Financial Crime

KYC/AML at a tipping point as US weighs reform, firms opt for light-touch checks

July 16, 2025

Know-your-customer (KYC) and anti-money laundering (AML) efforts are at a tipping point as the United States considers Bank Secrecy Act (BSA) reforms and firms globally increasingly opt for light-touch customer checks.

These developments follow warnings by the US Office of the Comptroller of the Currency on BSA/AML compliance risks, as well as its actions against 13 banks in the past 18 months for serious failings, including an absence of BSA compliance programmes.

The UK’s Joint Money Laundering Intelligence Taskforce (JMLIT), meanwhile, has issued an amber alert on the use of artificial intelligence (AI) to bypass the automated KYC systems widely used by financial services firms globally.

“Onboarding needs to be not frictionless, but friction-right,” said Joe Biddle, UK markets director for Trapets, a financial crime prevention technology platform. “As a law-abiding citizen, you’re more than happy to go through a few checks just to make sure that the bad actors are being weeded out.”

BSA reform

US deputy secretary of the Treasury Michael Faulkender last month sketched out “guiding principles” for BSA modernisation, which included streamlining suspicious activity reports (SARs) and currency transaction reports (CTRs).

The planned BSA reforms will seek to lower compliance burdens on smaller low-risk banks while refocusing the industry’s financial crime efforts on threats to national security, Faulkender said.

Project 2025, trend for anonymity

More broadly, the Trump administration, driven by Project 2025, has sought to curb anti-financial crime and corruption controls.

One of US attorney-general Pam Bondi’s first moves at the Department of Justice was to curtail the criminal division’s Foreign Corrupt Practices Act (FCPA) unit and refocus AML efforts on transnational crime organisations (TCO).

In March, the US Financial Crimes Enforcement Network (FinCEN) removed Corporate Transparency Act (CTA) requirements for US companies and US persons to report beneficial ownership information (BOI). These controversial requirements were challenged by campaigners suspicious of government collection of businesses’ data.

There is a view that this information is used by banks to offboard clients whose businesses they find problematic — gun shops, for example.

“Anonymity is becoming a new phrase in our lexicon as it relates to banking,” said Steve Marshall, director of advisory services at AML solutions provider FinScan, in Pennsylvania.

“It’s all around the notion that banks, broadly defined as financial institutions, were or are opting to not bank individuals that are in the minority, but are the loudest when it comes to ‘My rights are being violated by having to give this information’.”

He added that banks are still required to collect beneficial ownership and KYC information, regardless of FinCEN dropping the reporting rule. Customers who refuse to supply KYC information will find themselves unbanked.

OCC sees BSA/AML risks

At the same time, the OCC’s semiannual risk perspective, published on June 30, noted that “elevated fraud levels” and new business models mean BSA and AML compliance risk remains high.

As banks adopt new technologies and partner with fintechs to expand services, some may lack the expertise or resources to manage related risks. This can affect a bank’s BSA/AML or sanctions risk profile, especially as business models evolve or global events unfold, the OCC said.

Despite these concerns, the OCC, the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) issued an order to exempt banks from having to obtain taxpayer identification number (TIN) information from a customer before opening an account. A bank or credit union may now use an alternative collection method to obtain TIN information from a third party.

It is a small step and some experts have debated whether the TIN is a valid way to verify identity.

OCC BSA/AML actions

Since January 2024, the OCC has taken action against 13 banks for risk management and compliance failures that included BSA/AML violations.

It found banks large and small — Summit National Bank, City National Bank & Trust, Blue Ridge Bank, Bank of America, TD Bank, Clear Fork Bank, Wells Fargo Bank, USAA Federal Savings Bank, Axiom Bank, Patriot Bank, and Slovenian S&LA of Franklin-Conemaugh — violated 12 CFR 21.21 of the BSA. This requires every national bank and savings association to have a written, board-approved programme that is reasonably designed to assure and monitor compliance with the BSA.

First FS & LA of Lorain failed to implement effective BSA/AML internal controls and to conduct ongoing customer due diligence.

Transaction monitoring

Many of the banks were required to perform SARs, fraud or transaction monitoring lookback exercises after the OCC found serious deficiencies in their transaction monitoring systems and processes.

Blue Ridge Bank, for example, had a breakdown in its policies, procedures and processes to “identify, evaluate and report suspicious activity”.

It included a “systemic failure to ensure that its transaction monitoring system had appropriate thresholds for determining when transaction alerts should trigger a case investigation”; a “failure to ensure sufficient resources dedicated to case investigations”; and “noncompliance with the SAR filing requirement”, said the OCC.

According to Marshall, the value and volume triggers on which current rules-based transaction monitoring systems rely aren’t tied to underlying factors that would necessarily be indicative of financial crime. These systems should be calibrated to pick up on predicate offences to money laundering. For the most part, they still generate too many false positives, he said.

These rules-based systems always “bring out a lot of noise” needing human intervention, he added. “Even with the human intervention, there is still a high likelihood that whatever suspicious activity report or suspicious transaction report is filed, it will not necessarily be of use to law enforcement.”

Onboarding risks

Criminals are increasingly using AI to create accounts, according to the UK JMLIT’s amber alert. JMLIT interviewed financial institutions, cryptocurrency exchanges and third-party experts, and found growing sophistication and scale in the AI-driven “tools” used to create fake identity documents, deep-fake videos and face swaps (using AI to change a face on an identity document).

In addition, recent enforcement action by the UK’s Financial Conduct Authority (FCA) against Monzo, Starling Bank, and Metro Bank for financial crime systems and controls failures all highlighted weaknesses in client onboarding.

Firms that open accounts using little more than an email address or phone number simply are not doing enough, said Biddle at Trapets, and regulators and customers should be wary of firms that use ultra-low-touch client onboarding systems.

“I get it, people don’t want to fill in lots of forms, take photos of their driving licence or passport and show bank account statements just to open an account. But there needs to be something more [to identity checks] — otherwise it’s leaving the company wide open to reputational damage if they let in the bad actors,” he said.