Blockchain and Compliance: Taming the Regulatory Beast

How Blockchain and Distributed Ledger Technology can transform digital identity, KYC, and AML for efficient regulatory compliance

Over the last few years, blockchain and compliance have garnered a lot of attention from companies operating in highly regulated industries.

And for good reason.

Ask any compliance officer about the current regulatory environment and they will likely tell you that we have entered a time of unprecedented risk, uncertainty, and complexity.

Compliance teams face what can only be described as a perfect storm of challenges and are searching for solutions.

A steady increase in regulations combined with unpredictable shifts to existing laws has resulted in an uncertain operating environment. Compliance officers are overloaded, fatigued and struggling to stay abreast of the latest requirements.

Compounding the regulatory uncertainty are greater operational risks. With many companies now operating globally, compliance teams must deal with a broad range of international regulations.

The digitization of global commerce has introduced additional headaches. As consumers shift their activities from the physical to the digital world, the volume and complexity of transactions have significantly increased.

Crimes like fraud and money laundering are reaching epidemic levels and corporate identity management systems, vital to KYC and AML compliance, are proving to be outdated and ill-equipped.

At a time of increased operational risks, regulators have also made it clear that any shortfalls in compliance will result in harsh penalties for companies.

Compliance officers are under the spotlight too.

Increased personal liability stemming from misconduct and negligence has become a top priority for governments following the disastrous 2008 financial crisis.

The decision to hold individuals account for wrongdoings has exacerbated an already severe shortage of experienced compliance officers.

A general tightening of company compliance budgets and a refusal by many corporations to replace inefficient compliance systems has not helped either.

In the face of such profound and wide-ranging challenges, companies that continue to invest in inefficient legacy systems and ‘band-aid solutions’ will find it increasingly difficult to operate, access vital cost savings, develop new products and deliver efficient digital services.

Compliance officers and the companies they work for must confront a different reality that demands more effective and efficient ways of tackling regulatory compliance.

Put simply, the time has come to tame the regulatory beast once and for all.

No more short-term fixes, no more excuses.

But, there is some hope.

Blockchain and compliance are a great match. The technology is showing much promise to fundamentally transform the way companies conduct their compliance-related activities, and as a result, deliver the robustness and agility needed to survive and grow in a more complex digital world.

Meeting security & privacy regulations by offloading control of identity data to customers

The current model of digital identity management, whereby corporations control, verify and store the identity credentials of their customers in siloed, centralized databases is broken and ill-suited to the demands of the digital world.

The digitization of global commerce and the proliferation of technology are changing the demands of identity systems and making it harder for companies to establish and verify identity.[1]

Companies are having to interact with their customers through a range of digital devices resulting in in-person transactions becoming less common and more transactions than ever before involving entities without established relationships. [2]

As companies find it more challenging to establish and verify customer identity, they risk running afoul of strict KYC and AML regulations.

But that’s not all.

The vulnerability of customer information is a major concern as well. Insecure centralized servers used by corporations to store customer data have proven easy targets for criminals to exploit.

“In an increasingly borderless and digital world, privacy and security cannot be ensured through the construction of walls around sensitive information. Identity is the new frontier of privacy and security, where the very nature of entities is what allows them to complete some transactions but be denied from completing others.” – Professor Stephen Saxby, University of Southampton

Massive data breaches and epidemic levels of identity theft and fraud have impacted customers and companies across the world. From Yahoo, and Walmart to Sony and Target, sensitive customer data is being exploited on an unprecedented scale.

“The centralized servers of identity providers like Google and Facebook are honeypots of data, so they’re economically valuable for hackers to attempt to crack.”[3]

So, how can blockchain & distributed ledger technology solve these problems?

Blockchain & distributed ledger technology can replace centralized, corporate-controlled digital identity management systems in with a decentralized infrastructure that increases security and gives control, ownership, and responsibility for identity information to individuals.

This is achieved by shifting trust from corporations, and other third parties to a network agreed incorruptible database. [4] In doing so, companies free themselves from having to issue, verify and store identity data, as the essential element of trust and verification is provided by an immutable and transparent distributed ledger.

Companies can instead verify a customer’s identity by quickly and cheaply checking an industry-specific or nationally distributed ledger. The immediacy and transparency inherent in the technology also mean that any changes to information within a ledger are available in near real time.

With data always under a customer’s control, many of the security and privacy risks that afflict corporate identity providers are eliminated along with most of the costly backend compliance activities.

Why profound change is needed now – offloading a growing burden

We are rapidly approaching a time where the burdens of being an identity provider and data owner outweigh the benefits.

As the volume and complexity of digital transactions increase, corporate verification and identity management systems will increasingly fail and penalties will begin to mount. Outdated identity management systems are set to expose companies and their compliance officers to unprecedented liabilities and reputational damage.

“The upcoming reliance on billions of internet-of-things devices makes it untenable to have all those devices controlled by a centralized identity provider, since a breach of this provider would prove catastrophic to not only digital but also physical infrastructure.”[5]

There are grave concerns about privacy as well. Consumers are becoming wary of security vulnerabilities and are getting increasingly frustrated with companies collecting and selling their data to other unknown entities.

New data protection laws like the EU General Data Protection Regulation (GDPR), set for implementation in 2018, reflect these widespread public concerns and will place companies under a prohibitive new regulatory framework.

“The market opportunity here is precisely this huge because so many organisations are dealing with the digital-identity management challenge according to old ways of thinking. It’s the organisations that can learn to look at digital identity in new ways that will be the winners.” – James Ryan, Consultant, and Co-Founder of Litmus Logic

Rising customer expectations for seamless, omni-channel service delivery will also mean outdated identity management systems will continue to frustrate customers and get in the way of the provision of online services.

Companies that don’t offload the management and control of identity data to customers will find themselves exposed to greater risks and bogged down in more costly and time-consuming compliance related processes.

But the impact could be even worse.

As the volume and complexity of digital transactions increase and new regulations like GDPR take effect, companies that don’t relinquish control of their customer data could, in fact, find their ability to operate diminish to unworkable levels.

Reducing manual compliance processes and eliminating data reconciliation

Know Your Customer (KYC) compliance forms an integral part of the broader anti-money laundering (AML) procedures and regulation set.

Despite the centrality and widening scope of KYC to operations in the global digital economy and the growing risks of non-compliance, companies continue to use outdated and disparate systems.

These systems have made KYC & AML compliance expensive, inefficient and a major hindrance to the delivery of streamlined customer experiences.[6]

“Compliance with AML, Know Your Customer (“KYC”) and sanctions requirements continues to be a key focus area for management, and firms must ensure they are following appropriate compliance procedures to meet the increasing regulatory demands. Firms operating on a global scale must also demonstrate a robust compliance framework, ensuring that each territory has sufficient management oversight and that AML requirements are being adhered to at both a local and global level.”[7]

Today, KYC requirements dictate companies complete several tasks and steps as a part of the onboarding process for new clients. This includes the collection, validation, and verification of key documents such as proof of identity, address, birth, and certificate of incorporation. [8]

It requires compliance officers to manually check and share enormous amounts of data with third parties as well as internal due diligence teams and in some cases can take several months to complete. [9]

Fragmented IT and data architectures have made reconciling data sets across departments a huge headache, especially for large complex organizations.

Banks, for example, do not have a unified KYC system, rather a number of isolated systems which each cover a line of business, such as wealth management and brokerage. [10]

As compliance officers can attest, the management, organization, and integration of these outdated systems are very costly, resulting in companies spending vast sums of money on compliance and causing needless errors and duplications.

The customer onboarding experience is also impacted negatively.

A blockchain of verified customer data would eliminate the need for many of these manual processes as identity data would already exist in a secure and tamper-resistant database. [11]

The existence of a shared ledger would also end the need to conduct costly data reconciliation and reduce errors and duplications as all data is unified.

Any changes made to customer data within the ledger are distributed in almost real time to all members of the network, keeping the information up to date and accurate.

Members would also be able to instantly access certification records of a potential customer by relying on the work another company has already completed. [12]

By reducing the need to conduct manual compliance processes and eliminating data reconciliation, companies can experience a dramatic reduction in compliance costs, including the need to hire costly compliance personnel.

There are huge gains in efficiency to be made, as the time necessary to conduct mandatory KYC and AML compliance processes diminishes.

Compliance teams gain efficiencies in regulatory reporting

A slew of regulations such as Basel II, BRRD (UK, EU), Dodd-Frank (US) and the Bank Secrecy Act (US) are forcing financial firms to dedicate vast resources to ensure compliance and placed an enormous burden on compliance officers.

These regulations and others like them necessitate intensive reporting of counterparty exposures and transactions and the maintaining of customer records to be audited by the government.

Aggregating and automating the large volumes of data required by regulators is, however, problematic and time consuming due to disparate legacy IT systems and siloed record keeping. [13]

“Financial supervision is increasingly driven by data, with regulators requiring data of a greater granularity and at a greater frequency. The type of data needed to assess compliance with the majority of prudential regulations is called “risk data,” which are typically quantitative and need to be of a high quality: structured, well defined, accurate and complete.”[14]

Both industry and regulators win

Blockchain and distributed ledger technology have the potential to remove a number of pain points for both corporations and regulators.

It provides a unified platform to store and record all transactions, a single source of truth that is easily accessible, transparent, unchangeable and tamper proof.

When transactions are executed and validated on a blockchain, they get timestamped and added to an unchangeable chain of blocks in chronological order.

With all transactions documented in a distributed ledger and each time-stamp including a previous time-stamp, a permanent audit trail is created.

The technology ensures that regulators can become part of the transactional process for the first time. With access to all transactions in real time, the process of regulatory reporting is completely transformed.

“By creating a full front-to-back view, banks can better understand the lifecycle of a financial asset and/or contract in a recording-keeping construct that cannot be altered. This full history certainly intrigues regulatory authorities, as it provides full transparency in areas such as “know your customer”, anti-money laundering and transactional data.” [15]

Regulators will not only experience an immediate and more systemic view of transactions, but compliance teams will also be relieved of the burden of having to aggregate data and continuously report their activities. [16]

Perhaps even more profoundly, by providing transparent and immediate access to regulators, blockchain and distributed ledger technology could enable a reduction in systemic risk throughout the financial system and the return of trust to the financial industry and other regulated industries as well.

Smart contracts can automate AML monitoring processes & provide real-time updates

For regulated businesses like financial institutions to remain compliant with anti-money laundering regulations, they are required to assess new clients during the onboarding process and also consistently screen transaction information for any suspicious activity throughout the lifetime of a customer.

The requirement to continuously screen client transactional information requires constant vigilance from compliance officers and make AML monitoring extremely time-consuming and resource intensive.

Beyond the time and monetary costs dedicated to AML compliance, there are also growing questions about the effectiveness of current compliance systems.

In 2014, KPMG estimated that global spending on AML compliance was approximately $10 billion dollars. [17]

Yet according to the United Nations Office on Drugs and Crime, global money laundering transactions remain relatively widespread, making up an estimated 2-5% of global GDP per year. [18]

One of the main reasons for the continued proliferation of money laundering stems from the siloed and disparate information storage systems used by companies today.

These siloed systems that lack basic levels of interoperability result in compliance officers having a piecemeal view of customer activities which severely limits their ability to find and track suspicious activities in a timely manner.

Smart contracts run on a blockchain have the potential to help compliance teams completely automate parts of AML compliance, eliminating many manual and time-consuming processes and improving the accuracy and timeliness of monitoring activities.

With rules hard-coded into a smart contract, companies can ensure automatic compliance with specific regulations and enable an alert for compliance teams for any predefined suspicious activity. [19]

Alerts could even be programmed to automatically produce a Suspicious Activity Report (SAR), which financial institutions must file with the Financial Crimes Enforcement Network. [20]

“Smart contracts represent a next step in the progression of blockchains from a financial transaction protocol to an all-purpose utility. They are pieces of software, not contracts in the legal sense, that extend blockchains’ utility from simply keeping a record of financial transaction entries to automatically implementing terms of multiparty agreements.” [21]

Additionally, smart contracts run on an immutable distributed ledger produce an easily accessible audit trail that regulators and internal due diligence teams could view in real time. [22]

Execution risks could be reduced or even completely eliminated, as the immutable nature of the technology prohibits manipulation and nonperformance.

As operational risks and transaction complexity increases and regulators crack down on compliance, the ability to conduct efficient and effective AML monitoring has become more important than ever before.

Companies that do not employ more effective and efficient ways of conducting AML monitoring will not only continue to drain their resources but also incur costly penalties and severe reputational damage for non-compliance.

Unprecedented risk, uncertainty, and complexity are an unstoppable tide

The high levels of risk, uncertainty, and complexity mean corporations must either make deep transformations to their compliance processes or face an extremely turbulent future.

It is by no means an overstatement to say that compliance challenges now hinder the ability of many companies to develop new products, access important cost savings and deliver efficient digital services.

Faced with the prospect of far-reaching reform and uncertainty over the next few years companies must proactively seek out and implement more effective and efficient ways of tackling regulatory compliance or experience reduced competitiveness in the longer term.

It is no longer enough to spend money hiring more compliance officers or continue investing in outdated systems that cannot handle today’s compliance demands.

“Our survey shows that the old approach of doing the minimum to achieve compliance will no longer be sufficient. Indeed, the findings suggest that banks that fail to take a proactive approach to compliance will be penalised. Although a bare bones approach might save money in the short term, the longer-term impact is that more resources and management time are consumed.” – The Economist Intelligence Unit

The perfect storm of challenges faced by compliance officers requires nothing less than deep technological transformations like those delivered by blockchain and distributed ledger technology.

By helping compliance officers meet looming data security and privacy regulations, reducing manual compliance processes and delivering game-changing efficiencies in regulatory reporting, the technology ensures sweeping benefits. [23]

Armed with supercharged regulatory compliance systems and processes, companies can free themselves from the regulatory burdens associated with identity management and transform their compliance operations into a competitive advantage.

Explore other areas beyond blockchain and compliance by clicking the links below –

Anthony is the head of content and research at Intrepid Ventures. He has spent the past several years researching and analyzing technologies and working with a diverse mix of blockchain companies to help them gain insight and develop authoritative content.

Realizing the revolutionary nature of blockchain technology and the existence of a significant knowledge gap among entrepreneurs, industry, and government, Anthony now concentrates his time on creating educational content, researching potential use cases and analyzing the impact of the technology on global industries.

Also published on Medium.