During the latest meeting of AFP’s Treasury Advisory Group (TAG), Austin O’Brion, co-founder of identity verification technology firm Token of Trust, discussed the risks banks are taking by collecting mass amounts of personal data from companies to comply with know-your-customer (KYC) regulations.
The KYC conundrum
It’s been well documented that KYC compliance causes major headaches for corporate treasurers. But now it’s becoming clear that these strict requirements also open companies (or, more specifically, employees) up to data theft. With corporates providing sensitive information to multiple financial institutions, one hack at one bank could compromise a lot of people.
Potential solutions have arisen—organizations like Thomson Reuters and KYC.com have been developing utilities that simplify the process. But these entities have had trouble catching on with corporates since you’re essentially replacing one problem with another—instead of supplying KYC information to multiple banks, you’re supplying it to multiple utilities. Perhaps the only way to get mass adoption from corporates is to create one centralized repository, where you only need to give over the data once.
All of this got the TAG thinking. What if there were a centralized KYC repository that collects only the information that is absolutely necessary to prove that employees aren’t engaged in any criminal activity, or one where only that information is visible? As O’Brion noted, much of the data banks collect for KYC isn’t actually necessary to identify and prevent illicit activity. Moreover, many banks are gathering more information than regulators require of them, in an effort to cover all the bases.
The key to corporate adoption?
If corporates only had to give over their information once—and only information that is absolutely required by the Financial Crimes Enforcement Network (FinCEN)—I believe that we could see mass adoption for corporates. They wouldn’t be putting their employees at risk by handing over superfluous information like driver’s license numbers and they wouldn’t have to turn over the information multiple times.
There is, of course, a risk that a centralized repository could be hacked, and some of the KYC data collected there would still be sensitive. But isn’t that much better than where we are right now: turning over intimate details on employees to bank after bank and just hoping that all of them have top-notch security? It’s true that cybercriminals attempt to breach banks far more than corporates and retailers, yet we hear about it a lot less because banks are typically prepared for it and have better controls in place. But all it takes is just one breach.
So, to recap, here are a few key takeaways to ponder:
- While KYC compliance is a major pain point for corporate treasurers, various KYC utilities that have been developed have yet to gain a lot of traction with corporates.
- A centralized KYC repository might see greater corporate adoption, but it would also create a potential treasure trove for hackers.
- If corporates only had to give over their information once to a repository, and only information that is absolutely necessary to prevent illicit activity, mass corporate adoption might become a reality.