By Gergo Varga
Some ecommerce platforms wear their customer due diligence (CDD) practices like a government-mandated albatross around their necks, yet they don’t consider how AML and KYC checks might actually be increasing their margins.
Understandably so, really.
The ocean of AML and KYC checks is deep, and any company with a multinational footprint will find it hard – and costly – to navigate. Let’s dive all the way into these ideas and try to identify them, then see how pre-KYC checks can help your company rise to the surface.
First, Some Groundwork
Certainly, some of the confusion around AML policies is due to terms that get used interchangeably. To give yourself the best shot at understanding, we first must define both KYC and AML.
AML, or Anti-Money Laundering, has its roots in the 1970 Banking Secrecy Act, dictating that American banks had to actively work with the US government to stop criminal banking activities. The modern form of AML was realized with the Patriot Act of 2001, and was a direct measure to squeeze the funding of terrorist groups. It broadly requires financial institutions to collect identifying information about their customers, including names, addresses and dates of birth, and use those identifiers to reference lists of sanctions, such as OFAC’s Specially Designated Nationals List.
In 2021, the AMLA refined these requirements for US-operating firms to identify the beneficial owner – Harvard Law defines this as the entity actually controlling 10% to 25% of the money – as well as expanding the legislation to bring cryptocurrencies and crypto-wallets under the umbrella. Fines for non-compliance were also raised.
Know Your Customer protocols are just one facet of AML. Part of CDD requirements, KYC is a verification process that helps bring a company into AML compliance at onboarding.
With the understanding that this process presents a challenge to any institution regardless of available resources, international mandates allow for at least some form of third-party verification.
Here is where a company offering hard KYC checks comes in. Typically for the user, this process will include submitting a genuine, physically present ID in order to confirm their name, age, and address. It might include uploading a photo or connecting to a video stream, or even require digitally notarized identification documents. These are then authenticated or denied by the system, which often involves a human sign-off.
This form of KYC is generally efficient in terms of closing opportunities for fraud but presents a huge expense to the company. In an article on KYC, SEON explains how it is far from foolproof without at least some data enrichment, whilst each manual document review costs the issuing company an average of $1 – ostensibly a small number, until it’s scaled out to cover an entire customer base, including those who will be blocked as fraudulent too. For businesses whose options are limited by slim profit margins, this scale of KYC coverage is totally unfeasible.
The Delicate Balance of Onboarding
Any onboarding process that includes KYC compliance will inevitably increase friction, and the longer the path towards legally-mandated due diligence is, the more likely a customer is to abandon it altogether, increasing opportunity costs.
Thus, the best KYC-compliant onboarding system is one that is optimized to allow the customers to input the bare minimum of information, without compromises to organizational safety. For example, Brazilian digital banking giant Nubank cites simplicity, convenience, and intuitiveness – all shorthand for low-friction onboarding – as its core growth tenets.
It is also, by the way, Latin America’s largest banking fintech, boasting 40 million users. The President of Brazil awarded the company its banking license himself. There is not necessarily a correlation but in terms of a frictionless customer journey, a report from HBS includes a JP Morgan study showing Nubank’s onboarding process takes 20 minutes, receives credit approval within two days, and a working card in eight.
In such an onboarding where friction is as low as possible for good customers, conventional wisdom would suggest that it also makes it easier for fraudsters to gain access. However, with advancements in fraud detection technology, this does not have to be the case.
This is achieved by leveraging pre-KYC checks on new users. Rather than forcing all customers, including honest ones, through the same high-security, high-cost gateway, a system of dynamic friction offers the smoothest experience for both ends. Unfortunately, the current fraud climate is one where an identity is easy to pilfer and use maliciously, allowing bad actors to bypass the average light KYC checks, particularly without the aid of an anti-fraud pre-KYC check.
How Do Pre-KYC Checks Work?
In a fraud prevention suite set up to follow a strategy of dynamic friction, pre-KYC checks look at certain data points of a new customer to ascertain their validity, before that customer has reached KYC.
Some data points that pre-KYC might gather are essentially invisible and frictionless to the new user. For example, their device fingerprint showing a safe and typical or potentially suspicious setup are gathered upon arrival to the website.
Another common data point can be as simple as a new user’s email address – usually an acceptable amount of friction, as most users are accustomed to giving out at that information at sign-up. Starting with an email address or phone number as our primary data, we can source hundreds of useful data points that help us reach a great deal of confidence about the legitimacy of the customer. This is particularly true if the email is old, has been involved in data breaches, and is registered to a good network of social media services. Why? Because small or large, every real email address has a digital footprint online, while fraudsters’ accounts are set up in the dozens, and will not be found on social media, instant messaging, or web service platforms.
A manual review of this data, even by a qualified digital security officer, would take an unfeasible amount of time and resources for a company moving at the speed of ecommerce. When automated into pre-KYC checks, these real-time data analyses go beyond convenience to necessity.
Dynamic Friction, Explained
Think of these pre-KYC checks as the digital equivalent of a metal detector gate in terms of the friction they offer. This metal detector has been finely tuned to weed out the company’s definition of a nefarious user, homing in on known dangerous touchpoints and applying artificial intelligence. One of three things can happen at this stage:
- Good customers walk through this metal detector, get a green light and a beep, and are welcome to shop and interact. They can be trusted. They are very low-risk users. If an organization is required to run KYC checks by regulation, the bare minimum can be applied – the same experience the customer would get with any competitor.
- Potentially fraudulent customers walk through and get an orange light. They get asked to step aside and submit to a thorough pat-down: A hard KYC check, where a frictionless experience is less important than asking more involved identifying questions.
Why an orange light? These customers represent medium-risk. There are data points that have been flagged indicating this person is a fraudster, but the possibility of a false positive is still considered. Faced with the decision to deny their custom or potentially put the company in harm's way, the pre-KYC check has shown us that this course of action, even with the added friction, is the safest route.
- Customers akin to Neo and Trinity in The Matrix approach the gate, armed to the teeth with automatic fraud weapons. They pass through the detector and the red light turns on: a high-risk user. We are certain these people are a risk, so they are blocked from proceeding. There is no need to run any type of KYC on them, which means we have saved the cost of a KYC verification check.
This quickly adds up. The more bad actors are blocked, the better the returns in profit margins. Pre-KYC checks allow a company to drastically cut down on the number of tedious liveness, biometrics or documentation verification checks, and their associated costs.
In fact, in all three of these scenarios, pre-KYC has saved the company money. Not only in terms of the sheer volume of KYC checks but also in the potential cost of having a fraudster running amok in the system. Meanwhile, good customers are treated to a low-friction experience and can be a part of the company’s economy.
Also consider false positives: A portion of those customers who got the orange light will be legitimate customers, and others will be fraudsters. Some more aggressive systems are likely to block all of these individuals outright, which means a bad experience for those good customers who set off the orange light, resulting in both a hit to company reputation and losing the custom they would bring.
Another cost-saving measure facilitated by KYC is when a customer passes the onboarding stage and reaches checkout. Each company can look at its customers and decide whether or not the security checks were strong enough to allow them to bypass 3DS authentication. This form of authentication is required by SCA and PSD2 regulations linked to card-not-present payments.
Typically this appears onscreen as a separate applet from the credit card issuer, asking for the data on your card – and is a common pain point for both customers and confusing for businesses, with cart abandonment rates often spiking at this stage. This represents another huge opportunity cost.
However, if data from pre-KYC is confident enough, Visa notes that there are exemptions from putting a customer through this process, and it is up to the company to enforce both SCA and the exemptions. Their PSD2 charter even includes that this low-friction approach, without 3DS, is to the benefit of all parties.
Summing Up
It is important to keep in mind that international KYC mandates are not in place just to be a headache for financial institutions. Rather, they are meant to protect a healthy economy where businesses can make money without worrying about financing crime and terrorism.
It seems inevitable, however, that cybercriminal enterprises will diversify and learn to profit as fast as the fintech industry, so both legislation and security will always have to move forward to stay in place, fighting new forms of fraud with new layers of pre-KYC.
Nevertheless, a company that has a watertight KYC process, including pre-KYC checks, will very likely have low losses to fraud as well, and be a positive contributor to a safe financial ecosystem.
Gergo Varga is product evangelist at SEON Technologies, a fraud detection and prevention software company. Varga has been fighting online fraud since 2009 at various companies – even co-founding his anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies - SEON Special edition.
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Comments
Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.