Date Posted: Wednesday, June 20, 2012
KYC stands for “Know Your Customer”. Most people forget that. They think it means
“Collect lots of paperwork” or “Comply with annoying regulations” or “Make it
hard to sign up for a new account”. Most mobile money operators don’t take any
effort to really know their customer and the reasons the customers have for
using the service. All most operators care about is one question, “Do I have
enough documentation about this customer to keep the regulator happy?”
Of course, a mobile money business can’t
operate without a happy regulator, but it’s important to understand the reasons
behind KYC. If we understand the risks we’re really trying to deal with, we can
also see the opportunities to provide a safe service that maximises financial
Before we design a KYC process, we need to
ask why we need “KYC” at all.
The most common answer is, “Regulation”,
usually accompanied by the two words that strike fear into every banker, “Money
Laundering”. But if we delve deeper, we find three reasons for collecting
1) Protect against systemic risks:
regulators want information about customers in order to protect the financial
system against crimes and money laundering.
Customer protection: Customers
must have some way to identify themselves to the operator in the event that
their phone is lost or stolen.
information may be useful to operators, or to their funding partners,
especially if they are receiving any development funding or grant money.
When most mobile money operators talk about
KYC, they’re really only talking about the first step of the KYC process. Anti-Money-Laundering (AML) regulation usually refers to this as “Customer
Due Diligence”. It’s an important step, but it also needs to be followed up
with other actions such as risk rating and transaction monitoring in order to
constitute an effective AML plan.
By thinking about the reasons to know our
customers, it should be possible for operators to design a KYC process that
balances these goals without presenting too many obstacles for the customer or
costs for the operator. But many operators don’t get this as far as this decision;
they panic at the magic words “Money Laundering” and the fear of the regulator
and go straight to an archaic paper-based collection process.
Money Laundering and Terrorist Financing
are definitely things that banks and regulators need to be concerned with, but personally
I think it’s hard to see how well designed mobile money in developing markets
will lead to widespread money laundering. In every single market, it is
attempting to replace cash-based or informal transactions. Every transaction is
recorded in a sophisticated real-time system. The system limits are lower than
the amounts most money launderers would be interested in, even if the criminals
open multiple accounts. Most mobile
money operators have access to technology and reporting systems that are
light-years ahead of the legacy systems with which most banks are burdened.
What self-respecting criminal would choose to travel to ten different mobile
money agents to deposit the money, move their money through a traceable system,
then travel to ten different agents to withdraw it, when they could simply send
the cash in a brown paper envelope instead?
The key international body that sets
international standards for Anti Money Laundering, the FATF (Financial Action Task
Force), recommends risk-based approaches to money laundering and recognises
that financial inclusion is vital to preventing money laundering. Most regulators also recognise risk-based
approaches in their AML regulations, but so far not many have been willing to put
this in practice and make allowances for mobile money. Banks are guilty too, of
not wanting to push the regulators on this issue.
If the mobile money operator is not willing
to adopt a risk-based approach, they will end up mimicking a bank, but in a
very bank-unfriendly physical environment. They collect an application form, a
photocopy of an ID, some passport-sized photos, a signature, a thumbprint, and
possibly a letter confirming an address. These are photocopied on worn-out
machines in dusty rural markets, gathered up by the agents, then sent via
rickety buses and motorbikes to the head office. If the customer is lucky, the photocopies
were clear, the documents pass the quality check, and are scanned, re-typed and
archived in creaking bookshelves for seven to ten years. If the customer is
unlucky, their creased, stained, dark and blurry photocopies are rejected and
sent back for the whole process to start again.
By this time, the documents have probably
passed and been processed by four sets of hands (agent, network manager field
staff, network manager back office and operator back office). In an extreme
case, the customer must wait until all this activity is complete before they
can use their account.
There is some benefit of a risk-averse
approach like this, if the provider has plans to allow international remittance
or other more complex financial services such as savings or insurance that will
require a higher standard of Customer Due Diligence. But it does seem like
overkill for the initial product of a transactional wallet, and it definitely
presents barriers to entry to the unbanked. If anything, requiring stringent ID
requirements will actually force some people to use fake ID or to borrow ID
from a relative instead of opening an account in their true name.
Technology goes a long way to reduce the
risks of mobile money. The use of SIM cards as two-factor authentication is in
many ways superior to the technology of magnetic credit cards or internet
banking. But launching a mobile money business is a risk – it is hard and
expensive to set up your agent networks, your technology linkages, your
marketing campaign. Before launching, providers need to think carefully about
the risks of their customer onboarding process. Understanding this risk in full
should create opportunities for a simpler process that meets the needs of
regulators and promotes financial inclusion. It might not be easy to convince
regulators that your risk-based approach is sufficient to protect the banking
system, but it will be worth it in the long run.
In my next post, I will talk about how
to turn the risk-based approach to KYC into an opportunity for simplification.
- Michael Joyce