Banks’ “Know Your Customer” Process: Does it even work? Is our information safe?

The Bangko Sentral ng Pilipinas (BSP) is imposing stricter know-your-customer (KYC) protocols over financial institutions in light of the recent scandalous Bangladesh Bank heist where $81-M of the funds found its way to the Philippines through a commercial bank. Does KYC work? And is our information safe within the banking system?

Prior to the digital age, KYC was very relational. A bank manager and his team personally knew their customers because transactions, mostly over-the-counter, meant that the customers themselves had to come to the branch to transact. It allowed the bank officers to keep track of their clients’ businesses and develop closer relationships. With digital technology allowing clients to transact via online banking and through mobile apps, depositors do not even have to show up at the branch after account opening. This makes KYC even more important when it comes to monitoring bank transactions.

General Information Collected

BSP Circular 706, issued in 2011, itemized some of the information that banks need to have on hand to “know their customer”. Section X806.2.a lists the usual types of information to collect from individuals:

  • Name
  • Present address
  • Place and date of birth
  • Nature of work, name of employer, or nature of self-employment/business
  • Contact details
  • Specimen signature
  • Source of funds
  • Permanent address
  • Nationality
  • Tax Identification Number, Social Security System number or Government Service Insurance number, if any
  • Name, address, present address, date and place of birth, nature of work and source of funds of beneficial owner or beneficiary, whenever applicable

Customer Information Forms (CIFs) are standard forms that one should expect to fill up when opening accounts.

It is one thing though for banks to gather what is considered crucial KYC information they need to conduct their business well; it is another thing to over-collect and draw out too much information from clients. With cloud storage and online databases being the norm, there are greater dangers from hacking, phishing and other cyber threats targeted at personal information online. Offline, there are similar risks when access to such information is not well secured.

Client Information is at Risk from Data Breaches

Just look at this interesting, interactive infographic on the world’s greatest data breaches. I filtered the infographic to include categories where individuals are likely to have personal information. You can go to the source infographic and do your own iterations. For 2016, the Comelec leak is highlighted as one of the biggest global data breaches.

[Infographic: World’s Biggest Data Breaches & Hacks]
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Yahoo! recently admitted that its database was breached in 2012. Other global hacks have exposed personal information given by individuals to gaming sites, credit card companies, apps companies, and more.

Too much information?

Some banks have revised their CIF and are now collecting so much more information compared to what they used to collect. One bank showed me their new CIF — two pages back-to-back (4 pages in all). A cursory look at some of the additional information being asked made me very uncomfortable because it meant almost “baring it all” while not knowing if it would be adequately secured by the gatekeepers at the bank.

Some questions have been nagging me…

What does the bank really do with that CIF?
I wonder about this because the most common reason I get when I am asked to fill up a CIF is so that it won’t be an audit exception. Is it being collected then only for audit purposes and compliance? Is the CIF actually validated in some way by the bank or is it accepted at face value? To what extent does that CIF have a role in the actual KYC process?

Where and how is the information from the CIF stored?
My own experience has shown that many banks file these in paper form in their own branch. I have accounts in two branches of a certain bank and each branch asks me to fill out the same form. This tells me there is no central repository. Of course, this may not be the case with other banks that have more sophisticated management information systems (MIS).

For banks that maintain a client’s paper-based CIFs in their different branches, how would they know if the client’s information is consistent, accurate and complete across all the copies? Where are those forms kept and who gains access to them? Are there security protocols in place to identify people and authenticate requests to access this information?

For banks that have a centralized customer information system, whether kept onsite or on the cloud, how robust are their security systems? Are there also security protocols to identify and authenticate people requesting access?

Who has access to clients’ personal information? Who monitors what these people do with the information?
This concern deserves a story. One day, several years ago, I got a cold call from a bank I used for decades. The person was offering a personal loan. I declined the loan but in succeeding months, I kept getting calls from different people, supposedly representing this bank, offering me the same product. Finally I interviewed the last caller and this is what I found out. One, he was a telemarketer (third party!). Two, he was calling on behalf of the bank’s sister company – a savings bank (I did not maintain any account with the savings bank). So the big question was – how did my information travel from the main bank where I had an account to its sister savings bank to the telemarketing company? I did not give explicit consent for this when I opened my bank account.

I complained to my main bank several times and requested an audience with their customer service representative. All my requests fell on deaf ears. I terminated my relationship with that bank. I found out later that the bank brought their marketing services back in-house.

How many of the savings bank and third party telemarketers saw my information (and that of the other bank clients) before the main bank took marketing calls back in-house? I do not know…but that incident raised a red flag that there were weaknesses or loopholes in keeping client information private.

Does KYC even work?
It should, but the implementation of this process is what often falls through the cracks. The recent corruption cases involving government officials who have used the banking system to squirrel away supposed public funds are an example.

  • If KYC was really at work, shouldn’t alarm bells have been sounded much earlier as large sums of monies, often transacted in cash, moved through the system?
  • Aren’t government officials automatically considered “high-risk” as a result of their positions and access to public funds?
  • Why is so much information required of ordinary depositors, and yet, the process does not seem to catch and flag substantially material transactions of “high-risk” clients?
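To make the questions above concrete, here is an added example (not from the original post, and not any bank’s or regulator’s actual system) of the kind of risk-based monitoring that a working KYC process is supposed to feed. It takes the profile a bank already holds from the CIF (occupation, declared expected inflow, a high-risk flag for positions with access to public funds) and screens a constructed set of transactions against two rules: a single large cash transaction, and a rolling 30-day inflow that far exceeds what the client declared. The thresholds and multipliers are illustrative assumptions, not BSP or AMLC figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class CustomerProfile:
    customer_id: str
    occupation: str
    expected_monthly_inflow: float   # declared on the CIF, in PHP (constructed value)
    high_risk: bool                  # e.g. public official with access to public funds

@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    amount: float
    cash: bool
    booked_on: date

# Illustrative thresholds only; real programs tune these per regulator guidance.
CASH_THRESHOLD = 500_000.0      # a single cash deposit at or above this is always reviewed
HIGH_RISK_MULTIPLIER = 3.0      # high-risk client: flag when 30-day inflow > 3x declared
STANDARD_MULTIPLIER = 10.0      # ordinary depositor: much wider tolerance
WINDOW_DAYS = 30

def screen_transactions(profiles, transactions):
    """Return a list of (txn_id, reason) alerts, processing transactions in date order."""
    by_customer = {p.customer_id: p for p in profiles}
    history = {}   # customer_id -> list of (booked_on, amount) seen so far
    alerts = []
    for t in sorted(transactions, key=lambda x: x.booked_on):
        profile = by_customer.get(t.customer_id)
        if profile is None:
            # A transaction with no KYC profile behind it is itself a finding.
            alerts.append((t.txn_id, "no KYC profile on file"))
            continue
        if t.cash and t.amount >= CASH_THRESHOLD:
            alerts.append((t.txn_id, "large cash transaction"))
        # Rolling inflow over the last WINDOW_DAYS days, including this transaction.
        window_start = t.booked_on - timedelta(days=WINDOW_DAYS)
        hist = history.setdefault(t.customer_id, [])
        hist.append((t.booked_on, t.amount))
        rolling = sum(amount for d, amount in hist if d > window_start)
        mult = HIGH_RISK_MULTIPLIER if profile.high_risk else STANDARD_MULTIPLIER
        if rolling > mult * profile.expected_monthly_inflow:
            alerts.append((t.txn_id, f"30-day inflow {rolling:,.0f} exceeds {mult:g}x declared"))
    return alerts

# Constructed sample data: one high-risk official, one ordinary depositor, one unknown account.
SAMPLE_PROFILES = [
    CustomerProfile("C001", "public official", 200_000.0, high_risk=True),
    CustomerProfile("C002", "teacher", 50_000.0, high_risk=False),
]
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "C001", 150_000.0, cash=True, booked_on=date(2016, 3, 1)),
    Transaction("T2", "C001", 600_000.0, cash=True, booked_on=date(2016, 3, 5)),
    Transaction("T3", "C002", 40_000.0, cash=False, booked_on=date(2016, 3, 2)),
    Transaction("T4", "C002", 45_000.0, cash=False, booked_on=date(2016, 3, 20)),
    Transaction("T5", "C999", 10_000.0, cash=True, booked_on=date(2016, 3, 10)),
]

def run_sample():
    return screen_transactions(SAMPLE_PROFILES, SAMPLE_TRANSACTIONS)

if __name__ == "__main__":
    for txn_id, reason in run_sample():
        print(txn_id, "->", reason)
```

The point of the example is the dependency: the rules only fire because the profile behind the account is accurate. A CIF that is collected for audit purposes, filed on paper per branch and never validated gives the monitoring logic nothing reliable to compare against, which is exactly the gap the questions above describe.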

The Data Privacy Act

The implementing rules and regulations of the Data Privacy Act are out but under Section 5.d (Special Cases), the provision specifically states: “Nothing in this Act shall be construed as having amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA)”.

In addition, Section 5.e also states: “Information necessary for banks, other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies authorized by law, to the extent necessary to comply with Republic Act No. 9510 (CISA), Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act, and other applicable laws.”

Clearly, banks are still protected by this Act when it comes to KYC.

Each sector needs to look at KYC with a new set of eyes

For bank customers – You need not answer everything just because it is in a form handed to you. The bank has a right to ask you questions to validate who you are and what your general work and life circumstances are. But once you feel uncomfortable about certain information, start asking why it is being required and how that particular information is expected to improve their KYC. Help your bank know you better by developing a better and personal relationship with your bank’s officers and staff but know when to draw the privacy line.

For banks – We need to see a stricter implementation of KYC – one where the system can clearly flag suspicious bank transactions on the basis of client profiling. Some banking websites have clear and comprehensive privacy statements; others have very short and motherhood privacy statements; still others have only security tips for depositors and are silent on their own accountability over client information. I think it is high time to require banks to have commonly worded privacy statements that are clear and have accountability. It also behooves banks to focus even harder on data and network security as well as offline access to client information. So much can go right with a good KYC system; a lot can also go wrong if client information entrusted to a bank falls in the wrong hands.

For Bangko Sentral ng Pilipinas – Consider defining the information that banks would need to comply with KYC so that banks do not over-collect. Check that the KYC process is being implemented the way it was intended. The KYC process needs to be so tight that it effectively helps raise red flags that could eventually lead to investigations by the Anti-Money Laundering Council (AMLC). I would also like to see clear penalty provisions for banks found wanting in securing client information or that have been less discreet about who has access to it.


This post is supported by a writing grant from the Philippine Center for Investigative Journalism (PCIJ)