The Race to Build a Know-Your-Customer Registry
The KYC Registry is the next flagship in financial crime compliance, delivering on our commitment to provide community-wide solutions for the industry, says SWIFT CEO Gottfried Leibbrandt.December 11
Markit and Genpact Limited have debuted a new "know your customer" service to help banks deal with heightened regulatory challenges and risks. The product was designed in collaboration with Citigroup, Deutsche Bank, HSBC and Morgan Stanley.May 22
The theory of multiple discovery holds that independent people tend to make the same breakthroughs almost simultaneously. Alexander Graham Bell is widely credited as the inventor of the telephone, but he was beaten to the punch years before by Italian immigrant Antonio Meucci and narrowly edged out another inventor, Elisha Gray, who went to the patent office on the same day in 1876. Three different doctors developed polio vaccines, and Isaac Newton and Gottfried Leibniz separately drummed up calculus in the 17th century.
This phenomenon helps explain how the financial industry hive mind has landed on a common solution to the unwieldy process of vetting customers' identities. In an effort to help banks manage compliance with know-your-customer rules and other regulations, multiple organizations are launching centralized registries that store, authenticate and share corporate clients' information.
Industry-owned groups Swift and the Depository Trust & Clearing Corp. each have their own registries, and commercial companies like Thomson Reuters, Strevus and a joint venture between Markit and Genpact have also gotten in on the action. But it is yet to be seen which will emerge as the Alexander Graham Bell of the field and whether the idea will take off in the first place.
"There are a lot of people who are saying, 'Who's going to win this race and where's it going?'" said Virginie O'Shea, a senior analyst at Aite Group.
Banks and their corporate clients tend to agree that the current know-your-customer system is due for an overhaul. Banks spend a lot of money and manpower hunting down and authenticating clients' financial information, legal records and scores of other data to root out money laundering, terrorist financing and other criminal activities. Meanwhile, customers resent the process because each new bank they do business with requests the same information over and over again. Sometimes separate departments within the same institution ask them to resubmit paperwork.
"I can't tell you how many times over my long banking career I've had a client say, 'We already provided that information,' or 'I went to another bank and provided it one place and then they turned around and asked it somewhere else [in the same institution],'" said Stephanie Wolf, a managing director in Bank of America's global transaction services business who supports efforts to build common registries.
The registries are an attempt to create a more efficient system. The basic idea is that clients will voluntarily submit their own information via standardized forms, which the registries then compile, verify and release to individual banks with the client's permission. The services aim to spare clients the hassle of submitting redundant information and allow banks to cut straight to determining how the clients fit into their risk policies theoretically helping institutions trim costs and open customer accounts faster.
But critics are quick to point out potential pitfalls of the concept. Not the least of which is the question of whether having multiple registries defeats their intended purpose.
"The clients that contribute documents want to go with as few parties as possible if there are 12, there's no advantage," said O'Shea, who wrote a white paper on the subject commissioned by the DTCC. "It's going to be the clients who dictate who wins. Others will exit the business, since you can't make money unless you've got enough people on the platform."
O'Shea expects no more than two or three services to ultimately emerge as victors. The registries offered by Swift, Thomson Reuters, the DTCC and Markit/Genpact are some of the larger players now in the running, she says, although future entrants may also have a shot. Swift's registry for correspondent banking went live last week. Thomson Reuters' Accelus Org ID service, which debuted in March, is intended for participants in the capital markets and in commercial banking. The DTCC's Clarient, currently in its soft launch phase, caters to broker-dealers and their clients, while the Markit/Genpact venture, now live, focuses on institutional banks.
As long as the registries are complementary, there's no problem with banks and clients toggling between multiple databases, according to Luc Meurant, head of banking markets and compliance services at Swift.
"What doesn't make sense is if you have competitors going after the same market segments," said Meurant. "We believe that over time, we'll end up with a number of providers, each focused on areas that can bring distinctive value. The issue is large enough for all providers to find a sweet spot."
Big banks are already partnering with Swift and DTCC to develop their registries, which would seem to signal the industry's willingness to collaborate with one another to improve the vetting process.
Credit Suisse, Goldman Sachs and JPMorgan Chase are among the founding banks behind Clarient, while 20 banks have signed onto Swift's registry including JPMorgan, Citigroup and HSBC. But some industry experts argue that banks will ultimately prove reluctant to give up their edge over the competition by sharing the same resources.
"I do think compliance is a competitive advantage, done properly the ability to execute on regulations, giving confidence to your customers that you'll be processing transactions that are appropriate," said Richard Yorke, executive vice president and head of the international group at Wells Fargo. "If you can do that better than others, especially in transactional banking, that's an advantage. Customers need reliability and certainty."
Banks that are good and fast at compliance can pull ahead of their peers, the people behind the registries acknowledge. But they argue that a financial institution can make use of their services while maintaining an upper hand.
"The real risk management comes from the bank consuming the [client] information," Meurant said. "It needs to look at its own information and risk policies to see if [the client] is in line with its risk appetite."
"The banks won't share the work they've done [in assessing risk]," Meurant continued. "There's no appetite for that."
Moreover, it's in banks' best interests to make the process of gathering information about clients more straightforward and consistent, according to Wolf. Her employer, Bank of America, is among the institutions that agreed to jointly develop and use Swift's registry.
There are still opportunities for banks to differentiate themselves from the pack if they "find ways for internal processes to flow in a more streamlined way," Wolf said.
Even if banks are willing to cooperate on the registries, other hurdles remain. Regulators' level of comfort with the emerging pack of KYC managed services is also subject to debate.
"I don't think the regulators would allow a common utility," said Wells Fargo's Yorke. "In regulators' view, banks have to take personal responsibility around compliance and risk management. I struggle with concept of outsourcing that."
Anna Mazzone, the global head of KYC managed services at Thomson Reuters, begs to differ. Her company's Accelus service collects corporate clients' information, categorizes it according to an estimated level of risk and reviews the company for changes in its legal structure, board members or other developments that could affect its status. She says she's discussed the service with a wide range of regulators.
"Regulators by and large are supportive because of the fact that [the utility] creates a standard, and having standards particularly for Americans is a much better way for them to be able to go in and do an evaluation of a company," Mazzone said. "They want the banks to be spending more time analyzing the legal entity, not turning this into a check-the-box exercise of just collecting documents and stuffing them in a file."
Trade repositories, which collect and maintain records of derivatives, have also helped regulators become accustomed to the idea of third parties storing data, according to O'Shea.
"I don't think regulators will be too worried," she said. "They will insist on a high level of security and a lot of discussion about resilience and recovery plans. That will put pressure on [the third parties] to make sure they're doing a good job of protecting information."
That said, the security concerns raised by the prospect of storing large quantities of sensitive customer data in a single database or portal are not to be dismissed, according to technology consultant Dave Birch.
"I have a slight worry that if you build a big database of this stuff, it becomes a single point of failure or compromise," said Birch. "The case study I would use for that is [South] Korea, which decided to build a big database with everybody's IDs. The database was compromised by criminals and the whole thing had to be scrapped."
The crowded playing field of registries has also given rise to technology that helps clients and banks move between the options as needed.
Strevus offers both a registry and a platform that acts as a "connective tissue" between other services, according to Ken Price, the firm's vice president of business development and alliances. The firm's dashboards allow banks to view their clients' profiles in different registries.
A mobile application by Trunomi, a compliance software provider, works across registries to let bank clients provide consent to share their information with financial institutions and other regulated entities.
The technology could have broader implications for retail banking down the line, according to Trunomi founder and chief executive Stuart Lacey. Customers who have control over their digital documents could submit them to multiple institutions while applying for mortgages and credit cards, he said, potentially helping them to receive more competitive offers.
Customers' digital identities would "have the portability of phone number," Lacey said. "You're not beholden to any one provider because they sit on your data set."
The registries offered by the DTCC and Thomson Reuters also have uses that go beyond KYC compliance, according to the organizations' representatives. Both claim that their services can help institutions and their clients navigate a wide range of regulations, including the Foreign Account Tax Compliance Act, which requires banks to collect Internal Revenue Service forms from their clients to sniff out tax dodgers.
Clarient is "a broader mechanism for improving relationships to exchange data and documentation. It's not just about KYC," said Mathew Keshav Lewis, head of client engagement, integration and partnerships at the company. "When we've spoken with the large dealers and our founding banks, we see there's a long line of regulation that's still coming."