KYC Update: Firms marketing super-fast customer on-boarding are vulnerable to account-opening, mule attacks

Rachel Wolcott  Senior Editor / Regulatory Intelligence / Thomson Reuters

· 5 minute read

Financial services firms that are marketing super-fast customer on-boarding processes are vulnerable to account-opening attacks and exploitation by money-mule account providers, industry experts have warned.

Payments firms, fintechs, and crypto companies are touting nearly instant on-boarding with minimal checks to attract customers. Firms are increasingly using shared know-your-customer (KYC) platforms, low- or no-document on-boarding that uses open banking application programming interfaces (APIs), and other digital tools to boost the percentage of customers that can pass KYC.

Criminals can learn quickly how to exploit automated KYC checks, even biometric ones, to open hundreds of accounts. Firms believe their marketing is bringing in new customers, but a sudden acceleration in account openings can be an attack by criminals taking advantage of an on-boarding weakness, said Uri Rivner, chief executive at Refine Intelligence in Tel Aviv.

“Everything is digital, and we rely on identity checks that are mostly based on data, especially if we want to make it very quick and frictionless,” Rivner said. “But even the more advanced systems that do a video interview or facial recognition — there are ways for criminals to bypass that.”

Mule accounts

Transparency International Russia (in exile) recently published a report showing the ease with which mule accounts from payments firms authorized by the United Kingdom’s Financial Conduct Authority (FCA) could be bought on the dark web. And it was reported that Mercuryo.io, another FCA-authorized firm, was using a customer on-boarding system to “maximize customer pass rates globally, to expand as fast as they could.”

Financial firms can easily be deceived by stolen identity documents if they do not have proper scanning measures, authentication, and biometrics. There are databases of fake and stolen identification documents against which customers’ documents should be checked to avoid being exploited by criminals opening accounts to sell on as mule accounts.

“The bottom line is if a company is doing a lightweight KYC process without any other controls, and they’re under attack, they were asking for it,” Rivner said, adding that many firms, especially in the US, have implemented behind-the-scenes biometrics and advanced analytics to catch these attacks, while other companies still opt for the high-end, sophisticated identity verification tools.

Electronic KYC is a valid way to on-board clients from a regulatory perspective, but it is unwise to market easy KYC, because that will attract criminals who will quickly exploit it.

Kathryn Westmore, senior research fellow at the Centre for Financial Crime and Security Studies at the Royal United Services Institute in London, agreed. “If you look at the wording of the guidance from the Joint Money Laundering Steering Group, it’s permissible to rely on these third parties to do electronic verification so long as you are comfortable with that,” Westmore said. “The real question is: how robust are these companies?”


Not all companies offering these KYC and identity verification tools can deliver, however. Some banks are skeptical of financial crime tech companies that overpromised on the effectiveness of artificial intelligence tools but did not deliver.

The UK’s Payment Systems Regulator (PSR) published a report last year showing nine smaller payment firms were among the top 20 highest receivers of authorized push payment (APP) fraud. The worst performer was Dzing Finance, which saw that 187,695 per 1 million of its transactions were APP fraud. The FCA imposed restrictions on Dzing a few days after the PSR published its data.

“There is a whole range of these firms that continue to operate despite having received [anti-money laundering] AML fines in other jurisdictions or [that] have clear links to Russia or other countries,” Westmore said. “Some are advertising accounts that can be opened instantaneously with minimal checks. They’re appealing to people who are wary about big banks and don’t want to give away their information to anybody or to people who want to abuse their facilities.”

Identity verification, not KYC

Some frictionless customer on-boarding tools are not really KYC; they are identity verification — and there is a difference, Rivner said.

“Banks are supposed to understand the customer, not just know the customer,” Rivner explained. “Banks knew the customers but also knew the life story of the customer. They knew why the customer was doing what they’re doing. They understood the context around those activities. This knowledge has been deteriorating over the years with the move to digital.”

Identity verification may confirm a customer’s identity, but it does not provide transactional behavior insight to distinguish between suspicious and legitimate activity. This knowledge gap could lead to accounts being frozen too frequently or unnecessarily while the firm investigates transactions. Indeed, these delays can be more detrimental to a customer relationship than cumbersome on-boarding.

While it is important to strive to make financial institutions more accessible, it is fundamental to the prevention of fraud to adhere to the standards set by regulatory agencies.