Expect Blowback if KYC Rules Are Expanded

Register now

The uncovering of an alleged $200 million credit card fraud scheme has triggered calls to expand know-your-customer rules. Those who prescribe ever-greater surveillance should be careful what they wish for.

In what was described as a sprawling criminal enterprise stretching across dozens of states and numerous countries, fabricated identities were used to obtain credit cards and doctor credit reports to borrow large amounts of money. At the heart of the alleged scheme were the merchant processor accounts used to accept and process the cards with stolen identities, authorities announced on Feb. 5. ATM withdrawals involve video surveillance and direct purchasing of merchandise doesn't yield cash. So the fraud ring allegedly used merchant accounts, mostly those of jewelry stores, since it is easier to obtain cash in a bank account using a fictitious sales transaction.

In some instances, sham companies were created and then those businesses established the direct relationship with the merchant processor and purchased the credit card terminals, the FBI said. Involving 25,000 fraudulent credit cards, 7,000 fake identities, and 1,800 "drop addresses," the conspirators allegedly wired millions overseas to Pakistan, India, the United Arab Emirates, Canada, Romania, China, and Japan.

For the duration of the probe, account information was known about the senders of international wire transfers, but not much was known about the recipients.

That is why experts are now pointing to this alleged scheme as justification for the expansion of Bank Secrecy Act and anti-money laundering regulations to include the identification and scrutiny of the recipients of funds associated with high-risk transactions.

Micah Willbrand, director of AML and compliance for LexisNexis' North American Financial Services Markets, told a trade publication, "Laws and regulations today only require that the bank have KYC [know your customer] in place for the sender, not the receiver of money."

"But card fraud schemes demonstrate why it's imperative to have KYC controls in place for both senders and recipients," he adds. As a result of the Foreign Account Tax Compliance Act, "all countries are realizing we need to know more about who's receiving the money. We need to be more transparent about how money is moving around the world, and that is something everyone is coming around to." 

That is a very optimistic assumption, especially since considerable resistance already exists regarding global standardization of information-sharing. Ultimately, compliance would require a lot more legwork and due diligence on the part of banks, and financial institutions have been reluctant to move in this direction. If banks were required to replicate the current KYC controls for recipients as well as senders, the jurisdictional challenges would be complicated and expensive.

Willbrand justifies the investment cost in a subtle advertorial “article”: "The implementation of FATCA will guide financial institutions … globally by providing them with a reference on what verification is required of their customers and the level of due diligence required from them based on their asset transfers. FATCA will, therefore, enable FIs everywhere to create a standardised customer onboarding process that will clearly define risk tolerances and accepted practices for engaging with customers."

Expanding KYC guidelines to include the recipient of funds would require a massive uniform international process that is continually monitored and updated. Additionally, the cross-border sharing of customer information could realistically lead to equally determined calls for reciprocity on the part of U.S. financial institutions. U.S. banks that act on behalf of the recipients of international funds could find themselves swarmed with overseas requests for KYC information prior to any funds transfer.

For Willbrand, it's a Big Data problem of not enough domestic and international information available to detect anomalies and potential risks earlier. Automated third-party systems are more efficient than the manual review systems in place at some banks today. Willbrand says, "Data about identities is not combined internationally. The only way to get an accurate profile is by cross-checking public records with utility bills and bank accounts around the world."

Willbrand's call for expansion of money transfer surveillance powers represents an overreach that merely attacks the symptom of the problem. Privacy and data security rules vary, and sometimes conflict, in the many jurisdictions around the world. Big Data might be the answer, but it should be Big Data at the front end, during the credit card account opening process and the determination of spending limits – not Big Data that extends privacy violations worldwide.

Jon Matonis is an e-money researcher and crypto economist focused on expanding the circulation of nonpolitical digital currencies. His career has included senior posts at Sumitomo Bank, Visa, VeriSign, and Hushmail. Currently, he serves on the board of the Bitcoin Foundation. Follow him on Twitter.

For reprint and licensing requests for this article, click here.
Law and regulation