KYC and AML: beyond the acronyms

Patrick McKenzie (patio11)

Many people are vaguely aware that financial institutions have a responsibility to Know Your Customer (KYC) and have anti-money laundering (AML) programs, but what do those actually mean? I’m glad you asked.

They’re… complicated and fuzzy, in a way that has managed to give many people (inside and outside of industry) mistaken impressions as to their levels of breadth and rigor. They are also not straightforward in how they achieve their goals, in ways which defy a lot of expectations for how laws generally work.

One can’t discuss policy choices without making some implicit commentary, and so I need some disclaimers here. I once worked for Stripe, and of course went to mandatory Compliance training. I do not speak for anyone but myself here, and will be candid in some ways that the culture that is Compliance departments cannot be, for reasons which will be discussed.

Also: expect an almost uncomfortable level of nuance rather than either a ringing defense of KYC/AML as implemented or the stereotypical technolibertarian take ("burn this government overreach with fire").

Stochastic management of traffic fatalities

Let’s begin with a problem statement: you are a large nation which has many roads. Many people die on the roads. Through decades of experience, and some attempts at rigorous formal research, you’ve connected speeding to the problem of fatal accidents. You would like fewer fatal accidents. How do you regulate speeding?

One example might be a nationwide speed limit with strict enforcement, but you might not want to do that. You might say “Well, there are many roads in this nation, and they are not all used in the same fashion. Some are extremely rural and serve primarily industrial traffic, and we do not want to take the hit to commerce implied by capping speed aggressively there. Also, the enforcement costs would be terrible relative to lives saved. On the other hand, we also have major cities, and in those major cities we both see lots of fatalities and also want tight control of speed. However, those cities are governments unto themselves, and we might not have direct control over their police departments’ priorities, even if we can indirectly regulate their road system. Hmm. Hmm.”

The solution you’d likely land on is stochastic management. You want to treat the exercise as a statistical problem, rather than attempting to individually control every road, every foot on every accelerator, or every incident of speeding. You want to create new laws of physics for your roads, and for your subnational authorities who manage individual roads and road systems, which will have the effect of clamping down on speed statistically.

You might formally call the regulations something like Roads Obviously Aren’t Done Speedily (because acronyms are de rigueur for stochastic management laws). Cognoscenti in your regulatory apparatus will understand that you have a high-level policy goal and then a complex machine designed to achieve it by exerting indirect influence. And the high-level policy goal is not speed enforcement. It is preventing deaths on the roads.

And this is the first important non-intuitive thing about KYC and AML regimes: the goal is not to achieve banks having good knowledge of their customers or to prevent money laundering. It is to stochastically manage crime and terrorism at the margins by requiring an oft-unrecognized policy arm, the financial industry, to implement their own stochastic management of their books of business.

A particularly important realization is that KYC and AML don’t have to be effective in their own terms to contribute to these goals. That is a bit mindblowing, but let’s come back to it after we talk a bit about their own terms.

Know Your Customer

Know Your Customer refers to the legal obligation that financial institutions must attempt to discover and durably document the true identity of people who have the ongoing ability to make certain transactions with them. Note that this is crucially not what those three words say.

It is underappreciated the degree to which financial regulations are either, take your pick, decided by supernational governing bodies (e.g. the Financial Action Task Force (FATF) and an alphabet soup of regional organizations) or created by exercise of nations’ treaty powers which are then incorporated by reference into their financial regulation. Which is a long way of saying “I could point to AML/KYC laws in your nation, but they are often not the final source of authority for these policies, despite you generally expecting your nation to regulate its own financial system much like it regulates its own healthcare system or agricultural system.”

There has emerged, over the last 50 or so years, an “international consensus” (as it describes itself) or a policy consensus among many major Western governments (far closer to the truth) that the financial industry should be deputized to help control crime. In the wake of 9/11, “terrorist financing” was extremely durably added to the consensus, where that had previously been a more minor note next to garden variety crime (mostly narcotics smuggling and tax evasion).

An early salient regulation here was the Bank Secrecy Act (BSA) in the U.S., which you might waggishly say was designed so that banks would have fewer secrets from the government. The BSA is the primary statutory source of KYC requirements in the U.S. It has been amended and reorganized over the years, including by the PATRIOT Act, but BSA is still the term of art for these programs.

Notably, the BSA mostly does not directly require or prohibit acts. It primarily requires that financial institutions have documented programs of action and that they adhere to them. This is stochastic management or (if you like) regulation of process rather than outcome.

This is a very different paradigm than most people assume most laws operate under. There was a striking podcast interview recently between a short seller and a crypto-positive (fellow?) banking nerd, where (summarizing a long tangent into crypto marginalia) the short seller was flabbergasted that a bank could possibly let FTX pass due diligence. The opposing guest attempted to keep bringing the conversation back to how little regulators care about individual clients and how much they do care about adequacy of programs.

A key phrase which comes up in the requirements for programs is that they be “risk-based.” What is the definition of that? It is fairly vague, by design. Regulation of the financial industry involves a substantial amount of bilateral trust, including trust to interpret vagueness in roughly the intended way.

Regulation is an iterated game; both regulators and financial institutions expect to meet each other many times over the years. Regulators, in particular, expect to meet individual CEOs and Chief Compliance Officers many times over their careers, and derive a portion of their power over large organizations by being able to end individuals’ careers.

You’ll find this nowhere in the formal laws about the financial industry, but everyone knows that a Compliance Officer who has lost the trust of their regulator is done. You don’t need to issue formal process like e.g. the one that would see a lawyer disbarred, with a factfinding session and an appeals process and what have you. Financial regulation is a trust game; merely conveying to reference checkers that you’d prefer not dealing with someone again is enough to blackball them. Is this fair, just, or how we expect government to work? Eh, above my pay grade; just know that Compliance reports to two masters by nature and everyone who deals with Compliance is aware of this.

Anyhow, risk-based: what transactions are most at risk of facilitating crime/etc? Well, based on the legislative history and similar inputs into regulatory decisionmaking, we are historically more concerned with the actions of large cartels, rogue nations, and similar and less concerned with street-level crime. Accordingly, most institutions documenting their conception of risk will draw a distinction between risk levels based on, among other things, sizes of transactions and customer relationships.

These will often be, extremely not coincidentally, at the same breakpoints where they make business-oriented decisions to segregate the sales motion against various accounts. That is a business decision that makes administration much easier for the financial institution.

And thus an organization will generally have a KYC policy which it uses for its retail accounts, for its (small) business accounts, for its commercial accounts, for its private banking, and similar. The organization will claim that in its considered judgment retail customers pose limited risk “depending on other observable facts” (have I mentioned just how much fudge factor is involved here). And, owing to its characterization of retail use of various products as being low-risk, it will suggest a low-ceremony way for verifying identity once, a low-ceremony “questionnaire” about product usage, and a low-ceremony ongoing monitoring program.

Many people believe that the law requires a bank to see your government-issued ID in person to open a bank account. Again, this is incorrect; the law very rarely requires any particular action. The most prescriptive the US gets is that the sort of KYC information required about a customer include their true identity, including a name (not, incidentally, their “true” name because governments actually have some glimmer of understanding that that is not a thing which exists), a residential address, their date of birth, and an identifying number.

Even this is sometimes observed in the breach. KYC regulations were instituted in stages over the decades, and bank account lifetimes can be very long indeed. There exist many KYC programs which have written guidelines, with the non-objection of responsible regulators, that say that legacy customers or customers who are “personally known to bank staff” are judged by the bank to be low-risk and therefore not having a photocopy of an ID document on file is permissible under the policy.

This gets negotiated both between each institution and its regulator and also wholesale; community banks complained that longstanding personal relationships with their neighbors were better security than a driver’s license. The large money center banks looked at accumulated cruft in their IT departments caused by recursive acquisitions and said “Look, if something was in a database in 1985 in Kentucky, uh, well, how important is that to you really versus competing government interests like e.g. a hundred thousand teachers in Kentucky getting paid pensions this month.” (That is not a specifically true example, but it is the general flavor of attempting backwards-incompatible financial infrastructure upgrades and the complicated political economy of creating losers by mandating those upgrades.)

KYC of artificial intelligences and other non-human persons of interest

Many users of the banking system are not specifically human; “is that user a person person or a legal person?” comes up quite frequently. Corporations et al are also subject to the KYC regime, and to save you a lot of tangential detail, suffice it to say that knowing a company both implies knowing identifying facts about it and also (these days) knowing something about the officers and beneficial owners, traveling far up the chain as required (companies frequently have non-human officers and owners) until one arrives at actual people people.

How is this handled in practice? It’s complicated and contextual!

The fact that degrees of flexibility exist is very important to understand for entrepreneurs who believe that KYC is specifically why certain banking products are bad. Many people came to the conclusion over the years, at least prior to the pandemic, that KYC meant you couldn’t open accounts online. That was obviously nonsense.

KYC very definitely applies to e.g. credit card accounts. A commanding majority of those are opened without a branch visit. You could apply for a credit card on an airplane over the Pacific far before anyone knew what a web browser was. The flight attendant would take your application and cause it to be sent through the postal mail to the bank, which would send you your new account access devices (i.e. card) in the mail.

Does KYC let you open e.g. a business checking account without a branch visit? You’re asking the wrong question. What does your Customer Identification Program (CIP) policy for business checking accounts say is required to KYC a new business account? Does it say that you can only open them with a representative physically in a bank branch? Then your customers need to do branch visits. If it is silent about branch visits, and your regulators are OK with the constellation of controls you have in place like e.g. reviews of organizational documents and similar, then your regulator doesn’t care about branch visits. (In the card-opened-via-postal-mail case your CIP will doubtless include a reference that you e.g. run a check on your new proposed account with the credit bureaus and that the information provided must be sufficiently in line with your expectations or you follow the next line on your flowchart to resolve discrepancies.)

Many people believed, baselessly, that online account opening was controversial in 2016 when Stripe Atlas started helping entrepreneurs from many nations open accounts without branch visits. We had simply found a bank which was comfortable with the risk level of our entrepreneurs and the other controls we had, under their own policies that were extensively reviewed by regulators. It took some creative business development and no small amount of hard work. That’s not how most people spell “magic.”

There was no material movement in the regulations in the last few years on this, but the pandemic lit a fire under a lot of Compliance departments. Or, more to the point, it lit a fire under a lot of "the business" at various financial institutions, who suddenly discovered energy to overcome inertia in their account opening experiences, which simply are not top-of-mind concerns for most management teams at financial institutions. Many institutions suddenly figured out which combination of words written in which documents and spoken before which regulators would allow online account opening. This was legally available for every day of the last several decades, and could have been prioritized at basically any time.

Society has many goals for the banking system

Again, banks were extremely cognizant of how to do this for e.g. credit cards, where it was considered almost competitively mandatory. The impression that it was impossible for deposit accounts was a bit of “Meh, that involves work with an uncertain but probably low ROI” and a helping dollop of blaming regulation for the resulting product equilibrium. Regulators, for their part, (accurately) said they hadn’t ordered anyone to not make Nice Things™ but also prioritized KYC regulations over e.g. access goals even when they simultaneously talked a very good game about banking the unbanked.

This sort of finger pointing happens a lot in policy. Too frequently, everyone in a multistakeholder system thinks they’re uniquely responsible for all of the good created by the ecosystem and merely a passive observer of all of the bad.

Speaking of access goals: does a financial institution need to see government-issued identification? Again, asking the wrong question. Their CIP policy will often say that they do because this is easy to justify. If access concerns were top-of-mind for people drafting the CIP policy, they might include a few pages about alternative methods of substantiating identity.

Some institutions do this. I am a tiny angel investor in Seis, a neobank which serves U.S.-resident Spanish speakers, and they and their banking partners have put a lot of thought into matching regulatory requirements and the realities about how many people live.

Many institutions, however, have done the math that someone who doesn’t have a driver’s license is all-else-equal going to be a terribly aggravating customer who will not be contribution margin positive. Many people fall into that fact pattern by being e.g. undocumented immigrants, poor, running from child support obligations, etc. All three of those expose financial institutions to substantial risk and cost while not predicting profitable use of banking services. In lieu of saying that they won’t bank that person as a business decision, a financial institution’s front-line staff will blame the government and say there is “nothing they can do.”

Could we mandate that KYC programs have socially-aware escape hatches for ID requirements? We could, and some polities do. If that was not a priority for your regulators or financial industry, it may not exist in your jurisdiction. Policy making involves tradeoffs, including tradeoffs that one does not want to acknowledge one is making.

A recurring thing which comes up in surveys of the underbanked is that certain legally disfavored men think that banks will take their money from them. They’re basically correct in this belief. We prioritize child support collection over some men being bankable. Almost nobody is comfortable saying that they intend this in as many words. But as a society, yes, we unquestionably intend this outcome.

Effects achieved without effectiveness

You might look at the standard KYC questionnaire for a new retail account and think “Really? You ask questions which have obviously correct answers. You give people less than a tweet’s worth of space to answer them. How could this possibly catch any criminals not stupid enough to write Occupation: Drug Dealer?”

Well, you’d be surprised with what people write in response to that question. Every Compliance department will explain, with substantial aggravation, that the Lizardman’s Constant means no matter how serious the situation is they will inevitably have to read a lot of Purpose of Transaction: Arms Smuggling and Prostitution. But you’d also be surprised just how dumb some criminals are.

But this is not the only mechanism by which KYC questionnaires have a stochastic effect; they’re also useful in an entirely different part of the crime lifecycle. Many, many crimes involve lies, but most lies told are not crimes and most lies told are not recorded forever. We did, however, make a special rule for lies told to banks: they’re potentially very serious crimes and they will be recorded with exacting precision, for years, by one of the institutions in society most capable of keeping accurate records and most findable by agents of the state.

This means that if your crime touches money, and much crime is financially motivated, and you get beyond the threshold of crime which can be done purely offline and in cash, you will at some point attempt to interface with the banking system. And you will lie to the banks, because you need bank accounts, and you could not get accounts if you told the whole truth.

The government wants you to do this. Their first choice would be you not committing crimes, but contingent on you choosing to break the law, they prefer you also lie to a bank.

You have probably heard that Al Capone was guilty of many crimes, including conspiracy to commit murder and racketeering, but he was eventually sent to jail for one which was easy to prove: tax evasion. Prosecutors are like engineers who can push buttons that eventually send people to prison: they like having tools available which enable a certain amount of tactical laziness.

Particularly in white collar crime, establishing complicated chains of evidence about e.g. a corporate fraud, and mens rea of the responsible parties, is not straightforward. But then at some point in the caper comes a very simple question: “Were you completely honest with your bank?” And the answer will frequently be “Well, no, I necessarily had to lie in writing.”

And congratulations, you have just eaten (accept this oversimplification for civilians) a wire fraud charge for every transaction you’ve ever done. Which prosecutors will take notice of, and then say that in lieu of them prosecuting you for all of that and winning, you should probably take the plea deal. This will save them investigatory and prosecutorial effort, even though they're pretty confident you're factually guilty of the (far more complicated and odious) crime that happened prior to the lying.

You will see this over and over and over again in federal indictments: two pages of backstory about the crime-y part of the crime, and then ten pages of an exacting reconstruction of how the money was moved and which lies in particular were told about the money movement. Is this necessarily the best possible thing to put in prosecutors’ toolbox? Candidly, I have some concerns about how gamesmanship sometimes enters that practice. Be that as it may, prosecutors and regulators are extremely savvy about how these work mechanically, and they are an explicit goal of the KYC regime even if it doesn’t say that on the tin.

Conspicuous, ingratiating compliance as a performance

I’ve got one other observation to make about the culture that is Compliance departments: Compliance is performed. The word frequently used to describe the tenor of this performance is “ingratiating”, as if one is a courtier to a monarch who is not unreasonable but does have a reputation for executing other-than-diligent courtiers. Keeps you on your toes, that monarch does.

You might assume, as a retail user of the financial system, that the KYC questionnaire is some bureaucratic nonsense and clearly nobody actually takes it seriously. You must must must not say that if you work in a regulated financial institution. You can certainly think it to yourself, but whatever your qualms about the rationale and downstream effects of your responsibilities, the name of the department is Compliance and you must comply gladly. You will be trained—mandatorily, like every other worker in finance is trained, down to the least senior teller capable of opening a cash drawer—how important it is that you make a conspicuous effort in taking compliance (and Compliance) seriously.

I’ve met people working in the financial industry who take a genuine pride and interest in preserving the soundness of the financial system. I’ve met people working in the financial industry who take a genuine pride and interest in e.g. securing the money which ordinary people use to live their lives against risks and bad actors.

I’ve never met anyone who takes genuine pride and interest in KYC qua KYC. But you definitely cannot say that out loud.

At higher-than-the-teller-counter levels of the industry, this becomes a performance of class. You simply need to be able to function as a profit-seeking capitalist and responsible professional who is also, at society’s direction, expected to be a deputized law enforcement officer, and you need to be acutely cognizant of that and not complain about it.

This is one of the critiques of The System that I think a lot of the crypto advocates are right about. I also think that many of the crypto advocates are going to find (to their displeasure) that The System is extremely not kidding when it says that one has to perform ingratiating compliance or end up in prison.

And so Compliance must have a public (and private!) face which approximates Matt Levine’s brilliant bit of social commentary: “‘We have a zero-tolerance policy for crime,’ [a compliance officer] will say, and almost mean.”

Now is the true target zero? No, and The System knows it. The optimal amount of fraud is not zero and the optimal amount of KYC compliance is not 100%. Part of the reason the regulations stress risk-based countermeasures is that everyone—users, financial institutions, regulators, and other stakeholders—expects a certain amount of sliding around the edges.

Banks do not exist to perform KYC. Society wants them to exist for many reasons and also stochastically perform KYC over their customer base in a way which converges to effective much of the time and especially where the customers are subjectively important.

And that is important: the regulations replicate their internal logic at the regulated. Just as KYC is stochastic management (of crime), it expects financial institutions to exercise their own stochastic management (of customers). The financial industry and individual institutions have bewilderingly deep and diverse customer lists; society wants multiple institutions to make overlapping porous filters over subsections of society, such that most interesting activity hits at least one functioning surveillance apparatus, but it does not want every surveillance apparatus to be fully functioning to the maximum possible extent.

Like I said, it is nuanced.

And we haven’t even scratched the surface of anti-money laundering and how monitoring of ongoing transaction-by-transaction activity is subtly different from KYC checks, which (by design) tend to be frontloaded at the time of account creation. A topic for another day!
