Criminals can learn quickly how to exploit automated KYC checks, even biometric ones, to open hundreds of accounts. Firms believe their marketing is bringing in new customers, but a sudden acceleration in account openings can be attacks by criminals taking advantage of an on-boarding weakness, said Uri Rivner, chief executive at Refine Intelligence in Tel Aviv.

“Everything is digital, and we rely on identity checks that are mostly based on data, especially if we want to make it very quick and frictionless,鈥� Rivner said. 鈥淏ut even the more advanced systems that do a video interview or facial recognition 鈥� there are ways for criminals to bypass that.”

Mule accounts

Transparency International Russia (in exile) recently 聽showing the ease by which mule accounts from payments firms authorized by the United Kingdom鈥檚 Financial Conduct Authority (FCA) could be bought on the dark web. And it was reported that Mercuryo.io, another FCA-authorized firm, was to “maximize customer pass rates globally, to expand as fast as they could.”

Financial firms can easily be deceived by stolen identity documents if they do not have proper scanning measures, authentication, and biometrics. There are databases of fake and stolen identification documents against which customers’ documents should be checked to avoid being exploited by criminals opening accounts to sell on as mule accounts.

“The bottom line is if a company is doing a lightweight KYC process without any other controls, and they’re under attack, they were asking for it,” Rivner said, adding that many firms, especially in the US, have implemented behind-the-scenes biometrics and advanced analytics to catch these attacks, while other companies still opt for the high-end, sophisticated identity verification tools.

Electronic KYC is a valid way to on-board clients from a regulatory perspective, but it is unwise to market easy KYC, because that will attract criminals who will quickly exploit it.

Kathryn Westmore, senior research fellow at the Centre for Financial Crime and Security Studies at the Royal United Services Institute in London, agreed. “If you look at the wording of the guidance from the Joint Money Laundering Steering Group, it’s permissible to rely on these third parties to do electronic verification so long as you are comfortable with that,鈥� Westmore said. 鈥淭he real question is: how robust are these companies?”

Criminals can learn quickly how to exploit automated KYC checks, even biometric ones, to open hundreds of accounts.

Not all companies offering these KYC and identity verification tools can deliver, however. Some banks are聽聽that overpromised on the effectiveness of artificial intelligence tools but did not deliver.

The UK’s Payment Systems Regulator (PSR) 聽last year showing nine smaller payment firms were among the top 20 highest receivers of authorized push payment (APP) fraud. The worst performer was Dzing Finance, which saw that 187,695 per 1 million of its transactions were APP fraud. The FCA imposed restrictions on Dzing a few days after the PSR published its data.

“There is a whole range of these firms that continue to operate despite having received [anti-money laundering] AML fines in other jurisdictions or [that] have clear links to Russia or other countries,” Westmore said. 鈥淪ome are advertising accounts that can be opened instantaneously with minimal checks. They’re appealing to people who are wary about big banks and don’t want to give away their information to anybody or to people who want to abuse their facilities.鈥�

Identity verification, not KYC

Some frictionless customer on-boarding tools are not really KYC, they are identity verification 鈥� and there is a difference, Rivner said.

“Banks are supposed to understand the customer, not just know the customer,” Rivner explained. 鈥淏anks knew the customers but also knew the life story of the customer. They knew why the customer was doing what they’re doing. They understood the context around those activities. This knowledge has been deteriorating over the years with the move to digital.鈥�

Identity verification may confirm a customer’s identity, but it does not provide transactional behavior insight to distinguish between suspicious and legitimate activity. This knowledge gap could lead to accounts being frozen too frequently or unnecessarily while the firm investigates transactions. Indeed, these delays can be more detrimental to a customer relationship than cumbersome on-boarding.

While it is important to strive to make financial institutions more accessible, it is fundamental to the prevention of fraud to adhere to the standards set by regulatory agencies.

In order to onboard customers digitally in less than 24 hours, some banks rely tools that verify identity based on聽existing information. These verification tools use customer addresses, credit bureau information, previous bank account details聽to risk-score applicants. Some banks do not ask for photo identification, like a driver’s license or a passport, for customers deemed to be low risk.

Banks can take this approach, because, in the United Kingdom at least, there is no minimum standard for KYC checks. The U.K. takes a principles-based approach and some anti-financial crime professionals believe that is a mistake. Experts said there should be a minimum KYC standard for low-risk customers and principles to apply for high-risk customers.

Reactive controls

Firms should get more information from customers and take more time to conduct checks prior to onboarding, even if it is more expensive. They should then use technology,聽such as artificial intelligence, to build their understanding of customer behavior to detect the difference between legitimate transactions and actual money laundering.

Transaction monitoring is a reactive AML control, according to聽Ray Blake, a director at podcast in London. “[The controls] kick in only when the bank absolutely has to do something. Whereas proactive controls that took time out when there wasn’t a sense of urgency, when something didn’t need to happen to unlock a transfer, for instance, could be going on in the background, and could actually create huge wins down the road, but because we don’t earn those wins today, we’re not going to do it,” Blake told .

To save time and money, firms do minimal KYC checks, but then hire hundreds of people to wade through alerts, most of which are false positives. “What we’ve done here is we’ve said this front-end [KYC] process we’ll do as cheaply as we possibly can. It means that we have a problem, but that’s not today’s problem,鈥� Blake explains. 鈥淭hat’s a problem later down the line when we get more alerts than we need. So now that we’ve got more alerts than we need, we’ll get extra people in to wade through all of those alerts and find the ones that we really need.

“Guess what? The main focus of the technology that’s being introduced is aimed at reducing your false positives by looking at that large pile that you’ve generated and getting rid of some of them for you. Now, is it me or would it be more effective not to create that large pile in the first place?” Blake adds.

Friction in the process

Following up on transaction monitoring alerts can take an average of two weeks, because either bank branch or call center staff are tasked with contacting customers to query suspicious transactions, said Uri Rivner, chief executive at Refine Intelligence, an AML software company in Tel Aviv.

Branch staff at one of Refine’s customers were able resolve suspicious transaction alerts without contacting customers in only 12% of queries. The rest 鈥� 88% of queries 鈥� required multiple calls between the AML team, the branch and customers to resolve.

“Chasing customers over the phone for such inquiries is very high-friction, very costly, and often inconsistent. One person in the branch may run the inquiry in a different way than other people, or one investigation officer may ask different questions than another investigation officer,” Rivner says.

Contacting customers digitally is more effective at resolving queries more quickly. Some 85% of customers contacted digitally complete the process and provide information about source of funds, the relationship of the beneficiary and the nature of the transaction. The process usually takes a few minutes, Rivner notes.

Continuous KYC, modeling the good

Financial services firms treat on-boarding as a procedure that happens once a customer opens an account. KYC processes are a hurdle to entry into the firm, but once the customer is onboarded, information collection for AML purposes, in effect, stops. Bearing in mind that customers can stay with a bank for decades, it is a false economy to minimize the cost of KYC while speeding up the process. Firms should keep learning about their customers because learning more about them, more often, will minimize friction in the relationship, Blake said.

Banks have lost their “KYC superpower” because few in-branch staff have personal contact with regular customers now that most conduct their business online and use digital onboarding to open accounts. Customers’ interaction with their banks is very one-sided now. They make transactions, but the bank has no context because it does not know its customers. Losing the two-sided interaction has led to a sharp decline in a bank’s ability to know a customer, Rivner said.

“Most of the AML alerts, I would say 99%, don’t have that context; so, approaching the line of business does make sense, but the manual approach used today is simply inefficient and bias-prone,” Rivner says.

Good AI and machine learning tools can use data sets that help the financial crime analyst see the difference between money laundering and a customer paying cash for a car.聽That means collecting demographic and transaction data to model common life events involving financial transactions. Is this customer a grandparent sending a cash gift to a grandchild for university graduation?

“Why is the customer moving a lot of funds into the account and doing a big international wire transfer? A good AI model will tell you that the most common explanations are perfectly legit real estate or investment activities. Why is the customer pulling thousands of dollars in cash from their account all of a sudden? The top reasons are related to buying a vehicle or doing a renovation project, where contractors ask to be paid in cash,” he adds.

This approach permits firms to “green flag” transactions. It also requires tapping into a labelled data set of confirmed genuine, falsely flagged anomalies and their legitimate explanations, Rivner said.

Firms should model what good or normal transactional behavior looks like, not just the bad, to get the context with regards to customer behavior.