KYC: a compliance challenge requiring increasingly innovative technologies
Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) which is restricted by European regulations, mobilises increasingly sophisticated digital technologies. For banks, the challenge involves mobilising them as effectively as possible, in particular in connection with Know Your Customer (KYC) procedures. Bertrand Bouteloup, Deputy CEO of IDnow, a company specialised in automated digital identity solutions, offers a few explanations.
Since 1991, the European Union has adopted a multilateral approach to combating money laundering with an initial directive stating that Member States must introduce customer due diligence and know-your-customer (KYC) procedures. Ten years later, following the terrorist attacks on the World Trade Center in New York, a second directive added the aspect of combating the financing of terrorism.
How do things stand in 2022, when technological developments offer more opportunities for compliance? “We are now at the sixth European directive,” states Bertrand Bouteloup. Financial institutions need to comply with the requirements of their national regulators, which transpose the directives according to their interpretation of them and their own level of requirements. As a result there is very great diversity in the services and processes implemented.”
PVID, a regulatory framework developed by France that inspires the EU
France is one of the Member States that impose a high level of requirements for remote consumer onboarding by financial institutions. For a long time, there were no remote identification solutions that could be deployed. The qualified electronic signature process was based on a remote interview not really suited to the digital world. Another alternative involved carrying out a micropayment to check the proof of identity, showing that the individual already had an account at a bank.
The situation has changed since last year, as the Deputy CEO of IDnow explains: “France, and more specifically the National Agency for Information Systems Security (ANSSI), has defined a standard for requirements: the Remote Identity Verification Service Providers (PVID). It specifies all of the elements that a service must include to offer face-to-face equivalence. This approach prompted the EU to work on a European standard, ETSI TS 119 461.” These two standards now make it possible to assess the strength and performance of a remote identification service, and offer financial institutions reliable services that meet the challenges of their regulators. Furthermore, it is possible to envisage that remote identification solutions in Europe will eventually be standardised, in line with the revision of the eIDAS regulation. “The experts are starting to discuss defining the technical specifications, and we are gradually managing to standardise the identification solutions”.
Different types of KYC processes available to establishments
For banks and financial institutions, the PVID standard involves checking the authenticity of an identity document and comparing it with the physical identity of the holder. The standard requires the technologies for automatic document verification and biometric verification (facial recognition, liveness detection) to be completed. For equivalence with face-to-face identification, this is made possible by a systematic manual review of the identity document and the liveness video by certified officials. “We do not yet totally trust the technology, and rightly so, but this hybrid method is not suitable for financial institutions,” states Bertrand Bouteloup. Their customers, in particular younger ones, want to be put in contact immediately, which is not compatible with manual processing which takes five minutes on average. “The identification services that we see developing, although they reinforce security, are a real constraint in terms of the digitisation of services. This process, which combines manual and automatic elements, does not favour adoption of the services by banks and financial institutions.”
The alternatives to PVID services are still well thought of by certain players in the finance vertical. The French Prudential Supervision and Resolution Authority (ACPR) defined guidelines in February 2022 validating micropayment by bank card in addition to verification of the identity document. Establishments can therefore use an automatic verification process for identity documents accompanied by a micropayment. A process far more suited to the digital world, which can be completed if necessary by a liveness solution, but without any obligation for compliance with PVID. In this case the liveness detection solution is seen as an anti-fraud measure rather than a due diligence check under the French Monetary and Financial Code (CMF).
Third possibility: a qualified electronic signature based on a less demanding process than the ANSSI PVID. “This method involves going back to qualified electronic signature journeys rather than deploying a PVID service,” explains Bertrand Bouteloup. “The advantage of this solution is that it is less restrictive for users, both at the technological level and as regards the documents accepted, and in addition it can be exported to other Member States…”.
Open banking and 2D barcodes to certify documents
Although more reliable solutions exist to prove user identity during customer onboarding, fraud does not only occur when accounts are created. Complexity also arises later on, in procedures that include the authentication of documents, for example to grant a loan. Most of these documents, such as pay slips and tax notices, are not standardised. Solutions exist: a tax database accessible to listed players to obtain a certain amount of information about the tax household; open banking, to retrieve information directly from the bank with the user’s consent… “To overcome the problem of automated processing, open banking will make it possible for financial institutions, provided they have the customer’s consent, to directly download monthly bank statements and identify the salary paid by the employer.” What are the limits? Acceptance by customers, who may have reservations about sharing access codes to their bank account with a third party. “In general, final customers are reluctant to use these systems,” notes Betrand Bouteloup.
Regarding tax notices, the state has approved the inclusion on them of a 2D barcode, a QR code aimed at securing the data and making them impossible to forge. The public authorities have put IDnow in charge of this mission, which will be launched for 2022 tax returns.
In future, an electronic portfolio for all European citizens
Several possibilities remain to be explored to favour automated customer onboarding processes and to limit the risk of fraud: use of 2D barcodes for more of the documents involved in the relationship between establishments and their customers; or initiatives such as Archipels, which uses a blockchain to check and certify access to online services, and is used by EDF, Engie, La Poste and the Deposit and Consignment Office. “The next generation of KYC tools is promoted by the European Commission,” concludes Bertrand Bouteloup. “It is aimed at giving all European citizens an electronic portfolio containing in particular their digital identity, as well as verified credentials such as proof of domicile and a pay slip.”
According to the Deputy CEO of IDnow, the technological developments in KYC compliance go well beyond the scope of digital confidence: “It is above all an issue linked to the transformation of a market, marked by the rapid rise of fintech. For banks and financial institutions, the challenge is to offer flexible and highly automated journeys to stay attractive. For the public authorities, it involves above all ensuring that digital identities remain managed and supervised by the national authorities.”
