Onboarding new customers challenge asset and wealth managers globally. Manual processes for Know Your Client (KYC), Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening checks on investors and distributors can lead to compliance failures. These failures can result in fines, criminal sanctions, or even jail terms.
In addition to the risk of compliance failure, manual processes make for a lengthy onboarding experience. Read on this article for information on how to improve the efficiency of your screening process and reduce risk.
Funds can be bought and sold efficiently, but Know Your Client (KYC), anti-money laundering (AML), Countering the Financing of Terrorism (CFT), and sanctions screening checks on investors and distributors remain manual.
Read on this article for information on how to improve your screening process and reduce risk. You’ll learn:
- Why KYC and AML checks are expensive, manual and off-putting.
- The regulatory risk of non-compliance.
- The way forward, improving efficiency.
Table of contents
Funds can be bought and sold efficiently, but Know Your Client (KYC), anti-money laundering (AML), Countering the Financing of Terrorism (CFT), and sanctions screening checks on investors and distributors remain manual. As a result, they are increasingly expensive in terms of both direct and indirect costs, and a major source of customer dissatisfaction.
Yet compliance failures in KYC, AML, CFT, and sanctions screening checks can result in fines, criminal sanctions, and even jail terms for company officers. For funds distributed across borders, this risk is magnified by variations in laws and regulations between jurisdictions. Risk is further increased when relying on assurances from third parties.
Reliance on third-party assurances helps to control the cost of work that is hard to automate. It is important to weigh the risks posed by individual clients and adjust preferred procedures to local nuances. Documents sourced from disparate and often unstructured databases owned by the public and private organizations must be verified, cross-checked, authenticated, classified, and stored. Since data ages, checks on individuals and firms also must be repeated regularly.
Checks are also duplicated within and between firms. This has led to calls for pooling of KYC, AML, CFT, and sanctions screening information. Imbalances in the data contributions of large and small firms, concerns about the confidentiality, security, and privacy of data shared, technological shortcomings, lack of data standards, jurisdictional differences in requirements, legal liability for information, and the need to secure consent from clients to reuse data, all weigh against data sharing.
These obstacles can be overcome by filtering shared information to exclude commercially sensitive data, use of a common questionnaire, data mapping, and rewarding firms that contribute data. The efficiency of checks can be improved dramatically using unique, re-useable digital identities that are controlled by clients but based on documents authenticated by government-licensed vendors working to approved international standards. Provided the various databases are inter-operable – and work on data standards is underway – any user could access information from any database.
Digital identities adequate to the task of complying with the obligations of multiple jurisdictions will take time to evolve. Market forces alone are unlikely to drive their development, so it will take regulatory intervention (or at least the threat of regulatory intervention) to spur progress.
SS&C is improving those aspects of the KYC, AML, CFT, and sanctions screening process that it can affect directly. Steps taken by the firm include risk-based acceptance of uncertified documents, intelligent questionnaires to exclude searches irrelevant to particular respondents, the introduction of a single data collection process to capture elements common across jurisdictions, re-configuring data held in different formats to raise levels of automation, and automatic updating of out-of-date information.
KYC and AML checks: expensive, manual, and off-putting
Over the last 20 years, transfer agency has changed dramatically. Increasingly, funds are not sold directly to investors or their advisors. Instead, they are distributed through fund platforms that serve the wealth managers and private banks that own the relationships with the end investors. By aggregating multiple orders into one, fund platforms have driven substantial increases in the efficiency of buying, selling, and switching funds. In Europe, nearly nine out of 10 fund transactions are now fully automated, driving costs down and customer satisfaction up.
Unfortunately, the level of efficiency with which distributors and investors open accounts with fund managers, transfer agents, and fund platforms to trade funds – the “onboarding” process – has gone in the opposite direction. This reflects the increasingly onerous regulatory obligations laid on the industry in recent years to affirm the identity of clients (Know your Client/KYC) to ensure they are not laundering money (anti-money laundering/AML), funding terrorism (Countering the Financing of Terrorism/CFT) or breaching sanctions against individuals or organizations (sanctions screening).
Obtaining the documents needed to validate the identity of a client, getting them certified by a trusted party, and verifying that the identity belongs to the individual claiming it, is a largely manual and paper-based process. As fund distribution has institutionalized, a cumbersome Know Your Distributor (KYD) process has also proved necessary for fund managers, transfer agents, and fund platforms to secure assurances from distributors that their underlying clients are not laundering money, financing terrorism, or breaching sanctions. It is also manual and paper-based.
One result is increased cost for all parts of the industry. A leading fund manager estimates the direct cost of KYC, AML, and sanctions screening at five per cent of payroll. A major institutional transfer agent reports that the number of staff involved in onboarding has increased six-fold in the last four years. These costs do not even consider the indirect costs imposed by delays in the investment of monies, or the partial or total loss of sometimes substantial investments by clients exasperated by a burdensome and intrusive onboarding process.
Dissatisfaction with onboarding is well attested. Longstanding customers are confused when firms they have worked with for decades ask them to prove their identity, newer customers are irked by invasions of privacy that even extend to investigating the original sources of investment monies, and corporate customers are alienated by the persistence of investigations designed to look through layers of intermediaries to uncover the ultimate beneficial owner.
Delays can lead to adverse changes in the price of the investment. Fund managers complain about unhappy clients and delayed receipts of funds. Those who are rigorous are told their competitors are happier with less information, and that other jurisdiction are not as demanding. Even institutional distributors, which share the burden of compliance, lack patience with an onboarding process characterized by repeated calls for documents and delays.
Most investors suffer inconvenience in order to prevent a small minority of terrorists, money launderers, fraudsters and sanctioned states and individuals investing in funds. Managing the discontent this creates adds to the burden of compliance borne by fund managers, transfer agents, and fund platforms. However, they cannot pass the extra costs on to their customers because the customers are not willing to pay more to police the funds industry. They still expect the checks not only to be thorough but their thoroughness to be tailored to their differing appetites for risk. After all, that risk is inescapable, because it is regulatory in nature.
The regulatory risk of non-compliance
The risk of compliance failure in KYC and AML checks is significant. One study has calculated that in the 10 years to 2018, regulators around the world fined financial institutions a total of US$27 billion for KYC, AML, and sanctions violations.
Fines cause reputational damage, which can cost a fund manager or transfer agent or fund platform customers unwilling to deal with a tainted firm and can even lead to the withdrawal of their regulatory licence to operate. Fines are also levied on individual officers – typically the Money Laundering Reporting Officer (MLRO) responsible for AML policies, procedures, and systems. For grave violations, MLROs also face the threat of criminal sanctions and even imprisonment.
This discipline, though imposed by national regulators, reflects the approach taken by the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog established by the G-7 in 1989. Effectively, every jurisdiction is now committed to implementing the 40 Recommendations on AML and CFT, which were first published by the FATF in 1990, comprehensively revised in 2012, and now updated regularly. The funds industry is expressly included in the advice the FATF has issued to the securities industry on how to apply the Recommendations in practice.
The Recommendations include an insistence on initial and continuing KYC checks of customers and beneficial owners (Recommendations 10 and 12), the maintenance of records about KYC checks (Recommendation 11), and KYC checks of trust companies (Recommendation 22) and corporate customers and beneficial owners (Recommendations 24 and 25) as well. For the funds industry, the overriding imperative of these Recommendations is to identify the beneficial owner of any investment in a fund, including investors obscured by layers of intermediation.
Indeed, countries are expected to maintain open registers of the beneficial owners of companies to make Recommendation 24 effective. These registers – which are now available in Ireland and Luxembourg, the two largest fund administration centres in Europe in terms of assets under administration (AuA) – are proving useful to fund managers and transfer agents conducting KYC and AML checks. In this way, the FATF Recommendations are prompting helpful changes.
What the FATF Recommendations cannot provide is a global standard that would make KYC and AML checks more efficient. The FATF allows countries to adjust the application of their Recommendations in line with their own perceptions of the risk around money laundering, terrorist financing, and sanctions violations posed by other countries, as well as by various types of customer, product, and chains of intermediation.
This means different jurisdictions implement the Recommendations differently. As a result, fund managers that distribute funds across national borders, and the transfer agents and fund platforms that service funds and work with distributors in multiple locations must adapt their KYC and AML processes to multiple local requirements.
There is limited consistency in the KYC and AML guidance issued by national regulators, and their enforcement practices vary. Some regulators are content to rely on assurances from auditors about the KYC and AML processes of regulated firms, while others make unannounced visits or conduct random examinations that might result in fines or other sanctions.
Regulatory uncertainty of this kind encourages reputable fund managers, transfer agents, and fund platforms to incorporate the highest and most costly tests into their KYC and AML processes, increasing the amount of time and money needed to onboard a client. Yet time and resource pressures mean there is inevitably a degree of reliance on information about clients, and clients of clients, that is supplied by others.
In the funds industry, most fund transactions are intermediated by institutional distributors. Fund managers, transfer agents, and fund platforms tend to rely on assurances from these distributors that their KYC and AML controls are sufficient to prevent money launderers, financiers of terrorism, and sanctions violators from gaining access to funds.
This practice incurs a risk. A fund manager or transfer agent that relies on assurances from a fund platform, for example, is in practice relying on assurances given to the fund platform by the fund distributors that service the underlying investors. Few fund managers or transfer agents seek evidence directly from the underlying investors.
The FATF Recommendation 17 permits this reliance on third parties, and distribution agreements are written to oblige third parties to meet certain standards in KYC and AML checks. But the regulatory risk remains always with the fund manager, the transfer agent, or the fund platform. This is imprudent, but the alternative (directly conducting checks on underlying investors) is impractical.
The nature of the problem
In the United Kingdom, an industry working group coordinated by The Investing and Saving Alliance (TISA) has estimated that it already takes 24 days on average to onboard a new client, that each check on a customer costs the industry between £10 and £100, and that the exasperation of customers has reduced conversion rates by a quarter.
If all parts of the industry also ceased to rely on the assurances of third parties and began conducting KYC and AML checks of their own throughout the funds transaction chain, the volume and cost of the work would overwhelm the current system.
This is because KYC and AML processes remain overwhelmingly manual. Documents proving identity must be certified by a trusted third party, obtained, and authenticated. If they cannot be authenticated, queries must be raised. In a complex case, in which the beneficial owner is obscured by layers of trust and nominee companies, it can take weeks to complete the paperwork.
Even in simpler cases, documents often fail to arrive promptly, because KYC and AML checks are never a priority when onboarding a client. In some jurisdictions, documents also need to be translated. Once an investigation is complete, and the full sets of documents are validated and verified, the collections of papers then must be classified and indexed before they can be filed and stored.
The onboarding team at a fund manager or transfer agent that operates in multiple jurisdictions has to dedicate staff to keeping abreast of changing KYC and AML requirements in each locality by sourcing, translating, and reading official documents continuously and consulting colleagues in compliance and external counsel. Though KYC and AML policy and procedures are always laid down centrally, adjustments or additions to accommodate local nuances must be recorded and incorporated into the procedure every time they apply.
In practice, onboarding teams attach different risk weightings to investors and distributors based in different jurisdictions. These can create additional problems. In some jurisdictions, for example, these cause conflict with local fund platforms or distributors, which resist the application of global policy or procedure if it exceeds local regulatory requirements. Requests for information that are routine in Europe can seem onerous in Hong Kong.
Local nuances are not just cultural or regulatory. They include differences in the way the same information is classified and stored. The way that different jurisdictions classify meta-data – the data that describes and gives information about the data useful to a KYC and AML investigation – is an effect as well as a cause of manual, paper-based processes.
When information about the same element in a KYC or AML investigation (such as the first or second name) is described differently in different national databases, it becomes difficult to code KYC and AML documentation requirements into digital systems and apply them to specific countries and client types. Human judgment is still required, which means employees must be trained on when to use the system and when to override it. The scope for genuine robotic process automation (RPA) remains correspondingly low.
Firms have preferred to manage the costs of manual KYC and AML screening by offshoring and outsourcing to specialist firms rather than by investing in technology. Although artificial intelligence (AI) and machine learning (ML) could, in theory, expand and accelerate the scanning of websites and screening of documents, the quality of the data available is too poor to permit this.
Contradictions and gaps between sources mean KYC and AML checks require at least two and often three separate sources of data per customer, and the number of sources required multiplies with the number of countries in which funds are distributed. A transfer agent servicing a fund manager selling funds in 50 countries might need 150 data sources.
Web searches produce unstructured data and even the multiple databases (these include commercial data vendors, lists of politically exposed persons [PEPs], sanctioned states and individuals, registers of beneficial owners, and registers of limited companies and partnerships) can use different data formats. In some countries, the necessary data is not readily accessible at all. The searches are intricate, awkward, and often prolonged.
A search is never a one-off exercise. The risk-based approach recommended by the FATF means that identities must be re-checked regularly. Typically, a fund manager or transfer agent will re-check customers in high-risk locations once a year, those in medium-risk locations every two years, and customers in low-risk locations once every three or even five years. A “trigger” event (such as a merger leading to a change in the name of an account) might or might not prompt a special review.
Yet, ironically, much of the KYC and AML checking and re-checking process is already duplicated, not just between firms in the funds industry – they are, after all, often checking the same customers – but within them too. A fund platform, for example, may buy a Luxembourg- domiciled fund on behalf of its clients in both Asia and Europe, yet be subjected to KYC and AML checks separately in each region even though it is in both cases effectively the same entity buying into the same umbrella or master fund, even if the local feeder sub-fund is de jure a separate legal entity. It is this duplication of work that prompts an obvious question: why not share the workload?
Obstacles to progress
Considered superficially, the case for fund managers, transfer agents, and fund platforms to share the information they collect and create when running KYC and AML checks appear to be settled. The work is duplicated. It is not clear that KYC and AML processes yield any competitive advantage to firms that do them thoroughly. The only competitive differentiator is whether the job is done badly (which exacerbates what is always a poor client experience) or well (which mitigates what is always a poor client experience). Customers would certainly prefer the opportunity to be checked once, rather than repeatedly, not just by each of the firms they transact with but sometimes by the same firm.
There are obstacles to the sharing of KYC and AML data. One is that commercial economics are not helpful. The savings from ending the duplication of work cannot be achieved without an immediate investment with uncertain returns. Large fund managers, transfer agents, and fund platforms object that they will contribute more data than smaller ones, and so extract less value than they put in.
A second obstacle is the absence of a standard questionnaire for KYC and AML checks. Different firms ask different questions, and apply different KYC and AML risk weightings to the same jurisdiction or customer, so investigations by some are more thorough than those of others. As a result, there is considerable variation in the range and quality of the information that can be shared. This makes it difficult to draw up a fixed-price schedule for the same type of data from different firms. Some potential contributors frankly state that they would prefer to commercialize the information they hold themselves.
Identities must be checked regularly:
- High risk – once a year
- Low risk – every three or five years
- Trigger events – special review
More are concerned by the risk of sharing commercially valuable or sensitive client information with a competitor. Anxiety about the security of information shared with or held by third parties reflects regulatory obligations as well as commercial considerations. Within the European Union (EU), for example, the General Data Protection Regulation (GDPR) means that any company that collects and processes information faces substantial fines if they fail to protect personal data.
There are technical obstacles too. Legacy technologies make it hard for firms to share their data, necessitating an off-putting investment in technology or purchase of middleware. Technology is one reason why data sharing has proved elusive even within the same firm because the unique identifiers that enable a firm to ascertain if it has previously run KYC and AML checks on a customer are yet to be developed. In addition, work on the same customer might be divided between an in-house team in one jurisdiction and a transfer agent in another, making it hard for them to pool the information.
Other obstacles to sharing data lie outside the control of fund managers, transfer agents, and fund platforms. The most obvious is the persistence of jurisdictional differences in KYC and AML laws and regulations. The PwC Financial Crime Guide Tool, which compares the requirements between jurisdictions, finds sufficient differences to make it worthwhile profiling 97 separate countries.
Although the differences can be small – the test for establishing beneficial ownership of a company, for example, is set in Ireland at 25 per cent, while in the Cayman Islands it is only 10 per cent – even minuscule differences mean information adequate to onboard a client in one jurisdiction may not be adequate in another.
These differences reinforce an understandable reluctance to rely on KYC and AML checks conducted by others. Users are bound to worry that the information is not just inadequate but out of date, prepared to a lower standard, or to satisfy a less demanding regulator, or even fake. Those who share data are further concerned it may create liability if the information proves to be an inaccurate and financial crime is committed.
Ultimately, any data repository will insist liability remains with the source. However, establishing the identity of the source that is liable may not be easy. It is intrinsic to the sharing of data that extended information chains will build-up, as the first user shares the data with the second, and the second with the third, and so on. The difficulty of tracing faulty information to its source is another obstacle to data sharing.
Obstacles to sharing data:
- Commercial disincentives
- Data confidentiality concerns
- Investor consent
- Absence of standardized data formats
- Technological shortcomings
- Mistrust in third-party data
- Potential liability for misleading information
- Differences in jurisdictional requirements
But the most intractable obstacle is the need to obtain the agreement of investors to reuse their data. This is particularly true of retail investors. If they agree that the data they gave to one fund manager, transfer agent, or fund platform can be shared with another, it precludes the risks associated with breaches of data privacy obligations such as GDPR. It is also the right thing to do. It gives the customer control over who can access and use their data, and the purposes for which it is used.
The way forward
The obstacles to sharing data are certainly many and varied. They include commercial disincentives, concerns about the confidentiality of client data, the absence of standardized data formats, technological shortcomings, lack of confidence in data gathered by others, awareness of potential liability for misleading information, differences in jurisdictional requirements, and the need to secure the agreement of investors to share their data.
These problems have persuaded many people in the funds industry that a more efficient way of running KYC and AML checks will remain forever elusive. The obvious way around them – a KYC utility from which only those who contribute can benefit – is tainted by numerous failed or partially successful attempts by industry consortiums to build one.
With a bewildering array of vendors now pushing ahead with technological quick fixes as well, a degree of cynicism has set in. Yet a solution is possible if expectations of a single, grand, and all-encompassing solution are set aside in favour of a gradual, cumulative approach.
The obstacles to data sharing can certainly be overcome. Shared information can be filtered to ensure it contains nothing of value to a competitor prospecting for clients, solving concerns about breaches of client confidentiality. Institutions of different sizes already share information in this way. In the United Kingdom, for example, banks, retailers, and energy and water utilities share data with credit reference agencies on the basis that they receive the same level of data that they contribute.
The variation in the thoroughness of KYC and AML data gathering by different institutions could be countered by agreement on a standard questionnaire. Documents of this kind are being used by the payments and securities industries, in both cases still leaving room for individual variation. A variety of industry groups and trade associations are now working on a funds industry equivalent of the Wolfsberg AML Principles questionnaire used in private and correspondent banking. A questionnaire that covers, say, 80 per cent of the verifiable data points required to onboard a client is eminently achievable.
That is because there is a great deal of commonality in the data required to complete a KYC and AML investigation, irrespective of the demands of different jurisdictions and internal KYC and AML processes. This is true whether an investor is a retail (typical details include name, address, date of birth, passport, driver’s licence, electoral register, and utility bill) or corporate (requiring e.g. entries on a company register, tax codes, audited accounts, bank statements, and lease agreements). The remaining 20 per cent leaves ample room for individual firms to add their own requirements and for adaptation to jurisdictional differences.
Nor should the technological shortcomings of existing systems be allowed to obstruct data sharing. The constraints imposed by legacy technology can be overcome by drawing up a data dictionary and mapping its terms against the proprietary data sets so that flat or plain text files can be converted into the right format. Shared data can also be secured against cyber- attacks or data breaches using orthodox data security and anti-hacking methods.
Fund managers, transfer agents, or fund platforms that believe they will contribute more (or more valuable) data can be rewarded by variable fees. This means only two obstacles remain. The first is the liability for the quality of the information, which is scarcely a new problem. Existing providers of KYC and AML information are not liable for the quality of the information they collect and share, or for decisions that are based on it. The problem of liability is contractually soluble.
Overcoming the second and final obstacle (the need to secure the agreement of investors to the reuse of their data) requires a less familiar solution – a digital identity (digital ID). Digital IDs are unique, reusable identities based on documents submitted by investors that are authenticated by a trusted service provider, ideally working to an agreed global standard of verification.
Digital IDs put investors in charge of maintaining their data and granting access to it. It is their responsibility to update the information on which their identity is based when some component of it (such as their name or address) changes. They would choose which fund managers, transfer agents, fund platforms, and fund distributors can access their digital ID through their service provider. In other words, their agreement to the use and reuse of their data is built into the process every time they invest, irrespective of the fund or the jurisdiction.
This is especially true of retail business, but digital IDs need not be restricted to retail investors. They are just as viable an idea for corporate distributors. In fact, retail digital IDs would be helpful to major fund distributors because they would make it much easier for them to prove to a fund manager, transfer agent or fund platform processing their aggregated orders that their KYC and AML procedures were sound.
Digital IDs that work in this way would save fund managers, transfer agents, and fund platforms time and money. More importantly, they would improve the customer experience. Investors would no longer have to repeat the KYC and AML checks every time they purchased a fund. Since they would control their own data, they would also control the degree of intrusion they are prepared to tolerate, especially in investigations that require layers of intermediation to be probed in pursuit of an underlying beneficial owner.
However, the growth and success of digital IDs depend on regulatory support in every jurisdiction where funds are bought and sold. Support means certification by regulators of digital ID service providers and of the systems they use to verify identities. After all, if digital IDs are generated and maintained on a purely commercial basis without regulatory endorsement, they will have no greater validity than any other form of assurance by a third party.
It is now becoming evident that this lack of support for digital IDs from regulators is one reason why the funds industry has not endorsed them. In the United Kingdom, for example, the funds industry is one of the use cases identified by the TISA Digital ID Project, which has the support of the regulator (the Financial Conduct Authority), the central bank (the Bank of England) and the government (HM Treasury and the Department for Digital, Culture, Media, and Sport).
Other national regulators are now likely to support digital IDs, following the publication of FATF guidance on how digital IDs can be used to meet FATF Recommendation 10. Recommendation 10 requires national regulators to ensure regulated firms can identify customers and underlying beneficial owners for AML and CFT purposes using “reliable, independent source documents.”
A second obstacle to widespread adoption of digital IDs is that onboarding teams are not convinced that a digital ID is an adequate substitute for a full set of KYC and AML checks. Many of the components of a KYC and AML check (typically, proof of address, beneficial ownership of a company, citizenship, country of residence or occupation) are not always parts of a digital ID.
In addition, the documents used in a KYC and AML investigation will still have to be certified by the physical signature of a trusted individual. This will be true until there is a change in risk assessment procedures and/or more widespread use of electronic or even digital signatures secured by public and private keys.
Users of digital IDs will want to be confident that digital ID service providers are collecting these certified proofs rather than relying on assertions. Setting “assurance” standards by which the reliability of digital IDs can be judged is worked the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) are undertaking.
One reason global standards are required is that digital IDs are bound to remain national in origin. Few fund managers have substantial retail client bases across borders, and nor do many distributors. Even within the EU, investors tend to invest locally. 70 per cent of assets under management in EU funds are held in funds registered for distribution in their national market only, and only 37 per cent of UCITS and three per cent of AIFs are even registered for distribution in more than three member-states.
Another reason global standards are needed is that digital IDs are also likely to be generated by more than one provider in each country. A centralized database in each jurisdiction, which gathers the documentation once only, stores it in an accessible online repository, and charges fees to access it, is a good idea in theory. The Findel Group report of July 2016 called for a utility of exactly this type. However, it is too lavish a project to execute and maintain and is more vulnerable to cyber-attacks.
A decentralized model, in which the digital ID documents are held in multiple databases, and investors are responsible for updating them, is a safer and less ambitious alternative. The GOV.UK Verify digital ID scheme in the United Kingdom already makes use of multiple “certified companies” to verify identities.
Importantly, a decentralized model is better suited to building investor control of their data into the process. Investors would not have identities set up without their knowledge. They would update documents to keep their digital ID current. Users would access the information with the agreement of the investor only. This need not be a repetitive process. Investors can be persuaded to agree to reuse at the point of onboarding because they know it will make future purchases less burdensome.
With digital ID databases scattered nationally and internationally, delivering a global digital ID service for fund managers, transfer agents and fund platforms depend on the ability of multiple databases to inter-operate. Inter-operability will be driven by the consumers of the digital IDs, including fund managers, transfer agents, and fund platforms.
As long as the consumers of the data are not satisfied that digital IDs are an adequate substitute for a full KYC and AML investigation, inter-operability would also have to encompass document databases such as passport offices, issuers of drivers’ licences, electoral rolls, company registers, lists of PEPs and sanctioned states and individuals, anti-fraud databases, and commercial sources of information. Inter-operability of that scale and extent depends on the development of data standards.
Standards are notoriously hard to devise and enforce, especially among smaller market participants, and at a global level, but the work has begun. In the United Kingdom, the Electronic Transfers and Re-registrations Market Practice Group (UKETRG) is working to standardize market practices and information exchanges in the fund’s industry.
If standardization is extended to databases of KYC and AML information, the gains in terms of cost reduction are potentially enormous. The standardization of terms within multiple databases would not only make it easier for onboarding teams to source documents: it would also minimize adoption costs by allowing data to be mapped rather than systems replaced. As confidence in the accuracy of standardized data increased, entire KYC and AML processes could be automated.
Over time, inter-operability between databases would also drive a gradual convergence of the market practices by which identity is validated (obtaining evidence of claimed identity, such as a passport or driver’s licence) and verified (checking the identity belongs to the person claiming it by asking knowledge-based questions or matching a photograph to an official document). The World Economic Forum began standardizing these processes four years ago by labelling them as attribute collection (capturing and storing user attributes) and authentication (linking users to the attributes).
In addition, the ISO is working with the IEC, which develops standards for electrical and electronic technologies, to finalize a global standard for digital ID systems. They are building on the work done by the National Institute of Standards and Technology (NIST) in the United States and under the Electronic Identification, Authentication, and Trust Services Regulation (eIDAS) in the EU to set standard “assurance levels.” This measure the level of confidence that users can place in the reliability and independence of different digital ID systems.
Making it happen
The vision of a more efficient KYC and AML screening process for onboarding new funds industry clients and checking the credentials of existing ones is becoming clear. It is one in which digital IDs replace complex, manual, and paper-based KYC and AML processes. The digital IDs will be issued by the regulator-certified service providers who will verify the identities claimed by retail investors and institutional intermediaries.
The holders of the digital IDs will store them and the supporting documentation in accounts at databases they control, and which cannot be accessed without their agreement. Holders will also take responsibility for keeping their digital IDs accurate and up to date. Importantly, the scope of digital IDs will over time expand to encompass those parts of a KYC and AML process that are not essential to verify a claimed identity, but which are important to establish that fund investments are not being made with laundered money or to fund terrorism.
It is a vision that is plausible precisely because its realization depends on steady rather than spectacular progress. Yet it must still be made to happen. Though its benefits in terms of cost savings are large, they depend ultimately on network effects, which will accrue incrementally rather than suddenly and will be felt more at the level of the industry than at the level of the individual firm. So, market forces alone are unlikely to create sufficient momentum for change.
Regulatory intervention can play a role. In India, where digital IDs have progressed rapidly and a national KYC repository is now in place, the government has mandated change. In other countries, the threat of mandatory reform might be sufficient. In the EU, for example, where memories of the disruptive effect of the second iteration of the Markets in Financial Instrument Directive (MiFID II) are still fresh, the fund’s industry might respond expeditiously to a clear statement by regulators on the KYC and AML infrastructure they would like the industry to develop.
But the mere threat of regulation carries with it the spectre of multiple standards emerging, allowing individual jurisdictions, fund managers, transfer agents, and fund platforms to comply with the stated vision in their own way. This effect is already visible in the different ways that the FATF Recommendations are being implemented. It would be better if regulators told the global funds industry exactly what to do, and by when. If this happened, the industry would likely come together to deliver it.