As stricter, more complex, requirements in relation to anti-money laundering are implemented in the EU, distributed ledger technology (“DLT”) might offer an answer to streamlining know your client (“KYC”) processes and reducing the frustration around data sharing. In this article, Ami Amin and John Binns discuss what DLT is, what the current issues with KYC are and how blockchain technology (a type of DLT) could offer a solution to the issues presented by traditional KYC processes.

Distributed ledger technology

DLT is a type of technology that allows the sharing and updating of records in a distributed and decentralised way. It enables participants to the DLT to propose, validate and record information to a synchronised ledger that is distributed across all participants.

DLT has certain common features, the most relevant being[1]:

1. Data distribution – the participants in the ledger have a copy of the ledger and can access the data stored on it.
2. Decentralisation – participants are permitted to update the ledger, subject to the extent of control and processes that have been agreed.
3. Use of cryptography – this is used to identify and authorise participants, as well as confirm data records and facilitate consensus.

Blockchain is one of many distributed ledger technologies gaining momentum in the incumbent technological revolution. Best known as the technology behind Bitcoin and other cryptocurrencies for transferring and storing money, blockchain has several distinctive features. At a very high level, blockchain technology can be explained as a series of blocks of data that are: i) decentralised, ii) cryptographically stored, and iii) immutable.  It can be used like any conventional database to store large volumes of data to show “who did what and when”.

Blockchain is already being used by financial institutions in many ways, including to reduce the inefficiencies suffered by financial institutions and other regulated organisations in meeting KYC and anti-money laundering (“AML”) obligations. Blockchain technology can allow multiple parties to work together to share and/or rely on data that is essential to the KYC process, such as information about a customer’s identity.  However, the adoption of blockchain technology to reorganise and restructure the way in which KYC processes are conducted is still very much in its infancy.

How does blockchain work?

When a participant to a blockchain network inputs data for the first time, this initiates the process by creating a “block” (i.e. the data stored cryptographically). That block is then verified by all computers that are participants to the blockchain, making the block immutable. Each block of data is bound to another using cryptographic technology, meaning that it cannot be tampered with or changed once another block is added to the chain. The data stored within a chain is visible to all users of that blockchain and the actions of each user are permanently stored on the chain, facilitating complete transparency and accountability.

Blockchain can function on different levels, most commonly on a public permission-less level (such as that used for Bitcoin). However, it can also be effective on a private permissioned level, where only people with permission would have access to the blockchain data. It is the permissioned blockchain that would be more suited for KYC purposes.

What are the current issues with KYC?

Financial institutions and other regulated firms undertake KYC procedures to verify the identity of their customers, to assess their suitability and assess risk to comply with AML requirements.

Meeting these requirements involves collating, tracking and storing personal information and business data from customers. Where individuals are acting on behalf of another party, the ownership structure of an organisation must be established, and the beneficial owner must also be identified. In some cases, enhanced due diligence will be required, for example, when dealing with individuals from high-risk third countries or politically exposed persons. Immediately, there is a clash of priorities between the customer and the regulated entity at the outset of the onboarding process. Customers are instantly burdened with having to provide documentation to validate their identity, while the regulated entities are concerned with meeting their AML requirements. Despite being a critical function in assessing customer risk, KYC processes often lack consistency across institutions and take up a lot of customer time, resulting in high levels of customer dissatisfaction.

A study conducted by Thomson Reuters in 2018 revealed that some financial institutions are spending up to $500m annually on ensuring compliance with KYC and customer due diligence rules. Time spent by organisations on information gathering can divert attention away from the important task of analysing risk, reducing KYC checks to a mere tick-box exercise.

Where does blockchain come in?

In a scenario where you have multiple regulated entities working together with a common interest, blockchain technology offers a potential solution to avoid cumbersome and repetitive KYC processes. At present, every new customer partaking in a transaction with a regulated entity is required to go through a multi-step KYC process, involving extensive document and information gathering, and verification. The cost of cross-institution client verification could be significantly reduced if all KYC data were privately and centrally stored for those with the necessary permission to access it.

For example, if all driving licences were stored on a blockchain network owned by the DVLA, upon onboarding a new client, a bank could seek to verify a customer’s identity directly with them, subject to permission being granted to access a copy of the relevant document. The fact of this verification would be stored on the DVLA’s blockchain network. The bank could then store a copy of the customer’s driving licence on their own blockchain network, effectively stored as a cryptographic block in the chain.  That same information could then be relied upon by any other organisations wanting to conduct KYC for that client, subject to obtaining permission to access the private blockchain network to access/verify the relevant information. Any subsequent KYC verifications would also be recorded and tracked.

The immutable and immediately accessible nature of the information on a private permission-based blockchain, enhanced by encryption, offers a unique service while maintaining customer privacy. Blockchain technology should ensure the accuracy of customer records and facilitate the instant sharing of information. By offering a flow of digital customer information, the time spent in the early stages of the KYC process can be significantly reduced allowing multiple institutions to rely on the same checks and information. Furthermore, all actions undertaken by participating institutions and customers are recorded and tracked, leaving a permanent record to show where relevant checks have been conducted (and where they have not).

Larger financial institutions such as banks and insurance providers are the most likely to benefit from blockchain-based KYC processes. There has already been considerable testing of such technology within the industry, including by a multinational investment bank and financial services holding company.

From the perspective of a bank with various subsidiaries around the world, each subject to different regulatory regimes, blockchain-based KYC processes could bring universal organisation and structure while removing the risk of inconsistencies in the process. The same technology would also assist cross-bank transactions, particularly for monitoring transactions or facilitating the sharing of information across different organisations.

What are the challenges?

Using permissioned blockchain technology to synchronize the KYC process does present its own challenges. For the technology to work effectively, industry collaboration would be required. However, financial institutions and other regulated entities are more accustomed to not trusting each other and it is difficult to envisage a scenario where such organisations would readily share customer information, despite the obvious cost saving benefits.

Another major concern will be in relation to maintaining client confidentiality of the data stored on the blockchain, as well as the right to have data deleted once it is no longer needed. The right to have personal data deleted is also known as the ‘right to be forgotten’, and this effectively means that individuals can ask organisations that hold data about them to delete that data in certain circumstances, including when that data is no longer needed by the holder. The immutable nature of blockchain creates a tension here between the law and technology and the issues around this are perhaps the content of another article.

As with all technological advances, the incentive to users and their trust in the technology will be central to blockchain’s success as an effective KYC tool.  In a world where artificial identities and customer credibility is increasingly becoming a problem, blockchain appears to offer a distinctive solution worth pursuing.

[1] Cryptoassets Taskforce: final report – October 2018 (HM Treasury, FCA and Bank of England), 2.3.