Blockchain is a polarizing technology – some people argue that it is all hype and lacks true use cases; while others are convinced that it will radically revolutionize certain areas of business. For many, blockchain was originally synonymous with Bitcoin and other cryptocurrencies. However, in the past two years, an increasing number of commentators are now waking up to the fact that blockchain technology can be deployed to solve friction inherent in certain business functions. One of those use cases is using blockchain to improve KYC/AML compliance regimes.
Banks, insurance companies and other financial service providers (collectively, FIs) around the world allocate substantial resources to “Know Your Client” (KYC) and “Anti-Money Laundering” (AML) compliance programs. According to a 2016 Thomson Reuters report, FIs individually spend anywhere from US$60 million to US$500 million annually on KYC/AML compliance.1 Furthermore, as regulatory regimes around the world become more complex and penalties for regulatory non-compliance become increasingly punitive (both from a cost and a reputational standpoint), these compliance costs will continue to rise. Existing compliance costs are at least partly driven by inefficiencies in compliance programs, which are generally paper-based, require substantial manual human input, and often result in the duplication of work both within and between FIs.
In addition to the massive costs of KYC/AML compliance, FIs are increasingly under client pressure to facilitate transactions in an expedited manner. Unfortunately, in many cases, current compliance programs are manual, fragmented and slow, all of which impedes the client’s business and can potentially damage the client relationship.
Not all blockchain platforms are appropriate for all purposes; some are better suited for certain enterprise use cases. In the case of managing and interacting with FIs and their data, it is increasingly clear that the private, permission-based model offered by distributed ledger technology (DLT), a type of blockchain, is best suited for handling KYC and AML compliance. FIs have invested substantial amounts of time and money in the development of DLT, and have completed a number of successful “proof-of-concept” tests using this technology. For example, in June 2018, Synechron and R3 (which represents more than 300 partner members across multiple industries and jurisdictions) tested a KYC compliance system built on DLT. This proof-of-concept completed 300 KYC transactions involving 39 participants across 19 countries.2 FIs, as part of this proof-of-concept system, were able to request access to a customer’s KYC test data, while customers could approve requests and revoke access to personal data at their discretion. Customers were also able to update their test data, which was then automatically updated on the DLT platform, where all FIs that had permission could access it.
The existing KYC/AML processes used by most FIs contain certain inefficiencies, including (1) information asymmetries between FIs and regulators; (2) the duplication of KYC/AML compliance work completed within and between FIs; and (3) FIs spending a disproportionate amount of time and resources on manually validating and coordinating the completion and reconciliation of KYC/AML documentation, as opposed to assessing client risk.
1. Information Asymmetries between FIs and Regulators
Because FIs are mandated to prepare and submit compliance reports to regulators, many aspects of the existing KYC/AML workflows between FIs and regulators require FIs’ employees to review and manually reconcile a substantial amount of paper documents, resulting in significant labour costs, increasing the risk of human error and frustrating the client. DLT would: (i) reduce the use of paper documentation; (ii) reduce the time spent manually reconciling documents; and (iii) increase the speed of verifying the KYC data.
2. Duplication of Compliance Efforts Between and Within FIs
FIs do not typically share KYC/AML information with each other, and often fail to share that information among different divisions within the same FI. Therefore, where a transaction involves multiple banks (or a client uses multiple banks for different banking needs), each FI independently expends resources to validate the KYC/AML data of that client without any cooperation, coordination or information sharing between the FIs. Additionally, some FIs do not maintain central internal databases of a client’s KYC/AML data. Consequently, some clients have to re-submit their KYC data (e.g., proof of address and identification documents) to the same FI on multiple occasions when applying for services from a different division of the same FI. This separate and independent replication of KYC/AML diligence is extremely costly, inefficient and slow.
The duplication of compliance efforts results in FIs spending substantial resources on investigating “false positives” (transactions flagged for non-compliance with KYC/AML rules that turn out to be legitimate and legal). According to IBM, some FIs reported that up to 98 percent of transactions flagged for KYC/AML non-compliance turned out to be false positives.3 For each flagged transaction, an FI must conduct costly, manual due diligence to determine KYC/AML compliance. To put this in perspective, if a client is working with five FIs on a particular transaction, and each FI undertakes its own KYC/AML diligence, and such diligence then uncovers multiple false positives that are independently investigated by each FI, it is easy to understand how compliance costs rapidly escalate.
3. Most Resources are Spent Validating Documents as opposed to Assessing Risk
KPMG estimates that FIs currently spend 80 percent of all KYC/AML resources on reconciling documentation, and only 20 percent on assessing the KYC data and assessing client risk.4 By adopting DLT, more human resources could be spent analyzing the risk of the underlying KYC and transaction data, while relying on DLT to automate and streamline the organizing, sharing and validating of the KYC data.
According to BIS Research, a US-based market intelligence firm, using DLT in KYC/AML compliance programs could reduce an FI’s administrative costs associated with KYC/AML compliance by 90 percent, generating total aggregate cost savings for all FIs of between US$6 billion and US$8 billion per year.5
DLT promises to address some of the current inefficiencies inherent within an FI’s KYC/AML compliance program by using a technology platform that allows FIs (with the consent of the client) to share a client’s KYC/AML data: (i) internally among divisions of an FI; and (ii) with other FIs, in each case using a secure and private DLT platform. Unlike a public blockchain such as the Bitcoin blockchain, a private, permission-based platform built on DLT comprises, and is accessible only to, a group of selected parties. Using this technology will enable FIs to rely on the same shared, secured and auditable source of digitized client information, instead of having to collect and verify the information individually and repeatedly.6
DLT could also streamline information flows between FIs and regulators. Using a private, permission-based DLT platform, regulators could have secure and direct access to an FI’s compliance system, and pull compliance reports from FIs themselves. This sharing of information would enable FIs to demonstrate their regulatory compliance in real-time, thereby improving transparency with regulators and dramatically reducing FIs’ compliance costs.
The following discussion provides a high-level example of how KYC/AML compliance could work using DLT.7 For your reference, this explanation is also diagrammed in Figure 2, below. It is important to note that FIs would rely on DLT, ensuring that only approved entities would have access to the system and the data stored thereon. Once an FI or regulator is approved to participate on the DLT platform, further restrictions can be added to limit the entities’ access to specific data contained within the platform.
1. Step 1: Client Creates a Profile on the KYC/AML DLT System
When an FI first launches a DLT-based KYC/AML compliance system, a client will have to complete a one-time set-up of their digital profile (Client Profile). The Client Profile contains (among other items) proof of the client’s identity (e.g., driver’s licence or passport information) and completed versions of required KYC/AML regulatory documentation (KYC Data). Once uploaded, the KYC Data is accessible by the applicable FI for verification. The location where the Client Profile and associated KYC Data are stored is customized for each system. Storage options include using a centralized, encrypted server operated by a third party, storing data solely on an FI’s own private servers, or uploading documents to the DLT platform itself.
2. Step 2: Client Engages in Transaction with FI #1
When the client engages FI #1 for a specific transaction, the client grants FI #1 access to the Client Profile. FI #1 then manually verifies that the KYC Data hosted on the Client Profile is valid (using its existing KYC/AML compliance processes).
Once FI #1 verifies the veracity of the KYC Data, it saves a copy of the KYC Data on its own server (not on the DLT platform; accordingly, the KYC Data is deemed to be stored “off-chain”), and uploads to the DLT platform a “Hash Function” (the output of a cryptographic hash function: a fixed-length code consisting of letters and numbers, derived from the file, that is used to identify and represent that piece of KYC Data). Finally, FI #1 transfers digital copies of the KYC Data (embedded with a Hash Function that matches the Hash Function uploaded to the DLT platform) to the Client Profile.
It is important to note that the Hash Function does not contain the contents of the KYC Data (it only represents the code name of a specific file). Figure 1 below shows how KYC Data from the client’s digital profile appears only as Hash Functions on the DLT platform.8
Figure 1 – How a client’s confidential information appears to FIs on the DLT platform
If KYC Data (which is stored on the Client Profile) is altered in any way, the Hash Function recomputed from such KYC Data would immediately change and no longer match the Hash Function stored on the DLT platform. Therefore, other FIs, where permitted under applicable law, could have the ability to rely upon the review of the KYC Data by FI #1, as opposed to having to review the KYC Data themselves. Furthermore, if the KYC Data is ever altered, the equivalent Hash Function of such KYC Data will not match that posted on the DLT platform, causing the system to automatically alert the other FIs to such change.
3. Step 3: The Client Engages FI #2 in a Separate or Related Transaction
FI #2 requires the client to complete the same KYC/AML documentation required by FI #1. Upon receipt of such request from FI #2, the client would grant FI #2 access to the Client Profile. FI #2 would then review and compare the KYC Data (and the Hash Function embedded therein) with the Hash Functions uploaded to the DLT platform by FI #1. If the two Hash Functions match, then FI #2 knows that it has received the same, unaltered KYC Data already validated by FI #1.
If the Hash Functions do not match, then FI #2 would need to manually validate the KYC documents (in accordance with its standard KYC/AML processes). This could occur as a result of the client altering the KYC Data initially uploaded to the Client Profile or uploading additional KYC Data to the Client Profile.
4. Step 4: The Client Uploads Updated KYC/AML Documents onto the Network (If Applicable)
If the client obtains a new driver’s licence or passport (or the KYC Data originally posted to the Client Profile otherwise changes), these documents must be uploaded and validated in the system. This creates a potential inefficiency for participating FIs. For example, does each FI now need to individually validate the new documents and update their systems accordingly? To avoid this, FIs can leverage smart contracts to automatically update their systems when the client provides new documents. Specifically, the client submits the updated documents to a single FI, which then validates and attests to their authenticity. That FI then broadcasts this change (in the form of a new Hash Function) through the blockchain to the other participating FIs.
Figure 2 – Example of a Blockchain-Based KYC/AML Compliance System
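The four steps above, reduced to working code as an added illustration (this is not code from the article or from any of the platforms it mentions). The ledger is a plain in-memory dictionary standing in for the permissioned DLT, the documents are constructed sample bytes, and SHA-256 is assumed as the hash function; the names `KycLedger`, `attest` and `check` are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

def kyc_hash(document: bytes) -> str:
    """SHA-256 digest of the document bytes: the "Hash Function" the article
    posts on-chain. It identifies the file without revealing its contents."""
    return hashlib.sha256(document).hexdigest()

@dataclass
class Attestation:
    digest: str
    attested_by: str  # which FI validated the document (the audit trail)
    version: int

@dataclass
class KycLedger:
    """Stand-in for the permissioned DLT. Only attestations (hashes) live here;
    the documents themselves stay off-chain in the Client Profile."""
    records: dict = field(default_factory=dict)  # (client, doc_type) -> [Attestation]

    def attest(self, client, doc_type, document: bytes, fi: str) -> Attestation:
        history = self.records.setdefault((client, doc_type), [])
        att = Attestation(kyc_hash(document), fi, len(history) + 1)
        history.append(att)
        return att

    def check(self, client, doc_type, document: bytes) -> str:
        """Step 3: compare the hash of the copy received from the Client
        Profile with the latest hash attested on the ledger."""
        history = self.records.get((client, doc_type))
        if not history:
            return "unattested"  # no FI has validated this document yet
        if kyc_hash(document) == history[-1].digest:
            return "verified"    # same bytes FI #1 validated; may be relied upon
        return "mismatch"        # altered or new document: manual review needed

# Constructed sample documents (not real KYC data).
PASSPORT_V1 = b"passport: ACME CLIENT LTD, no. X000000, expires 2027-01-01"
PASSPORT_V2 = b"passport: ACME CLIENT LTD, no. X000001, expires 2037-01-01"

def demo() -> list:
    ledger = KycLedger()
    out = [ledger.check("acme", "passport", PASSPORT_V1)]        # Step 1: nothing on-chain yet
    ledger.attest("acme", "passport", PASSPORT_V1, fi="FI#1")     # Step 2: FI #1 validates, posts hash
    out.append(ledger.check("acme", "passport", PASSPORT_V1))     # Step 3: FI #2 holds a matching copy
    out.append(ledger.check("acme", "passport", PASSPORT_V1 + b" "))  # tampered copy: hash differs
    ledger.attest("acme", "passport", PASSPORT_V2, fi="FI#2")     # Step 4: renewal, one FI re-attests
    out.append(ledger.check("acme", "passport", PASSPORT_V2))
    return out  # ['unattested', 'verified', 'mismatch', 'verified']
```

A bare hash only hides a document whose contents are not guessable; for short, structured records a deployment would commit to the file together with a random salt and keep that salt off-chain with the document.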
Prior to implementing blockchain-based KYC/AML systems, FIs must identify and address the following challenges:
1. Standardizing KYC/AML Documentation
To develop a KYC/AML compliance system that can be used and shared by multiple FIs, the participating FIs must agree upon certain standard KYC/AML forms and processes that will be acceptable to them. This will be difficult to accomplish, as each FI will have their own internal risk profile and procedures that they are comfortable with. Furthermore, even if the FIs can agree upon a certain standard, such standards and documents will then need to be interoperable with the various legacy systems of each FI, and be compliant with any applicable laws or procedures mandated by applicable regulators.
2. Data Privacy Concerns for Data Stored on the Blockchain
There are a number of issues related to data privacy to consider.
(a) Protecting clients’ confidential information is a top priority for FIs. At a high level, the design of blockchain-based KYC/AML systems addresses these concerns in three ways. First, a “self-sovereign” system (as discussed above) allows a client to authorize who can view its private information. This authorization is fluid and can change at the discretion of the client. Second, because blockchain allows FIs to share KYC Data, the client will only have to make the KYC Data available once (or less frequently), which reduces the chances of the KYC Data being compromised. Lastly, FIs protect clients’ confidential information by storing documents outside of the DLT platform, and only uploading Hash Functions onto the DLT platform.
(b) FIs may not be comfortable with regulators pulling information directly from their systems at their discretion. Therefore, FIs must collaborate with regulators to ensure that access is provided in a manner and at a time that the FI is comfortable with, while also ensuring regulatory compliance.
(c) FIs must ensure their systems comply with relevant data privacy legislation. For example, the EU’s General Data Protection Regulation (GDPR) provides for the public’s “right to be forgotten”. This appears to conflict with the fundamentally immutable nature of blockchains (i.e., once data is loaded into the blockchain, it cannot be deleted). Accordingly, further legal analysis is needed to understand whether the GDPR applies to specific client information identified by a Hash Function.
3. Ensuring the Validity of Verified KYC/AML Data Stored on the DLT Platform
As discussed above, a major benefit of blockchain technology in KYC/AML compliance is that it eliminates the duplication of multiple FIs validating the same set of documents. Although efficient and cost effective, this system creates the possibility that fraud or mistakes in validating documents will not be detected by other FIs on the DLT platform. This requires that (i) all of the FIs agree as to the necessary steps needed before KYC Data is validated; and (ii) substantial trust is established in each of the network’s participants to properly verify client documents. DLT mitigates this issue by creating a permanent record and audit trail of when each document was validated and by whom (i.e., the identity of the FI employee that validated a specific document), and therefore promotes accountability in the system.
4. Incentivizing the Sharing of Information Between FIs
FIs must be incentivized to share KYC Data on a DLT platform. The more FIs that contribute to the platform, the greater the cost savings for participating FIs.
One emerging solution for incentivizing FI participation on the DLT platform is by paying an FI to validate the KYC Data. FIs that perform the original validation of client KYC/AML Data could be compensated by each FI that accesses and relies upon the validated KYC Data. This motivates participating FIs to both protect client information and to properly attest KYC Data. If this is not done, an FI could lose out on earning incremental revenue from other FIs choosing not to rely upon the KYC Data attested by such FI. Alternatively, an FI could be removed from the platform altogether for non-compliance with the network’s specific data integrity standards.
In today’s interconnected world, people are sharing their personal information at an unprecedented rate, which will likely continue due to the arrival and adoption of 5G, IoT, open banking and other technological advancements. Organizations are and will continue to be expected to obtain, process and verify this personal information in a quick and efficient manner, while at the same time safeguarding such information from being hacked and complying with KYC/AML legislation. DLT is a tool that could be utilized by FIs to satisfy these foregoing requirements.
This article was co-authored by Jesse Collins-Swartz, a summer law student in the Toronto office.