Fintech R&R☕️🪪- NatWest's Digital ID innovation and BAaaS (Banking Authentication-as-a-Service)
NatWest and other banks stepping into the Digital ID space and yet another benefit of Open Banking
Hey Fintechers and Fintech newbies 👋🏽
It’s been a back-to-back 4-day week for many in the UK, and I hope that folks are refreshed because, in this week’s edition of Fintech R&R, I’m talking about a very serious topic.
Identity.
Of course, this is still a fintech product newsletter, so it won’t be that heavy and I’m steering well clear of identity-related subjects such as Identity Crisis, Identity Politics, Mistaken Identity or Corporate and Brand Identity. Although most of these would make the puns and movie references relatively easy (I was already thinking of The Fugitive and Minority Report).
The identity subject in question is Digital Identity and Identity Verification (IDV).
It’s not an area that sees regular updates, but there was a bit of news, some of which went a bit under the radar, that made it an interesting few weeks. One was the introduction of mandatory VoterId for individuals looking to vote in local elections. But I won't go into that as I want to keep this a politics-free zone!
The two more interesting reads that went under the radar were Sweden’s BankID launching a new version of their Digital Identity service. It’s essentially a full DigitalID card in an app for Swedish citizens, created and owned by several Swedish and Scandinavian Banks.
And the announcement of NatWest’s Customer Attribute Sharing service, a service which will provide “customers with a secure method to verify their identity online”. The service looks like it intends to provide two-pronged value. One is to give this service to business customers, especially those looking to switch to digital experiences, making that transition easier. The other is to speed up the verification process for customers by using existing bank and IDV information.
This not-so-recent news (the announcement was over a month ago now but hasn’t had any in-depth write-ups) also coincided with work I did for a growing and very cool Know Your Business provider which involved going down a very deep regulatory rabbit hole and thinking about wider questions.
Like, “Why haven’t banks done this for their business customers sooner, considering they’re obliged to perform KYC on their customers?”. And “What benefits does a centralised digital ID and IDV process give to customers?”.
I will try and answer those questions through the course of this week’s edition as well as include a spattering of interesting news, puns, movie references and a semi-obscure analogy:
The regulations behind Identity Verification & KYC
NatWest’s ID and steps towards one-time portable IDV/KYC
Benefits to customers and businesses of portable IDV/KYC
The key issue of Trust when it comes to IDV/KYC porting
Why it’s taken banks so long to take a piece of Digital Identity
Don’t forget to subscribe if you haven’t already to have future editions land directly in your inbox, and share it with your fintech and non-fintech friends!
Now, let’s get into it!
Regulation, but not for regulation's sake
I can’t jump straight into Identity Verification and Know Your Customer without first talking about the main reasons they exist. Rest assured this will be a detailed but quick dive into regulatory drivers.
The EU introduced the first formal regulation in 1991 and named it the First Anti-Money Laundering Directive (1AMLD). This and further directives set out the minimum standards for anti-money laundering and counter-terrorism financing measures that EU member states, including the UK at the time, had to implement.
1AMLD, the first set of dedicated regulations, was primarily for banks, financial institutions, and bureaux de change. This was the first formal introduction of KYC and Identity Verification into UK law (the UK Law initially called Money Laundering Regs 1993) and EU member state law.
Here is an extract of the text from legislation which I, as a non-lawyer, call ‘legalese’:
Member States shall ensure that credit and financial institutions require identification of their customers by means of supporting evidence when entering into business relations, particularly when opening an account or savings accounts, or when offering safe custody facilities - EU Council directive 1991
“Require identification of their customers” = KYC
“By means of supporting evidence” = Identity Verification
Subsequent additions were made to these regulations in 2001 and 2005 by introducing the second and third Anti-Money Laundering Directives (2AMLD & 3AMLD).
These broadened the scope of the regulated entities to include companies like e-money institutions, accountancies, law firms and other companies that could facilitate money laundering activities. Crucially, 2AMLD and 3AMLD also introduced some of the key tenets of AML, which, including KYC and IDV, look like this:
KYC & IDV
Screening (identifying High-risk and Politically exposed individuals)
Risk Assessments (assessing the risk of taking on a customer)
Customer Due Diligence
Enhanced Customer Due Diligence processes (EDD) for Politically Exposed Persons (PEPs) and High-Risk individuals
Record Keeping and Ongoing Transaction monitoring and reporting
In recent years the fourth and fifth directives (4AMLD & 5AMLD) have come in and increased penalties for non-compliance, including unlimited fines, increased the requirements for EDD processes, added virtual currency providers, custodian wallet providers and art dealers to their list of regulated entities and introduced an explicit risk-based approach requiring entities to tailor the AML procedures according to risk level (essentially tiering different customers and checks based on the riskiness of doing business with those customers).
While the new additions are beneficial, the first three directives delivered the core components that form most of the KYC, KYB and AML processes performed by regulated entities today.
And with that, you’ll be glad to hear the ‘Whistle Stop tour of EU AML directives’ part of this newsletter is officially done 😌
I Am Whoever I Say I Am 🎙
Whilst all components of the anti-money laundering process are critical to adhere to the AML laws imposed by countries, KYC and the Customer Identity Verification process are slightly more important.
Why?
KYC/IDV is where key data points about individuals are captured (name, address, ID number), and any relevant documents and usually government-issued physical IDs are uploaded. Then, those data points and documents are verified, and only then will customers be allowed to ‘enter the building’. For example, anyone who has ever applied for a bank account has had to take a photo ID and proof of address into a branch or upload it via an app as part of the account onboarding process, and KYC is the reason why.
It’s important because it’s the first line of defence against ‘bad actors’ and fraudsters looking to use financial and other services to launder money. It’s also vital because KYC is not cheap in terms of the cost of performing checks and the potential cost to companies if bad actors are let into the system.
It’s why your ID is checked at the door when you go to a club. Or when you fly, your boarding pass is scanned, and only relevant parties move on to the next verification stage. The dreaded and time-consuming security checks. Because of the cost and implications of letting bad actors into the system.
Although there have been significant technological strides when it comes to the KYC, IDV and AML process with companies like Onfido, ShuftiPro and Kyckr providing ID and Face Scanning technology with the ability to spot fake IDs and inconsistencies in the verification process quickly, some still face issues with this fundamental process and end up dealing with the consequences.
Here are some that have faced the wrath of regulators due to non-adherence to KYC and AML regulations:
Deutsche Bank fined £163 Million: In 2017, Deutsche Bank AG was fined 163 million pounds by the FCA for failing to maintain appropriate AML control policies between 2012 and 2015. The investigation revealed that Deutsche Bank failed to correctly identify their customers, which led to over $10 billion of unknown origin being transferred from Russia to offshore bank accounts, and the bank failed to control the actions of the department responsible for KYC Verification.
ABN AMRO fined $574 Million: Fined $574 Million after regulators identified the Dutch bank had inadequate Know Your Customer (KYC) checks and risk classification, lacked customer activity monitoring and failed to report suspicious transactions.
Santander fined £107.7 Million: In December 2022, the Financial Conduct Authority (FCA) fined Santander Bank £107.7 million for repeated anti-money laundering compliance failures. These included inadequate systems and processes for verifying customer information regarding the banking business they would be carrying out.
NatWest fined $264.8 Million: In December 2021, NatWest was fined 264.8 Million for three offences of failing to comply with money laundering regulations. The charges covered NatWest’s failure to adequately monitor the activity of a commercial customer, Fowler Oldfield, a jewellery business based in Bradford.
Whilst the fines NatWest received weren’t directly related to KYC, it’s clear that the use of cash deposits and the manual nature of some of the checks in the deposit process caused these issues that led to a fine.
From a bank’s point of view, any tool or service they can provide to business banking and retail customers to help with the transition to digital should reduce the likelihood of running into hefty fines like this again.
NatWest’s CAS and benefits it brings
So what is NatWest’s Customer Attribute Sharing service (the name could be catchier, by the way), what benefit does it give customers, and what does the bank get from this?
The service, or NCAS as we’ll refer to it, is part of a partnership with digital identity company OneID. OneID is an identity verification service, similar to Onfido and the others mentioned previously, that verifies and validates documents, covering the crucial KYC and IDV parts of Money Laundering regulations.
The partnership means that businesses using OneID for verification and onboarding customers who have already gone through an onboarding and KYC process with NatWest will be able to onboard customers faster, more efficiently and with fewer data inaccuracies from manual data entry. They do this by connecting to NatWest’s customer data after customers give explicit consent (using Open Banking Authentication), and NatWest then shares key data points required for KYC through their Customer Attribute Sharing Service.
REAL EXAMPLE
I am buying a house and using a new solicitor (real estate lawyer in the US) to help with the purchase. Solicitors are regulated entities under the Money Laundering Regulations, so they must perform KYC, IDV and other active and ongoing AML checks.
Traditionally, I’d have to go into their office with at least a photo ID (Passport or Driving licence), proof of address (something like a utility bill or bank statement) and three months of bank statements. They’d also ask me to fill out an onboarding form where I’d write down key personal details, which they would validate using the documents provided, and they would then be able to take me on as a customer.
Using NatWest and OneID, I could use the online or mobile service to authenticate myself as a NatWest customer (using the same login details I’d use to check my balance). NatWest would then hand over key data points, at the very least the same ones I would have to manually enter via a form, and if needed I’d use OneID to scan and verify the legitimacy of my licence/passport and also perform a face scan to complete the identity verification.
Of course, there is a bit of a jump between manual and digital verification, but even comparing the NatWest/OneID journey to an existing digital KYC journey, NatWest’s would come out on top. Here’s why.
Benefits
Time saving and reduced ‘fat finger’ entry ⌨️ ⌨️ ⌨️
Porting data once the customer has been authenticated is a huge time saver. Even through existing digital solutions, customers have to type in several data points, which opens up the possibility of accidental incorrect data entry leading to inconsistencies when verifying data and delays in onboarding genuine and legitimate customers. There is also an upfront time saving as obtaining verified data via an API is faster than having the customer type it in.
Cost for businesses 💰 💰 💰
Time is money, right? Theoretically, the time and effort saved using this digital KYC and onboarding solution should translate into cost savings and a resource reallocation for businesses like the solicitors in the example, especially if NatWest’s new solution moves businesses performing manual KYC to a digital process. Giving customers a digital avenue to onboard and a faster onboarding time also means a wider sales funnel. This is a bit speculative, but it’s logical speculation.
Data updates and record keeping 🗄 🗄 🗄
One of the most challenging parts of AML rules is keeping records up to date after initial KYC and onboarding. And it’s essential when businesses are engaged in an ongoing relationship with customers. For example, suppose the customer has a change of address. In that case, the business is responsible for ensuring the address is up to date in their system while there is an ongoing relationship. Maintaining these records is tough because customers have to update their data in multiple sources and often won’t cover every base. Using the NatWest/OneID method, customers can also consent to have their data automatically updated in all downstream sources of the NatWest data. So a customer can update their details and records once and have that ripple to all other listeners of that service, ensuring data accuracy.
Obtaining verified customer data from a trusted source 🔐 🔐 🔐
Because of the regulations outlined at the top and the consequences for banks if they don’t comply with regulations (fines, examples of which I provided earlier), banks are incentivised to get KYC and IDV right. They’ve had over 20 years to refine processes and build models to spot anomalies and inaccuracies in data points. So in terms of porting KYC checks and key data points, getting them from a bank is the logical step.
A toast! To clean, accurate and verified data 🥂
Although ported IDV for things like onboarding, document verification and age-related verification services is a step in the right direction and brings a few benefits, it’s not perfect.
Banks are a great source of verified data because they have had to do it to prevent fraud and money laundering, BUT many banks, including NatWest, have been fined because of issues with their KYC and AML processes.
Trust is going to be the main factor when it comes to adopting this porting of key identity data points, and here’s a little leftfield analogy to demonstrate why.
Everyone is familiar with the popular habit of clinking glasses and saying cheers, but only some know the origins. A standard theory is that it originated in the medieval days when wine was often spiked with poison. If a host wanted to prove that the wine was free of poison, they would pour part of the guest’s wine into their glass and drink it first. If the guest trusted their host, they would clink glasses when the host offered their glass for a sample and over time, they did away with the sampling of wine and just clinked glasses to indicate they trusted each other. Hence, clinking glasses has become a sign of trust, honesty and a toast to good health.
To build this trust and encourage the adoption of IDV and KYC porting services, banks must supply clean, accurate, verified, aka ‘unpoisoned’ data points for businesses to use via this porting service. For a period, businesses will still have to ‘taste and verify’ the data they receive. However, trust will be built over time, and businesses will rely on the data that comes via this service without having to spend the time and effort verifying it each time which is when the value of the process is truly realised.
Hopefully, the clinking glass example wasn’t too tenuous and clarified what needs to be done to create adoption for this new service. Essentially, if they really want to own a piece of the digital identity space, which it seems like they do, increasing trust in their identity verification and KYC processes will be critical.
NB: The glass clinking theory has been disputed by some historians, but frankly it’s cool and interesting so I’m sticking by it.
Things banks can do to increase trust and improve their own KYC/IDV processes
Improve and automate processes: Carefully implement more automation in areas such as data capture, identity verification and ongoing transaction monitoring, and regularly review and update procedures, rules, and the technology that supports them, because it’s the stale and inadequate procedures around KYC that lead to the biggest fines for banks.
AI KYC support model: AI is so hot right now. It has a role to play initially as support for existing technologies (or people), but if it’s going to play a central role in bringing down the cost of KYC for banks and, by extension, the businesses and customers that use those banks, then AI KYC models should be brought in now and put in the passenger seat to start learning the ropes and start acting as a failsafe for existing folks responsible for KYC and customer onboarding.
Use additional sources for data accuracy: Keeping the data up to date after initial onboarding is also essential. Using data sources like DVLA and land registry to refresh the identity data record ensures that any data ported over to other businesses is always up-to-date and relevant.
It’s worth noting that it’s not just NatWest that sees the benefit of a portable digital identity. Lloyds, the UK’s biggest bank, has recently invested £10 million into digital identity company Yoti to develop a reusable Digital ID.
Lloyds say reusable Digital ID. I say Portable ID. Potayto Potahto.
Although Lloyds and Yoti haven’t explicitly said the partnership will result in portable KYC for financial services onboarding, similar to the NatWest/OneID proposition, there’s no doubt that’ll be on their roadmap.
A big question remains, though. With the importance of KYC and Identity Verification sitting with banks and with a knock-on effect on the retail and commercial customers of banks, why’s it taken them so long to try and own part of the Digital ID space?
Banks starting to read the room 🤓
There are some legitimate reasons why banks like NatWest and Lloyds have taken this long to enter the Digital ID space, but they are finally waking up to the benefits, with more likely to follow suit.
Cost-effectiveness
When the formal regulations were brought in at the start of the 90s, banks relied on teams of people reviewing forms, checking identification, and reviewing transactions, all quite manually and not cost-effective. Now technology startups have proven that KYC, IDV and ongoing AML can be profitable, and banks are waking up to a tech-first and human-supported model.
Matter of time before Digital Identity record keeping is mandatory
This is semi-paired with the first one. At present, the money laundering regulations don’t explicitly state that storing KYC information digitally is part of their mandatory requirements. But banks are reading the room. They know this regulation is inevitable and that all onboarding and KYC records will be digital. And if they are, then they may as well port this digital identity to benefit their customers.
Embedded Finance
I’ve spoken about Embedded Finance in about four of the nine newsletters I’ve written so far, and with good reason. There are lots of fintechs doing great things in the space, giving finance to individuals and businesses who might not have known about the option or their eligibility for the service. Revenue-based finance for Shopify stores, for example. But one area of friction is still onboarding and KYC/KYB. It’s still required for finance providers and many other regulated entities, not just banks. Banks have seen the growth of portable authentication providers like Google, who allow the use of their service to port key personal details and quickly and securely onboard onto other platforms. They see themselves as the authentication service providers for future embedded finance services. The banks that don’t see that should!
Statistically, traditional banks are still the most popular option for consumers and businesses despite the growth of neobanks. This means that right now, banks are best placed in terms of the number of customers they’ve onboarded and the amount of data verified to provide portable Digital Identities.
And in the future, a bank providing a Digital ID that can be used, like Google Authentication, to unlock other financial services will be a driving factor in the retention of customers giving them access to other services where needed whilst keeping their deposits on the banks’ books.
Digital Identity is inevitable, and the traditional banks that don’t take this opportunity to own this space will see it as a big regret a few years later…
Favourite bits of news
Bank of England plan to reject Revolut’s banking licence application - In a week where I talk about regulation, I can always rely on some Revolut Regulation Revelations. This week, in news that will shock no one, they’ll likely hear that their banking licence application is to be rejected after their own accountant said risk revenues were 'materially misstated'.
Revolut also talks about potentially buying a BNPL provider - This news comes straight from the CEO himself while on stage at WebSummit. And a couple of weeks after my write up about them being the only real financial superapp. Notice I said superapp, not bank
Ramp Launching AI Savings tool for businesses - Ramp, the corporate card and finance automation fintech, announced a range of AI-powered tools to help businesses called Ramp Intelligence. These include a software contract analyser that uses GPT-4 to analyse the contract and let the company know whether they are getting a good deal or not and can renegotiate the contract with vendors if not, and an advice centre where customers can ask questions about reducing costs like ‘How can I cut operating costs?’. It’ll then analyse the business's transactions and come up with suggestions. This is the first ‘proper’ implementation of AI that seems logical, brand-aligned and is actually helping customers with real problems. Watch this space 👀