Potholes Encountered on Recent KYC and AML Journeys

By Rupert D.E. Brown, CTO Evidology Systems

Continuing attempts to improve Know Your Customer (KYC) processes and Anti Money Laundering (AML) controls would appear to be very fragmented and not done in collaboration with businesses and the representatives which must operate within them.

Target Organisations

Established UK High Street banks and their more recent “challenger” new entrants to the market seem to have focussed their efforts solely on creating new “sole trader” accounts. These accounts often promise a quick account onboarding process that can be completed solely on a mobile phone.

These new systems are almost fully segmented from their established customer base, especially small family businesses and not-for-profit organisations that may span several generations and have directors and authorised signatories dispersed throughout the UK.

Behind the scenes, some of the Big 4 High Street banks have been replacing their CRM systems as well as reviewing the commercial value of their business account base. To achieve this, they have made the decision to force their customers to completely re-enter their business details, including director and shareholding information that is electronically available from Companies House. A number of small businesses have gone through this process only to find that, once cut over to the new CRM system, statement addresses became completely garbled after decades without issue. This poor data quality has been reported to the FCA on many occasions, but it has yet to take enforcement action.

Companies House

Whilst Companies House has provided API access to its Director, Shareholding and Annual Return information for some time, it admitted in a Freedom of Information request earlier this year that it kept no records of which organisations were using its service or the growth/volume of usage. Small businesses who have complained to the High Street banks about problems with repapering and inconsistent use of Companies House data have received admissions from bank staff that their current usage of Companies House data is largely manual and sporadic.

Identity and Technology

Banks and Governments have placed significant faith in AI and Encryption technologies, particularly hoping that they will deliver much more concrete identity verification. But who can be a definitive owner of identity — commerce or the state? The new generation of KYC systems mentioned earlier have significant teething problems — users cannot be confident when they upload a passport scan from their mobile phone only to be told the file is too big, an occurrence which has happened to this author on more than one occasion. Disabled customers with mild cerebral palsy or early stages of Parkinson’s disease have significant problems keeping a mobile phone steady whilst a “live” camera picture is compared with a scanned ID photo.

Two factor authentication is inconsistently designed, implemented, and deployed by banks — many people these days have multiple mobile phones or replace them regularly due to damage or market/tariff churn. At least one UK high street bank has a synthetic password hash generator tied to a single device which entails a significant reinstallation process when the phone or SIM is changed. Another gives away a dedicated PIN generator device that is tied to a specific user with a sealed battery — what use is this if a business has multiple branches or the battery runs out ?

Longevity and Obsolescence

The Covid pandemic has been a significant catalyst for reducing cash transactions in all areas of UK society. It is now possible to buy a contactless payment terminal with a merchant contract for less that £20. However, the recent shutting down of the 3G mobile signal by most of the UK telecoms providers has rendered many of these devices and utility smart meters obsolete. How long should we expect the next generation of KYC and AML services based on mobile devices to last and what contractual obligations are in place to maintain them?

Mobile and Wireless Ubiquity.

As we enter the first full summer of outdoor events and festivals after the pandemic, the need for reliable contactless payments is still a challenge, especially for smaller organisations that rent venues and must rely on the availability of sufficient WIFI or mobile signal to enable electronic transactions. If we are really to achieve a cashless society, there needs to be both a measurable standard and certified/accredited testing regime to facilitate this.

In summary

KYC and AML proponents continue to place significant faith in technology, especially in a world of a highly mobile consumers and “always on” connected devices. However, in reality technology is the easy (and cheap) part of the KYC and AML journey — thorough service design, testing, operational resilience and rigour, coupled with proactive customer service, continue to need significant work.