Blockchain and KYC: Fighting Fraud and AML

[container section_title=’Container’ fullwidth=’no’ bgtransparency=’0′ top=’20’ bottom=’20’ innerbottomshadowsize=’0′ bordertop=’0′ borderbottom=’0′ collapse=’false’][column type=’12’][/column][/container]

Initiatives concerning BlockChain are numerous. Unlike BitCoin, Blockchain is not “scary”. This technology could even help payment players, banks and FinTech, to fight against fraud and the financing of terrorism, with an open and secure distributed architecture spirit. The purpose of this article is to explore the state of the art and the opportunities offered by the Blockchain in terms of securing contact, and therefore customer knowledge (KYC), and verification of digital identity, especially when entering into remote relationship.

What is the current problem of KYC?

The knowledge of the customer is a well-known problem of banks, Neobanks, regulated subjects such as Payment Institutions or Electronic Money. The cases are complex and numerous: to identify an individual as a customer when opening an account, to identify the beneficial owner of a company, to identify the corporate officers of a company, the managers of an association etc… On the one hand, the world is not 100% composed of honest people (identity fraud, financing of terrorism, tax evasion, theft of means of payment, money laundering, illegal activities), and on the other hand the behavior of fraudsters evolve with the time and the life of the man. A brutal event, a change of personal situation such as divorce or gambling debt, a bad meeting, can lead an honest person into his previous “payments” to switch into fraudulent behavior. AML experts (Anti Money-Laundering) know this human nature, and invest heavily and more and more in what is generically called “compliance”.

Beyond the understanding of these aspects related to “human nature”, are added three additional difficulties:

  • Speed: mobile payments in real time, online payment on the Internet, real-time payment on marketplaces, closing Uber’s door “without the impression of paying”, with debit card pre-registered bank, and soon the Instant Payment
  • The entry in remote relation: via SmartPhone or Internal, it is possible to open a bank account
  • A world “without borders”: at least it is possible to open an account very simply in Europe, or in some countries such as the US, without necessarily living there. The game of cat and mouse between police specialized in cyberattacks for example and fraudsters in the broad sense, is all the more complex: problems of cooperation between countries, problems simply languages between different actors, problems of responsiveness, taking advantage to the “dark side” of the force.

According to a recent Reuters study on KYC (2016), banks take up to 24 days to connect, with low use of electronic signatures and online contracts.

Can we do without KYC?

Let’s forget directly: the Wild West is only in film. Investments in “compliance” are recurrent and are becoming stronger around the world. As well as the associated budgets (average of 60 million dollars a year according to a recent Thomson Reuters study of 2016 carried out with 800 financial institutions), and the fines imposed by the control bodies.

Natural or legal persons who attempt to circumvent the KYC voluntarily are more than “normal” linked to money laundering or tax evasion activities, such as the BitCoin trading activity. As well as illegal activities in a country, or very “on the border” of the regulations in force in one country, while allowed for sale in another country. This is the case for example of certain specialized drugs or sports food supplements. The No.1 rule of the fraudster is to make up his identity, using two methods: the creation of identity documents (we call these fraudsters “artists” or “makeup artists”), or the usurpation of a real identity, by duplicating, copying, or stealing real documents.

The destination of the funds can also be deceived when the true holder of an IBAN. This technique is used for laundering via fund exfiltration companies often scattered in exotic countries, or in Europe to accounts of providers of prepaid bank cards accessible in supermarkets, or bar tobacco, or remote control on Internet.

We can say that a tiny percentage of fraudsters embarrass the honest people who sell second-hand goods between individuals on the Internet, or honest citizens who make home services or exchange services. Maybe, we will be right. But the digital evolution of the world, so fraudsters, makes it necessary that all the actors protect themselves to reduce this risk. And thus fluidify this constraint of KYC. To make it an asset .

In summary, the KYC is mandatory, but it is expensive for financial institutions and annoys users. The aim is to reduce the cost of KYC, and to simplify the implementation of its control without compromising on the quality of the checks carried out.

State of the art

Each financial institution performs its own tasks, sometimes duplicating the work already done by colleagues involved in the payment chains (payer banks, recipient banks, intermediaries, agents, electronic money distributors, partners who sometimes also need documents , websites or marketplaces, etc.).

Each financial institution in the chain of a payment (from the funds of the payer who is debited, use of the funds in an activity, destination of the funds towards the beneficiary or beneficiaries) begins his tasks of documentary verification (outsourcing to some companies), filtering, verification of politically exposed persons, search for beneficial owners, without worrying about any “transitivity”, except for some exceptions in certain countries, for example in Holland. Not that there is no trust between banks, but there is an obligation to perform due diligence and to prove his work of connection through a collection of searchable documents as evidence of the work properly performed. The different financial institutions (banks, payment institutions, electronic money institutions) perform a set of tasks for the same natural or legal person, some of which are similar. There is (yet) no central verification point that holds a “truth” at any given time, concerning a physical person.

A focus on the identity of a natural person (passport, national identity card, driver’s license very much used as an identity document in the US and UK) allows us to note, for example, that there is no central point of digital identity in Turkey. Some European expert corporations have the merit of existing in France: the factor comes to verify the identity of a natural person for free at home, and asks for a piece of identity to establish a visual control. In Holland, the IDIN interbank identity centralization service allows a user to streamline their relationship by trusting the KYC performed in one of its banks. The IDIN logo used is that of instant transfer payment, which is widely used in Holland, and has replaced online credit card payment (IDEAL).

Regarding the filtering AML/CFT: the data of persons under sanction asking for an immediate freeze are public: unique list of freezes of the financial units of countries, public Microsoft Excel format, directly exploitable XML, or PDF, HTML, CSV, etc. Europe consolidates these lists here with the European Commission Financial Sanctions File “FSF”. To consult such public files is interesting: one finds there names, first name, date of birth or approximate date, nationality, reason of the freezes, and sometimes even the number of passport. While data concerning politically exposed persons (PEP) are not systematically recorded (open data initiatives of some governments, concerning certain data). Companies are specialized in maintaining and consolidating the bases of politically exposed people, such as Accuity, or Comply Advantage. Consolidation is simple for public sanction lists. The difficulty comes in the algorithms of detection (exact matching, phonetic matching), the time of screening of the stock every day, the real time for the filtering at the entry in relation, and the treatment of the false positives, numerous for example for the Hispanic names (3 names against 1 in France). The banks do this work in a few days, depending on the difficulty. FinTech like Lemon Way for example, realize it in real time, with algorithms fruit of 12 years of experience in the complex processing of data.

Regarding corporate officers, depending on the country, they are found directly or indirectly in the “identity cards” of companies, which is called for example K-Bis in France ( Infogreffe, ).There are disparities in Europe: for example, eCommerce websites are featured on Dutch “K-Bis”, which are more direct and transparent than French ones. While collecting different papers at Companies House UK to get an idea of the activity of a company, its capital, its shareholders, and difficult to go back to the “Ultimate Beneficiary” with the Memorandum of Association. Sometimes it’s a real treasure hunt, organized by companies not quoted on the stock exchange who have an interest. Concerning the viability of a company, and therefore sometimes the risk of entering into a relationship with a fragile or doubtful company.

Beneficial owners are individuals who are more difficult to identify for associations, large companies, or complex-assembly companies with several overlaps in holding companies, subsidiaries, and holdings in different countries.

Let us remember that there is a difference between the technical validation of an identity document or other document of proof of residence or IBAN or bank statement by a software, and the series of diligences KYC leading to the opening of an account payment or bank account (KYC, risk assessment, AML/CFT filtering, access to means of payment via API for example, selection of the main currency, type of account, extensive knowledge of the client concerning the origin of the funds when certain thresholds are exceeded, etc.)

SWIFT has created an “open” KYC register for its members, based on the declarative, standardized, especially with the exposure of a country risk institution, with a little more than 1 million KYC. This register is not suitable for marketplaces, natural persons, companies not specialized in payment.

What would be the most effective and simple solution?

The simple solution to reduce identity fraud would be a digital identity service offered by Europe, or a European certification of trusted companies in digital identity.

To solve the problem of all the tasks that contribute to the connection, and not just the problem of remote identity control, a distributed solution with revenue sharing and time stamping would make sense. With security of data exchange, without any actor being able to clear itself of any failure of a third party to a control. In other words, each financial institution remains solely responsible for the relationship and the knowledge of the client.

At the same time, Europe is demanding that taxable persons in the Electronic Money Settlement and Payment Institutions be given the right to access account information with a “single customer” area. This will allow at least within the same financial institution, to have to perform only once its entry course in relation to documentary evidence (KYC).

How can Blockchain help?

The Blockchain is “simply” a technology if the actors are working on a closed environment: we could use this technology like any other perhaps less relevant, and we would talk much less about it. This is the private Blockchain . The power of Blockchain comes when it opens up to a consortium (central banks and banks for example, API in FinTech, fight against fraud with a limited set of actors co-opted by N actors in the chain at least) or that it is made public (we speak of Ledger or Smart Contract ), on all or part of the functionalities.

By popularizing and returning to the use of Blockchain and KYC, we can say that all or part of an authenticated knowledge of a counterparty (identity document number 1, identity document number 2, proof of address, bank statement, IBAN, IP address, couple name / first name / Email, person identified as politically exposed or not on a declarative basis, company updating its information on its own initiative) is registered on a Blockchain, by nature tamper-proof and auditable. It can be a part of the customer knowledge (only a verified passport for example) and a type: verification done remotely, or face-to-face, or via a facial recognition video application.

Actors participating in the KYC Blockchain could share the “actions” performed on KYC process parts or complete connections. Knowledge is not centralized: it is distributed. The “pieces of knowledge distributed”, reconstitute the complete KYC.

Operation can only, in my opinion, gain mutual support and trust if the links in the chain are regulated and regulated professionals. The cooptation of links must be done by checking the purity of each link, so as not to bring a weak link that would perform diligences too quickly. It is technically possible to provide a level of trust in the information: declarative, controlled face-to-face, document validated because corroborated by N different actors of the BlockChain, etc. Bringing N to 3 or 4 maximizes the credibility of the information.

The Corda blockchain of the R3 interbank consortium, from the United States, offers interesting Alpha version tests. A 2.4-hour online video course is taking its first steps: We expect a similar initiative in Europe, and regulated.

The GDPR provides a regulatory context on which innovations must be based: what information can be shared within a Blockchain? How to remove personal information from the Blockchain if they are shared by different financial institutions? Can the notions of fraud be shared, or only the digital identity data?

ESMA has published an interesting Discussion Paper on DLT: Distributed Ledger Technology Applied to Securities Markets. Trunomi secures digital identity data with the BlockChain. Innopay develops the logic of partnership between banks around the digital identity, in Holland. Lemon Way reduces the average time to contact less than 30 minutes, and offers within its payment API set a ” KYC as a Service  ” API  that allows the transmission of documents and the monitoring of validation of each document, the complements to be made, then the opening of the account, with an efficient and industrial human control. The next steps are the implementation of the single customer area, then the study of the Blockchain with Smart Contract distributed logic (computer protocols that facilitate, verify and reinforce the predefined clauses by rules or conditions) and a cooperative model. Bank and Payment Institutions; within a technical framework using Blockchain.

There are banks and startups specializing in Blockchain algorithms -but we regret that we do not find a single regulated Fintech like Settlement Institution or Electronic Money. A next challenge for the Finance Innovation cluster? The sharing of the bank treasury KYC is an issue in the creation of an enlarged consortium. Enlargement refers to the bank mix and FinTech, and enlargement to the 29 EEA countries since the payment business is European if not global.

The Blockchain is exciting, including its technological contributions in the coming years in the payment industry (KYC, securing technical payment flows and bank flows, interbank flows, money transfer, fight against fraud), and the regulatory and cooperative issues it poses.

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir