Compliance officers in financial services should think of themselves as orchestra conductors, according to Charles Gaddy, co-founder of identity verification service company, Global Data Consortium.
Finextra spoke to Gaddy about the company’s recent report, ‘Avoiding improvisation: a 3-step guide to harmonising electronic identity verification’ and how the cloud-based platforms can be used by financial insitutions to attain and maintain KYC compliance.
As with all areas of their business, financial organisations are reliant on data to meet their due diligence requirements. Electronic Identity Verification (eIDV), verifying the identities of customers through comparing details and documents against official records, is one example of this.
eIDV processes require data sources that are not only accurate but also legal, given the threat of non-compliance with regulation like GDPR.
GDPR has established itself as a model for data regulation that other jurisdictions are looking to emulate. The California Consumer Privacy Act (CCPA) may lead to other US states passing similar regulation, and in time could inspire such data compliance legislation at federal level.
This is where cloud-based platforms are becoming front and centre in data management. Cloud-based KYC/eIDV platforms can be updated more regularly and “keep the data localised”, according to Charles Gaddy, vital for organisations with clients all over the world.
“The beauty of a cloud-based system is that it allows for a centralized access point while extending into countries 1-by-1 or multiple to provide best of both worlds - a centralized access point to a localized solution. Adding countries is centralized in the API, but the data remainders compliant and in country.”
Gaddy believes the cloud-based approach is also attractive to smaller companies looking to grow into more markets, as the expansion of country coverage all happens “underneath the covers.”
He continues: “If you are a growing enterprise - you’re in two markets right now and you can see yourself growing to five or six - you want a system that you only have to implement once. This means you’re not spending technical resources constantly updating it.
“It’s a cloud-based API, so as the cloud’s tentacles grow across the world, adding more coverage and better sources of data, you have that one point-of-entry into the cloud and you’re able to benefit from that scale, as well as all that compliance.”
Pulling the strings
Gaddy believes that the role of a compliance officer at a financial organization is similar to that of an orchestra conductor, guiding and instructing the different groups of musicians to create something unique.
“In financial services, the compliance officer must coordinate the different areas of identity verification in order to avoid fines and reputational damage caused by not following the sheet music of regulation,” he says.
Just as the conductor must ensure that the most capable violinist is playing first chair, it is important for financial institutions to find the best vendors across the different areas of compliance.
“The conductor is the person interpreting the sheet music and knows how the different groups of instruments need to come together.
“It’s important that the compliance officer uses his or her knowledge of the regulation to set out the company’s due diligence strategy and work with partners who will help follow it.”
Gaddy talks about this being a collaborative exercise. There must be an acknowledgement from all parties of the others’ expertise, just as there would be between conductor and the musicians.
“You don’t want sections of the orchestra coming in and telling the conductor: ‘we always play in this key.’
“On the other hand, the conductor shouldn’t tell the musicians that he always wants a certain part of the symphony played in a certain key, because that might sound terrible!
“The conductor needs to trust that the strings know how to play the best way.”
In financial services due diligence, international companies can expect to come unstuck if trying to follow the same method of eIDV for all clients regardless of circumstance. This is where harnessing the expertise of vendors with local knowledge of the data sources is important.
Different verification for different needs
Gaddy explains how his clients will often say they want to use just government and credit sources for eIDV and achieve a pass rate of 70% or higher.
This may work fine in some countries like the US or UK. However, in France, for example, there are little or no government or credit sources available. In this case, telecommunications sources - white pages registries, customer databases, billing and invoice records etc. - are more accessible.
“If you don't understand the nuances of the market and as a function of that you don’t account for those nuances in your pass and match expectations, you can get disappointing results. One of the things we do is give you that layer of data localization in combinations with the understanding of in-country regulations to optimize pass rates.”
The local element of this data helps to educate clients about the nuances of different regions and therefore manage their expectations, Gaddy argues. He uses the accepted conventions of first names and initials in the Netherlands as an example.
“In the Netherlands, we recommend treating a first initial match as required pass metric over given name. This is because Dutch people consider and treat their first initials like a full given name.
“We tell Dutch compliance officers we work with that you can accept a match of ‘C Gaddy,’ as well as ‘Charles Gaddy’. We say to clients, ‘If you always want to ask for a given name match, your match rates will go through the floor, because just using the first initial is the generally accepted practice in that market.”
According to Gaddy and GDC, this is where the compliance officers need to leverage the expertise of eIDV providers to strike just the right note in due diligence.