Bank KYC/AML compliance is broken, and blockchain can fix it
Not only is decentralisation the best solution, it might be the only solution.
One of the least-sustainable trends in existing financial services is hidden away in the background. Compliance costs, which refers to the cost of handling legal obligations such as Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations, are a growing stone in the shoes of financial services.
And it's growing extremely quickly. According to Thomson Reuters, the number of compliance professionals increased 3.5 times from 2016 to 2017, while financial institutions are pouring billions into transaction-monitoring systems designed to target suspicious behaviour, like frequent large cash deposits.
No one's entirely sure where these investments will end. At a time when new technology is cutting costs across the financial sector, compliance and security costs are skyrocketing year on year, with no end in sight.
"There's no finite view of these costs," said David Cassidy, CEO of the Kyckr KYC firm. "It's an endless pool of investment."
The endlessly growing costs of transaction-tracking software, staff training and the hiring of compliance experts are half the problem.
The other half is that they perform terribly by almost any real metric. On top of the costs of implementing these solutions, financial institutions still need to budget for the fines and reputation damage incurred when they fail.
The extraordinary rate of false positives in transaction-tracking systems doesn't help. Despite all the efforts, about 95% of system-generated alerts are false positives, and only 2% of alarms culminate in a suspicious activity report.
Former Europol head Rob Wainright has pointedly said that Europe is losing the fight against dirty money.
"The banks are spending $20 billion a year to run the compliance regime … and we are seizing 1 percent of criminal assets every year in Europe," he lamented.
"The current processes used by financial institutions to handle regulatory compliance are broken and highly ineffective in preventing money laundering," agrees OECD Special Advisor and Shyft chairman Joseph Weinberg.
The unpleasant cherry on top is that society has quickly entered the age of mass targeted cyberattacks. Globally, almost 2 billion records were lost or stolen in the first half of 2017, an increase of 164% over the previous six months. The obligation to gather information on a customer's identity, the cost of securing it and then the cost of almost inevitably failing to successfully do so, are one more compounding layer on top of the other costs.
The system is broken. Financial institutions are pouring money into the black hole of compliance obligations in a way that not only fails to effectively address problems, but actually manages to raise more problems in the process.
The heart of the problem
Many bank efforts have so far been focused on more effectively tracking transactions, flagging suspicious behaviour and creating systems that can automatically draw pointless lines between people who deposit $10,000 at a time and those who deposit $9,999.
The reason all efforts are failing so hard is because transactions aren't the problem. At its heart, it's all a matter of identity.
There have been efforts to shift the focus to identity. After all, KYC stands for "know your customer." But resource limitations and vague legal obligations are preventing banks from effectively investigating, and actually knowing, their customers. For example, a bank might investigate the identity of a high-risk customer more thoroughly than a low-risk customer. But it doesn't actually know who the customer is until it investigates, so the entire process gets built on an erroneous foundation.
This kind of problem is extremely widespread.
In at least one case, Cassidy says, "we found up to 17% of the companies on the bank's books are unregistered."
The problem is compounded, he says, by the way financial institutions are "pushing the books together" during mergers and acquisitions, or when data is bought, sold or otherwise changes hands. A bank doesn't have the resources to effectively vet all its own customers, let alone the thousands of new customers that arrive on the books simultaneously after an acquisition.
All things considered, the sorry state of AML/KYC compliance at financial institutions should come as no surprise. It's nothing but new problems, old problems, unforeseen problems, solutions that cause more problems and an endless pool of legally required investment in these problems all the way down.
Why blockchain is the solution
Financial services need an identity solution. Simply monitoring transactions, and many other AML measures, are a bit pointless without one.
There are a range of systems emerging around this, and distributed ledger technologies (DLTs) like blockchain certainly don't have a monopoly. For example, "actor-centric hybrid threat modeling" aims to help banks reduce their rate of false positives by cross-referencing factors such as bank location, customer base, product type and others. Or a bank might pursue a thorough strategy of data cleaning and remediation, coupled with new data management practices going forwards to essentially create a more hygienic information environment.
These aren't permanent solutions though, and they're still quite susceptible to manipulation by clever money launderers.
The blockchain certainly isn't a magic bullet for everything, but it can get pretty close when properly used for identity management.
First, it can accommodate a wide range of exceptionally personal data, right down to matching an individual with biometrics, their financial history, red flags and any other digitisable data points. Businesses can also get a similar digital fingerprint and identity, including their previous dealings and management. These data points can be cross-referenced, analysed, linked with machine-learning algorithms and managed in many other ways.
It can essentially function as an enormous database of a lot of extremely detailed information on individuals and businesses, which actually makes it feasible for banks and financial institutions to conduct detailed investigations on every single customer, and automatically get red flags like someone who hasn't been verified in a long time.
The "magic bullet" element comes with the fact that much of this data does not necessarily need to be made available to banks, or publicly available to anyone except the individual or institution itself. Barring some other creative technological leap, decentralised systems are the only feasible way of simultaneously providing a wealth of necessary, verifiable personal identity information and of respecting the confidentiality of information.
How is that possible?
Decentralised systems are not in control of any one individual or organisation. They're typically open source, freely-accessible systems which can be verifiably immune to hacking or outside attacks. But being open and freely-accessible doesn't mean everyone can get at everything on it.
These kinds of systems can also serve as extremely high-security lock boxes for personal data and a kind of library of personal information that an individual can hold under their secure control. Business information can be held in a similar way, with multiple parties such as regulatory bodies or individuals having access to certain parts. For example, the financial department might be able to see the finance while the CEO might get access to everything, or a nonprofit might make its financials publicly accessible.
In essence, it's all about letting each individual take secure and absolute ownership of their own personal data, rather than providing personal information to other entities and then feigning surprise when they sell or lose it. It's the only type of system that's good enough to create a persistent digital identity that can move with someone from birth to death.
This also opens the door to interesting possibilities, like giving information to someone without actually providing it. For example, someone could give proof of age in the form of a data point which simply confirms that they've been verified as over 18, rather than sending over a complete copy of their driver's licence.
A bank could request the specific data points from an individual or an organisation which are required to satisfy their compliance obligations.
The data itself is also more reliable than what's offered by existing systems. Just because someone can access their own data doesn't mean they can adjust it freely as desired. It can also be added to at specific approved times. For example, a driver's licence might only get added when issued by the appropriate government body or otherwise formally approved as legitimate.
Once again, all this can be done largely automatically and without the data itself actually being accessible to anyone except the individual who "owns" it.
A fairly straightforward example of this can be found in the Enigma (ENG) data analysis system. It lets users run computations on certain data sets without actually revealing any of the data in those sets.
A more complex example, specifically for the purposes of identity management, can be found in Civic (CVC).
Blockchain ID systems aren't necessarily the best solution for businesses currently, but they "certainly [have] longer term capabilities" than most alternatives, Cassidy says, and it will only improve "as different parties engage in use of blockchain architecture."
What it looks like in real life.
There are a number of highly-developed examples in addition to the above.
Shyft, which published its whitepaper on 2 May, might be a particularly interesting one for banks, due to its specific focus on leveraging blockchain technology for KYC/AML solutions rather than in a more general way, and its intention to integrate with existing bank systems.
It works by letting banks and financial institutions operate as "trust anchors." They can upload customer data collected the usual way, and upload it to the system off-chain. Here, it can be crosschecked and assessed alongside other information. This solves the problem of doubling up on expensive customer verification processes and helps ensure that data is kept more secure and up to date than it would be on a centralised database.
A machine learning system, dramatically named the "Shyft conservator," will automatically crawl and cross-reference available data to better ensure data integrity.
In this way, decentralised systems can allow for the automation of confidential data analysis where it previously wasn't available. For example, it might highlight individuals whose data hasn't been verified in a long time or highlight registered companies where the owner's identity has not been properly verified.
For the specific purposes of risk assessment, Shyft also introduces the idea of "creditability," which is a kind of reputation score for individuals, based on available data without compromising the data itself.
Decentralised systems open the door to a much wider range of data collection and storage, but actually collecting it for use as a global standard is a separate challenge. Various governments and organisations are moving towards a global standard in their own way.
On the government level, for example, Taiwan is digitising citizen ID cards on a distributed ledger system. A decentralised ledger is the only type of system that's secure enough to handle such sensitive information.
On the global scale, the Decentralised Identity Foundation might be the current forerunner. It aims to roll out the one and only universal system to put data in the hands of its actual owners, comprised of data and systems securely collected by partners.
Most people will probably notice a lot of familiar names in its partnership roster. ID2020 is one of the less well-known, but it serves as a useful example of how expansive this system will be, bringing in billions of people around the world who have previously gone entirely without any kind of formal identification, digital or otherwise.
The concept of a private, persistent digital identity for every single person on the planet, which allows for secure processing and analysis of a previously unthinkable amount of data, all without compromising privacy, sounds too good to be true. Yet it's already being made a reality.
Financial services aren't just about transactions, and security and compliance isn't just about monitoring transactions. The outdated, inaccurate, expensive and painfully inefficient KYC/AML practices of yesteryear are a problem to be solved, and distributed ledger technologies like blockchain aren't just the best way of solving it, they might be the only way.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VEN, XLM, BTC and XRB.
- Brace for impact: Cryptocurrency industry faces heavy regulatory blow
- Blockstream unveils Liquid Securities: Security tokens for Bitcoin sidechains
- Bitcoin astounds by rising $1,000 overnight
- Deloitte: The blockchain debate is over, and blockchain won
- Bitcoin bears and altcoin bulls took a thrashing this week