Combining KYC, AML and data-privacy regulations

Each year, the total amount derived from drugs, terrorism, robberies and other criminal acts is estimated at more than $1.5 trillion. Banks are the guardians of the financial system and obviously have a huge responsibility to prevent financial crimes. In this context, they have worked hard to establish Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) policies, procedures and systems.

According to a Burton-Taylor International report, global spend on AML, KYC and related financial crime and compliance activities increased 17.5% to a record $905 million in 2019. However, despite this spending, the return on investment has so far been unsatisfactory, and data-privacy related issues have also appeared.

New technologies were supposed to help banks rapidly detect and prevent illicit transactions. The disappointment is considerable when we notice that only about 1% of laundered funds are detected and confiscated each year. To address this issue, financial organizations need to be concerned with more than making profits. They need to be able to correctly identify whom they are doing business with, which means verifying customers’ identities and meeting KYC and AML guidelines. Under the Markets in Financial Instruments Directive II (MiFID II), many firms have to report trade data to regulators, including dozens of reference data fields. In the specific case of financial institutions, the topic is even more important: they must do everything possible to maintain the integrity of their institutions while also performing their core functions and staying efficient for their clients.

Over the past years, regulators from the United States, the Middle East and Europe have tried to find solutions and fight fraud. Market experts estimate that regulators have levied more than 26 billion dollars in financial penalties in the last ten years. One of the most widely discussed cases concerned the Dutch bank ING, which was fined 900 million dollars in 2018 for failing to meet AML compliance. In this heavy regulatory climate, financial institutions have been obliged to react and strengthen their KYC and AML procedures. Unfortunately, by increasing the amount of information needed to open an account or to sign a transaction, they degraded their customer experience and also ran up against data-privacy regulations such as GDPR.

How could they implement effective KYC and AML while remaining compliant with data-privacy regulations and creating a friction-free customer experience?

Banks take an average of 24 days to completely register and onboard a new customer, and we may expect this to get worse as regulations continue to increase. At the same time, not being compliant with those regulations is extremely risky for financial institutions, which could receive costly fines and lose customers. To avoid potential issues, banks need to know more about their customers. They need to know their activities, their history and their profiles in detail. This Customer Due Diligence is becoming critical for financial institutions to better understand whom they are working with. To do so, sufficient personal data is absolutely key, and information-sharing among institutions, organisations and governments seems to be a must. However, no bank wants to share its client list with its competitors, and the need for more data sharing also clashes with the trend towards stronger data-privacy standards. Stricter data-privacy standards such as GDPR impose strict limits on the processing and sharing of data and are slowing and restricting the performance of KYC/AML procedures. We could argue that analyzing only a part of the available data is clearly not the best way to get the bigger picture and detect potential risks.

By definition, KYC/AML and data privacy could appear contradictory. Indeed, KYC and AML obviously depend on the sharing and analysis of large quantities of data, whereas privacy implies limiting and controlling the use of personal data. Some AML procedures may seem to violate the initial idea behind the GDPR regulations, but we could also focus on the content of these regulations. As an example, the Fourth Anti-Money Laundering Directive requires institutions to share their clients’ data with foreign entities, but GDPR aims to limit and forbid data-sharing with third countries. Of course, GDPR allows data transfers for important reasons of public interest, but this specific point is not really detailed nor explained and creates a regulatory vacuum. Also, many financial institutions outsource their AML or KYC processes to third parties, which may not be GDPR compliant.

Fortunately, anti-fraud regulations and privacy regulations are not necessarily incompatible. New technology solutions based on encryption are appearing and making KYC and AML effective. As explained by many experts in cyber-criminality, the use of specific technological tools linked to business intelligence, machine learning and automated digital solutions to share information between institutions at an international level would clearly improve current practices and increase the amount of illicit funds frozen each year.

Privacy-enhancing technology (PET) is a new way for financial institutions to share and compare confidential data without compromising competitiveness or data-privacy compliance. Solutions using PETs can enable organizations to map personally identifiable information within their systems, effectively manage data access and perform analysis on encrypted sensitive data, protecting it from undue exposure.

Although our regulatory landscape may seem demanding, KYC and AML processes remain excellent solutions to protect companies and their customers. Developing and implementing concrete IT solutions such as PETs or other modern technologies can simplify the necessary KYC and AML checks. By doing so, financial institutions can avoid the expensive fines for non-compliance with security procedures and deliver a frictionless user experience for their teams and their clients alike. Moreover, these solutions will enable financial institutions to show that their focus is on lawful business and will allow them to join forces on business-critical topics while remaining compliant with data-privacy regulations.

Thibaut Griboval

AION Consulting
