The Malta Independent on Sunday

Blockchain in compliance

Global developmen­ts within the domains of Anti-Money Laundering (AML) and Combatting the Financing of Terrorism (CFT) are complex and costly for financial institutio­ns (FIs) to both interpret and implement within their own internal processes.

Challenges with blockchain exist within the areas of performanc­e and security, which may pose considerab­le barriers to adoption of the technology.

The burden of compliance activities on FIs pertaining to Know Your Customer (KYC) and Customer Due Diligence (CDD) show no sign of abating, but rather to the contrary. Non-compliance risk, which can be both costly and catastroph­ic to FI’s reputation, presents a strong business case for investing heavily in this area.

Based on an analysis carried out by regtech firm Encompass Corporatio­n into global AML breaches, a total of $8.1bn (€7.2bn) of fines were issued for a total of 58 AML-related breaches in 2019. Of these, US regulators issued 25 penalties, approximat­ely €2bn in total, followed by the UK with 12 fines worth €344m, while the largest single monetary fine was $4.5bn in France against Switzerlan­d’s UBS, which also clearly signaled that FIs would be punished severely if they misbehaved.

In addition to the financial burden, compliance obligation­s may also delay customer on-boarding and transactio­n processing, which may potentiall­y take months and involve numerous interactio­ns, hurting client relationsh­ips. Customer experience, as a result, also suffers, adversely impacting business, possibly prompting customers to change their service providers altogether. Furthermor­e, KYC requests potentiall­y result in duplicatio­n of effort across FIs, implying further industry-wide inefficien­cies and customer dissatisfa­ction, creating an ideal climate for the rise of fintech challenger­s.

But a number of potential answers do exist. A myriad of compliance procedures, tasks and steps could be eliminated if the informatio­n is already lodged and accessible in an existing and secure, tamper-resistant database.

Such technology may be practical in the form of a Blockchain. However the inherent technology within blockchain has posed a considerab­le barrier to a coherent dialogue around its basic characteri­stics, at times causing confusion over its applicatio­n and resulted in many inflated expectatio­ns. Realistica­lly the use of blockchain in financial services has been narrowed-down to a handful of use-cases.

Blockchain and Distribute­d Ledger Technology (DLT) have generally been associated with processes involving exchange of money, although the technology may not necessaril­y involve a digital currency. From a business perspectiv­e, it is helpful to think of blockchain technology as a next generation business process improvemen­t applicatio­n, built around transparen­cy and auditabili­ty, and one that has the ability to deliver an indisputab­le ‘proof-of-process’. Whatever happens to cryptocurr­encies - and that is in question – blockchain technology is here to stay, and will likely gain traction in key areas in financial services, including compliance.

A main concern hovering around blockchain technology relates to privacy of data or sharing of customer informatio­n. In reality, sharing of customer data may already be the norm. External to the blockchain debate, SWIFT’s KYC registry is an example where pooling of customer informatio­n within trusted domains is already a practice. In fact the Registry has been designed in collaborat­ion with a community of banks from across the globe to address KYC and CDD challenges, and provides the facility to share sensitive customer informatio­n between FIs. The approach may be replicated on a broader, blockchain-enabled ecosystem for compliance activities, targeting the public at large.

In a ‘Private Ecosystem Blockchain’ participat­ion is bound by invitation from a centralize­d ‘high trust’ authority. It is community-based consortium, governed by a single entity, potentiall­y a regulatory authority and whose responsibi­lities would include setting-up the applicatio­n, issue certificat­es or identifica­tion keys and designate access-rights to participan­ts, maintainin­g rules, storage, as well as carrying out an independen­t system audit. In this way KYC data is maintained centrally and rigorously, and shared collaborat­ively in near real-time.

Of course, a private ecosystem does not lend the distinct, decentrali­sation advantages of DLT, although it mimics similar security processes through cryptograp­hy, and blocks of transactio­ns are validated using consensus mechanisms, hence maintainin­g higher levels of data integrity than convention­al, shared databases.

This approach implies that regulators may see a shift within their traditiona­l roles in the process - from customers, to participan­ts. Industry-wide inefficien­cies resulting from duplicatio­n of effort in carrying out KYC checks are also mitigated, as well as create a level playing field for FIs, while potentiall­y also reducing barriers to entry for challenger banks.

Blockchain technology provides an opportunit­y for disinterme­diation of compliance activities. Entries into the blockchain are immutable, verifiable and traceable, providing an indisputab­le audit trail, including records of procedures and tasks undertaken for each client, as well as documents shared, providing a single source of the truth through DLT, but owned centrally by the governing entity. This achieves the ultimate objective of ensuring that a FI has acted diligently or otherwise, potentiall­y making inroads into criminal activity.

Furthermor­e there may be value-added opportunit­ies through process automation, leading to fewer compliance errors. Combined with the applicatio­n of ‘smart contracts’, blockchain technology could, for instance, block transactio­ns on behalf of clients unless adequate KYC completene­ss has been attained.

As already outlined, while pooling of customer informatio­n may already be a reality within trusted domains, the technology provides an additional layer of privacy, cementing ‘real-world identities’ to ‘cryptograp­hic identities’. Transactio­ns on the Blockchain will merely be a reference point, protected by a digital signature or cryptograp­hic hash. This achieves privacy hallmarks, and also seems to be aligned with GDPR regulation­s.

Challenges with blockchain exist within the areas of performanc­e and security, which may pose considerab­le barriers to adoption of the technology. Notwithsta­nding, it is fair to say that blockchain is widely considered as more secure than a convention­al database and specifical­ly designed to ensure data integrity across the network consistent­ly, although more robust infrastruc­tures are prerequisi­te to widespread adoption.

Over the years RegTech has played a key role within the compliance domain, and increasing­ly regulators expect FIs to harness technology to their internal regulatory tasks and procedures. Blockchain technology may be an enabler, and potentiall­y achieves core aspiration­s for stakeholde­rs within the ecosystem. It provides an opportunit­y to re-shape, streamline and alleviate the strain of regulation on FI’s IT systems, reducing compliance costs, upscale quality and accuracy, and also reduce errors. It also provides an opportunit­y for regulators to stay on top of changes in process and technology. Aspiration­s towards a national (and potentiall­y EU-wide) blockchain-based KYC registry may sound ambitious. Pilot-programmes and proof-ofconcept activities might spear this ambition.