Written by Rainer Osanik
Idea Leader of “KYC as cross-border service” at AccelerateEstonia project
Only large companies and corporations are able to allocate sufficient resources (we are talking about billions of euros within the European Union alone) to perform the Know Your Client (KYC) procedure and subsequent business relationship monitoring at a level that allows money laundering to be detected and thereby also prevented. There are many different service providers on the market who take care of KYC for companies, although such services are not cheap.
In Estonia, only one-tenth of those companies that are required to carry out the KYC procedure, within the meaning of the Money Laundering and Terrorist Financing Act, do so in practice and to the extent and in the scope reflected in regulations. Certainly one of the reasons for not doing so is a lack of the prerequisite knowledge and skills. On the other hand, SMEs also lack the necessary resources, which is why KYCs are performed like they were during the previous century – by collecting and scanning papers.
What has happened to digital innovation in this field?
I have heard of instances where an individual who is required to comply with the anti-money laundering regulations prints out the business register cards of his corporate clients every six months. He is forced to print because machine-readable commercial register data is unavailable. But in reality, he does nothing with these printouts. Those hundreds of pages of printouts are simply placed in a folder. Formally, the requirements arising from their own internal rules have been met, and a ‘checkmark’ has been made, but no substantive analysis and comparison of the printouts takes place and no risks are prevented or mitigated.
Or, for example, when performing a financial transaction in the presence of a notary, the relevant anti-money laundering form must be completed. On paper! Among other things, the questionnaire asks for information on the sources of funding and the origin of the money, but the notary has no means of verifying the information in the form. And so this form simply ends up in a folder, without any meaningful analysis or even the opportunity to analyse it. Formally, requirements have once again been met and the ‘checkmark’ made; however, doing so is not accompanied by any actual prevention of money laundering and terrorist financing.
Cases similar to the ones above are found in every sphere of life. To put it bluntly, we mimic compliance with anti-money laundering rules, but in reality the risks remain and not enough attention is paid to them.
What is responsible for hindering the digital exchange and collection of KYC data?
I often hear claims that Europe’s General Data Protection Regulation (or GDPR) does not allow for, or even prohibits, the collection or exchange of KYC data. At the same time, money laundering and terrorist financing prevention are outside of the scope of the GDPR and are not subject to the GDPR regulation. In addition to the above, KYC data is still collected today, often on paper, entered by hand, then analysed and archived.
It is also argued that KYC data cannot be moved across national borders, since European Union regulations restrict such activity. Yet, data is moved across borders on paper, officially and legally. Indeed, regulations such as these date back to a time (the last century) when digital data exchange had yet to be born and the only strong piece of evidence was a paper document.
I know of a striking example in which an Estonian citizen tried to open an account at a bank in Spain because he had acquired real estate in Spain. To do so, he had to collect more than 50 pages of documentation in Estonia, on paper, which he then had to have translated into Spanish by a sworn translator and then stamped with an apostille, which cost substantially more than EUR 1000. There are also examples of the opposite: cases where non-residents, including e-residents, want to open a bank account in Estonia and end up having packages of documents and evidence delivered here are everyday occurrences. However, all of these documents and the data contained therein are digitally available somewhere.
Are the reasons for not making data machine-readable national protectionism, a state monopoly, or just being old fashioned?
The methods by which KYC procedures are still implemented and checks are performed date back to the last century. A significant amount of data is collected on paper, scanned and entered. A significant share of KYC data is collected through third-party sources, and in order to be sure of its accuracy, it is compared (verified), in turn, with alternative sources. Significant resources are spent, i.e. both time and money, but in essence this activity does not prevent money laundering or terrorist financing. Energy is spent on complying with formal requirements; however, for substantive analysis, which would help to find the actual instances of money laundering or terrorist financing, resources are simply no longer available.
Although the requirements arising from the Money Laundering and Terrorist Financing Prevention regulations for performing KYC apply equally to all obligated persons – regardless of their turnover, profits, the size of the company or number of employees – it is only feasible for rich companies with today’s methods and technical capabilities. The problem is not limited to Estonia, with the situation being similar in all countries. For small businesses, the proper performance of KYC is prohibitively expensive everywhere.
Countries have the opportunity here to do a great deal to help make performing KYC simpler and smoother. For example, they could enable access to direct sources (for example, national databases), issue data that is machine-readable, and do away with disproportionately high data inquiry fees. A situation where, on the one hand, the state, through its rules against money laundering and terrorist financing, requires KYC to be performed but, on the other hand, collects large fees for it (i.e. for requesting data from the register that is required to perform a KYC), seems neither logical nor reasonable. Otherwise, instead of actual prevention, you will be stuck dealing with illusory activities and ticking ‘checkboxes’.