What you should know about KYC vs Data Privacy

By Dave Remue (B-Hive)

How banks develop depends, among other things, on how efficiently they handle the balance between data protection and the need to investigate customers’ sensitive personal data. How are fintechs developing KYC tools that also respect data privacy?

At the heart of its on-boarding process, a bank wants to know if you are a trustworthy person or company to do business with.  Likewise, you, as a customer, want your bank to handle your personal data securely and with respect for your privacy. The implementation of these two principles has become increasingly complex and expensive (and at times even at odds), subject to growing regulations and the expansion of personally identifiable data, calling us to rethink our frameworks of how we deal with identity and trusted data.  Emerging fintechs and blockchain technology hold promise for the right answer.

How a bank validates you as a trustworthy customer has evolved significantly over the past few years. Whereas banking relations were previously established largely on a personal, face-to-face basis, regulators today want banks to perform and document extensive Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) checks. The potential fines or penalties for non-compliance are not to be taken lightly: in 2014, the US levied $13bn in fines against banks for AML violations, including European organisations. Some AML compliance officers have even been held personally accountable for violations. The rules to comply with can differ by jurisdiction, adding to the complexity and to on-boarding times, even more so in financial institutions that still operate with siloed departments where information is disparate and duplicated. In a 2016 Thomson Reuters survey, 27% of corporates reported their bank took over three months to on-board them.

With banks’ due diligence calling for increased transparency and the gathering of customer personal data, concerns about privacy and the secure handling of sensitive data become more prominent. This is not limited to the financial industry, but is also observed in other sectors as our personal ‘digital exhaust’ grows online and through mobile connected devices. In fact, research at MIT and elsewhere has shown that your unique digital footprint is much more difficult to replicate and offers far better security than password-based models. Fintechs such as Veridu offer banks KYC tools using online data of the customer which is accessed with explicit consent. The World Economic Forum (WEF) referred in 2011 to personal data as ‘the new asset class’ and brought together different stakeholders – private companies, public sector representatives, end user privacy and rights groups, academics and topic experts – to establish a user-centric framework for a personal data ecosystem where individuals have greater control over their personal data.

The EU General Data Privacy Regulation (GDPR), which is due to come into force in 2018, brings standardization in privacy laws at a European level and explicitly limits access to personally identifiable data. Its key principles include mandatory explicit consent of the customer to the collection and processing of personal data, the entitlement of individuals to request, and be granted easy access to, copies of personal data held by organisations, and the ‘right to be forgotten’ if a customer requests an organisation to do so. Penalties for non-compliance can amount to €20M or 4% of annual global turnover.

Truly privacy-preserving personal data ecosystems offer individuals transaction-identities which allow the counterpart to validate only the relevant attributes of the individual without affecting the privacy of the core identity. Similar to the situation where a bar owner only needs to know if you are older than 21 to serve you alcohol (and not your exact age of 31 and your name and address mentioned on your ID card), you would have specific transaction-identities which provide sufficient information for transactions in financial services or other goods when online. Such an ecosystem could limit the damage if specific transaction-identities are compromised, since such transaction-identities only refer to certain attributes and not the full core identity of the individual.

As further elaborated in a recent publication by MIT researchers (Hardjono et al., 2016), blockchain technology holds much promise for constructing a decentralized personal data system which allows users to protect, control and own their data. Users could upload encrypted transaction-specific identities to the blockchain – using a privacy preserving algorithm – where they could then be shared with banks and other organisations of their choosing. Dedicated ‘verifying entities’ (e.g. a government institution) would be able to verify the authenticity of the uploaded transaction-identities. The core identities of the users, however, would be kept secure ‘off the chain’. Apart from the technological challenges, such a personal data system requires significant efforts from the different stakeholders to align processes and to create a supporting legal framework. The long-run benefits, however, can be immense.
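The transaction-identity idea from the two paragraphs above can be sketched with salted hash commitments. This is an added example, not code from Hardjono et al. or from B-Hive; all function names are hypothetical, a Python list stands in for the blockchain, and an HMAC stands in for the verifying entity's digital signature.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in: a real verifying entity would use a public-key signature,
# so relying parties could check attestations without holding any secret.
VERIFIER_KEY = secrets.token_bytes(32)
LEDGER = []  # stand-in for the blockchain: append-only list of attested records

def commit(name, value, salt):
    """Salted hash of one attribute; the salt stops guessing values from the digest."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(VERIFIER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue_transaction_identity(core_identity, year_now=2017):
    """Verifying entity: inspects the core identity off-chain, attests derived attributes."""
    derived = {
        # Year-only arithmetic keeps the sketch short; a real check uses the full date.
        "over_21": year_now - core_identity["birth_year"] >= 21,
        "resident_country": core_identity["country"],
    }
    salts = {name: secrets.token_hex(16) for name in derived}
    digests = sorted(commit(n, v, salts[n]) for n, v in derived.items())
    record = {"digests": digests, "tag": _tag(digests)}
    LEDGER.append(record)          # only commitments reach the ledger
    return record, derived, salts  # values and salts stay with the user

def disclose(name, derived, salts):
    """User: reveal one attribute (and its salt) to a chosen counterpart."""
    return {"name": name, "value": derived[name], "salt": salts[name]}

def verify(record, disclosure):
    """Relying party: check the attestation, then that the revealed attribute is in it."""
    if not hmac.compare_digest(_tag(record["digests"]), record["tag"]):
        return False
    digest = commit(disclosure["name"], disclosure["value"], disclosure["salt"])
    return digest in record["digests"]

# Constructed sample core identity; it is never written to the ledger.
ALICE = {"name": "Alice Example", "birth_year": 1986, "country": "BE"}
```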

Banks and fintechs have taken a keen interest in blockchain technology to address regulatory challenges and long on-boarding times, and to allow identities to be managed by their owners. The key characteristic of a decentralised database offered by blockchain technology provides significant potential to increase cost efficiencies and transparency in KYC processes.

A group of B-Hive partners have taken up the gauntlet and formed a dedicated Working Group to explore further how blockchain technology can be employed to enhance KYC processes and identity management within financial services and beyond. After constructing a working demo, a proof of concept is scheduled for delivery after the summer of 2017.

For further reading:

Thomas Hardjono, David Shrier and Alex Pentland, Trust :: Data, a new framework for Identity and data sharing, 2016

Interesting video: David Shrier interview about data framework for identity.

About the author

Dave Remue has more than 20 years of international leadership experience in financial services and consulting gained from JP Morgan, MasterCard, SIX, Mitchell Madison, AT Kearney and Cognizant. He graduated in engineering in Belgium (KU Leuven) and the US (Houston), and obtained an MBA in the UK (Oxford). He also holds certificates in Interim Management (Vlerick) and Fintech (MIT). He now leads the blockchain program at B-Hive.