Financial institutions play a key role in the fight against money laundering and terrorist financing. As such, the Wwft (implementing the EU’s AML Directive) requires banks to know their customers (KYC), which holds for existing as well as new clients. Hence, at the start of a relationship a so-called initial customer due diligence (CDD) is carried out, whereas for existing customers the client’s behavior is continuously monitored. While the benefits to society speak for themselves, it does take a heavy toll on the banks’ operational expenses. Indeed, the CDD process is labor intensive as it involves the exchange and interpretation of multiple sources of non-standardized information. This blog discusses the potential offered by the European Payment Service Directive (PSD II) to partially automate this process.
Know your customer (KYC)
In essence, KYC means that banks understand with whom they are about to engage or maintain a business relationship. For example, banks should know whether or not they are dealing with a politically exposed party (PEP), whether the client has criminal ties, etc.
Sourcing high-quality KYC information has historically been a tedious, difficult and unreliable task.
Even so, financial institutions around the world have been required to do this for the last few decades. Not only is this required by law; lending money to or servicing clients involved in illegal activities can also be extremely damaging to the bank’s reputation.
KYC involves documenting and keeping relevant records on all clients, including their business type, the nature and size of their transactions, as well as the source of their funds and the reason for the existing business relationship.
There are four primary objectives when gathering KYC information, using a risk-based approach:
While there are various free sources of information, such as search engines or public databases, finding exactly what you need from this vast range of resources is incredibly time-consuming. This simply isn’t a feasible long-term approach for any business that values and/or requires speed, efficiency and scalability. Furthermore, verifying the validity of information found on the web can be non-trivial.
Fortunately, the development of open banking allows financial institutions to complement these existing sources with a standardized and highly trustworthy kind of data, namely a client’s payment data.
Open Banking (PSD2)
PSD2 is an EU Directive that regulates payment services and facilitates, among other things, the adoption of open banking within the EU. It was introduced in the Netherlands in February 2019. One of the things it does is oblige banks to give firms access to your payment data, provided you have given your consent.
In practice this means that with an account holder’s consent, a third party may retrieve transaction data across the various bank accounts of this person up to two years back in time. Technically this process is very straightforward and highly efficient (using APIs of the banks involved).
The use cases for transaction data are manifold. For example, it has led to the introduction of various mobile apps that can help people organize their own finances, from budgeting to getting control over all their paid subscriptions. However, we foresee that the biggest beneficiaries of PSD2 will be the banks themselves: all of a sudden banks are able to access and gain insights based on a client’s full transaction data, that is, including the transactions serviced by other financial institutions. Not least, it can prove extremely useful in obtaining high-quality KYC information for new clients.
Over the past years, we have developed the RiskQuest Navigator: a cloud-based tool to analyze transaction data. While the tool was originally developed for real-time credit scoring of natural persons and corporates, it is also very useful in the context of KYC.
For example, the payment data can be used to validate a person’s address (e.g. by description of rental payments, mortgage payments, municipal taxes, etc.) or to determine whether or not a client is part of a certain network (e.g. is the person related to someone on a sanctions list or a PEP). Next to validating a client’s identity or profile, the RiskQuest Navigator also allows one to retroactively apply transaction monitoring. This can be in the form of elementary warning signals, e.g. by building indicators for cash, crypto, gambling, or other high-risk transactions; or one can take it one step further by applying an anomaly detection model on top of this (or even a bank’s internal transaction-monitoring model). A high-level summary of the current and future capabilities of the RiskQuest Navigator is provided in the table below.
Note that the assessment can be applied at the origin of a client relationship but also during the relationship or monitoring phase (though the clients’ specific consent would be required). Furthermore, unlike documentary information, payment data cannot be manipulated.
If you would like to know more about the use of the PSD II based RiskQuest Navigator tooling for KYC purposes, please contact Hans Heintz (+316 81509088) or Tabor Smeets (+316 23611491).