Know Your Customer (aka KYC) and customer due diligence used to involve little more than comparing names against sanctions and various other types of watch lists. However, in today’s fast-paced environment where technology, customer expectations, and regulations are constantly changing, it is imperative that KYC keeps pace. With tighter AML regulations and the Payment Services Directive (PSD2) in the European Union, which regulates the rules for open-banking, allowing access to customer account data for any third-party service provider their customers approved via a dedicated communication interface (aka API).

With that said, mobile wallets, open banking, and cryptocurrency offer consumers a lot of choices along with real-time information at every touch point to complete a transaction on the spot 24/7.

Former Harvard Business School professor Theodore Levitt stated, “People don’t want to buy a quarter-inch drill. They want a quarter-inch hole.

While this presents major opportunities for financial institutions, Fintechs, and consumers, it puts a lot of pressure on risk and compliance systems to detect and flag actual threats in real time. Also, let’s not forget the increased responsibility for people tasked with keeping a financial institution from being compromised by cyber-attacks or used as a vehicle to launder money.

Therefore, Know Your Customer (KYC) shouldn’t be taken lightly, because, it is more efficient to detect potential bad actors at the onboarding stage than to rely on AML systems to expose bad actors later. However, for small to midsize financial institutions, the cost of KYC is much more expensive in proportion to their size than by larger multinational companies who can spread the cost across many entities.

Like the FinTechs, RegTechs (aka Regulatory Technology) burst onto the scene to help financial institutions meet the regulatory challenges of compliance with the promise of offering more efficient technology solutions that will drive down costs, especially in the area of KYC, which has been costly for banks to execute.

However, the cost of Know Your Customer and Customer due Diligence is having a negative impact on businesses. A 2016 Global Survey from Thomson Reuters states financial institutions spend on average $60 million and some are spending up to $500 million to meet their compliance with KYC and Customer Due Diligence (CDD) obligations. Also, a parallel survey of their corporate customers found that 89 percent had not had a good KYC experience, and 13 percent had changed their financial institution relationship as a result.

Granted, financial institutions tried automating the KYC and Customer Due diligence process, but the technology which financial institutions have invested billions of dollars on has been just as much of a burden than a relief. These rules-based systems generate massive amounts of false alerts that financial institutions felt compelled to try outsourcing and even built offshore entities in India taking advantage of lower labor cost to maintain their systems and check through the millions of alerts.

With nowhere to run financial institutions are turning to the RegTechs for solutions. Many believe artificial intelligence (AI) and machine learning (ML) enabled solutions are the new game changers. Even though, these buzzwords have become a hot topic many don’t even know the difference between the two and use the terms interchangeably. Machine learning refers to a computer system that has the ability to learn how to do specific tasks, in contrast, artificial intelligence enables computer systems to perform tasks done by humans.

While AI can replace many rudimentary tasks, I wouldn’t say that compliance analysts are one of them. Of course, machine learning models can process tremendous amounts of data, but ML systems still need to learn the difference between a false and real alert and that in real-time.  

First, there simply isn’t enough good data at most firms to teach an ML model these differences and second, bad actors are always adjusting and trying new schemas and third, the banking landscape keeps changing all of which would leave ML and AI systems with a knowledge gap. However, appealing this technology might sound to the people watching the bottom-line the reality is that ML requires months and in many cases years of laborious training, as experts must feed vast quantities of well-structured data into the platform for it to be able to draw meaningful conclusions and those conclusions are only based upon the data that it has been trained on.

The Challenges of List Screening

Beneficial Owners

Opaque ownership structures is a real challenge of KYC, criminals, and PEPs, etc. have been hiding behind corporate structures.   

Even though, a company might not be on an official sanctions list, but if its stakeholder(s), has ownership equally to 50 percent (aka the 50 Percent Rule), there is a good chance that the company in question should be treated as a sanctioned entity. Therefore, it is imperative that corporate ownerships be verified when dealing with certain countries and corporate structures to ensure that none of the beneficial owners are prohibited persons under OFAC regulations.

Sanctions Lists

Sanctions lists can be found in all formats and sizes. Some are country-based, often following UN resolutions to promote world peace, human rights, and prohibit certain if not all transactions. Some sanctions are politically motivated at a national level, as is the case with the United States’ economic embargo against Cuba. While others impose targeted sanctions (e.g. freezing assets, travel ban, and arms embargo) upon persons, groups, undertakings, and entities designated on the ISIL (Da’esh) & Al-Qaida Sanctions List.

Of course, sanction lists are fairly straightforward and some are more relevant to the screening process than others. Moreover, many of the national sanctions are based on sanctions imposed under UN resolutions, so many of the names appearing on the UN lists also appear on supra-national lists such as those issued by the EU, as well as national sanctions lists such as the OFAC and HMT lists. The course of action for sanctions is simple – they cannot be dealt with, and a Suspicious Activity/Transaction Report (SAR/STR) should be submitted when confirmed. Many of the national programs are based on sanctions imposed under UN resolutions, so many of the names appearing on the UN lists also appear on supra-national lists such as those issued by the EU, as well as national sanctions lists such as the OFAC and HMT lists.

Even though a company might not be on any official sanctions list you could be required to treat it as a sanctioned entity if a shareholder is on a sanctions list. The course of action for sanctions is simple – they cannot be dealt with, and a Suspicious Activity/Transaction Report (SAR/STR) should be submitted when confirmed.

Watch Lists

Watch lists serve the purpose of assessing clients’ potential risk. For example, being a PEP (aka politically exposed person) does not mean a person is corrupt, but it does represent increased risks owing to the possibility that an individual holding such a position will have far greater opportunities to misuse power and influence for personal gain. Again, a point often overlooked, but really important as bribery convictions reach all-time highs, is the risk that business partners impose because they might qualify as “public officials” based on their company’s ownership structure if fully or partially state-owned.

Law enforcement agencies, security authorities, national and regional agencies also disseminate various lists. These lists (e.g. Interpol’s Red Notices, the FBI’s Crime Alert List, Singapore Investors Alert and IOSCO consumer protection) can help an organization from doing business with a wrong party and from being drawn into a fraudulent scheme.

Lists in General

Many of these lists are available for free, the challenge is these sources have different ways of presenting information. Some offer well-structured information in downloadable XML files, some in CSV or delimited text files, others have online lists across multiple web pages, and some offer only PDFs. Not to mention the URLs are constantly being moved, without notice, to a new URL.

Selecting lists that will benefit all areas of your financial crime program can be a daunting task, here a few factors to consider:

  • Geographical jurisdiction(s) in which you operate
  • Requirements of local and foreign regulators in the area you operate
  • Consult your organization’s risk assessment as a guideline
  • Is an appropriate data structure provided?
  • Are they using technology to provide cheaper ways of data deployment (e.g. Cloud)?
  • What formats are data files available in?
  • Providers have millions of data sets in, their database so how are these duplications being managed!
  • An appropriate update schedule and update by using delta files—are a must have.
  • If an online search function is provided, what techniques are they using to match names?


In many cases and for many reasons an institution’s data will have gaps and inconsistencies “garbage in garbage out”. On the other hand, we’re trying to match against hundreds of lists that have different ways of presenting the information.

Inconsistency in basic things like abbreviations (Sr./Senior, Inc./Incorporated, AG/Aktien Gesellschaft, nicknames, etc.) and translations of words that have the same meaning but are spelled different e.g. Germany (EN), Allemagne (FR), Deutschland (DE) can all impact screening results.


A majority of the relevant lists coming from the US are in a Latin character set, while a good portion of these names originates from non-Latin backgrounds. Therefore, names that are Chinese, Greek, Islamic, Russian and Thai, etc. must be transliterated from their home language to a Latin one.

Moreover, in the Arabian Peninsula Jamal is pronounced Jamal, in Egypt Gamal, and in Algeria Djamal. These are all the same Arabic word, but one that is spelled (transliterated) in various regional ways when written in English.

A further example of transliteration is the voiceless uvular plosive used in Arabic and other languages. It is pronounced approximately like English [k], it’s pronunciation varies between different languages and different dialects of the same language. The consonant is sometimes transliterated into “g”, sometimes “k”, and sometimes “q” in English.

For example, the former Libyan leader’s name can be spelled in various ways:

  • Gaddafi
  • Qadhafi
  • Kaddafi
  • Gadhafi
  • Ghathafi
  • Qaddafi
  • Ghadafi

Fuzzy Logic

Name-matching is not a perfect science and fuzzy logic doesn’t select between true or false but is based on “degrees of truth” to deliver an adequate range of choices to select from. Unfortunately, this can produce a long list of options for the compliance team to analyze (89.7 percent being false positives). However, this exercise is not only time-consuming and costs a lot of money, but by so much into the investigation of false positives bad actors have a better chance of slipping through.

Also, new customers in the account opening process can find this anything but amusing. It’s comparable to being a good passenger being removed from an airplane before departure. In many instances, additional information is available such as addresses, date of birth or passport numbers which can help clear these hits rather quickly. Unfortunately, this additional information is not consistently available, for one-off searches.

Steps to take

– A database built on the principles of good data, properly spelled names, sound data structure, and format will go a long way to improving the identity matching process.

– Live your risk assessment, not just perform it – this is critical in leveraging the understanding of how these risk exposures impact technological decisions and operational areas of the institution.

– Test, test, test – perform random checks to ensure that technology and operational processes are working appropriately and are being consistently applied. Review reports to understand why changes are necessary.

– Maintain records – institutions must provide evidence both for the adequacy of the risk assessment, policies, procedures, and technology, but also the actual remediation/resolution activities for customers. A clear path from risk to policy to execution will provide regulators.

– Create a feedback loop – to maintain an effective program, there should be a clearly defined process to learn and improve the system.

Written by Paul Hamilton

“Top Misconceptions of Cryptocurrency as a Payment System”

Which can be read on Amazon Kindle Unlimited for Free  You can find more interesting articles by visiting us on one of the following platforms: AML Knowledge Centre (LinkedIn) or Anti-Bribery and Compliance at the Front-Lines (LinkedIn)

Photon Photo – Shutterstock

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.