Blockchain in compliance

Regulatory challenges

The burden of compliance activities on FIs pertaining to Know Your Customer (KYC) and Customer Due Diligence (CDD) show no sign of abating, but rather to the contrary. Non-compliance risk, which can be both costly and catastrophic to FI’s reputation, presents a strong business case for investing heavily in this area.
Based on an analysis carried out by regtech firm Encompass Corporation into global AML breaches, a total of $8.1bn (€7.2bn) of fines were issued for a total of 58 AML-related breaches in 2019. Of these, US regulators issued 25 penalties, approximately €2bn in total, followed by the UK with 12 fines worth €344m, while the largest single monetary fine was $4.5bn in France against Switzerland’s UBS, which also clearly signalled that FIs would be punished severely if they misbehaved.

In addition to the financial burden, compliance obligations may also delay customer on-boarding and transaction processing, which may potentially take months and involve numerous interactions, hurting client relationships. Customer experience, as a result, also suffers, adversely impacting business, possibly prompting customers to change their service providers altogether. Furthermore, KYC requests potentially result in duplication of effort across FIs, implying further industry-wide inefficiencies and customer dissatisfaction, creating an ideal climate for the rise of fintech challengers.

Blockchain: An enabler

But a number of potential answers do exist. A myriad of compliance procedures, tasks and steps could be eliminated if the information is already lodged and accessible in an existing and secure, tamper-resistant database.

Such technology may be practical in the form of a Blockchain. However the inherent technology within blockchain has posed a considerable barrier to a coherent dialogue around its basic characteristics, at times causing confusion over its application and resulted in many inflated expectations. Realistically the use of blockchain in financial services has been narrowed-down to a handful of use-cases.

Blockchain and Distributed Ledger Technology (DLT) have generally been associated with processes involving exchange of money, although the technology may not necessarily involve a digital currency. From a business perspective, it is helpful to think of blockchain technology as a next generation business process improvement application, built around transparency and auditability, and one that has the ability to deliver an indisputable ‘proof-of-process’. Whatever happens to cryptocurrencies - and that is in question – blockchain technology is here to stay, and will likely gain traction in key areas in financial services, including compliance.

SWIFT KYC registry

A main concern hovering around blockchain technology relates to privacy of data or sharing of customer information. In reality, sharing of customer data may already be the norm. External to the blockchain debate, SWIFT’s KYC registry is an example where pooling of customer information within trusted domains is already a practice. In fact the Registry has been designed in collaboration with a community of banks from across the globe to address KYC and CDD challenges, and provides the facility to share sensitive customer information between FIs. The approach may be replicated on a broader, blockchain-enabled ecosystem for compliance activities, targeting the public at large.

Private Ecosystem Blockchain

In a ‘Private Ecosystem Blockchain’ participation is bound by invitation from a centralised ‘high trust’ authority. It is community-based consortium, governed by a single entity, potentially a regulatory authority and whose responsibilities would include setting-up the application, issue certificates or identification keys and designate access-rights to participants, maintaining rules, storage, as well as carrying out an independent system audit. In this way KYC data is maintained centrally and rigorously, and shared collaboratively in near real-time.

Of course, a private ecosystem does not lend the distinct, decentralisation advantages of DLT, although it mimics similar security processes through cryptography, and blocks of transactions are validated using consensus mechanisms, hence maintaining higher levels of data integrity than conventional, shared databases.

A changing landscape for regulators?

This approach implies that regulators may see a shift within their traditional roles in the process - from customers, to participants. Industry-wide inefficiencies resulting from duplication of effort in carrying out KYC checks are also mitigated, as well as create a level playing field for FIs, while potentially also reducing barriers to entry for challenger banks.

Blockchain technology provides an opportunity for disintermediation of compliance activities. Entries into the blockchain are immutable, verifiable and traceable, providing an indisputable audit trail, including records of procedures and tasks undertaken for each client, as well as documents shared, providing a single source of the truth through DLT, but owned centrally by the governing entity. This achieves the ultimate objective of ensuring that a FI has acted diligently or otherwise, potentially making inroads into criminal activity.

Furthermore there may be value-added opportunities through process automation, leading to fewer compliance errors. Combined with the application of ‘smart contracts’, blockchain technology could, for instance, block transactions on behalf of clients unless adequate KYC completeness has been attained.

Security and privacy

As already outlined, while pooling of customer information may already be a reality within trusted domains, the technology provides an additional layer of privacy, cementing ‘real-world identities’ to ‘cryptographic identities’. Transactions on the Blockchain will merely be a reference point, protected by a digital signature or cryptographic hash. This achieves privacy hallmarks, and also seems to be aligned with GDPR regulations.

Challenges with blockchain exist within the areas of performance and security, which may pose considerable barriers to adoption of the technology. Notwithstanding, it is fair to say that blockchain is widely considered as more secure than a conventional database and specifically designed to ensure data integrity across the network consistently, although more robust infrastructures are prerequisite to widespread adoption.

*********

Over the years RegTech has played a key role within the compliance domain, and increasingly regulators expect FIs to harness technology to their internal regulatory tasks and procedures. Blockchain technology may be an enabler, and potentially achieves core aspirations for stakeholders within the ecosystem. It provides an opportunity to re-shape, streamline and alleviate the strain of regulation on FI’s IT systems, reducing compliance costs, upscale quality and accuracy, and also reduce errors. It also provides an opportunity for regulators to stay on top of changes in process and technology. Aspirations towards a national (and potentially EU-wide) blockchain-based KYC registry may sound ambitious. Pilot-programmes and proof-of-concept activities might spear this ambition.

About the author

Ivan Camilleri is a Manager within the Consulting service line at Deloitte Malta.