Demystifying blockchain: what it means for KYC
Hardly a day goes by without a news item concerning the use of cryptocurrencies for money laundering. In June the Financial Action Task Force (FATF) told countries to tighten oversight of cryptocurrency exchanges amid growing concern among international law enforcement agencies that cryptocurrencies are being used to launder the proceeds of crime. Countries will now be required to register and supervise cryptocurrency-related firms such as exchanges and custodians, which will
have to carry out detailed checks on customers and report suspicious transactions. Many governments are already acting on this; for example, on 5 August the Thai government announced that it would bring cryptocurrencies under existing financial regulations, monitored by its
anti-money laundering office, AMLO. In a statement to the Thai press, Police Major General Preecha, secretary-general of the Anti-Money Laundering Office (Amlo), neatly summarized the
current lack of visibility over the issue, saying, “We may not find any clue, but that doesn’t mean the wrongdoing does not occur.” Elsewhere, there have been successes. Earlier this year, Europol broke up a Spanish drugs cartel that laundered cash using two crypto ATMs, machines that issue cryptocurrencies for cash. The concern is that cryptocurrencies can be used to transfer money across borders, break down large criminal money transfers into smaller amounts that are harder to detect, and to make payments on the dark web. And while some of this money laundering activity is still conducted using well-known cryptocurrencies, notably bitcoin, criminals are increasingly switching to more anonymized
cryptocurrencies. Yet, while cryptocurrencies are further complicating the AML landscape, it has been argued that the very technology supporting them – blockchain – may contribute massively to reducing the costs and
the challenge of know your customer and anti-money laundering (KYC/AML) through what has already been dubbed the KYC blockchain.
The cost of KYC
As is well known, Know Your Customer (KYC) is hideously expensive for banks. The cost of conducting KYC due diligence investigations of a company or individual can run into tens of thousands. KYC processes provide the backbone of financial institutions’ efforts to combat the financing of terrorism and to detect and prevent criminal behaviours around the world, such as trade-based money laundering (TBML). According to recent estimates, in excess of US$25 billion is spent each year on financial crime risk management in the banking sector, the majority of which is due to KYC. The reason for the high cost is simple: KYC at many financial institutions is extremely inefficient, involving labour-intensive manual processes, duplication of effort and a high risk of error. Up to 80
percent of the effort associated with KYC is dedicated to information gathering and processing, and only 20 percent to assessing and monitoring that information for critical insights. It can take weeks or even months to identify a beneficial owner by locating and validating the relevant physical and computer records. Moreover, the work is typically done many times over, even for the same customer. Each Line of Business (LoB) within a bank performs its own customer checks. The legal entity – be it an individual or an organization – typically provides KYC documents each time it requires services from different LoBs within the same institution. It is difficult or impossible for LoBs to share the information in a secure and easy manner while protecting confidentiality and privacy. Poor customer experience and high operational costs for the bank are not a good business model in a competitive environment. In other articles we have considered how machine learning – a subset of artificial intelligence – may help to address this challenge, but a key problem remains, which is that the trail of transactional records that is required to identify money laundering is typically spread across multiple LoBs, financial institutions and legal jurisdictions. And this is precisely where blockchain, the underlying technology for bitcoin and other cryptocurrencies, could reduce inefficiencies and duplication of effort in KYC information gathering
between legal entities within a large financial institution or even between competing banks.
The Singapore trial
But how realistic is such an approach? A prototype tested in Singapore in 2017 involving OCBC Bank, HSBC, Mitsubishi UFJ Financial Group (MUFG) and the Infocomm Media Development Authority (IMDA) was the first KYC blockchain in South-east Asia and the most public trial to date. It was
claimed that the prototype could solve the current practice of collecting and verifying personal information from customers repeatedly, reducing the costs by 25-50%, according to KPMG. Like cryptocurrencies, a KYC blockchain prototype operates on a distributed ledger technology and
enables structured information to be recorded, accessed and shared across a distributed network using advanced cryptography. With the customer’s consent, LoBs can share information accurately and efficiently with a clear audit trail generated on the blockchain. With a KYC blockchain LoBs can securely search customer information, generate requests for KYC
documents from other LoBs that have already verified customers, store validated customer documents and re-use them where required. The infrastructure can also be used for sharing customer profiles and alerts, which can trigger mitigation procedures when required in response to
alerts. The Singapore prototype reportedly remained stable even with a high volume of information, was resistant to tampering and maintained data confidentiality. Some fintech companies have now built their own blockchain technology-based distributed ledger systems.
Self-sovereign identity systems
A further development of blockchain-based technology that may reduce KYC costs is “self-sovereign identity” (SSI) systems. Through the use of distributed ledger technology, SSI enables individuals to retain control over their data while at the same time being verifiable for banks and other relying parties through the public recording of verified claims. SSI could be the next step in identity management, combining traditional means of identification with new technology-based systems (such as asymmetric key, one-time password, biometrics) in a distributed system. Its relevance to KYC is that it adds a layer of security and flexibility allowing the identity holder to reveal only the necessary data for any given transaction or interaction. Under existing practice, a bank has to access highly centralized pools of data time and again in order to verify identity. This has a high degree of dependence on data sources that are vulnerable to hacking. Data vulnerability is potentially damaging to both the bank and the bank’s customers, whose identity may be stolen and either used to carry out fraudulent transactions or to provide that identity to another person, who
can then use it for (among other things) for the purpose of money laundering. SSI could reduce the bank’s dependence on a centralized data pool and processes that were not designed for a decentralized, distributed and instantly connected world. An identity blockchain in which a bank has node status would provide a solution that resolves the conflicting demands of financial security and personal privacy. Such solutions for managing self-
sovereign digital identities are already in a fairly advanced stage of development.
How much of this is hype?
While there are similarities between the technology behind bitcoin and the proposed systems to assist with anti-money laundering, we should be careful that we are not blinded by the hype. As
Investopaedia recently reported:
Compare that open, permissionless blockchain to the “private” or “permissioned” blockchains that established tech and financial services players, along with a gaggle of start-ups, are developing on their own or through consortia. Rather than a trustless network of thousands of strangers, they propose to build small networks of known, vetted actors – or in some cases, to keep the blockchain to themselves. The result makes compliance with [AML and KYC] laws easier … but at some point, these purported blockchains have little to do with the innovation that underpins bitcoin. The truth is that technological change tends to be incremental and evolutionary, building on earlier advances. In the case of blockchain, this “revolutionary” technology is based on the successful combination of several pre-existing technological approaches: primarily, decentralized networks, cryptography, and consensus models. Blockchain makes it possible to exchange values in a decentralized system. Cryptocurrencies and the proposed KYC blockchains have this in common, but the commonality ends there. The blockchain hype cycle has peaked and is now in what Gartner terms the “trough of disillusionment”. This is inevitable. No new technology has ever solved more than a small fraction of the problems faced by humankind (well, not since the wheel). Blockchain (we will increasingly see the terms distributed ledger systems or hyperledgers) will bring benefits in many areas of human endeavour, including AML and KYC, but it will be no “silver bullet”. Doubts remain about its scalability, and the competitive nature of the market, concerns about confidentiality etc. will set limits on its application. That said, there is no question that these technological developments are highly positive. The bottom line? A realistic assessment is that KYC blockchains and SSI-supported onboarding will
not fundamentally transform due diligence processes but, especially if combined with other technologies, they could reduce the cost of KYC by something in the range 20%-30%. That will have a significant impact on banks’ ability to combat common forms of money laundering.
Any major financial institution would jump at that!
Join us @ LinkedIn https://www.linkedin.com/groups/8196279/ to stay up- to-date on financial crime topics affecting your industry.