European legislators and supervisors are often seen as the ‘bad guys’ who burden banks with ever more regulatory requirements. This is especially the case for the Know-Your-Customer (KYC) requirements regarding the detection and prevention of money laundering and tax evasion. Banks are in fact forced to act as gatekeepers and to perform investigative tasks that are usually done by law enforcement agencies such as the police and prosecutors, but without support in obtaining the right tools to do so. It seems that banks can only lose: if they do not comply, fines and reputational damage will follow; if they do comply, heavy compliance investments are needed that cannot be allocated to (digital) innovation. How can this everlasting dilemma be overcome? Have you ever thought about leveraging the opportunities that regulations like PSD2 and eIDAS bring to the table? We did, and invented The KYC Platform, which brings together several technological possibilities mentioned in our earlier blogs and brings Compliance and Innovation together.
Open Banking (PSD2) and Digital Identification (eIDAS)
Open banking means in essence ‘Banking as a Platform’ (BaaP), in which networks are key and interactions take place between users on a (digital) platform. In open banking it is no longer about owning (customer) data, algorithms, employees, etc., but about sharing and providing your key assets to the network. Open banking is driven by several forces: the Payment Services Directive 2 (PSD2) requires banks to provide Access to Accounts (XS2A) for Third Party Providers (TPPs), and technological innovations make collaboration easier. Regarding the first, banks will need to build new interfaces and update or design their (customer) authentication procedures to support XS2A. XS2A can be facilitated by Application Programming Interfaces (APIs). For more information about open banking and how to use APIs to support it, see Capgemini's report on the Open Banking Solution.
But PSD2 did not come alone; there is another, complementary European regulatory invention: the Electronic Identification and Trust Services for Electronic Transactions Regulation (eIDAS). PSD2 and eIDAS are a match made in heaven, and both are regarded as building blocks of the Digital Single Market. Where PSD2 aims to revolutionize the digital payments market by requiring XS2A, eIDAS provides the tools necessary to meet the obligations regarding security, authentication and verification. eIDAS ensures the legal validity of electronic trust services, such as electronic signatures, electronic seals, time stamps, etc. The draft Regulatory Technical Standards (RTS) of the European Banking Authority (EBA) on strong customer authentication and secure communication under PSD2 mention that the identification of TPPs and ‘normal’ banks when communicating (via an API) could be based on certificates issued by a qualified trust service provider under eIDAS.
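The certificate-based identification just described comes down to a gatekeeper check on the bank's side of the API: before a TPP gets access to accounts, the certificate it presents must chain to a trust service provider the bank has enrolled, be within its validity period and be usable for client authentication. The following Go program is an added illustration of that check, not code from the original post or from Capgemini. It constructs its own test material with the standard library (a stand-in root labelled "Example QTSP", a TPP certificate it issued, an expired one, and one from an issuer the bank never enrolled); the names are placeholders, no real trust service provider is involved, and the PSD2-specific certificate attributes defined by the RTS are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds constructed test material: a stand-in QTSP root, a TPP certificate
// it issued, an expired TPP certificate, and a certificate from an issuer the bank
// has not enrolled in its trust store. None of these are real organisations.
type Scenario struct {
	Roots   *x509.CertPool
	Now     time.Time
	Trusted *x509.Certificate
	Expired *x509.Certificate
	Rogue   *x509.Certificate
}

// makeCert creates a certificate for org. With parent == nil it is self-signed (a root);
// otherwise it is issued by parent and signed with parentKey. Test data only.
func makeCert(org string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A TPP presents its certificate as a TLS client when calling the bank's API.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyTPPCert is the gatekeeper check a bank's API front end runs before granting
// XS2A: the presented certificate must chain to an enrolled root, be valid at time now
// and be usable for client authentication. A non-nil error means access is denied.
func VerifyTPPCert(tpp *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := tpp.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// BuildScenario constructs the test material described above.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	year := 365 * 24 * time.Hour
	qtsp, qtspKey, err := makeCert("Example QTSP (constructed)", true, now.Add(-24*time.Hour), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	trusted, _, err := makeCert("Example TPP (constructed)", false, now.Add(-time.Hour), now.Add(year), qtsp, qtspKey)
	if err != nil {
		return nil, err
	}
	expired, _, err := makeCert("Example TPP (constructed)", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour), qtsp, qtspKey)
	if err != nil {
		return nil, err
	}
	// Well-formed issuer that the bank never enrolled: its certificates must not be accepted.
	otherCA, otherKey, err := makeCert("Unenrolled issuer (constructed)", true, now.Add(-24*time.Hour), now.Add(10*year), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, _, err := makeCert("Unknown TPP (constructed)", false, now.Add(-time.Hour), now.Add(year), otherCA, otherKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(qtsp) // only the enrolled QTSP root is trusted
	return &Scenario{Roots: roots, Now: now, Trusted: trusted, Expired: expired, Rogue: rogue}, nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"trusted", s.Trusted}, {"expired", s.Expired}, {"unenrolled", s.Rogue}} {
		fmt.Printf("%-10s -> %v\n", c.name, VerifyTPPCert(c.cert, s.Roots, s.Now))
	}
}
```

The point of the three cases is that a certificate being technically valid is not enough: only a chain to a root the bank has deliberately enrolled, checked at the current time, establishes who is on the other end of the API.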
However, eIDAS is not only relevant in the context of communication between TPPs and banks; it can also play a crucial role in the communication between a bank and its customers, more specifically in the KYC process. It can facilitate the use of e-identity schemes and the verification of electronic trust services such as e-signatures. This allows banks to identify customers digitally at a distance and thus eliminates the need for face-to-face (physical or webcam) contact. It also enables working cross-border without being physically present in the foreign country. These possibilities of eIDAS within the KYC process are also mentioned in the European Commission's Green Paper on retail financial services (2015) and in the fifth Anti-Money Laundering Directive. There is even a ‘Commission expert group on electronic identification and remote Know-Your-Customer processes’ that explores the opportunities of e-identification for KYC purposes (read more).
The KYC Platform
As banks are forced by PSD2 to work together with TPPs and provide them access to payment accounts anyway, why not use this newly created network for other purposes as well?
In the picture below, you see our vision for the KYC Platform, inspired by the open banking principles fostered by PSD2 and the identification opportunities brought to life by eIDAS. Its characteristics are:
- KYC is no longer a process that takes place within a bank but within the network;
- KYC information is shared within the network;
- ‘normal’ banks and FinTechs (like TPPs) are part of the network;
- onboarding and (transaction) monitoring of customers is done by a KYC service provider, founded by the network or already existing and incorporated in the network;
- filing suspicious transactions reports and reports about possible tax evasion is done by the KYC service provider;
- the KYC Platform makes use of the latest technological possibilities: Robotic Process Automation, Data analytics and e-Identification.
The KYC Platform has three main advantages:
- A higher-quality KYC process and process outcome (risk profile, FATCA/CRS status, suspicious transactions, etc.), as a dedicated KYC service provider performs the checks. Customer and transaction information can also be reused within the network, which makes it easier to verify whether the information is correct.
- An improved customer experience, as the customer no longer needs to provide the same information to several financial institutions.
- Lower compliance burden on individual banks.
The competitive advantage of being compliant
Being compliant, in the broadest sense of the word, should be one of the top priorities for banks. Not only to prevent fines and keep the supervisor happy, but also because a trustworthy reputation is the competitive advantage banks have over FinTechs. Due to the severe regulatory requirements, we see that customers often consider banks more reliable (source: Capgemini report, Innovatie in de financiële sector: wat wil de consument?, February 2017). FinTechs may seem ‘sexier’, but they are not the preferred banking partner. It is therefore important not to think too lightly about the KYC Platform from a legal standpoint: although the KYC operations run through the platform, the compliance obligations do not. The bank remains accountable. The risks arising from the KYC Platform must therefore not be overlooked. One of these risks is (partly) ceding control over customer data; data breaches and misuse of customer data can lead to reputational damage and fines. The importance of the General Data Protection Regulation (GDPR) therefore cannot be stressed enough. This means that running your KYC activities via the platform and within a network can only take place if the customer agrees to this way of working.
Bringing the KYC Platform to life
In our view, Compliance and Innovation are not mutually exclusive. For the KYC process, banks can achieve successes in both areas if they apply the building blocks of open banking and start building the KYC Platform together with other banks, TPPs (FinTechs) and KYC service providers. However, the accompanying (privacy) risks should not be taken too lightly.
Up for the challenge? Capgemini Invent can support and guide you on this innovative road to the next KYC era.