The Data Challenge of KYC

One of the major issues at Sibos was the question of data. We were bombarded with slogans ranging from Big Data downwards. We were frightened by mention of the data requirements of the Patriot Act, the EU’s third Anti-Money Laundering (AML) Directive or Dodd-Frank. We were shocked by the scale of the issue with SWIFT’s 8000 banks having around a million relationships. And we were depressed by the proliferation of rival Know Your Customer (KYC) data depositories, with 10 already operating across the globe.

But a major problem highlighted at Sibos was the challenge of managing specific data. And that specific data was the information needs for the all-intrusive and ever more mission-critical KYC experience.

From my own chairmanship of the International Securities Markets Advisory Group (ISMAG), I have been amazed at the emotions aroused by talking of data and especially standard data and standard delivery of data. Within ISMAG, where we focus on the data needs of the international securities markets, we agreed that there were around 130 data elements needed to ensure efficient markets.

Howls of protest arose from lawyers at the risks of translating their carefully crafted, semantically demanding and nurtured phrases into anything as precise and indisputable as a data element. There was wailing and gnashing of teeth at the concept that such data could be sent in predetermined formats over approved networks. The reasons are beyond me but remind me of the days when proprietary message formats were seen as a competitive advantage and the idea of standards capturing the complexity of corporate actions was seen as a pipe dream. Interestingly enough, many of the vocal proponents of those bygone philosophies appear to have exited the business!

KYC has a similar feel about it. I have worked in organizations with a direct presence in over 70 markets. I have had the pleasure of dealing, mainly on a friendly and collegiate basis, with regulators in those markets. I have sat opposite lawyers from all the magic circle in many continents, and we have rarely raised our voices in anger. But mention KYC and tempers fray, arms are crossed, the “we shall not be moved” position is adopted.

And there is no reason for this. Taking the existing needs of most of the markets with which I have worked, there is a finite and consistent set of data elements required for KYC. Some are intelligent, some are banal, and some are downright illogical. But, irrespective of my opinion on their value to the process, the reality is that the bulk of markets require a consistent and set number of data elements in order to satisfy the KYC process.

Now standards are hardly exciting. But they need to be logical, and we need a single standard. That does not happen by osmosis, and so we need a regulatory driver to ensure ownership of the standard (but not its usage) by a single entity. I am not saying that should be SWIFT, but the structure of ownership should follow the template used in the ISO messages managed by SWIFT.

And we do need agreement on the KYC database. Like many, I have struggled with the challenge of the SSI databases of Omgeo and others. They are only as good as the information provided by the owner, or originator, of the data. But, if there were a regulatory obligation to keep such data up to date and a given standard for KYC data, we would be in a new and billion-dollar saver world. I cannot understand why it should not be a regulatory obligation of all entities in our securities world (as well as colleagues in other disciplines) to maintain up-to-date KYC information in one of a limited number of approved data warehouses.

And then there is the question of the content and evidencing of data. I cannot see everyone agreeing on this. We need to start with a subset of markets. If the key markets, through their regulators, could agree on the data needed for KYC, the acceptability of holding data in electronic form only and the treatment of such data in approved warehouses as a golden source, then we would be in a brave new world. We have to recognize that all entities gathering data are dependent on the owner of the data, the legal entity with whom they deal, providing them with accurate and valid information. The data warehouses, if they were regulated, and the data originators, at least in financial markets, being regulated, should have liability for the accuracy of their data. The primary responsibility of the data owner would be to ensure that, at all times, their data was accurate and complete. The responsibility of the data warehouses would rest in the integrity of their process to ensure that data was never corrupted and always reflective of the latest update of the data owners.

I appreciate there is more to be done. There should be alerts to users of data when data changes, adaption of data reports as regulatory or market change demands, agreement on use of secure networks to transport data, interoperability of data warehouses and an interesting cost debate for the different, but hopefully not too numerous, warehouses. And my suggestions only cover the regulated financial markets; the corporate and private client segments have their own different challenges.

But we need to move ahead. In the financial sector, is it a job for IOSCO or for a subset of regulators such as ESMA and the SEC with perhaps a nominee from one of the Asian markets? The cost of managing KYC is now exorbitant. The penalties for noncompliance are outrageous. The need for regulatory action is critical. And the action needed is well within the intellectual and functional reach of the regulators. So please could they take a leadership role in this area before they kill us with fines!