The perils of relying on static third-party databases
There is an old Russian proverb, ‘Doveryai, no proveryai’ (Trust but verify), which Ronald Reagan was very fond of quoting back to the Soviets during their nuclear non-proliferation negotiations. He used it so much that Mikhail Gorbachev even teasingly accused him of saying it at every meeting they had. This need for verification is crucial in business KYC (KYB) as well.
kompany operates a global live network to official commercial registers that provides real-time access to 110 million companies in over 200 jurisdictions. This means that, rather than maintaining databases, we supply bullet-proof business verification information in real time, directly from the primary source itself. kompany serves a wide range of regulated entities, from small fintechs to established global banks. But all our customers tell us the same thing: it’s getting tougher out there!
New regulation is continuing to increase the burden of proof on companies to show their business KYC (KYB) checks are based on original and up-to-date data. Clients often tell us that while they were confident their processes were audit-proof (after all, which self-respecting Compliance Manager wouldn’t be?), that confidence didn’t always extend to the quality of the data on which these processes were based.
For us, and increasingly for global regulators, audit-proof means data from a primary source, time stamped with a full guarantee of its integrity. Instead of just trusting their data, compliance teams need to go much further and verify it’s truthful. This has never been more important than today.
The 4th Anti-Money Laundering Directive (AMLD4), implemented in 2017, was relatively vague, ruling that due diligence must be based on information from a ‘reliable and independent source.’ ‘Reliable’ assumed that the data had not been altered, but the risk was always there: if you rely on third-party databases, there is no guarantee that their information is exactly the same as in the original primary source register.
AMLD5 (to be implemented in January 2020) is much stricter. KYC processes must use data ‘regulated, recognised, approved or accepted by the relevant national authorities.’ And within this tighter framework, national lawmakers have already been defining their more robust requirements.
According to the UK’s Joint Money Laundering Steering Group (JMLSG):
‘Firms should recognise that some electronic sources may be more easily tampered with, in the sense of their data being able to be amended informally and unofficially, than others. If suspicions are raised in relation to the integrity of any electronic information obtained, firms should take whatever practical and proportionate steps are available to establish whether these suspicions are substantiated, and if so, whether the relevant source should be used.’
(Guidance for the UK Financial Sector for the prevention of money laundering, Part 1, Section 5.3.45).
Global fines for KYC violations totalled almost US$ 4 billion in 2018. No doubt many compliance managers in those impacted companies were left wishing they had taken a leaf out of President Reagan’s book: Trust is good, but verification is better!