Getting to Know You-tility: The Emergence of Jurisdictional KYC Utilities

“Complicated,” “messy,” and “manual” are words often used to describe know your customer (KYC) compliance procedures. Most descriptions are far more bitter and pessimistic, and some are simply unprintable.

KYC is becoming a major cause of concern for financial organizations, especially following more stringent onboarding requirements from regulations such as MiFID II, which will take effect in January 2018. The industry knows it must up its KYC game before this deadline.

A utility model is often suggested as one solution that could help to ease the KYC burden for firms, with promised benefits of lower compliance costs, better efficiency and data accessibility. In fact, utilities already exist that aim to help firms deal with KYC: for example, the kyc.com utility, a joint venture between IHS Markit and Genpact, which standardizes and centralizes client onboarding and due diligence operations; the Clarient Entity Hub; Thomson Reuters’ Org ID; as well as Swift’s KYC Registry. 

Kyc.com started in 2014 and now has 12 of the largest global banks, more than 2,200 buy-side and corporate clients, and 113,000 legal entities registered with it. Swift’s KYC Registry, which launched in December 2014, recently surpassed 3,000 financial institutions signed up. Although these utilities have been a great help for some banks and financial institutions, some say they are not gaining critical mass fast enough. 

“Ideally, industry-established utilities would be better, primarily because they would (theoretically) be more efficient and market-driven. But industry-established utilities have been slow to gain traction and critical mass—neither of the two key players have achieved a critical mass of participants, and they have been in existence for a while,” says Steve Goldstein, vice chairman of regulatory and compliance technology provider Opus Global and former chief executive of Alacra, the KYC and reference data management platform vendor that Opus bought in September 2015. 

“Ideally, industry-established utilities would be better, primarily because they would (theoretically) be more efficient and market-driven. But industry-established utilities have been slow to gain traction and critical mass—neither of the two key players have achieved a critical mass of participants, and they have been in existence for a while.” Steve Goldstein, Opus Global

One answer to achieving critical mass may be jurisdictional, or mandated or national utilities, with local regulators working together with the banks.

Goldstein says regulatory mandates are critical to accelerating regulatory compliance and ensuring that quality standards are met. However, he notes that while financial institutions are typically not keen on mandates, the creation of jurisdictional KYC utilities that require everyone’s participation will ultimately save money for firms.

The Monetary Authority of Singapore (MAS), Singapore’s central bank, is in the process of creating a national utility to “ease the burden and pain” of dealing with KYC, though this is more focused on digitizing and sharing individuals’ data among banks, and will not handle financial institutions’ data yet. 

“The pain is pervasive because KYC and identity authentication are involved in so many financial services, from opening a bank account to making a payment, to making an insurance claim,” said Ravi Menon, managing director at MAS, in a speech at last month’s Singapore FinTech Conference. KYC processes are costly, laborious and duplicative, and an infrastructure solution is needed, Menon added. 

The regulator will leverage MyInfo, a personal data platform developed by the Ministry of Finance Singapore (MOF) and the Government Technology Agency of Singapore (GovTech), the lead agency for digital and data strategy in Singapore, which contains government-verified personal details such as the national ID number and residential addresses. It allows Singaporean residents to provide their personal data just once to the government, and then retrieve their details for all subsequent online transactions with the government.

Next year, MAS will start the MyInfo pilot program together with three banks in Singapore—OCBC Bank, DBS Bank and Standard Chartered Bank—to expand the MyInfo service to the financial industry for a more efficient KYC process.

The national KYC utility will involve several layers of identity verification, depending on the purpose of the transaction, the extent of information involved, and the degree of rigor required.

“The MyInfo service is still a personal data service, and whether or not it will be extended to entities is still up in the air. This could be where legal entity identifier (LEI) registrations come into play,” says a risk practice director at a risk and regulatory technology provider, who requested anonymity.

India is also implementing a new system to ease the process of opening new accounts with financial intermediaries like banks and mutual funds. In 2012, the Securities and Exchange Board of India (Sebi) launched the KYC Registration Agencies (KRAs) to ease the client onboarding process for both investors and financial institutions by creating a centralized pool of investor KYC details. 

Then in mid-July this year, Sebi mandated all financial market intermediaries—including brokers and mutual funds—to make new KYC submissions to online registry the Central Registry of Securitization and Asset Reconstruction and Security Interest of India (Cersai) instead. Cersai was authorized by the Indian government to set up the Central KYC Records Registry (CKYCR), with which reporting entities would need to share KYC information. The centralized KYC idea has been a work in progress for the Indian government, and was implemented on Aug. 1. 

Sebi has given mutual funds until March 31 next year to complete the uploading of KYC data, while other intermediaries must upload clients’ KYC details by Dec. 31 this year. However, this model is not without issues: Sebi has voiced concerns with the Indian finance ministry that the new system has disrupted the common KYC process that has been implemented through existing KYC Registration Agencies (KRAs). Since intermediaries would now have to only report directly to Cersai, the role of KRAs has seemingly become redundant. Also, implementing the new system could create duplicate records, since it requires intermediaries and investors to upload KYC data and documents previously collected under Sebi’s KRAs. 

Like the “no LEI, no trade” rule for firms wanting to continue trading with Europe under MiFID II rules, no investor in India will be allowed to trade unless they are central-KYC (C-KYC) compliant. And with the Dec. 31 deadline looming, industry bodies such as the Association of National Exchanges Members of India (ANMI) are seeking an extension, complaining that the deadline is not realistic for them to upload all their client KYC documentation. 

Even though the Indian and Singaporean utilities will not initially address financial institutions’ data, they could be the first step for other jurisdictions in Asia to follow suit, before possibly later expanding to include financial institutions and make the jurisdictional KYC utility a reality.

A spokesperson from the Hong Kong Monetary Authority (HKMA) notes the increasing interest in using technology for better efficiency and effectiveness of the customer due diligence process, with KYC utilities being a part of that discussion. “The HKMA, similar to other overseas regulators, is actively exploring ways to facilitate the greater use of technology, including KYC utilities, in the banking sector, and we have already started dialogues with the industry,” the spokesperson says. 

“Other regulators are looking closely at the activities in Singapore and India. There are two models that are emerging—one of ‘competitive’ design of a similar utility in the region (perhaps with slightly different design principles), or the potential for wider collaboration between regulators to solve for a pan-Asian utility,” says Dominic Mac, global head of business development at Thomson Reuters, adding that regulators’ involvement in such initiatives is critical to their success, both from a policy alignment perspective, and also in terms of encouraging wider adoption from domestic and international banks.

This would initially be easier to achieve in terms of a single jurisdiction rather than across multiple regions. “The Pan-Asian model, however, remains the ultimate vision,” Mac says.

Goldstein agrees that regulators’ involvement will be key to ensuring critical mass and widespread adoption. “A good corollary is the adoption of the LEI: where there has been a regulatory mandate, there has been wide adoption. And where there has been a regulatory recommendation, there has been limited adoption,” he says. 

Know Your Challenges

Thomson Reuters’ research into KYC in North Asia and beyond shows that banks are inefficient about conducting KYC processes, Mac says. “It takes far too long to open accounts and trade. Operationally, they individually conduct KYC on their clients (who are often multi-banked), and do so with very different processes and at different points in time.”

For example, financial institutions often prefer to contact the client as an initial source of information, rather than exhausting available data sources to build a KYC profile of the client, making the documentation process inefficient.

A jurisdictional utility would solve this problem by centralizing the operational process on behalf of all subscribing banks. By opening up regional data sources in a more scalable and technology-driven manner, there is opportunity to create a better client experience by creating fewer low-value touch points with the financial institutions, by leveraging data—rather than merely documentation—thereby minimizing the requests to end clients, Mac says. 

Of course, establishing a utility is no walk in the park. And not least, there must be a confluence of thought processes between the regulator and the industry as to how one would work operationally. 

“It is, in fact, challenging. In Singapore, the utility model has been in discussions between the regulator and the industry for some years. And while there has been some progress, it has yet to be rolled out,” says Nizam Ismail, co-founder at RHT Compliance Solutions, and partner and head of the regulatory practice at RHTLaw Taylor Wessing.

For example, creating a utility would require addressing legal and regulatory issues on banking secrecy, client confidentiality issues, outsourcing and technology management risks, and also requires a mindset shift on the part of financial institutions to share what would be sensitive client information with other financial institutions, Ismail says. “And careful thought needs to be given as to what sort of information is to be shared, and the sort of technology platform that should be adopted to facilitate this,” he adds.

Singapore has seen heightened focus on anti-money laundering (AML) and counter-terrorism financing investments among financial institutions this year. The MAS’ revocation of licenses of the Singapore branches of Swiss-based BSI Bank and Zurich-based Falcon Private Bank for failing to control money-laundering activities connected with the 1Malaysia Development Bhd (1MDB) fund—which is under investigation for money-laundering in several countries including Switzerland, Singapore and the US—is testament to this. 

On Dec. 2, the MAS fined the Singaporean branches of Standard Chartered and private bank Coutts & Co S$5.2 million ($3.65 million) and S$2.4 million ($1.68 million), respectively, for breaches of AML requirements around their handling of 1MDB-related fund flows, and has also said it will issue a prohibition order against Tim Leissner—former director of Goldman Sachs Singapore, who was responsible for managing the relationship with 1MDB when Goldman Sachs was engaged to arrange three bond issuances for 1MDB from 2012 to 2013—for making false statements on behalf of Goldman Sachs Asia without the bank’s knowledge or consent. 

Thomas C. Brown, senior vice president of global market development and US commercial markets at LexisNexis Risk Solutions, says creating a utility is a challenging task. But a recent survey conducted by the vendor showed that 78 percent of respondents globally felt that the benefits of a customer due diligence utility would outweigh the hurdles. Respondents from Singapore felt even more strongly about it, with 85 percent indicating that the benefits will outweigh the hurdles, he adds. 

There are also issues around the specific type of technology and linking analytics that are required to create a national utility. For example, LexisNexis Risk Solutions works with structured and unstructured data in various languages, and has its own proprietary and open-sourced big data technology and patented and proven analytic linking technology. “Big data technology is a requirement, but perhaps more important is the ability to link people to people, and people to businesses. And that is not an easy task,” Brown says. 

Besides regulators, there must also be a confluence of thought processes between market participants. “If you get five banks in a room to talk about how a utility should work, you will get five different opinions, five different funding models, and five different governance models. Utilities require cooperation among entities that in other arenas are fierce competitors,” Goldstein says.

But setting up a utility should require relatively little effort in practical terms, because the blueprint has already been completed, with operational utilities up and running in South Africa and other regions, Mac says. 

“Certain vendors in the marketplace have already built the necessary core technologies, operations, and datasets to repeat these models in other regions. One example is Thomson Reuters, which set up the world’s first corporate and investment banking utility in South Africa between Barclays Africa, Standard Bank and RMB,” he says, adding that the design principles of this utility can be seen in many elements of other utilities being considered in Europe and Asia. 

But if jurisdictional utilities take off, how will this impact existing KYC utilities like Swift’s KYC Registry, Org ID, kyc.com and Clarient Entity Hub? LexisNexis’ Brown says it is “highly probable” that financial institutions will use one or more utilities. While firms may be required to participate in a local utility, he says that in certain niche segments it would be pragmatic for financial institutions to participate in a pre-existing utility, given the efficiencies it can provide in that particular segment. 

However, he says this does not preclude the need for a utility to address other segments and to reap efficiency gains, adding that unless the national utility is mandated, there is no reason for multiple utilities not to co-exist in the same financial institution’s ecosystem. 

Coexistence of utilities would also require cooperation, and for national and international utilities to share information—a whole separate can of worms, but not without precedent: the recent memorandum of understanding (MoU) between China and Australia to share AML/counter-terrorism financing information indicates an appetite and willingness to collaborate where it serves the national interests of the parties involved. 

Signed on Nov. 2 in Beijing between the Chinese Anti-Money Laundering Monitoring and Analysis Center and the Australian Transaction Reports and Analysis Centre, the MoU will enable the two countries to cooperate on the collection, analysis and exchange of financial crime-related information. 

Regional utilities will have the potential to provide standardized KYC processes and if regulators are actively involved, participants can be assured that they are fulfilling their onboarding obligations consistently. It will then be up to those national and international utilities to share data in a way that addresses the international risks that good KYC practices are designed to prevent.