance curve by creating a framework for continuous review and evaluation.
Ready to improve your customer identity verification process? Connect with Unit21 and see how we can help solve your KYC challenges.