Nigel's Eyes

20230217 is pKYC new wine in old bottles?

PerpetualKYC, or pKYC, is a recently adopted term amongst RegTech companies.

Let's debunk it.

1. There is nothing new about the regular, even frequent, monitoring of a customer's activity. But we should go further. The idea of ensuring that KYC information is up to date and accurate was one of the planks of financial crime risk and compliance systems I designed in the 1990s. The bigger the organisation, the more they resisted. Why? The cost of checking the personal information of millions of retail customers far exceeded the account fees that could be charged. They didn't accept the concept of graduated risk until someone gave it a name: "risk-based approach." Then they turned my idea on its head, saying everyone was low risk unless proved to be high risk. Nope: that's the wrong way round.

2. Repeated identification and verification is essential for the most basic of reasons: people and businesses die. In 1995 I found a company that had been struck off was still operating a bank account and party to significant international transactions. In 11977, I came across another that the police alleged was being used in a money laundering scheme (charges were laid and withdrawn in the absence of useful evidence).

3. If RegTech companies are pushing "pKYC" then it's for their own benefit, right? Well, of course, they want companies to refresh their data and they want them to run transaction and other analysis of past activity against today's known norms and, depending on the RegTech company's business model, more searches and more analysis equals more money.


It is only extra expenditure because regulated businesses have not been doing it when they should have been. And at last regulators have noticed. True, some banks (HSBC UK is a prime example) have made a total pig's ear of updating their information (they called it "safeguarding" so it was obviously designed by someone with the focus on something other than risk and compliance). But there are, around the world, hundreds of thousands, if not more, of businesses that never recheck the information they took when an account was opened.

So, ignore the buzzword and call it "periodic re-verification" which is what it really is.

And do it.

If you don't, the regulator will notice on its next inspection and, as we know, fines and penalties for KYC failures are rising at a terrifying rate.

pKYC is not new wine in old bottles. It's old wine with a new bottle and a new label.