Can KYC plug this $2 trillion hole in digital finance?
Necessary evil or necessary friction?
Just last week, I read a BBC report about an FBI agent facing criminal charges for allegedly helping a wealthy Russian oligarch “get off the sanctions list”. It got me thinking about two things -
Russia’s economy is suffering because of these sanctions, but politically, western governments believe these sanctions are the best lever.
These levers only work because the global banking system faces the long stick of compliance.
When Russia invaded Ukraine in February 2022, the Western bloc immediately responded by imposing sanctions. In practice it looks like this - governments (US, UK and European countries in this case) publish PDFs that contain lists of individuals/businesses who need to be frozen out of the global banking system → banks, fintech companies and literally anyone else in the financial services industry must figure out how to comply.
Compliance in the financial services industry largely comes in the form of KYC and AML procedures. To do anything in financial services, you need to Know Your Customer (KYC). It’s the law. The Reserve Bank of India’s fines can go up to Rs 1 crore and above for flouting KYC norms.
Since 2008, globally, regulators have issued over $403 billion in penalties for KYC/AML violations.
The temptation to blame banks is real, but it’s more complicated than that.
There’s the Financial Action Task Force (FATF) on a global scale with 39 member nations - it’s the body that sets customer identification requirements under the Prevention of Money Laundering Act, 2002 (PMLA).
Then come additional regulatory requirements from sectoral and local regulators (think RBI and SEBI).
Then come the KYC/AML norms that Regulated Entities (REs) set up as part of their customer due diligence (CDD) procedures.
KYC/AML norms are exhausting, but can hardly be questioned. Their impact on the global financial system is worth discussing - multiple estimates put the total amount lost to money laundering and economic crime annually between $800bn and $2 trillion. On the low end, that's the GDP of Indonesia; on the high end, it's nearly the GDP of France. More importantly, I want to discuss its effectiveness today.
Know Your Customer, but does your customer know you?
More often than not, the larger audience is incapable of understanding all the interactions that go behind establishing the identity of the customer or the business. More importantly, most customers don’t know how effective these norms even are, since much of this information sits behind closed doors. At the same time, it’s the friction introduced by these norms in the customer journey that often becomes a sore point in making onboarding effective and efficient.
What happens behind closed doors?
To prevent bad guys from doing bad things, the best way is to exclude them from the system. How do banks decide that? By declining to give them an account in the bank, based on -
Basic details declared by the customer
Government-issued legal identity and address proof (passport, PAN, Aadhaar*)
Other risk-related details like income proof, education, occupation
Once these documents are collected, they’re checked for suspicious activities and economic crime -
Money laundering (criminals moving money)
Sanctions evasion and corruption (like the Russian oligarch and the FBI agent)
Fraud (attempts to steal or scam money from someone else)
(this is an oversimplification, but helps with broad categorisation)
*(Aadhaar is not a legally required KYC document - only the owner of the Aadhaar card can decide whether or not to use it as address/identity proof; REs can’t mandate anyone to show their Aadhaar card as proof. It certainly serves as a valid proof of identity and address but other documents such as Voter ID cards and passports work too.)
Sounds tedious, but it is also ineffective for several reasons -
1) It excludes millions of people from the formal financial system. The World Bank estimates that over a billion people don’t have proof of identity - KYC norms then mean that many (who don’t have ill intentions) will continue to be outliers of the formal financial system.
2) Most estimates put the cost of physical KYC for a bank at Rs 250-300, and Video-KYC might cost 10% of that, but KYC/AML compliance costs run into billions globally - this includes
Hiring people to manage physical and Video-KYC
Monitoring onboarded customers through periodic checks (suspicious activity and transaction screening)
Performing periodic checks on own and third-party flows
A study by LexisNexis (True Cost of Compliance™ Study 2022) that surveyed 253 financial institutions in India pegs the average cost of financial crime compliance for each medium and large-sized organisation at $17.77 million now, 13.2% higher than in 2020. 71% of respondents to the survey said that crimes involving digital payments have increased.
3) It’s also a data problem - A McKinsey study says data quality problems account for up to 26% of operational costs. Data exists in silos - each bit of data is a clue but the orchestration layer I keep harping about (the infrastructure) is lacking. Like a detective looking for clues in blood spatter patterns, phone records, or CCTV - it’s not enough to have transaction details and a photo ID. It’s a combination of that plus everything else. The more data we have about a person, their device and their behaviour, paired with good infrastructure that brings all this data together to provide actionable insights through carefully designed workflows, the better we can prevent false positives.
4) This brings me to my next point - friction. Sometimes good customers have one or two blocked transactions and suddenly they’re bad guys; this creates friction. Despite an uptick in digital KYC methods like e-KYC using Aadhaar, C-KYC etc., onboarding remains confusing and inconvenient for customers. Regulators' attempts to balance security and customer experience result in inflexible mandates and lengthy onboarding times, causing frustration for both product managers and customers. Customer Due Diligence (CDD) processing takes several days for all customer types, creating a waiting period for those who need immediate access to financial services.
The True Cost of Compliance survey also revealed the following -
90% of respondents say that financial crime compliance has had a negative impact on customer acquisition (up from 66% in 2020).
81% said that increased compliance burden has had a negative impact on productivity.
Take a look at the table - this basically looks at how different lenders do the KYC procedures for their pay-later products. At its simplest, Minimum KYC is only proof of identity (which as you can see from the table is mostly done by banks that have their own pay-later product) and Full KYC involves either physical KYC or Video KYC (which as you can see from the table is mostly done when REs have lending partners).
Who is a lending partner? It can mean anything from another bank or NBFC to, more predominantly, fintech companies. Partnering with fintech companies means digital lending, a whole other creature with many, many heads (read recommendations from RBI).
Full KYC, with proper policies in place for customer protection, is absolutely necessary, but it means a higher Cost of Acquisition and Turn Around Time for customer onboarding. In a world where customers expect a Netflix-like experience from banking, KYC can really water down the stickiness.
The friction vs revenue trade-off
A McKinsey survey estimates that banks with top customer-experience scores have significant advantages, including a 3% growth rate, 15% revenue increase, and a –4% efficiency ratio.
More recently, KYC documents were made mandatory for buying new health, motor, travel, and home insurance policies. A Business Standard report says agents on the ground have seen a 30-50% dip in the motor insurance segment, specifically in rural areas, while aggregators like Policybazaar have seen an increase of about 25%. The report adds -
“Under the new guidelines, submission of PAN or Form 60 has been made mandatory. Agents indicate that in most cases, it is the non-availability of PAN in rural areas that is derailing the process, while reluctance to share Aadhaar details is also responsible.”
This brings me to my final point - inconsistencies
Indian regulators want multiple types of address proof - current, permanent, and residence. This leaves out the migrant labour population and even the bottom of the pyramid population that can’t check any/all of the address proof boxes. Such people would struggle to produce Officially Valid Documents (OVDs) such as utility bills, and tax receipts to signal their ‘current’ address or even have a valid identity document to prove their permanent address.
Video and the different e-KYC methods have aided the financial services industry greatly, but the inconsistencies lie in how a) Video-KYC is resource intensive, b) not every bank/NBFC/co-operative has the tech capability to carry out digital KYC, c) internet infrastructure is still a challenge in most rural areas, d) only REs and companies with a KYC User Agency (KUA)/Authentication User Agency (AUA)/e-KYC User Agency license can carry out KYCs and e) the limits on loan amounts after completing KYC are limiting and arbitrary in nature. These caps do not meet the credit needs of many individuals who may have high creditworthiness.
This isn't an anti-KYC rant; if anything, I’m pro-KYC. In fact, a solid KYC programme can help build customer relationships that last. Today’s budget speech has allowed for convenience -
One-stop solution of reconciliation and updating of identity and addresses to be established using DigiLocker service and Aadhaar as foundational identity
DigiLocker will simplify the KYC process, especially with PAN as the common identifier
DigiLocker will also be expanded for businesses and hence, might aid in business and MSME KYC for financial services use-cases
The RBI has also made KYC simpler with
a comprehensive set of OVDs,
a provision for e-KYC
KYC via video call
I’m a believer in regulations, but I’m a bigger believer in the power of technology for good. What banks need to think about is how to build a scalable KYC programme. It's easier said than done, but my starting point is usually three-pronged -
Infra-ready: Solid rails that help siloed data communicate and dynamic business rules
No-regret technology: Automating certain KYC processes like case management, policy management and workflows can help increase capacity.
Good design: optimize for customer experience by designing good customer journeys.
Dynamic KYC and journeys: Adaptive journeys and KYC modules that comply with all the regulations while reducing the burden of friction on the end-consumer
Public infrastructure: Public frameworks such as AA etc. can also help pull KYC much more easily with the right technological and legislative backing from central registries.
The nature of governments is to try to centralize everything in their jurisdiction. I’d like to think that the nature of technology is also similar. On the other hand, privacy and data ownership are decentralized by nature and hence, fragmented.
Isn’t it time we figure out how to make two ends meet?
In the meantime, I would recommend reading this comprehensive guide on KYC for digital lenders - A digital lender's guide to KYC: The what, why & how of digital gatekeeping. The devil is in the details and this guide goes into the depths to bring you a handy KYC checklist, a one-stop-shop for all your KYC questions.
I’d love to hear your thoughts!