The evolution of "Know your transaction": Why KYC alone is not enough

By Antonio DeLorenzo | 14 February 2017

Legacy technology, integration issues, a lack of secondary attributes in payment transactions, and a dearth of uniformity on how Know Your Customer (KYC) is handled are crucial issues for the financial services industry. We examine these problems and suggest how a financial institution can achieve greater clarity through expanding due diligence past KYC by introducing Know Your Transaction (KYT). KYT is about a financial institution having a callable, more complete and granular data-set specific to a transaction.

Terms used to describe compliance processes are painful, tedious, complicated, challenging, and cumbersome. Difficulties retrieving data and weak accountability around due diligence, or checking of transactions, leads to an exacerbated set of circumstances for financial institutions. Coupled with this is the friction in processing payments. This is due to the manual nature of transactions and the reality that legacy payment systems inherently cause a substantial loss of information, once a financial message is created for transport.

New solutions are starting to emerge in regulatory technology. These assist banks in on-boarding clients, conducting due diligence and sanctions tests. However, there is still a void as to how financial messages associated with transactions can carry information relevant to the transaction, such as regulatory documents, clearances or invoices. Simply keeping track of the counterparts to a transaction can prove difficult. In addition, there may be a need to track these messages with a record for auditing at a later stage, either for AML or other investigative purposes.

KYC is not enough 

KYC requirements for financial institutions are stringent and adhere to a global set of guidelines agreed upon by a collective of jurisdictions. Even though there is a uniformity in what should be known about a customer, there is no specificity detailing these requirements as an internationally acceptable standard. Some jurisdictions have been prescriptive, while others have left it up to the market participants, to be able to fit to the letter and the spirit of the law.

Today, most KYC processes are manual and tend to be static in nature - once a KYC due diligence has been performed, there is little to no follow-up. Often times, once a client is on-boarded, the extent of the file upkeep on that person or company is ensuring it is present in paper form, for however long the law requires. The reality is that things in the world of business are constantly changing. This means that continuing due diligence becomes another issue for the banks. How are banks supposed to efficiently and effectively conduct continuing due diligence on its entire customer base?

As technology plays a heavier role in the financial services sector, the onus on financial institutions will continue to grow. Financial crime compliance will be an area of greater focus. Regulators will become more detail-oriented as innovation continues and they learn more about how markets and their participants can be increasingly transparent. Lawmakers are motivated to keep investors safe, markets fair and efficient, assist in countering the financing of terrorism and fighting money laundering. Knowing not just the customer but also each transaction is going to be an inevitable facet of future regulation.  

New technology, standards and schemes

Interbank payment messaging is a concept that was conceived over forty years ago. Remarkably, the programming language used at the outset, which is nearly obsolete, is the same used today. In practice, this limits the type of messaging and information that bank systems can receive and process. For example, in a payment audit, non-payment related information is very hard to find. It generally resides across multiple systems and those systems, or their archives, have to be mined to collate relevant data. Compounding the problem are the many information gaps, such as who conducted a KYC on the transaction, or who at the correspondent bank processed it. Further, if it has been more than six or seven years since the transaction, there is a high probability that there will not be a complete centralized record of all related information. 

With the advent of the ISO 20022 standard and its MX messages, it has become possible to carry more remittance data in each payment message. However, for the purposes of financial crime compliance and the attaching of transaction-related documents, there is not much in the MX world of financial messaging that is completely useful.

Here's why: interoperability issues between the existing MT and the new MX messages with most of the world is still using the MT standard. Implementation of MX messages means tweaking core banking systems, linking compliance information through databases - and that means even more tweaks. Tweaks are expensive and time intensive. Tweak all you want but you end up using MT converters to reach international correspondence, rendering all that extra info useless!

What makes matters worse is that the recipient bank needs to have its systems configured to pick up the information that a sending bank worked so hard to transmit. This means adherence to Market Practices. There are National Market Practice Groups at a local level and there is a global Payment Market Practice Group. Despite an effort to standardize payments, financial messages are still used in different ways in different markets. SWIFT created a community tool 'MyStandards' as a global reference point which has been very successful. However it is limited to the ISO 20022 standard and MX messaging.

We end up in a situation where banks rely on the tried and tested methods of exchanging information about payments: email, fax, phone, snail mail or couriers.

What next?

The industry is trying to progress. SWIFT, and over 80 banks at the end of 2016, have agreed to pilot a scheme called the Global Payment Initiative (GPI). It is based on a multilateral agreement between participants to give preference to GPI messages. This scheme helps track payments as they move along the correspondent chain over SWIFT and allow customers to see where their payments are at a given point. This is a much needed evolution in correspondent banking. It will address carrying extra remittance information but perhaps not enough to satisfy current regulation on financial crime. 

The real issue is building systems that satisfy both today's regulatory requirements and the potential issues of tomorrow. Banks need to think about introducing systems that can capture information at a level granular enough to assuage the fears of Financial Crime Compliance and Risk Management in the future. 

Know your transaction

At the core of all financial transactions is the need for clarity around the counter-parties involved and the purpose of payment. These constitute the most basic requirements. Complicating matters, if a corporation is making payments to another corporation for example, there may be additional documents required. These may include bills of lading, tax withholding documents, regulatory documents, proof of identity or even proof of residency. Sometimes even more granular detail is necessary, such as who reviewed which document in what step of the process. 

Therefore, the benefits of having information at the transaction level, where that data is centralized and easily referenced, are manifold. Moving to a model where banks know more is key to industry leadership.

KYT is that model. The automated enrichment of messages with accurate and relevant information coming directly from original sources of the data, rather than manually, is the ideal scenario. It creates enhanced trust between affiliates and correspondent banks, reduces operational cost and heightens security, with a streamlined compliance process that counterparts can trust. 

This is not to suggest that customer information would be shared between trusted parties and potentially violate data privacy/protection regimes. Rather it is to say, you are a trusted correspondent bank who can prove you hold necessary KYC documentation. It also means that the information can be evidenced and is irrefutable, due to controls in place. These conditions should be sufficient to satisfy risk parameters at the sending or receiving bank.

Establishing security, accuracy and transparency enhances bank governance and regulatory oversight. This allows bank to focus on core business competencies and generate client satisfaction, while compliance and control for financial crime become a differentiating factor, rather than a costly burden.