Exploring smart regulation: An assessment of the options for developing a shared KYC utility for the Jersey financial services sector
This report concludes that the Jersey Financial Services Commission (JFSC) should publicly announce its commitment to supporting the financial services industry in the design of a shared ‘know your customer’ (KYC) utility.
The purpose of a KYC utility would be to provide a shared tool for verifying customers’ identity. This could in theory result in reduced costs when taking on new clients, whilst introducing an enhanced degree of assurance for the JFSC as to the quality of these processes.
The JFSC set up a working group in 2019 with representatives of Jersey’s financial services sector, in order to understand appetite for a utility of this kind and to provide a platform to understand any challenges for implementation. The JFSC also had further discussions with individual firms, trade associations and technology providers. This report to the Government of Jersey sets out the JFSC’s conclusions from that process.
The main findings from the working group are:
- There appears to be scope for a shared KYC utility based in Jersey which will underpin effective island-wide combatting of financial crime, while helping the sector to control costs, provided the utility is designed to meet the complex global client base of Jersey’s international financial sector;
- A successful utility will need a strong financial, governance and resource commitment from a core group in the finance sector. This group should preferably cover multiple sectors, for example a bank, a major trust company and a major funds services provider;
- The opportunity for such a core group to form and be successful is optimised if the JFSC commits up front to participate in the design of the utility;
- A period of reflection before the Government of Jersey initiates a further forum or bilateral discussion would be helpful. This will allow the rapid changes in technology to be assessed by the financial sector and for businesses to conduct informal discussions.
This report advises the Government of Jersey that the JFSC will actively engage in the design process of a Jersey-based KYC utility, with a broad based coalition of financial services businesses, with a view to building a utility that conforms to global standards and expectations and which reinforces Jersey’s reputation as a jurisdiction determined to fight financial crime.
2.1 Since the publication ‘Jersey eVID Technical Analysis and Requirements Specification report’ issued in July 2018 where a number of constraints to developing a KYC Utility were highlighted, there have been some notable movements in the Digital Identity space:
2.1.1 In Q1 2020, The Financial Action Task Force (FATF) issued their Guidance in relation to how digital identity systems can be used for customer due diligence. It sets out how governments, financial institutions and other relevant firms should apply a risk-based approach to the use of digital ID for CDD. This is further explored in the next chapter.
2.1.2 Although there continues to be no significant adoption of solutions, a cross-sector of industry participants have or are in the process of adopting digital on-boarding and screening solutions;
2.1.3 Comparatively, there are a number of jurisdictions which have attempted or made operational a KYC utility for financial institutions. This is further explored in Paragraph 2.2 to 2.4 and within Appendix 2; and
2.1.4 A number of products have materialised in the Jersey market which could provide the basis for the start of, or be part of a KYC Utility for Industry. This is further explored in Paragraph 2.6.
2.2 The use of electronic identity outside of financial services is increasing significantly, particularly with regard to the identification of young people, identification for social welfare and travel purposes. Identity cards and passports which include electronic data on identity are now common, but more advanced approaches remain challenging. At this point, there are few jurisdictions that do not have some level of digitisation of identity information, but few jurisdictions which have moved beyond that to a successful electronic jurisdictional scheme covering most or all transactions which require identity verification. If anything, there appears to be an emerging market advantage with such systems often better developed in emerging markets than in advanced economies.
2.3 Many financial institutions are increasing the digitisation of the data they hold and process with regard to identity. There does not seem to be a strong jurisdictional bias in this pattern of development. It is now common for banks and other financial institutions to have bought in or to have developed automated systems covering at least part of their on-boarding process. This can range from biometric systems, facial recognition systems to, more commonly, the buying in of services to check publically accessible databases, for example to identify PEPs. Financial institutions which operate with few or no branches appear to be leading the way in this regard. There appear to be some examples of banks collaborating together to develop utility-like systems. While there is no particular jurisdictional bias in the general pattern of digitisation of on-boarding procedures, there does seem to be a geographical bias in the development of collaborative schemes between banks, suggesting that Government or regulator support may be an important stimulus. However, a second potential explanation is that the high level of overlap in customers between banks serving a single market creates potential network effects which makes the cost of cooperation worth it and perhaps most valuable where banking services are less concentrated but customer overlap is at a high level. This is not clear, however.
2.4 Jurisdictions have considered the ‘Utility’ approach, whereby evidence of identity is collected once and distributed between authorised users to meet their regulatory requirements. These ‘jurisdictional’ approaches have had varying success (Finance Latvia, 2019) and different components regarding a public or private model. Estonia is a notable example of successful development but take up by the global financial services sector seems minimal. In India, eKYC is a process, wherein the customer's identity and address are verified electronically through Aadhaar authentication, Aadhaar being India's national biometric eID scheme. FATF has drawn attention to India, Peru, Nigeria, Mexico, China, Singapore, South Africa, Belgium, Sweden, Italy, the UK, and Estonia as jurisdictions which have taken significant initiatives in this area. There appear to be a number of examples of jurisdictions being unsuccessful in developing such utilities, although the evidence in this regard is mainly anecdotal. See Appendix 2 for further details.
2.5 The evidence from elsewhere suggests that if Jersey is to develop its own approach, there are a number of factors which should be considered:
2.5.1 Leveraging existing providers and technology, rather than ‘building’ a jurisdictional utility may provide additional added-value, particularly with regards to maintenance, updates to regulatory requirements and on-going support;
2.5.2 Considering whether it would be a ‘Government-led’ or ‘Public’ utility, or whether regulated firms would have the appetite to develop a ‘Private’ consortium in order to deal with the ‘take-up’ risk at an early point in the process; and
2.5.3 Deciding whether the utility is to be cross-sectoral.
Jersey’s Electronic Identification Landscape
2.6 As outlined in the Jersey for Fintech Roadmap published by both Jersey Finance Limited (Jersey Finance Limited, 2019) and Digital Jersey Limited (Digital Jersey Limited, 2019), there are also a number of Jersey firms which provide elements of on-boarding solutions using electronic identification or other technology-based solutions to ease friction between customers and regulated firms. These firms include Atam ID Technologies, Vaiie (Jersey Post Digital), Tiller Technologies, Infrasoftech, KYCMe, Touchstone, Puritas and Warm. There has also been a number of firms who have contacted the JFSC directly to showcase solutions focussing on this area. In the event, it has proven unnecessary to do any detailed assessment of the current offerings. This could have been important to specify clearly where the market failure was which it would be appropriate to fill with a public or consortium-led utility and so as to assess any ‘crowding out’ impact on a burgeoning sector. However, as the overall conclusion is not to proceed at this time, that assessment was not necessary. Should it prove to be the case at a later date that Jersey should take an initiative in this area, close engagement with this sector would be appropriate to assess sectoral impact.
2.7 It was also noted that there is an initiative currently being explored by KYC Global in relation to sharing data (in particular more data sharing between agencies inclusive of suspicious activity reports between Government agencies and the JFSC) increasing preparedness for the MONEYVAL assessment.
2.8 Further detail of the landscape is explored within Appendix 3 and details clearly that private sector providers are innovating in line with evolving international best practices and technological advancements. The overall picture is one of a very active market with digitisation and automation of KYC processes going ahead without seeking network benefits. One of the downsides of developing a shared utility is that it would be likely to undermine the diversity of supplier and approach which creates a significant element of resilience in Jersey’s financial system. The global competition and compliance standards advantages of a utility would need to be substantial to outweigh the potential harm to a burgeoning market of providers of digitised on-boarding services in order to justify the interference in the market involved in building a Government-sponsored utility.
3.1 The working group did its work in advance of, but in anticipation of additional guidance from FATF on digital ID. On 6 March 2020, the FATF published its guidance on Digital ID (Financial Action Task Force, 2020) (the FATF Guidance). This guidance provides a different perspective and covers different subjects as it is aimed at jurisdictions in comparison with the JFSC’s published section within the AML Handbook on E-ID which focusses on how regulated firms would be able to use technology to meet their regulatory obligations (JFSC, 2015) (Section 4.2).
3.2 There are areas of strong alignment between the guidance being provided by FATF to jurisdictions and the guidance provided by the JFSC to firms, which can be seen by noting the following features of the FATF guidance:-
3.2.1 Acknowledgement of potential benefits (inclusive of minimising weaknesses in human control measures, improving customer experience and generating cost savings, additional transaction monitoring enhancements, and financial inclusion factors) and risks (identity proofing and enrolment risks including impersonation and synthetic IDs, cyber-attacks, data protection and/or security breaches, authentication and identity life cycle management risks including credential stuffing, phishing, credential interception and Pin code capture and replay and the potential management of these risks using multi-factor authentication measures. Finally, identifying broader issues which may impact AML/CFT efforts and potential obstacles to accessing identity information for ongoing due diligence and transaction monitoring.) Each of these risks and benefits goes into greater detail noting the technological advancements since Section 4.2 had been developed;
3.2.2 Understanding of what a digital ID system involves:
220.127.116.11 The key components of a Digital ID system ((1) Identity proofing and enrolment (with initial binding/credentialing) (2) Authentication and identity lifecycle management and (3) Portability and interoperability mechanisms); and
18.104.22.168 How these components relate to Recommendations 10 and 17 of the FATF Recommendations.
3.2.3 The FATF Guidance draws on internationally recognized assurance frameworks and standards in the United States and Europe which draw links between the existing FATF standards and technology inclusive of NIST within the United States and the eIDAS within Europe.
3.3 It was evident that there is a fundamental alignment between the approach the JFSC had already taken and the subsequent FATF Guidance in that both aim to achieve ‘technological neutrality’, in the sense that both seek to facilitate technological innovation where this does not reduce standards.
3.4 The JFSC went through a session with the Working Group devoted to the current guidance from the JFSC on ‘reliance’ as a key potential regulatory obstacle. However, there was a general consensus that the reliance guidance of the JFSC is facilitative and does not constitute an obstacle.
3.5 Notwithstanding this strong result, it was evident from the review of the current guidance provided by the JFSC that it does not deal specifically with the scenario in which a common utility is built. Any guidance provided by a regulator balances degree of granularity against leaving discretion to market participants as to how they comply. Exactly where this balance is drawn is sometimes referred to as the ‘principles/rules’ debate. This allows entities to set their own standards (within constraints) and bring their ingenuity to bear to controlling compliance costs and making more effective use of data. That balance alters in the event that a utility project is agreed. The JFSC should consider how to provide further guidance to a utility consortium, in the event that one is set up. This would always need to be aligned with the FATF Guidance.
4.1 Following feedback from Industry relating to the use of digital on-boarding and sharing of customer documentation which verifies evidence of identity between regulated firms within different sectors, the Working Group was established, facilitated by the JFSC to consider the options available to Jersey regulated firms.
4.2 The perceptions amongst industry as to why Jersey was not in a position to work together collectively to resolve this issue appeared to range across a range of potential issues: the role of government, project creep in earlier initiatives, the adequacy of market solutions, the limitations on guidance available from the regulator, the focus on domestic rather than cross-border KYC and technological limitations on the available options. As the work of the working group developed, it became evident that most of these factors were not the decisive obstacles to progress. Two issues emerged as key: the potential for conflict between harmonisation of standards within financial groups or harmonisation across the Jersey jurisdiction and, secondly, the continuing lack of a clear working example of data sharing which resolves both the technological and legal issues that may arise.
4.3 The Working Group considered what ‘making Jersey the easiest IFC to do business with digitally’ might mean in relation to on-boarding processes. Firstly, considering the up-take and challenges of using digital on-boarding solutions for non-Jersey customers and secondly, how Industry could share customer information, or make this information available as evidence for other regulated firms for shared customers.
4.4 The following problem statement was agreed (the Problem Statement):
4.4.1 Customers are experiencing a negative experience when they provide evidence of their identity using traditional ‘paper’ documentation multiple times and to varying levels of detail depending on the regulated firm they are dealing with. Some of the reasons for this are:
22.214.171.124 The evidence required by each regulated entity to verify identity is usually in documentation form (rather than data or information as permitted under the AML Handbook) of associated parties, such as directors or beneficial owners and it is costly and cumbersome to arrange to provide this documentation in the current climate, particularly when organising certified copies;
126.96.36.199 Each regulated firm conducts its own review of the documentation provided for each party involved, duplicating efforts for both customers and firms, particularly if there are varying requirements for each firm (as determined by each firm’s customer risk assessment) which is repeated on differing cycles;
188.8.131.52 Many firms are undertaking remediation action to ensure they are continually meeting regulatory requirements in each jurisdiction they operate in, which starts the cycle of collating information for each identified party again.
4.4.2 It was identified that the solution for customers would make the process easier, remove/avoid duplication and be secure in line with internationally recognized cyber-security standards.
For regulated firms:
4.4.3 Regulated firms are also experiencing a negative experience when it comes to meeting their regulatory requirements for identifying customers:
184.108.40.206 There is a high staff cost within AML teams. Ongoing customer due diligence requirements highlight the constant need for monitoring and this means that AML teams within regulated firms are spending a great length of time chasing paper documentation to verify a customers’ identity, rather than spending the time reviewing that documentation.
220.127.116.11 AML teams are able to use data which is available open-source, however this is largely a manual process. Very few providers have automated the data capture steps via robotics. As firms are operating in multiple jurisdictions, each location has different ways of complying with the domestic legislation meaning that the process is increasingly manual in the areas of data collection, data consolidation, data verification and reporting.
18.104.22.168 There are also perceived increased risks with using a different process to what firms are used to today (often determined by group companies or compliance divisions who are more comfortable with traditional collection of documentation for verifying identity) as financial penalties and reputational damage are a potential consequence for those regulated firms who fail to perform this role adequately.
4.4.4 As a result, industry would benefit from the use of a Utility which is cost efficient, quicker and which does not increase risk by being able to trust the evidence of identity that has met the requisite requirements. As a result, regulated firms would benefit from a solution whereby the AML/KYC process is performed once, consistently and made available to multiple industry participants to use. Equally, possible remediation in the future could reduce if a Utility was capable of assisting firms with data collection, consolidation and verification for remediation purposes.
For ‘Jersey PLC’
4.4.5 The Working Group considered that if a Utility was developed or procured which met the regulatory requirements and assisted both customers and firms in the ways outlined above, for Jersey (i) there would be a better quality and consistency of data collection, consolidation and verification, (ii) it would build trust between regulated firms and (iii) instead of duplication of effort across the regulated industry when a new requirement was imposed, the Utility would have the ability to continually improve and be enhanced.
4.5 As part of its external consultations, the working group had heard advice from experts from another jurisdiction to the effect that it was better to begin to build mutual confidence and a mutualised framework for cooperation by sharing data supporting effective transaction monitoring. This is further demonstrated by an initiative recently launched in the Netherlands with a consortium of five banks exploring opportunities to identify unusual transactions they would not be able to identify with only their own transaction reporting (Banken, 2020). However, given the relative importance of customer on-boarding rather than transaction monitoring in Jersey, the working group was not enthusiastic about the mutualisation of transaction monitoring as the starting point of its work and the problem statement above reflects the shared view of the working group that only a KYC utility could gain the enthusiastic engagement of a critical mass of the Island’s industry. Nevertheless, the lesson learnt from this part of the analysis was that there is a strong case for a progressive approach where data sharing is first trialled in a way which may not deliver substantial cost benefits but which will establish sharing protocols and trust, only thereafter seeking to build out the complex cross-border functionality that it is likely to deliver reduced-cost on-boarding for complex customer profiles.
4.6 The problem statement is also significant in that it identified that benefits for customers or cost benefits for firms alone would be unlikely to deliver sufficiently attractive benefits to justify this project. The project is justified only if it delivers benefits for both customers, particularly cross-border customers, and for firms. This adds significantly to the design challenge which would need to able to identify customers by jurisdiction of origin so that the different AML requirements in those various jurisdictions could be respected.
4.7 The working group considered a number of options available, including ‘mutualisation of data’ whereby each regulated entity would collect their own evidence of identity in the form of ‘paper’ documentation and share it with other regulated firms dealing with the same customers. It was considered the regulatory requirements of using reliance to meet their regulatory obligations in this way (given that evidentiary ‘top up’ may be required as part of each regulated entity’s risk assessment) could ultimately result in more friction between regulated firms, rather than less.
4.8 Ultimately, the working group initially concluded that a ‘Shared KYC Utility’ (a KYC Utility), a central organisation which collects, validates and verifies a customer’s documentation as evidence of identity using an electronic solution would provide a better option. The aim would be to reduce the friction for customers doing business in Jersey and better enable data sharing between regulated firms through a utility. This paper considers the options available to Jersey’s financial services industry when considering how to approach the next steps and whether this type of product would best serve the needs of customers, industry and ‘Jersey PLC’.
4.9 There are a number of benefits which a KYC Utility could have for regulated firms. The KYC Utilities described in this regard are two-fold. Firstly, regulated firms can create the utility by outsourcing to one service provider parts of their own KYC processes to ensure that the collection and verification of identity evidence has been completed in a consistent and compliant way. Secondly, the KYC utility would operate like a credit bureau, providing information to its clients (regulated firms) as a service. ‘For example, significant parts of a KYC questionnaire or in the case when a person is put on specific lists (sanction list) or can be associated with higher risk.’ Finance Latvia describes the following benefits to exploring these options (Finance Latvia, 2019):
4.9.1 It increases efficiency of processes as several obliged entities do not have to engage in repeated acquisition of information regarding one and the same subject-matter…it significantly encumbers the “migration” of individuals engaged in unlawful or suspicious activity…creates a platform for the disclosure of the acquired data to the obliged entities with limited resources…. Fourthly, the launch of the shared KYC utility will allow information sharing by the obliged entities therewith cutting the total investments in ensuring the compliance function.
4.10 The working group considered these benefits as the basis for their discussions, as each of the benefits described above would meet the Problem Statement.
5.1 The Utility discussed with the working group focusses on two main elements, with an optional third:
5.1.1 the collection of evidence for the purposes of verifying identity enabling quicker, easier on boarding of non-Jersey customers in a way which is compliant with regulated firms’ requirements and international standards relating to digital identity verification;
5.1.2 the sharing of that information between regulated firms with a focus on security, streamlining requirements and using the information collated and collected by the Utility as evidence in order to meet their regulatory requirements. The purpose of this sharing would be to be comfortable that every regulated firm with similar customers would have access to the same evidence, and customers would only be required to submit documentation once;
5.1.3 a possible enhancement to 5.1.1 by including screening of PEPs and/or sanctions screening, however it was noted that many firms felt this should be an optional add-on, as their screening processes were often determined and deployed by group companies.
5.2 The concept was considered on the basis that approximately 80% of all information collected by regulated entities is similar (albeit with different time scales and with ‘extras’ included for those firms who have risk rated customers in a different way). By targeting this 80%, firms would be able to source the evidence from the same place, trusting that information had been verified by a third party which is able to demonstrate that all elements of the process they are responsible for meet regulatory requirements for this element of the process. This would reduce the need for customers being contacted by multiple service providers for the same information, and would free up compliance resource to investigate red flags, or collect further information in line with their risk profiling, ultimately reducing risk.
5.3.1 Achieve broad adoption by regulated firms, including obtaining consent from group companies for procurement. This should also take into account that a number of businesses have or are in the process of developing bespoke ‘end to end’ digital on-boarding in line with their own risk profiling and requirements.
5.3.2 Attain acceptance by customers of regulated firms.
5.3.3 Establish a [or a number of] strategic partnership[s] that will implement, integrate and operate a fit-for-purpose KYC utility that removes friction for customers, delivers cost efficiencies for regulated firms and is compliant with AML/CFT legislation, codes and guidance, including those contained within applicable other legislation, such as Data Protection and Electronic Communications.
5.3.4 Establish a funding model which is appropriate as a number of regulated firms have confirmed that this is likely to be a significant factor when determining whether or not to use such a tool.
5.4 All of the critical success factors and solutions identified above have been discussed at length, some of which mirror those identified as part of Government’s E-VID project. The problems relating to cross-border customer on-boarding had not, however, been focused on in the way this working group focused on them. In the end, however it became clear that two factors were essential: proving the capacity of current technology to share data safely and legally, at speed and in volume such as would reduce costs significantly (the ‘technology issue’) and, secondly, the willingness of branch and subsidiary structures in Jersey to invest in a Jersey-specific process which might be at variance from a globally emerging group approach (the ‘group issue’).
5.5 Of these two issues, the group issue needs to be resolved before the technology issue can be collectively assessed. A number of the solutions require Industry to determine/weigh up in terms of what they would be prepared to contribute to. Equally, a number of external sources have cited that even though Government-led initiatives have proved popular as a discussion point, they are still in their infancy in comparison to external third-party providers who have progressed beyond multiple trial phases and have live products with multiple customers worldwide, cutting across cross-jurisdictional hurdles relatively seamlessly.
6.1 It was considered at this stage that there are a number of options available for all parties who have been involved in developing the concept of a KYC Utility for Jersey. Given Industry’s continuing interest in procuring and using on-boarding solutions (not necessarily the sharing of information between parties) consistently across financial services. Although there are no restrictions imposed which would prevent Industry from using one or more of the products available today, there is a general request from Industry for the JFSC and Government to further the enablement of the uptake of such solutions.
6.2 Following a number of meetings and informal consultation with regulated firms and their trade bodies, it was considered that the ‘users’ of such a tool should consider which of the options they would support and collaborate to move this project forward (to the extent they want to). To date, only Option 3 (as outlined below) has been supported across the working group.
6.3 Four options have materialised following discussions with the working group and following the publication of the FATF Guidance which are as follows and further explored later in the paper:
6.3.1 Government driven KYC Utility (Option 1): Following the work conducted by all parties on the E-VID project and noting that the landscape has changed since 2015 (when the E-VID project started) and 2018 (when the E-VID project ended). The Government of Jersey could re-engage the project (or through a Government-owned subsidiary) with the working group, to find a solution within the parameters of this project which would meet the needs of the Financial Services sector in Jersey. The working group also considered whether this option would add additional value if the Companies Registry information, when cost-neutral, could be ‘plugged in’. The focus would shift from Jersey residents to non-Jersey residents and would enable a level of credibility of the Utility which would not be apparent in the private sector.
6.3.2 Industry driven KYC Utility (Option 2): Industry continue with the working group, and design and develop a proposal in line with regulatory requirements which would allow for a ‘KYC Utility’. This requires action from a collaboration of firms. A successful initiative would require a strong financial, governance and resource commitment from a Core Group, preferably cross sectoral. This could include establishing a special-purpose vehicle, or procuring the services of one technology provider to service all willing participants. The details contained in Paragraph 1 of Appendix 2 are an example of this collaboration in the private sector.
6.3.3 JFSC to produce Guidance (Option 3): This option may further enable the use of technology for firms wishing to use digital on-boarding solutions. The JFSC could consider whether to publish further guidance or sign-post resources (in addition to the existing guidance on E-ID, or amend that guidance) following the publication of the FATF guidance on Digital ID. The JFSC could provide clearer guidance to Industry regarding the supervisory expectations and procurement of such providers for each firm to consider when undertaking procurement with third parties in this space, either through collaborating as part of these initiatives or by resolving ambiguity identified by Industry.
6.3.4 Business as Usual (Option 4): Continue to allow Industry to navigate the regulatory regime and meet their obligations in line with existing requirements in silos. This is a more passive approach to Option 2, and does not demonstrate any cohesion between firms. The JFSC will continue to support businesses on an individual basis as we have done in the past, particularly those driven by other group companies. Regulated firms (inclusive of professional service providers) may still encounter inefficiencies particularly when it comes to sharing information and meeting their obligations if using reliance. JFSC will continue to update the AML/CFT Handbooks as required.
6.4 Only Option 1 and Option 2 would have the ability to meet all elements of the Problem Statement.
6.5 Option 3 does not meet the problem statement. Furthermore no gaps in the current guidance were identified and no significant lack of clarity on relevant issues was highlighted. For that reason, this option was discounted.
6.6 Given that there are parties currently considering how they could effectively collect and share information (such as those described in Paragraph 1 of Appendix 2), Business as Usual (Option 4) allows each firm the flexibility to consider the options available on and off-Island which have the ability to meet the Problem Statement and their regulatory obligations without a joined-up or jurisdictional approach. It was acknowledged that the JFSC is required to perform its statutory functions and in doing so, is required to have regards to the guiding principles including “the best economic interests of Jersey”. Given the level of activity and competition in this space, to facilitate the development of a ‘one size fits all’ utility in relation to digital on-boarding of customers may be counter to encouraging or fostering innovation.
6.7 Therefore to differentiate between Options 1 and 2, a non-exhaustive list of further considerations have been explored below. High, Medium and Low detail the likelihood of meeting or exceeding those additional considerations.
Government-led (Option 1)
Industry-led (Option 2)
Problem Statement (as described in Paragraph 4.4)
An additional benefit (with no additional cost implications) of having a Government-led initiative, creating a level playing field and the same metrics for all parties wishing to use the Utility. Without Government involvement, the parties who choose to use the Utility would have no independent third party to quality check or provide balance to the differing economic power between the larger players and smaller players.
Ability to continually improve in line with JFSC and international requirements, with ease and in a cost-effective manner.
Will not stifle innovation/competition on-island with regards to KYC providers and their services offered to regulated firms.
Will facilitate innovation within firms where development is driven by IT divisions or parent companies, or allows for deviation of internal policies and procedures. Equally, allowing for firms to demonstrate a ‘competitive edge’ over other firms in the market through their streamlined take-on process.
Will allow for cross-jurisdictional customer on-boarding with confidence to meet all relevant regulatory requirements in each jurisdiction.
Allows for commercial decisions on expenditure to be deliberated and negotiated with third party providers on a case-by-case basis, rather than an economic scale of ‘user pays’ or ‘pay-per-use’.
Trust between regulated firms and third party service providers, as well as trust between parties who have access to the Utility.
6.8 This table suggests that both options are similar in benefits. The working group has provided invaluable insight into the willingness of Industry to collaborate (particularly in professional services and trust and company service providers) as well as identifying similar challenges across financial services in the Island. It however is also apparent that without significant up-take, this concept would not provide the benefit envisaged for ‘Jersey PLC’. There must be a critical mass committed to the project. There was little evidence of a critical mass willing to commit to either option.
7.1 At this time, following engagement with the working group, the JFSC have the following recommendations for consideration:
7.1.1 It is recommended that at this time, Jersey should not be a ‘leader’ in this space, as the critical success factors outlined in Paragraph 5.3 have not been adequately supported to achieve success.
7.1.2 For firms willing and interested in building a coalition to tackle the Problem Statement, a strong financial, governance and recourse commitment should be made by each participant. For maximum benefit, participants should preferably cross sectoral and include all parties who have mutual clients. The Core Group must establish a project governance framework and resolve the Problem Statement as a key initial indicator of potential success.
7.1.3 The Government of Jersey should re-convene an industry consultative working group in one year’s time to determine whether the appetite of parties has changed in consideration of a jurisdictional approach like those outlined in Paragraphs 2.2 to 2.4 and Appendix 2 and whether the options outlined in Paragraph 6 will have/has merit. Such a meeting should focus on establishing whether there is a critical mass of volunteer institutions willing to invest seed money in a project to design a utility. Government funding should only be introduced to match and follow such private sector investment.
7.1.4 It would also be beneficial for the Government of Jersey (supported by the JFSC) to host ‘check-in’ meetings to consider whether the jurisdictional landscape has evolved and if not, whether the thoughts and aspirations of Industry have changed since this review. Such meetings should focus on identifying any evidence of developments in technology and legal frameworks for holding and sharing data as are likely to provide a good model for Jersey in developing a utility.
7.1.5 The JFSC will actively engage in the design process of a Jersey-based KYC utility with a broad based coalition of firms, with or without Government of Jersey support as described in the paragraphs above, with a view to building a utility that conforms to global standards and expectations and which reinforces Jersey’s reputation as a jurisdiction determined to fight financial crime.
1 The following organisations participated in the working group discussions: Alter Domus, Aztec Group, Barclays, Brooks MacDonald, Carey Olsen, Crestbridge, Deloitte, Digital Jersey Limited, Fairway Group, Hawksford, HSBC, IQEQ, Jersey Finance Limited, Jersey Post Digital (Vaiie), JTC Group, KPMG, Oak Group, Ogier, RBC, Sanne Group, Santander International, and Standard Bank. Some of the participants were representing trade associations (such as JATCO or the Jersey Funds Association).
2 A representative of the Government of Jersey was also invited to observe the meetings of the working group.
3 Working Group members attended and participated in the working group and its sub-groups on a best efforts basis. Their role was advisory. The conclusions drawn in this report are drawn by the JFSC, rather than by the working group.
1 For the purposes of this paper, (i) a Public model is described as a shared KYC utility that is maintained and belonging to the state [Government owned], involving the necessity to address the issue as to how it will be administered and what does it mean in terms of liability, (ii) a Public/Private model is described as belonging jointly to the state and private entities. Thus, it is necessary to determine the form of operation of this model in terms of contributions and potential profit sharing, possibly it should be set up as a non-profit entity and (iii) finally a Private model is described as belonging to one regulated firm or a special-purpose vehicle (SPV) which would administer the platform and offer it as a service. In case the platform would be owned by a single regulated firm it would be impossible to use it on a wider scope and ensure complete independence.
2 There are a number of other jurisdictions which have also considered a collective approach to the collection, collation and verification of evidence of identity or Digital ID. Some examples are detailed below:
2.1 United Kingdom (Public): Verify.UK is a safe, quick and easy way to access government services. From a choice of 5 providers individuals are able to apply, check, and update Government-owned projects such as benefits, company tax, driving and transport, employment and pensions. This is not a financial services focussed product and aims to contribute to the UK Government’s e-enablement strategy.
2.2 Singapore (Public): In 2017, the Monetary Authority of Singapore announced its plans for a national KYC utility (MyInfo). It would use the information already available and would be enhanced by information fed into the system by financial institutions. The goal is to link all financial institutions to this validated database which will reduce duplication and improve overall information quality. MyInfo does not address any element of transaction monitoring or ongoing CDD.
2.3 Abu Dhabi (Public/Private): In July 2019, the Financial Services Regulatory Authority of Abu Dhabi Global Market launched an e-KYC utility project in close collaboration with the Abu Dhabi Commercial Bank, Abu Dhabi Islamic Bank, Al Ansari Exchange, Al Fardan Exchange, First Abu Dhabi Bank, UAE Exchange and ADGM. Together they will develop a proof-of-concept to decide the governance framework and the functional requirements of the e-KYC utility, with distributed ledger technologies being considered to underpin core functionality within the platform.
2.4 Nordic Region (Private): DNB Bank, Dankse Bank, Nordea Bank, Svenska Handelsbanken and Skandinaviska Enskilda Banken developed an efficient, common, secure and cost effective utility for sharing confidential customer credentials. The Nordic KYC Utility is privately held by the founding banks and plans to service large and medium sized Nordic corporates.
2.5 South Africa (Private): In 2014, the South African Reserve Bank fined the country’s four largest banks a collective fine of EUR8m for failing to implement adequate anti-money laundering controls and risk measures. In response, in 2016, they launched a KYC utility partnership with Thomson Reuters (Refinitiv, 2016). This service is used by large corporations, hedge funds, asset managers and others as an efficient, centralised service for sharing KYC documents and information through a secure and free of charge web-based portal. The main reason for efficiency is the standardised KYC information collection policy.
3 In JP Morgan’s recent ‘Perspectives’ document, it was highlighted that: KYC Blockchain solutions offer the potential for significant cost-saving, but well-developed alternatives such as SWIFT’s KYC registry already exist (International Finance Corporation, World Bank Group, 2018)….A Thomson Reuters survey in 2016 showed that the ‘average firm’ paid $60mn a year for KYC compliance, with some spending up to $500mn annually. Such Blockchain solutions are still in production phases including Dubai’s KYC data-sharing consortium partnering with KYC blockchain developer ‘norbloc,’ which is planned for 1Q20, with several successful trials including R3’s KYC application partnering with 39 firms concluded. Blockchain technology for KYC processes has the potential to produce the most time efficiencies relative to other use cases. However, we expect progress on blockchain KYC projects to continue to be challenged in areas including multi-jurisdiction hurdles on data sharing and privacy, lack of network effects, and concerns around transferring KYC responsibilities, but not liabilities to third parties (i.e., other institutions on the Blockchain). Further, the availability of alternate solutions such as SWIFT’s KYC registry, which is already used by more than 5k financial institutions and provides substantial time efficiencies (Swift, n.d.), may hinder widespread adoption of a blockchain solution (even if incrementally more efficient)—although we note underlying differences in the technology such as the responsibility for validation. (JP Morgan, 2020).
1.1 In collaboration with Digital Jersey, a group of key players in the funds sectors have launched the first-ever project within Sandbox Jersey, to create a proof-of-concept solution for the fund administration market in Jersey. The technology will facilitate secure sharing of investor evidence of identity between fund administrators, fund managers, banks and law firms (in a decentralized network). The group’s mission is to make Jersey an attractive jurisdiction for fund managers and investors, by creating a frictionless CDD experience for all parties. Providing the investor with full control of each piece of information they have shared, and with whom they’ve shared it, is a core tenet of the group. Sharing of key investor information will significantly reduce the cost of performing CDD on fund participants, help providers better utilize internal compliance staff (helping them attract and retain talent) and speed-up fund launch and fund closing activities. In addition, sharing will strengthen the group’s ability to detect and address risk, since providers on the sharing network will have the most up-to-date and accurate information about fund participants at their fingertips.
1.2 Members include multiple fund administrators, a global investment manager, law firms, a leading banking service provider to funds in Jersey, Digital Jersey as host and co-facilitator as well as Finos Global (Finos Global is a firm based in the Netherlands, further information is available here) the technology provider and co-facilitator. The working group launched in 2019 and are taking an iterative approach to bring this innovation to market. They are utilizing the existing Finos platform as a foundational layer, which brings advanced built-in security and sharing features, significantly accelerating the group’s development efforts. Each month the group meets to receive &review a demo of the latest version of the product, provide feedback and prioritize the next set of features. Plans are underway for the testing phase to start in September, with the goal of having the network live and operational before the end of the year.
2.1 Accenture, a global professional services company presented to the group the concept of developing a Shared KYC Utility as part of a phased approach. Accenture presented that the Utility concept has been explored or trialled by various industry consortia across the world to share the burden of gathering data and documentation for corporate and institutional customers.
2.2 Accenture provided some details of what to expect from a Shared KYC Utility inclusive of the following: use supported by local regulators, stores permitted customer data and is GDPR compliant, good coverage of customer data, unified data source for multiple service providers driving consistent data standards, common digital interfaces and support for straight through processing, unified contact for customers, customer data alerts driven to the relevant regulated firms, information and specification of information to remain with each regulated firm, leveraging new technologies such as AI and analytics for optimisation of process and quality and will set an anticipated risk rating for each customer depending on the risk appetite of each regulated firm.
2.3 Accenture shared some experiences as to why most utilities to date have failed, predominately due to focussing on the wrong areas or too big a picture as a starting point. Accenture’s phased approach focuses on delivering value early, realising benefits, delivering client value upfront, creating additional value, building trust and confidence and maintaining strong governance. The proposed phases were outlined as the following, together with the rationale for each:
2.3.1 PEPs, Sanctions and Adverse Media Screening (A) – frequent changes in screening the regulatory framework is causing many regulated firms to re-evaluate their approach to sanctions compliance. A utility set-up creates a risk-based standardised approach while allowing regulated firms to remain compliant in a cost efficient manner.
2.3.2 Continuous Monitoring (B) – AMLD4 substantially tightens rules on customer due diligence causing many regulated firm to re-evaluate the ongoing customer due diligence process, which tends to be reactive and heavily resourced. A utility based set-up would apply consistent continuous risk score proactively raises reviews/incidents allowing regulated firms to effectively manage ongoing customer due diligence.
2.3.3 Customer On-boarding (C) – regulated firms face increasingly stringent global regulatory obligations, which require the collection, processing and evidencing of more customer and counterparty data than ever before. A utility based set-up creates a central point of entry for data which is captured once and made available to multiple regulated firms to use. Regulated firms would then benefit further from more of the KYC process being shared.
2.3.4 Transaction Monitoring (D) – regulatory expectations for AML programmes continue to expand at the same time transaction volumes are increasing, causing many regulated firms to re-evaluate their approach to transaction monitoring compliance. A utility based set-up creates a risk-based standardised approach to support transaction monitoring and analytics to zero-in on abnormal account and customer transaction behaviour allowing regulated firms to remain compliant in a cost efficient and timely manner.
2.4 Accenture shared their roadmap to a minimum viable product focussing on (A). Their recommendation was that at this time the minimum viable product combines a single technology platform and key elements of customer data. Policies, procedures, processes and people remain separate for each entity utilising the platform.
2.5 The Group acknowledged that even though the phased approach was logical, it did not consider (A) focused on the ‘pain points’ each business was trying to resolve or Problem Statement as identified above, and addressed by (C) directly. A number of firms confirmed that their screening processes and transaction monitoring were largely automated already and were often delivered as part of ‘group’ processes across the organisation – meeting the requirements of multiple geographical regulatory requirements.
Banken, N. V. v., 2020. Transaction Monitoring Netherlands: a unique step in the fight against money laundering and the financing of terrorism. [Online]
Available at: https://www.nvb.nl/english/transaction-monitoring-netherlands-a-unique-step-in-the-fight-against-money-laundering-and-the-financing-of-terrorism/
[Accessed July 2020].
Digital Jersey Limited, 2019. Jersey's Fintech Map. [Online]
Available at: https://1w2nv646rqrk3a2r3a23161t-wpengine.netdna-ssl.com/wp-content/uploads/2019/12/Digital-Jersey-Fintech-Roadmap.pdf
Finance Latvia, 2019. Report regarding KYC Utility. [Online]
Available at: https://www.financelatvia.eu/wp-content/uploads/2019/07/KYC-utility-report-June-2019.pdf
[Accessed 6 September 2019].
Financial Action Task Force, 2020. Digital Identity Guidance. [Online]
Available at: https://www.fatf-gafi.org/publications/fatfrecommendations/documents/digital-identity-guidance.html
International Finance Corporation, World Bank Group, 2018. How a know-your-customer utility could increase access to financial services in emerging financial markets (Note 59). [Online]
Available at: www.ifc.org/thoughtleadership NOTE 59 • OCT 2018
[Accessed 6 September 2019].
Jersey Finance Limited, 2019. Jersey's Fintech Map. [Online]
Available at: https://www.jerseyfinance.je/check-file?file=wp-content/uploads/2019/10/859-JFL-Fintec-map-ARTWORK-interactive-.pdf
JFSC, 2015. Section 4.2: Guidance on E-ID. [Online]
Available at: https://www.jerseyfsc.org/media/1851/section-42-guidance-on-products-and-services-e-id.pdf
JFSC, 2017. Outsourcing Policy and Guidance. [Online]
Available at: https://www.jerseyfsc.org/industry/guidance-and-policy/outsourcing-policy-and-guidance-note/
JP Morgan, 2020. JP Morgan Perspectives: Blockchain, digital currency and cryptocurrency: Moving into the mainstream?. [Online]
Available at: https://markets.jpmorgan.com/research/open/url/t59R6MoBP2TUkWA_itSQBbfUlco1CmYnoNL3dA6WVSm82drJuOYLvdZIqDyuXyp-L4OrVEFw_eAu4UgzicsInqAwjcbKIQHiPfGEjPF2Rt5PKUltFmEKGQaC3DeLBoW7?action=print
Refinitiv, 2016. Data is just the beginning. [Online]
Available at: https://www.refinitiv.com/en
Swift, n.d. KYC Registry. [Online]
Available at: https://www.swift.com/our-solutions/compliance-and-shared-services/financial-crime-compliance/kyc-solutions/the-kyc-registry
 https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual, see also: https://www.nao.org.uk/report/investigation-into-verify/