Claus Christensen at Know Your Customer Ltd identifies four e-KYC models in use across the world, but says that harmonisation and consolidation of these schemes is likely.
As FinTech innovation and virtual banking continue to gain global traction, customers’ expectations of fully digital experiences have expanded to every corner of the financial services realm. To reflect this shift, over the past few years regulators have been gradually introducing e-KYC guidelines that allow financial institutions to perform KYC checks and approve customer applications electronically.
Now, the current Covid-19 pandemic is proving a further catalyst. On 1 April, the FATF (Financial Action Task Force) issued an official statement encouraging “the use of technology, including Fintech, Regtech and Suptech to the fullest extent possible” in light of social distancing measures, including for digital customer onboarding.
On a national level, many regulators have already issued revised guidance on remote customer verification to help financial institutions ensure business continuity and compliant client onboarding during lockdowns. For instance, New Zealand reporting entities are being directed to accept scanned copies of documents instead of originals and to perform electronic verification so as to avoid face-to-face contact with customers.
Similarly, SEBI (Securities and Exchange Board of India) is now allowing foreign portfolio investors to provide scanned versions of the required documents upon registration, while the Philippine central bank has temporarily lifted the requirement for the presentation of a valid ID card during client onboarding (however this only applies to small transactions).
Earlier in the year, the Bangladesh Financial Intelligence Unit (BFIU) released new guidance instructing financial institutions to follow a risk-based approach to e-KYC. Depending on the risk associated with the customer, either simplified or regular e-KYC procedures should be followed. Regular e-KYC requires more information-gathering steps, but both procedures must adhere to one of two biometric-based models, using either fingerprint-matching or face-matching technology.
In a sense, the Bangladeshi rules build on regimes from other jurisdictions to introduce an additional level of specificity regarding the type of RegTech that should be used.
Looking at the commonalities and differences between existing e-KYC schemes around the world, it is possible to trace most of them back to a limited number of models. As is often the case, these models should be seen as sitting on a spectrum rather than representing defined, iron-clad categories. For the sake of clarity, however, it is useful to group them into the following four models.
Identity Authentication & Matching: The Hong Kong model
Early e-KYC regulations tend to have in common a somewhat vaguer approach to their requirements. Instead of mandating specific technologies or processes, they provided general guidance and left the regulator to assess, and approve or reject, the specific procedures proposed by financial institutions on an ad hoc basis.
In this sense, Hong Kong is an interesting example. Hong Kong’s Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) – first published in 2011 – is the city’s principal piece of legislation covering customer due diligence and record-keeping requirements. It includes special requirements for when customers are not physically present for identification purposes, but maintains a somewhat high-level approach.
In February 2019 the HKMA (Hong Kong Monetary Authority) released an updated circular on “remote on-boarding of individual customers”. The new guidance does not provide a specific checklist of actions to follow, but states that technology adopted for remote onboarding purposes should cover both identity authentication/verification and identity matching (e.g. facial recognition, liveness detection).
Variations of this Hong Kong model include Malaysia and the overall European Union guidance. In December 2019, BNM (Bank Negara Malaysia) issued draft requirements for financial institutions looking to implement e-KYC, including the use of biometric technology, fraud detection and liveness detection.
The upside of this flexible model – which relies on identity documents plus liveness detection, without prescribing a particular vendor or procedure – is that it produces a broad ecosystem of different solutions, so no single bypass technique (for example, a presentation attack that defeats one vendor’s liveness check) can be expected to work across the whole financial system. The downside is the uncertainty that relatively vague requirements cause for compliance teams that want to adopt innovative new technologies but cannot be sure in advance that the regulator will accept them.
Video Verification: The German model
Another – somewhat more traditional – way to prevent fraudulent impersonation during the e-KYC process is to replace in-person meetings with two-way video calls.
One of the first jurisdictions to adopt a video verification approach was Germany. BaFin, the German regulator, responded to demands for more convenient onboarding processes with a 2014 circular that was updated in 2017. For the first time, it enabled customer identification and verification via a live two-way video link with a compliance professional.
Other notable examples include the RBI (Reserve Bank of India), which in January 2020 announced that it would allow video-based KYC as an option for establishing a customer’s identity. In India, the financial industry has long sought permission to perform video KYC to address the high costs of physically reaching customers in remote locations. Similarly, in 2018 the MAS (Monetary Authority of Singapore) stated explicitly that real-time video conferencing used for identity verification must be “comparable to face-to-face communication”.
Video verification has the advantage of preventing some forms of identity theft, and it is readily understood by regulators and financial institutions alike as simply a digital version of traditional face-to-face onboarding. But it places a heavy burden on the team handling the flow of incoming video calls, and it offers no scalability advantage over traditional in-person onboarding, since every verification still requires a trained person on the other end of the call.
Digital ID Schemes: The Swedish and Indian models
Arguably one of the more radical approaches to e-KYC involves the creation of either federated digital IDs or centralised KYC utilities. This model requires a trustworthy official source of identity information – often, but not always, provided by the government – that financial institutions can refer to when checking the identity of a prospective customer.
India, with its Aadhaar e-KYC system, was one of the pioneers of the centralised variety of this model. Launched in 2009 and widely seen as the global eID archetype, Aadhaar now counts more than 1.21 billion enrolled individuals. Put simply, Aadhaar is an individual identification number issued by the Unique Identification Authority of India (UIDAI) for the purpose of establishing the unique identity of every enrolled individual.
Unfortunately, a centralised scheme concentrates risk: the central store is a single high-value target, and a breach or an implementation fault affects every relying party at once. Aadhaar illustrates this. Media investigations have repeatedly reported unauthorised access to Aadhaar data, and in September 2018 the Supreme Court of India barred private companies from using Aadhaar-based authentication, halting non-governmental use of the system for customer verification.
In Singapore, the government introduced a digital personal data platform known as MyInfo in May 2016 to streamline identity verification during online transactions. Since its introduction, the MAS has not required financial institutions that have been given access to a customer’s MyInfo data to obtain additional documents to verify the customer’s identity. Singapore has been more successful in protecting MyInfo user data because the platform releases a user’s data to a relying party for a specific transaction, with the user’s consent, rather than replicating that data across many holders.
Sweden presents an interesting example of the other variety of digital ID scheme: a federated digital ID first introduced by banks, whose eIDs are now also accepted as a form of identification by government authorities. A group of large Swedish banks – including Danske Bank, Länsförsäkringar Bank and Swedbank – introduced the BankID system in 2003. It is estimated that 80% of Sweden’s population now use it regularly. In this scheme the identity data resides with the user’s own bank rather than in a central repository, so there is no single store for an attacker to target, and a flaw in one bank’s implementation does not expose every user in the system.
Enhanced vs Simplified Due Diligence: The UK model
While most KYC schemes and AML requirements take a risk-based approach (prescribing different levels of scrutiny based on the potential risk associated with a prospective customer), the UK regime goes a step further by tying the level of due diligence explicitly to the customer’s risk category.
The Joint Money Laundering Steering Group (JMLSG) is the body tasked with producing guidance to assist financial services providers with their obligations in terms of UK AML/CTF legislation.
Under the current JMLSG guidance, low-risk customers are eligible for simplified due diligence (SDD). Under SDD, financial institutions can verify a customer’s identity by collecting only name, date of birth and residential address, and verifying that information against official or otherwise trustworthy sources (e.g. the electoral register, court judgments, credit reference data).
Under the JMLSG rules, the verification criterion is known as 2+2, because it requires a financial institution to match two data points supplied by the customer against two data points held by a trustworthy source: for example, the person’s name plus their date of birth, or the name plus their address. With its simplified versus enhanced due diligence, the UK model may well have been a key source of inspiration for the Bangladeshi regulator when preparing its newly introduced e-KYC requirements.
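To make the 2+2 criterion concrete, here is an added example of how an onboarding system might implement it; it is not code from this article or from Know Your Customer Ltd. The check passes when at least one trustworthy source corroborates the applicant’s name plus one further data point (date of birth or address), after normalising case, accents, punctuation and date formats so that superficial differences between the customer’s input and the source record do not cause false rejections. The source names (electoral_register, credit_file, court_judgments), the applicant details and the records are all constructed for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Applicant:
    """Data points supplied by the prospective customer."""
    name: str
    dob: str
    address: str


@dataclass
class SourceRecord:
    """A record returned by a trustworthy source (source names are constructed)."""
    source: str
    name: str
    dob: Optional[str] = None
    address: Optional[str] = None


def norm_text(value: str) -> str:
    """Case-fold, strip accents and apostrophes, turn punctuation into spaces, collapse spaces."""
    value = unicodedata.normalize("NFKD", value)
    value = "".join(ch for ch in value if not unicodedata.combining(ch))
    value = re.sub(r"['\u2019]", "", value)          # O'Brien and OBrien compare equal
    value = re.sub(r"[^a-z0-9]+", " ", value.lower())
    return " ".join(value.split())


def norm_dob(value: str) -> Optional[str]:
    """Canonicalise a date of birth to ISO form; None if it cannot be parsed."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y", "%d.%m.%Y"):
        try:
            return datetime.strptime(value.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return None


def match_points(app: Applicant, rec: SourceRecord) -> Set[str]:
    """Return the data points on which one source record corroborates the applicant."""
    points: Set[str] = set()
    if norm_text(app.name) == norm_text(rec.name):
        points.add("name")
    app_dob = norm_dob(app.dob)
    if rec.dob is not None and app_dob is not None and app_dob == norm_dob(rec.dob):
        points.add("dob")
    if rec.address is not None and norm_text(app.address) == norm_text(rec.address):
        points.add("address")
    return points


def two_plus_two(app: Applicant, records: List[SourceRecord]) -> Tuple[bool, Dict[str, List[str]]]:
    """2+2 check: pass if at least one source corroborates the name plus one further
    data point (dob or address). Returns (passed, matched data points per source),
    so the evidence can be written to the customer file for audit."""
    evidence: Dict[str, List[str]] = {}
    for rec in records:
        pts = match_points(app, rec)
        if "name" in pts and len(pts) >= 2:
            evidence[rec.source] = sorted(pts)
    return bool(evidence), evidence


# Constructed sample data: one applicant and three source lookups.
SAMPLE_APPLICANT = Applicant(
    name="Jane  O'Brien",
    dob="03/07/1985",
    address="12 High Street, Leeds, LS1 4AB",
)
SAMPLE_RECORDS = [
    SourceRecord("electoral_register", "JANE OBRIEN", address="12, HIGH STREET, LEEDS LS1 4AB"),
    SourceRecord("credit_file", "Jane O'Brien", dob="1985-07-03"),
    SourceRecord("court_judgments", "John Smith", dob="1985-07-03"),  # same dob, different person
]

if __name__ == "__main__":
    passed, evidence = two_plus_two(SAMPLE_APPLICANT, SAMPLE_RECORDS)
    print("passed:", passed)
    for source, pts in evidence.items():
        print(f"  {source}: {', '.join(pts)}")
```

Two caveats a practitioner should keep in mind. The normalisation here is deliberately simple (exact comparison after cleaning); a production system would use proper address parsing and bounded fuzzy matching, and would log which normalisations were applied. More importantly, 2+2 is only as strong as the sources: a data point that merely coincides (the court record above shares the date of birth but not the name) is not counted, and an attacker who can seed a “trustworthy” source with fabricated data defeats the check entirely, which is why the choice of sources matters more than the matching logic.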
Interestingly, in the time that separates the codification of the first e-KYC regulations from their more recent counterparts, regulators’ understanding of RegTech, and their willingness to adopt it on a large scale, appear to have increased vastly. Familiarity with functionalities such as facial comparison, AI-powered ID verification and liveness detection has grown, and, as a result, references to such innovations are being explicitly included in regulations around the world.
Of all the analysed models, the ones that I anticipate will represent the most popular standards are the ones adopted in Hong Kong (identity authentication/matching) and Singapore (digital ID). By embracing cutting-edge RegTech solutions, the Hong Kong regulator demonstrated in practice its commitment to innovation without mandating overly restrictive limitations on what software to use or precise procedures to follow.
At the same time, digital ID schemes have proved incredibly useful to standardise customer identification for financial institutions, cutting costs and simplifying internal processes to a high degree. Although the introduction of digital ID schemes powered by new technologies (e.g. blockchain) might still take some time, the success of programmes using more traditional technology should not be undervalued.
As more countries introduce new guidelines on the use of technology to facilitate KYC and AML compliance, it is not unreasonable to expect a further harmonisation and consolidation of e-KYC schemes around a smaller number of models. At the same time, we expect even greater effort from regulators to promote RegTech adoption and strengthen AML risk prevention.
Especially at a regional level, where cross-border business relationships are more frequently established, it is in the best interest of all stakeholders involved – including customers, regulators and financial institutions – to create a gold-standard e-KYC framework powered by RegTech innovation.
Claus Christensen is CEO at Know Your Customer Ltd.