So, your company has decided to embark on an update of its legacy Know Your Customer (KYC) system. You’ve completed your internal diligence and collected the various internal signoffs and approvals. Now, it’s time to present your new KYC technology solution to your regulator. 

No regulator will “approve” or endorse a vendor solution—instead it will review the new system to ensure it is commensurate with the risk profile of the institution and that it complies with regulatory requirements as well as the institution’s internal policies and procedures.

Using artificial intelligence (AI) and robotic process automation, the new technology can often achieve higher auto-approvals and reduce false positives compared to a legacy system. In addition, KYC technology can mine billions of publicly available data points to provide a complete applicant profile and use facial recognition software to compare an applicant’s submitted mobile phone selfie to an identification photo.

Financial institutions have been among the most eager first adopters of ever-evolving KYC technology, applying tools that improve their ability to screen and verify loan applicants. But new tech can serve other industries as well: Casinos and online gaming platforms can use KYC tech to screen customers who might appear on sanctions or other watchlists, while online marketplaces and social networks use tech to weed out fraudulent vendors and scam artists. Really, any business seeking to verify the identity of a customer might find some value in applying KYC technology to screen low-risk applications so its investigations team can focus its attention on the smaller, high-risk slice of the pie.

Begin at the beginning

According to Jason Somrak, chief of product for AML & Advanced Analytics at Oracle Financial Crime and Compliance Management, the process of onboarding your KYC tech with regulators will take between 18 months and two years. Somrak’s division works with banks to use advanced technology to fight financial crime and modernize risk and compliance operations.

“People won’t be penalized for trying new things,” he says. “But I think regulators will expect that firms won’t throw everything away and start fresh.” There will be a transition, where regulators will want to see that the new KYC technology provides better results than the firm’s legacy system.

“Regulators want to see your work; they want to see the long division and know that the bank understands how the system technology works—why it flags or alerts, why/how are the decisions being made,” says Kimberly Hebb, who spent 20 years as a commissioned bank examiner with the Office of the Comptroller of the Currency (OCC) and is now chief risk officer of BillGO, a bill payment provider. “Many FinTech companies think that their technology is special and needs to be in a ‘black box’ system and don’t want to discuss their processes.”

Regulators want to hear from the financial institution that is planning to utilize new KYC technology—not the vendor, she says.

They also want to understand the impetus driving the move to a new KYC solution. Is the proposal to use new KYC technology part of a planned strategy for growth or a reaction to a deficiency, violation, or past pattern or practice?

Whichever KYC program your institution uses, it “should be commensurate with the risk profile of that institution,” Hebb notes. “It’s not that regulators don’t appreciate the need; there is still the expectation that the bank knows its customer base and provides internal controls.” They also want to know that the new tool has been customized for the financial institution in question, that the results are being actively monitored, and that the processes are being updated as needed.

Regulators ‘leaning in’

With KYC technology becoming a focus of many industries, several regulators, including the OCC and the Commodity Futures Trading Commission (CFTC), are having to adapt regulations.

“We are seeing regulators lean in, even though they’re not recommending particular tools or vendors. We are seeing a very strong adaptation of complicated analytics,” says Johnny Ayers, co-founder and senior vice president of Socure, a FinTech company that provides digital identity verification and KYC solutions through AI, advanced logic, and machine learning.

“Regulators have gotten more comfortable with new KYC technologies, including machine learning (ML) and robotic automation (RA), but they require clear understanding of the model used. While stratifying data may be an easier model to verify, the large number of alerts can only be tackled effectively using ML and RA techniques,” adds Piotr Jastrzebski, director of technology product management for the Financial Crimes Control group at Wolters Kluwer, a risk management and regulatory compliance consultant to U.S. banks and credit unions.

In 2017, the OCC established its Office of Innovation, which was tasked with helping financial institutions large and small to sample FinTech solutions. The agency’s support of “responsible innovation” attempts to balance innovation with prudent risk management.

The agency has formed partnerships between financial institutions and FinTech vendors through an Innovation Pilot Program, created “to support the testing of innovative products, services, and processes that could significantly benefit consumers, businesses, and communities, including those that promote financial inclusion,” OCC Chief Innovation Officer Beth Knickerbocker said in testimony before a House committee in 2019.

Similarly, LabCFTC helps “promote responsible FinTech innovation to improve the quality, resiliency, and competitiveness of our markets” and accelerate “CFTC engagement with FinTech and RegTech solutions that may enable the CFTC to carry out its mission responsibilities more effectively and efficiently.” The Consumer Financial Protection Bureau also has an innovation program that attempts to “promote innovation, competition, and consumer access within financial services.”

Regulators in other countries have similarly embraced KYC technology. In 2019, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) announced it would allow for the use of digital documents to authenticate an individual’s identity. This new policy allows individuals being vetted to scan their “government-issued photo identification document using the camera on their mobile phone or electronic device” and supply it to their financial institution. The individual would then be required to take their own photo with their device and submit it to the institution.

But in order to verify that the selfie and the photo on the identification match, the bank or credit union must have the technology to “apply facial recognition technology to compare the features of that ‘selfie’ to the photo on the authentic government-issued photo identification document,” FINTRAC noted in its 2019 directive on identifying individuals and corporations.

“The tech demonstrated it was feasible,” said Zac Cohen, chief operating officer of Vancouver, Canada-based Trulioo, a FinTech vendor that “delivers trust, privacy, and safety online through scalable and holistic identity verification.” KYC tech vendors were able to prove to regulators the technology was accurate and produced verifiable results, he says.

European regulators seeking to sign off on KYC technology at companies that must comply with the General Data Protection Regulation have sought to understand the “context” of its decision making—that is, how an AI tool arrives at its decisions, without focusing on the individual decisions themselves.

Factors such as the urgency of the decision, its impact, and significance might outweigh a data subject’s wish to know more about the decision-making process, suggesting that a “one size fits all” approach to explaining AI-generated results is unworkable, according to U.K. data regulator the Information Commissioner’s Office.