Know your customer/client
Author: Valentina Bulatović, Head of the Division for Development and Financial Technologies
The importance of knowing who you are doing digital business with
The slogan “Know Your Customer/Client” (KYC) is an international standard in the field of preventing money laundering and terrorist financing. In a broader sense, KYC represents a set of procedures that enables the identification and verification of the identity of clients in the financial services sector, but is also applied in other industries. The process usually consists of several mechanisms: customer identification, and analysis and verification of the data provided by the customer. Financial institutions are also obliged to keep customer information updated and accurate, and to continue to monitor the account. If there are grounds for suspicion of money laundering and terrorist financing, or any other criminal offense of fraud or abuse, a more detailed analysis is carried out based on a list of indicators for identifying suspicious transactions and customers, with further action being taken in accordance with statutory obligations.
Most countries have defined KYC rules and regulations aimed at preventing money laundering and terrorist financing, but the levels of these mechanisms can vary. There are rules for dealing with customers, reporting, data storage, internal control, risk assessment, risk management and communication.
When it comes to Montenegro, the existing regulation imposes the obligation of personal presence when opening an account, whereby banks hand out forms to their customers, with the contents and scope of collected information varying from one bank to another. One of the biggest changes in the new regulation that is being prepared is the additional possibility of opening an account and signing a contract with the bank online. This law will bring new dynamics to this area, introducing innovations such as electronic customer identification and video identification.
With the help of KYC, the counter becomes a thing of the past
The field of KYC is a hot topic globally and offers significant potential for further improvement and development, through digitization processes and the application of modern technologies, that is, the establishment of "eKYC". Electronic KYC refers to fully digitised processes that utilise various technological solutions for the identification and verification of clients' identities. The objective is to achieve a powerful and efficient eKYC that guarantees speed, transparency and especially the security of digital processes and data that are subject to further analysis.
There are different ways and experiences of how electronic processes can improve the KYC procedure. Sometimes, the main focus is on increasing the efficiency and shortening the duration of the KYC process, sometimes on improving the success rate of mechanisms for detecting and preventing financial fraud or on increasing the protection and security of personal data, while some services are more focused on providing assistance to banks and other financial institutions in monitoring and implementing regulatory obligations. Today, there is a significant number of fintech companies specialising in eKYC services and tools.
Objectives, methods of application, and experiences vary across the board. In some countries, eKYC represents a part of a set of electronic services based on the Centralized Register of Electronic Identities of all citizens, which is an excellent basis for creating new digital services in various industries. Thanks to the largest biometric database Aadhaar, financial services providers in India have significantly shortened the time of eKYC procedures and ensured the financial inclusion of a large number of citizens, which can also represent one of the goals of introducing eKYC procedures. In recent years, the practice has been recognising various industry standards focusing on technical requirements, so bank clients are still faced with a variety of procedures, data definitions, guidelines, and standards. At the European Union level, there are processes aimed at establishing fully digitised and harmonised KYC processes that will function in the daily practice of the EU Member States.
This means that once we have completed the KYC process in any EU Member State, digital services in other countries will become available without any additional steps with respect to establishing identity. In order to achieve this goal, one of the prerequisites is the establishment of an efficient and reliable technological infrastructure. Regardless of the dynamics of the EU accession, it is necessary to catch up with the described processes.
KYC is only as secure as its weakest link
The digitization process is inevitable and unstoppable. Along with the obvious advantages of applying the latest technological trends that adapt services to the lifestyle of a modern man, there are also new risks and dangers that this development entails.
To begin with, it is important that all participants are aware of the various forms of risk and danger, and that they then take strong measures to prevent and detect various types of abuse.
In addition to the standard methods of cyber protection that predominantly focus on preventing unauthorized access, technologically developed societies face another type of fraud, and that is in the area of KYC. This entails creating fake, so-called “synthetic” identities that are used for fraud not only in the area of financial services, but also in some other industries that work with remote identification of clients.
According to the definition, false identity fraud means the use of a combination of personal data to invent a person or an entity in order to commit a crime, i.e. for personal or financial gain.
Synthetic identities falsify basic personal data that are usually submitted when opening a bank account by a new client: name and surname, date of birth, address, personal identification number or tax identification number, and are supplemented with a set of additional information, such as a phone number, e-mail address, ID of the device or its IP address, and the like.
Once formed, a false artificial identity, unlike some other types of fraud, is not easily detected. Namely, it initially exhibits standard behaviour with minimum financial activity, which is similar to the normal behaviour of real users. This continues until the opportunity arises. According to the US FED, in August 2020, two men from South Florida were arrested on charges of bank fraud, for creating more than 750 false identities dating back to 2017. After a “dormant” period of almost three years, these “synthetic” identities were used during the COVID-related inactive measures, to misuse millions of dollars from the emergency loan program.
False identity - a real danger
How to detect false identity fraud? There is more than one indication of suspicious identity. Usually, it represents a combination of several factors that may indicate the need for additional cross-checking. The checks refer both to that account and to accounts that are potentially connected with it, while trying to determine whether there is any lack of logic in the identity data. Some examples of suspicious situations that trigger an alarm and require an additional examination are situations when: a large number of bank users have the same or similar personal data, such as address, phone number, IP address or similar; there is a discrepancy between the client's age and the history of his/her credit activities; a large number of bank users report suspicious, non-existent e-mail addresses; there is a large number of personal identification documents with a recent date of issue.
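As an added illustration (not code from the author or from any bank's system), the sketch below applies three of the indicators listed above to constructed sample applications: personal data shared across many accounts, credit history that is implausible for the client's age, and recently issued identity documents. The field names, the sample records and all thresholds are assumptions; the e-mail existence check is left out because it needs a network lookup.

```python
from collections import defaultdict
from datetime import date

# Constructed sample applications (not real data). Field names and every
# threshold below are assumptions chosen for illustration only.
FIELDS = ("id", "dob", "address", "phone", "ip", "credit_since", "doc_issued")
ROWS = [
    ("A1", date(1985, 3, 2), "12 Main St", "555-0101", "198.51.100.4", date(2008, 5, 1), date(2019, 4, 9)),
    ("S1", date(1990, 1, 15), "7 Oak Ave, Apt 3", "555-0199", "203.0.113.7", date(2012, 2, 1), date(2024, 5, 10)),
    ("S2", date(2001, 7, 20), "7 OAK AVE,  APT 3", "555-0199", "203.0.113.7", date(2010, 1, 1), date(2024, 5, 12)),
    ("S3", date(1978, 11, 30), "7 oak ave, apt 3", "555-0142", "203.0.113.7", date(2000, 6, 1), date(2024, 4, 28)),
    ("A2", date(1995, 9, 9), "44 Hill Rd", "555-0177", "198.51.100.9", date(2016, 3, 1), date(2021, 8, 15)),
]
APPLICATIONS = [dict(zip(FIELDS, row)) for row in ROWS]
# Accounts per shared value, minimum age at first credit, document age in days, flags to escalate.
SHARED_THRESHOLD, MIN_CREDIT_AGE, RECENT_DOC_DAYS, MIN_FLAGS_FOR_REVIEW = 3, 18, 90, 2

def normalise(value):
    """Fold case and whitespace so trivially varied values still match."""
    return " ".join(value.lower().split())

def shared_attribute_flags(apps, attrs=("address", "phone", "ip")):
    """Flag accounts whose attribute value occurs on SHARED_THRESHOLD or more accounts."""
    index = defaultdict(set)
    for app in apps:
        for attr in attrs:
            index[(attr, normalise(app[attr]))].add(app["id"])
    flags = defaultdict(set)
    for (attr, _), ids in index.items():
        if len(ids) >= SHARED_THRESHOLD:
            for app_id in ids:
                flags[app_id].add(f"shared_{attr}")
    return flags

def evaluate(apps, today):
    """Return {account id: sorted indicator names} for every application."""
    flags = shared_attribute_flags(apps)
    for app in apps:
        dob, first = app["dob"], app["credit_since"]
        age_at_first_credit = first.year - dob.year - ((first.month, first.day) < (dob.month, dob.day))
        if age_at_first_credit < MIN_CREDIT_AGE:
            flags[app["id"]].add("credit_before_adulthood")
        if (today - app["doc_issued"]).days <= RECENT_DOC_DAYS:
            flags[app["id"]].add("recent_document")
    return {app["id"]: sorted(flags[app["id"]]) for app in apps}

def needs_review(results):
    """One indicator alone is weak; escalate only on a combination of several."""
    return sorted(i for i, f in results.items() if len(f) >= MIN_FLAGS_FOR_REVIEW)
```

Calling `needs_review(evaluate(APPLICATIONS, date(2024, 6, 1)))` lists the accounts to send for additional cross-checking; the two accounts that share only a phone number stay below the sharing threshold on that attribute.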
Different tools and technological solutions are being developed to check and detect false identities. However, such mechanisms can be bypassed, because they are only as good as the data that was used to “train them” for fraud detection. Created identities are based on falsified personal documents, but are often “supplemented” with fake profiles on social networks, fictitious accounts of utilities’ users, all to create a more credible identity. That is why it is very important that the initial client identification includes the analysis of properly selected parameters, which should provide accurate answers to the question of whether this person really exists. The more data and attributes are analysed, the greater the potential for finding common features.
There are different stages in which identity checks are performed. The first are done at the beginning, when the account has not yet been opened and the user relationship has not been established, that is, during the KYC procedures. These initial checks are also the most important, because after that the detection of forged identities becomes increasingly complex. The next group of checks is carried out within the portfolio to see if there are related accounts, because fake identities are often used to initially carry out regular payment activities and purchases in small amounts, thus creating a payment history and increasing their credit capacity, before committing fraud in a larger amount. The third part of the checks refers to the moment when the potential abuse occurs. Even though it may sometimes seem like a waste of time, because the fraud has already happened, it is still important to carry out a full investigation, as the behaviour of possibly related accounts and data analysis can help to identify other suspicious accounts.
The very nature of identity fraud makes it challenging to detect. The application of modern technologies that use different approaches and methods for detection and prevention can significantly improve the ability of organizations to prevent or mitigate these types of fraud. By applying machine learning, systems identify patterns and generate algorithms based on the analysis of large amounts of real data and statistical models. This is why it is important to have precise identification and reporting of fraud, which would provide greater visibility of fraud trends and could encourage the development of more effective ways of combating and mitigating negative consequences. This is not a fight that can be led by a single institution; it requires a constant joint effort of all parties, exchange of information and raising awareness about different methods of fraud and abuse.