Opinion & Analysis

CDOs Concerned About Resource-Heavy KYC: Is it Time to Rethink How It’s Done?


Written by: Gergo Varga, Senior Content Manager/Evangelist | SEON

Updated 8:08 AM UTC, Tue April 29, 2025


In April 2021, Financial Information Management (FIMA) and WBR Insights released the results of their survey on “The Evolving Role of the CDO at Financial Organizations”. 

Twenty-five CDOs were surveyed in each of four areas: asset management, hedge funds, insurance, and investment banking. 99% of them are the highest-ranking members of their data analytics practice or share that position with someone else, as published by data intelligence brand Erwin by Quest.

When it came to know-your-customer (KYC) requirements and mandates, only 32% of respondents categorized it as a primary area of concern, in ninth place behind several other areas of focus, such as the GDPR directive and the Financial Industry Regulatory Authority (FINRA). 

However, KYC at the same time occupied the topmost position in the resource-intensiveness list, with 69% of finance CDOs classing KYC as a primary area of resource consumption.

By contrast, risk data aggregation is a primary area of concern for 70% of CDOs, and yet it is considered resource-heavy by just 42% of them. In other words, although KYC is the biggest area of resource consumption, it is the very last area of concern for CDOs in fintech. 

So, is it time to rethink KYC?

KYC Cannot Be Avoided – But This Is Good

In the financial sector — including fintech companies, digital wallets, banking, lending, microfinancing, investment, brokerages — as well as certain other sectors in some locales (e.g., real estate, iGaming), KYC is mandated by law.

This was kickstarted by anti-money-laundering (AML) and anti-terrorism funding laws in the United States, with the Patriot Act of 2001, as SEON explains in a piece on KYC for fraud, and has expanded worldwide with similar legislation in other countries and locales. In Europe, the European Joint Money Laundering Steering Group is responsible for this type of mandate and guidance when it comes to the EU.

The idea was to be able to catch or stop criminals, or at least make it more difficult for them to launder money. However, this has expanded into catching tax evaders, as well as stopping other types of financial system abuse.

For this purpose, specific protocols were introduced requiring the organization to request, collect and store specific paperwork that proves the customer’s identity, date of birth and address — all at the time of sign-up or acquisition of a financial service or product. More documents may be mandated or requested; those mentioned above are the bare minimum for KYC.

Also closely linked to this are CDD (customer due diligence) requirements that extend beyond the initial stage, and often require proof of the source of funds to be used or deposited, as elaborated by KYC3 in their guide.

In essence, KYC is great because it both safeguards the economy and individual organizations, and targets and prevents crime.

In fact, although KYC is non-compulsory in most sectors, several companies across the whole spectrum of commercial activity have decided to use KYC processes even though they are not obliged to.

Why? To prevent fraud.

KYC Can Protect Individual Organizations, Too

Because of its legal beginnings, it is not often that KYC is thought of as part of the fraud prevention arsenal on a micro-scale by your average non-specialist.

However, anti-fraud experts are already employing and improving KYC and pre-KYC tools to protect businesses and organizations. The idea is to use modules that help discover more about each user, in order to know whether they are trustworthy.

There are different levels of KYC, which fall on the hard vs soft KYC spectrum — the former being more intrusive and demanding, and the latter a much lighter touch, normally triggered for users/shoppers/applicants who appear to be legitimate.

Where there is no legislation to demand specific KYC measures, fraud analysts and companies evaluate the situation, gauge their risk appetite and threat landscape, and choose the rules which will trigger each different type of KYC. Will they be asking users for biometric data, proof of address, selfies/video verification sessions? Are they confident letting some through without any of that? And so on.

In this context, an important consideration is friction, which marketing brand Unbounce calls a “conversion killer” for companies. Commercial organizations still want to provide a pleasant and unintrusive user journey, insofar as it does not compromise their security. 

Light KYC is smoother but riskier; heavy KYC is more thorough, but also bothersome for users. Hence, in fraud prevention, KYC combines with other methods of verifying users and gauging their intentions, to send users deemed to be riskier down a different path than those who seem legitimate and safe.

The KYC Privacy Conundrum for CDOs

Naturally, both the government-mandated and the optional, fraud-mitigating KYC processes described above entail dealing with customers’ personal information. 

Information, analytics, and data officers are required to have processes in place to store the data, as well as to be able to remove it after the required period or at the person’s request, per local legislation, and the laws that govern the place of residence of the customer. 

For example, the latter occurs when a California-based online company is handling the data of a French citizen. Despite being outside the EU, this company still has to follow GDPR rules, as explained in a blog post by GRCI Law.

Both more KYC checks and more thorough ones bring in more sensitive data, thus increasing the demand on resources that the survey respondents pointed out. Importantly, performing a KYC check for every user is expensive, adds friction to the user journey, and can even cause customer insults and churn.

One solution to this conundrum is to run frictionless user verification prior to KYC, in order to determine whether KYC is needed at all and, if so, how intensive it should be.

To this end, the fraud prevention software will examine several bits of information that the user is already offering up via their connection — and some through their email and phone number.

The former include data points like device fingerprinting, IP analysis, velocity checks, browser cache scans, and so on, all giving us a general idea of this person’s intentions and profile. As a simple case in point: if they are found to be using a VPN or a proxy, they are deemed more suspicious, because criminals almost always use such tools.

Even more useful data, still without introducing any friction, comes from reverse email address and phone number searches. 

Searching for these in open-access databases and platforms, including Google and Facebook, for example, can give us a wealth of information that can help us figure out (a) if this user is who they say they are, and (b) if this user is suspicious. Such considerations include:

  • Does this email address have social media accounts? How many?

  • Has this email been listed in any known data breaches?

  • When was the earliest known data breach this email was part of? 

  • Does the public information on social media match the user’s provided locale and profile?

  • Is their email registered on a free provider?

For example, at SEON we currently gather information from 35+ different social networks and online platforms for this purpose, including everything from Twitter to GitHub and WhatsApp.

Here, we are using starting points that the user has provided (and is expecting to provide to sign up) to find out more about them, without asking them directly and without invading their privacy, as all of this is public information they have chosen to share with the world.

Requested either manually or enriched via automatic modules, this wealth of data points comes together to create a risk profile for each user, complete with a risk rating. From there, different risk ratings will trigger different KYC protocols, if any at all.
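As an added illustration (not SEON’s product, nor code from the original article), here is a hypothetical rule-based pre-KYC scorer that turns the frictionless signals listed above into a risk rating and routes the user to no KYC, soft KYC or hard KYC. The weights, the tier thresholds, and the reading of an old breach appearance as a sign of a long-lived real address are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical weights and thresholds (illustrative, not SEON's actual scoring).
WEIGHT_VPN_OR_PROXY = 30
WEIGHT_NO_SOCIAL_PROFILES = 25
WEIGHT_FEW_SOCIAL_PROFILES = 10
WEIGHT_FREE_EMAIL_PROVIDER = 10
WEIGHT_LOCALE_MISMATCH = 20
WEIGHT_NEVER_BREACHED = 15
WEIGHT_RECENT_FIRST_BREACH = 10

@dataclass
class PreKycSignals:
    """Frictionless signals collected before any document is requested (constructed input)."""
    uses_vpn_or_proxy: bool        # from IP analysis / device fingerprinting
    social_profiles: int           # accounts found by reverse email/phone lookup
    breach_count: int              # known data breaches listing this email
    earliest_breach: Optional[str] # ISO date of the earliest known breach, or None
    free_email_provider: bool
    locale_matches_profile: bool   # public social data agrees with the declared locale

def risk_score(s: PreKycSignals, today: date = date(2025, 4, 29)) -> int:
    score = 0  # additive rule score: higher means more suspicious
    if s.uses_vpn_or_proxy:
        score += WEIGHT_VPN_OR_PROXY
    if s.social_profiles == 0:
        score += WEIGHT_NO_SOCIAL_PROFILES
    elif s.social_profiles < 3:
        score += WEIGHT_FEW_SOCIAL_PROFILES
    if s.free_email_provider:
        score += WEIGHT_FREE_EMAIL_PROVIDER
    if not s.locale_matches_profile:
        score += WEIGHT_LOCALE_MISMATCH
    # Assumption: an address old enough to appear in a years-old breach is likely a real,
    # long-lived identity; no breach history, or only a very recent one, looks freshly created.
    if s.breach_count == 0 or s.earliest_breach is None:
        score += WEIGHT_NEVER_BREACHED
    elif (today - date.fromisoformat(s.earliest_breach)).days < 365:
        score += WEIGHT_RECENT_FIRST_BREACH
    return score

def kyc_tier(score: int) -> str:
    # Route the user to no KYC, light (soft) KYC or full (hard) KYC.
    if score < 30:
        return "none"
    if score < 60:
        return "soft"
    return "hard"
```

In a real deployment the tier decision would also feed the data-retention side: a user routed to "none" never hands over documents that later have to be stored, protected and deleted.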

Circling Back to Resource Demand for KYC

Finally, we should point out that because the above reduces the number of users who have to undergo KYC, the demands on storage and data management are automatically reduced, for those companies that are not required by law to engage in KYC.

But even those sectors that have to engage every user in KYC procedures can benefit from this strategy. This is because KYC mandates are a minimum, and many choose to add more on top of this, both for reasons of compliance and as a fraud mitigation measure. Moreover, they are not merely protected from legal repercussions but also from fraudsters.

Thus, for CDOs looking to solve the KYC conundrum, pre-KYC verification via lookup and fingerprinting strategies can be beneficial to consider. 

Gergo Varga has been fighting online fraud since 2009 at various companies,  even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager/Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.
