KYC for Mobile Money - Why is it so hard?

KYC stands for “Know Your Customer”.  Most people forget that. They think it means “Collect lots of paperwork” or “Comply with annoying regulations” or “Make it hard to sign up for a new account”. Most mobile money operators don’t take any effort to really know their customer and the reasons the customers have for using the service. All most operators care about is one question, “Do I have enough documentation about this customer to keep the regulator happy?”

Of course, a mobile money business can’t operate without a happy regulator, but it’s important to understand the reasons behind KYC. If we understand the risks we’re really trying to deal with, we can also see the opportunities to provide a safe service that maximises financial inclusion.

Before we design a KYC process, we need to ask why we need “KYC” at all.

The most common answer is, “Regulation”, usually accompanied by the two words that strike fear into every banker, “Money Laundering”. But if we delve deeper, we find three reasons for collecting customer information.
1) Protect against systemic risks: regulators want information about customers in order to protect the financial system against crimes and money laundering.
2)   Customer protection: Customers must have some way to identify themselves to the operator in the event that their phone is lost or stolen.
3)   Intelligence: demographic information may be useful to operators, or to their funding partners, especially if they are receiving any development funding or grant money.

When most mobile money operators talk about KYC, they’re really only talking about the first step of the KYC process.  Anti-Money-Laundering  (AML) regulation usually refers to this as “Customer Due Diligence”. It’s an important step, but it also needs to be followed up with other actions such as risk rating and transaction monitoring in order to constitute an effective AML plan.

By thinking about the reasons to know our customers, it should be possible for operators to design a KYC process that balances these goals without presenting too many obstacles for the customer or costs for the operator. But many operators don’t get this as far as this decision; they panic at the magic words “Money Laundering” and the fear of the regulator and go straight to an archaic paper-based collection process.

Money Laundering and Terrorist Financing are definitely things that banks and regulators need to be concerned with, but personally I think it’s hard to see how well designed mobile money in developing markets will lead to widespread money laundering. In every single market, it is attempting to replace cash-based or informal transactions. Every transaction is recorded in a sophisticated real-time system. The system limits are lower than the amounts most money launderers would be interested in, even if the criminals open multiple accounts.  Most mobile money operators have access to technology and reporting systems that are light-years ahead of the legacy systems with which most banks are burdened. What self-respecting criminal would choose to travel to ten different mobile money agents to deposit the money, move their money through a traceable system, then travel to ten different agents to withdraw it, when they could simply send the cash in a brown paper envelope instead?

The key international body that sets international standards for Anti Money Laundering, the FATF (Financial Action Task Force), recommends risk-based approaches to money laundering and recognises that financial inclusion is vital to preventing money laundering.  Most regulators also recognise risk-based approaches in their AML regulations, but so far not many have been willing to put this in practice and make allowances for mobile money. Banks are guilty too, of not wanting to push the regulators on this issue.

If the mobile money operator is not willing to adopt a risk-based approach, they will end up mimicking a bank, but in a very bank-unfriendly physical environment. They collect an application form, a photocopy of an ID, some passport-sized photos, a signature, a thumbprint, and possibly a letter confirming an address. These are photocopied on worn-out machines in dusty rural markets, gathered up by the agents, then sent via rickety buses and motorbikes to the head office. If the customer is lucky, the photocopies were clear, the documents pass the quality check, and are scanned, re-typed and archived in creaking bookshelves for seven to ten years. If the customer is unlucky, their creased, stained, dark and blurry photocopies are rejected and sent back for the whole process to start again.

By this time, the documents have probably passed and been processed by four sets of hands (agent, network manager field staff, network manager back office and operator back office). In an extreme case, the customer must wait until all this activity is complete before they can use their account.

There is some benefit of a risk-averse approach like this, if the provider has plans to allow international remittance or other more complex financial services such as savings or insurance that will require a higher standard of Customer Due Diligence. But it does seem like overkill for the initial product of a transactional wallet, and it definitely presents barriers to entry to the unbanked. If anything, requiring stringent ID requirements will actually force some people to use fake ID or to borrow ID from a relative instead of opening an account in their true name.

Technology goes a long way to reduce the risks of mobile money. The use of SIM cards as two-factor authentication is in many ways superior to the technology of magnetic credit cards or internet banking. But launching a mobile money business is a risk – it is hard and expensive to set up your agent networks, your technology linkages, your marketing campaign. Before launching, providers need to think carefully about the risks of their customer onboarding process. Understanding this risk in full should create opportunities for a simpler process that meets the needs of regulators and promotes financial inclusion. It might not be easy to convince regulators that your risk-based approach is sufficient to protect the banking system, but it will be worth it in the long run.

In my next post, I will talk about how to turn the risk-based approach to KYC into an opportunity for simplification.

- Michael Joyce