The Roman emperor Vespasian already stated that “Money does not stink” (in terms of the tax received from the use of public toilets), and so far money is what revolves the World and the desire for money, whether honest or dishonest, has existed since the beginning of time. If for centuries the world fought against counterfeiting, nowadays money laundering has become a big problem, where they are trying to “clean up” money that has been earned dishonestly or illegally in various transactions and make it legal. Money laundering is not an purpose itself, but is part of a fraudulent chain that often starts with bribery, drug trafficking, corruption, and so on. Money laundering has become a particularly acute problem at the beginning of this century, when it has become larger, more international and more complex.
Several international organizations, including the European Union and, of course, all countries themselves, coordinate the fight against money laundering and establish relevant rules. At the same time, a large part of money laundering prevention and control activities has been placed on the shoulders of private companies and financial institutions (so-called obliged entities), who have to identify their customers (conduct KYC – know your customer procedures) and monitor their business relationship. KYC procedures are the first prevention barrier that should identify a potential money laundering risk. The existence of a risk does not in itself mean that it is always money laundering, but, for example, if it is established that a person is politically exposed, this is a sign of the need for additional due diligence measures to ensure that the proceeds are not result of corruption. It often seems to a bystander that doing KYC is a simple and routine procedure where an employee surfs the Internet and databases and collects information about the person. However, how can you be sure that the data that can be found on the Internet is still correct and has not already been manipulated, or that you can identify the parties with whom that person may be related?
We are still in the last century with KYC procedures
With this, we come to the problem that brought me to Accelerate Estonia. In fact for me it all started much earlier. Namely, in 2018, the DIGINNO project was launched in the countries along the Baltic Sea, led by the Ministry of Economic Affairs and Communications. Prior to the project, various studies were carried out and it was found that one of the problematic issues common to all countries around the Baltic Sea is the collection and exchange of KYC data. The DIGINNO project found that for the most part, KYC data is not collected electronically, is not collected from national databases, is not machine-readable and is not moved across borders. As part of this same project, an international working group, led by a signatory, set out a vision of what the ideal KYC should look like in the future to also work across borders. The goal of DIGINNO was not to find a real solution but a theoretical game with ideas and visions.
When Accelerate Estonia’s idea gathering was announced last summer, it seemed a logical continuation to try to realize the idea as a real result. Estonia is one of the leaders in digital innovation in the world, we have a well-developed digital infrastructure and a high level of digital awareness, so if we can prove that KYC can be implemented differently, more cost-effectively but also more efficiently, rest of the World will looks at us and will learn from us. In the case of KYC, this is a complex problem where the private sector itself cannot create a well-functioning and effective solution, but cooperation between the state and the private sector is necessary, and it is a cross-sectoral and cross-ministerial problem, thus a suitable topic that Accelerate Estonia started to unravel.
What is a KYC data exchange service
Our goal is to create a fast, secure and reliable data exchange platform that transmits data from national databases to obliged entities on the basis of predefined profiles. It is not a database, but a tool that mediates data between original sources and obliged entities, with KYC collecting and exchanging data being based on the person’s own consent, which allows him or her to control his or her own data sharing.
If at the beginning of the project we simply called it the “KYC service”, then during the development of the project we came up with a nice name KYCer.
KYCer’s operating principles are characterized by the following cool animation, which can be seen here
KYC Animation 1 from DIGINNO BSR on Vimeo.
What does this data exchange service do differently?
– It uses national data, which generally have a higher probative value
– It does not store or process this data and thus the risk of data manipulation is minimized
– It exchanges data with the person whose data is requested under his or hers consent and the person can manage his or her consents himself or herself
– It does not assess the person
– The data exchanged is machine readable
– It always transmits the most up-to-date data in real time
From idea to solution
Last autumn we only had an idea and a vision of how KYC could be implemented in the future, but we did not have the certainty that it would actually be possible to do so. We assumed that the state had most of the data needed to make KYC, but we did not know why that data was not already available.
First, we began to analyze what data the state has collected about its people in various databases, whether this data is technically available and whether it is machine-readable. Then we started to compile the so-called KYC profile, ie. the list of the data that is the minimum necessary to perform the KYC procedure, and we identified where this data is located. We carried out a thorough legal analysis to find out how to legally access and use this data and how to ensure compliance with anti-money laundering rules. And on the basis of the above, we drafted a package of legislative changes with explanatory notes, which will create the possibility for such a data exchange service to emerge. At the height of the Covid-19 crisis, when everyone was in home lockdown, we conducted a 4-day virtual design sprint, which resulted in a visual prototype.
Over the past 9 months, we have moved from a vision to a real solution and are convinced that Yes, KYC can be done in a completely different way, more efficiently, more cost-effectively and in such a way that the person himself has control over what is done with his data.
The state has most of the data that obliged entities (eg banks) collect from their customers to make KYC. It seems all the more incomprehensible why these data have not already been made available for making KYC and why do obliged entities ask for the same data over and over again?
Part of the reason for the above is the fact that so far the state has not considered it necessary or rather seen a reason for various registers and national databases to release data at all in order to make KYC. Each register has certain purposes and their statutes also set out the purposes for which the data are issued. Unfortunately, there are no indications in the statutes of the registers that the data may be issued for the purpose of conducting the KYC necessary to prevent money laundering. On the other hand, the regulation on the prevention of money laundering in force in Estonia does not provide for the possibility to use the data exchange service for making KYC. For the purposes of the Money Laundering and Terrorist Financing Prevention Act, the obliged entities must perform the KYC either himself, ie. it also collects or can purchase the entire service (the so-called transferable service), but the situation where the data is transmitted to the obliged entities through a third party and the obliged entities does not have to collect them every time again, is not regulated.
Why is there no such service already on the market
It seems logical that if it is known what and how should be regulated in order for such KYC services to enter the market, then the innovative and efficient state will soon enforce the respective changes, but unfortunately we have come to the conclusion that the public sector is not as quick to react as decade ago. We often heard the words “this can’t do” or “this is not possible” when talking to an officials or public agency. The reason was not that it is not really possible, but mostly because they were not oriented towards a solution, but rather considered that, as everything is already, it is more convenient for them. At the same time, we also met a number of officials with whom new ideas and approaches to one or another nuance were born.
At the moment, in order for the KYC data exchange service to emerge, quite minimal changes in Money Laundering and Terrorist Financing Prevention Act and some accompanying laws are needed. Here the key role is played by the Ministry of Finance, whose drawer already contains a package of legislative changes with explanatory notes.
One of the serious obstacles to the emergence of the KYC data exchange service is certainly the high fees and charges paid to the state for obtaining data from it. In other words, the state sells my own data for money. Sounds like a Facebook case? For example, Estonia has one of the highest fees in Europe for obtaining data from the commercial register and the criminal register. In most countries, data for the purpose of making KYCs are available either free of charge or for a very small fee, but the Estonian practice is the opposite. The above is also one of the reasons why KYC is performed in Estonia many times less than it should actually be done, and why the majority of obligated persons do not do KYC at all, and thus also increase the risks of money laundering. There are solutions to these problems too, but they are political, but at the moment there is no political will to change the current situation.
In conclucion I can say that, here is a clear market need for a KYC data exchange service. Today, the private sector spends nearly 40 million euros a year on KYC procedures. In a situation where the KYC data exchange service enables faster and machine-readable retrieval of data, which reduces the need for additional data collection, scanning or manual input, the current costs can be significantly reduced per year. In addition, such a service helps to collect the necessary data for those obliged entities who do not know or know how to do KYC today, despite the fact that the law obliges them to do so. The more effective is the ex-ante control of money laundering, the more reliable the state is. So at the end everybody will win.
It will take about 6 months to bring the KYC data exchange service to the market, most of which belongs to programming and design. Thus, if the Parlament enters into force the necessary amendments to legislation, it is expected that the first KYC data exchange service provider can be seen on the market within following half a year.