Last October, TD Bank was fined more than $3 billion after pleading guilty to violations of the Bank Secrecy Act and conspiracy to commit money laundering. The unprecedented charges stemmed from the bank’s failure to detect and prevent illicit financial activity. Specifically, it was cited for not implementing robust Know Your Customer (KYC) procedures, neglecting to conduct periodic account reviews for illegal activity, and failing to file suspicious activity reports.
TD Bank serves as a cautionary tale for other financial institutions. Failing to adopt modern, continuous KYC solutions can be catastrophic—resulting in financial losses, reputational damage, and erosion of customer trust. And according to Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research, most banks are dissatisfied with their current KYC systems.
Continuous Checks in Real Time
In KYC Revolution: Automated Solutions Tackle Compliance and Fraud Challenges, a report from Javelin, Pitt found that many banks, in response to the Bank Secrecy Act’s requirement to implement KYC solutions, are simply checking the box by adopting outdated systems. These legacy KYC tools often fail to effectively mitigate fraud and money laundering.
“They’re not doing continuous checks in real time so that they can actually vet their customers,” said Pitt. “What they should be doing is implementing what we call perpetual or continuous KYC solutions. These happen throughout the entire customer lifecycle, not just during onboarding or annually like most are being done.”
Perpetual KYC solutions include a continuous authentication process, which verifies who is gaining access throughout an entire login session. Every action—whether it’s logging in, making a transaction, adding account information or users, or linking new accounts—is re-authenticated in real time. This process runs in the background using automated tools, minimizing customer friction.
Vetting these customers’ actions can strengthen the due diligence typically performed manually through traditional KYC processes. If the bank identifies a customer as high-risk—due to, say, a criminal history— additional scrutiny may be applied using perpetual KYC solutions. These measures are initiated only when the automated system flags unusual activity or detects a higher-risk client.
“They’re literally hiring people to do Google searches for what we call negative news in order to vet their customers,” said Pitt. “If you have financial service professionals typing that information manually, it’s not being done in real time. I could be searching for this person in LexisNexis, trying to find out if they have a criminal history. Today they could be all good, and then tomorrow they could have different information.
“Some traditional banks never check their customers again, or they’re only checking annually,” she said. “That person could change addresses three times in the interim or transact to highly suspect counterparties.”
Reducing the Friction
Ensuring that KYC processes are invisible is an important step toward reducing customer friction and preventing them from feeling like they’re being treated as criminals.
Most financial institutions, following current privacy laws, inform customers about the data typically collected. These can include name, date of birth, Social Security number, and credit history—at the time of account opening. But many fail to communicate what information is continually required throughout the account lifecycle.
“One of the things that that Javelin stresses is the need for transparency by financial institutions,” said Pitt. “What we found is that consumers will be more apt to provide information that’s necessary for KYC if banks are transparent about why they’re collecting the data, what information is being collected and what’s being done with it.
“They need to know if the information is being shared or sold, or if it is just being used to vet the customer,” she said. “That transparency is a key in getting perpetual KYC systems on board. It ensures that the customers are providing the necessary information.”
The Necessity of Collecting Data
The industry has struggled to balance customer friction and privacy with the need to gather sufficient information to vet their customers. The TD Bank scandal served as a tipping point, pushing banks to err on the side of collecting more data.
The criminal charges happened because regulators believed TD was already aware of deficiencies in their program and chose to look the other way.
“The fact that they were criminally charged, that tells you it’s not just oops, they didn’t understand,” said Pitt. “It’s that they willfully chose not to update their programs.
“That was pretty much the first time that any financial institution has been charged criminally for failing to stop money laundering or fraud,” she said. “Regulators aren’t going to idly stand by anymore and let these failures in KYC happen. There’s a higher need to protect your consumers than there is for these privacy regulations.”
Turning to Outside Help
One reason banks have been reluctant to adopt perpetual KYC solutions is that even larger legacy banks would likely need to rely on vendor solutions to implement them. Legacy KYC systems are often incompatible with some of the perpetual KYC processes that leverage artificial intelligence.
“This is a generalization, but traditional banks typically aren’t the innovators of the world,” said Pitt. “It’s fintechs that are the innovators of the world.”
Pitt cites iDenfy, Persona, and Moody’s as three leaders in the perpetual KYC space. These fintech vendors can generally offer perpetual KYC solutions at a lower cost than would be required for financial institutions to adapt their systems and upskill their personnel independently. Partnering with other financial institutions will be key.
In preparing the report, Pitt was struck by how many banks were unaware of KYC solutions in general, let alone perpetual KYC.
“Financial professionals do ourselves a disservice when essentially we try to silo all our products and not share that information with the industry,” Pitt said. “A lot of financial institutions that had no idea that there were even such solutions. Now they are thinking, ‘Oh my gosh, there’s perpetual KYC out there. Imagine if we knew this two years ago.’
“Organizations are going to have to figure out how to get these solutions,” she said. “The TD Bank incident really struck home. It was the industry’s way of saying, whether or not you can afford it, you don’t have a choice anymore.”
