Opinion Piece
—
Monday the 24th of April 2023 was a sad day for banking customers in Sweden, even though the vast majority of us would not immediately appreciate the negative news. The latest effort of Swedish banks to create a Know-Your-Customer (KYC) utility had failed spectacularly.
—
But why should banking customers care about KYC and utility efforts?
—
As a brief background, KYC is the process during which banks identify their customers, individuals and businesses alike. It is a process aiming to prevent proceeds from illegal activities from entering the banking system. It is also a process that requires customers to share a lot of information with banks on a regular basis, and banks to review that information. At norbloc, we ran a bottom-up analysis of KYC processes in Sweden in 2017 together with two of the leading banks and the results were disheartening. For businesses, it took on average 5.5 man-days to onboard with a bank and approximately the same time to renew their data every 1-3 years. That is the amount a company spent per bank. Now consider that a company not only has multiple banking relationships, but must also go through the same process with its lawyers, accountants and auditors.
One approach to solving that enormous duplication of effort, on the customers' side as well as the banks', is to create a utility. The utility will allow customers to give their information once, irrespective of counterparties, and it will validate the information once, for all banks and other institutions that want to consume that information. In other words, an enormous saving in terms of costs, time and frustrating conversations at branches.
In 2019, six Nordic banks decided to create such a utility and call it Invidem. On April 24th, 2023 they decided to cease its operations. Four years and EUR ~60mn later, according to the Swedish press, that effort came to a sad conclusion. How is that possible?
Taken from the Invidem website.
The official announcement is rather cryptic, stating that “the decision comes as recent regulatory and technological developments have altered the prerequisites for the business, making the task more complex than anticipated […] achieving the desired scale benefits has become more challenging”. The undertone of that message suggests there were fundamental flaws in the design of that utility from the start; flaws that could have been avoided if any lessons had been learned from past efforts in Singapore, S. Africa etc.
—
So, what went wrong?
The KYC Utility is a concept that has gained significant traction in the last 6-8 years. norbloc research indicates that there have been at least 27 pilots of KYC utilities around the world, 18 on centralized and 9 on decentralized architectures.
—
Centralized Utility; the case of Invidem
This design is essentially a hub-and-spoke approach. A new entity, like Invidem, is created or employed, whose sole function is to collect and validate customer data.
A customer new to the ecosystem must provide their data to the Centralized Utility for validation and, once it is validated, they can share that data with any financial institution in that ecosystem.
Any updates are again made with the Centralized Utility, which subsequently shares the new data with the financial institutions that the customer has already granted access to it.
—
Decentralized Utility
Here the Utility is not a separate operating entity; instead, a network is created between financial institutions that share validated customer data between them at the request of the client.
For example, if a customer onboards with Bank A, then that bank creates a KYC file for them. If they also want to onboard with Bank B, then they “push” that newly created file to Bank B, which now receives the customer data as it did previously, but accompanied by the validation stamp of Bank A.
Essentially, banks provide validation services to each other instead of a validator providing that service to them. (Note: a decentralized Utility can also include a validator participant that banks can use to validate customer data selectively.)
—
Centralized vs. Decentralized Architecture & Invidem
—
The two approaches have several similarities:
- Governance: In both approaches, there is a need to create a standardized KYC dictionary that is shared by all participants. Additionally, participants need to align on the validation process that is followed, either by the central entity or by each of the banks, as well as on remedial practices in cases of errors and omissions. (NB: the data standardization exercise is more straightforward than it sounds, given our experience in 5 jurisdictions in Europe and Asia.)
—
- Network effects: The more institutions participate, the higher the value of the services offered to ecosystem entities and their customers where a decentralized utility is involved.
–
- Liability roll-over: In both centralized and decentralized utilities, liability towards the regulator for validation of an obliged entity cannot be rolled-over to the utility. Instead, the obliged entity and the utility must cover these eventualities in their service contracts.
—
But there are also significant differences:
- Complexity: Central utilities tend to be less complex from a governance perspective than decentralized efforts. Whereas in both cases all participants must agree on common KYC dictionaries and validation processes, enforcing those agreements is a considerably more complex process when multiple parties validate data.
The key aspect where Invidem would have had an edge vs. a decentralized approach seems not to have been utilized. Unless the centralized utility runs under the auspices of a regulatory body, it is difficult to enforce governance and take crucial, timely decisions with multiple banks of equal negotiating sway. Hence the active involvement of Finansinspektionen could have helped avoid the conclusion Invidem experienced.
—
- Implementation costs: Centralized utilities involve the migration of considerable operations, typically performed by hundreds of employees, to a new entity. The investment required in relevant systems and personnel can be prohibitive. In contrast, decentralized utilities do not require the establishment or contractual involvement of any new entity, and the set-up costs are confined to the technological implementation in each institution.
In the case of the Nordics, a new company (Invidem) was created to handle the utility task. That company procured systems and employed KYC professionals to perform validation tasks. The magnitude of the effort is underlined by the EUR 60mn investment that the participating banks are believed to have made towards it.
—
- Customer interface: Centralized utilities in some cases require customers of the participating banks to interact with the Utility directly for the provision of KYC data. In those cases, the customer will have two parties to interact with (Utility and Bank) instead of previously one (Bank). Additionally, any updates caught by banks during the normal course of business will have to be transferred back to the Utility. In a decentralized model, the customers of institutions interact only with one party (Bank) and any updates from many banks are by technological protocol transferred to other institutions with access to that data.
The user journey design in the Nordics required companies to register some data with Invidem and then share another dataset directly with the banks. Note that some of the data for companies used in the KYC process is already held centrally by relevant corporate registries, i.e. Bolagsverket in the case of Sweden.
—
- Monetization potential: Providing attestation/validation services can generate significant revenues. In the case of the centralized Utility, these benefits typically accrue only to the central Utility. In contrast, decentralized designs allow any full ecosystem participant to monetize the validation efforts they expend, thus creating a new revenue stream for banks in a trust-based service.
There is no indication that banks would have monetized the validation efforts on the dataset that they would review once Invidem was operating.
—
- Data security and business continuity: Here the clear “winner” is a decentralized approach. Centralized utilities are a prime target for security breaches as they hold the entirety of the ecosystem customer data. Decentralized efforts allow participants to hold only the data they held before and with at least the same security provisions.
—
- Vendor risk: In both architectures, there is reliance on a vendor; but the high set-up costs of a centralized utility make the operational and financial risk of that reliance much higher than in the case of a distributed utility.
—
Is it worth pursuing a Utility?
The fact that creating a utility requires significant design and governance thinking, and a shift in how KYC is approached, does not negate its vast operational, monetary and regulatory benefits. And those benefits are tangible in utility efforts around the world, e.g., in Greece through its governmental portal for individuals and in UAE through its decentralized KYC ecosystem. The operational demands of performing efficient and effective KYC will additionally be vastly amplified once Central Bank Digital Currencies (CBDCs) and tokenized deposits become a reality. Those will need to be held in citizen or company electronic wallets. And without error-free KYC, these efforts will nurture, rather than minimize, financial crime.
—
Astyanax Kanakakis
Co-Founder & CEO, norbloc
Caveat
The views outlined below are solely the views of the author and are based on proprietary norbloc research across various jurisdictions. Any reference to Invidem is based only on publicly available data.