Trillion Dollar Dilemma: Digital Onboarding and the Identity Utility
Abstract: Exponential growth in online investment and a corresponding increase in identity regulation present a unique set of challenges for financial firms operating in a global world. Investors now demand instant access to a broad set of financial products across multiple verticals, but legacy institutions and systems cannot keep up. The largest points of friction stem from outdated onboarding processes that not only delay investment and frustrate investors, but also generate significant data vulnerabilities and fail to achieve their stated goal in preventing crime.
There is a massive opportunity to be had in developing a robust and frictionless solution that simultaneously satisfies investor demands and financial institution regulatory needs. We predict that the financial ecosystem will evolve over the coming years to adopt an industry-wide Identity Utility that will streamline investor access and provide for more robust criminal detection and prevention. Our version of this Identity Utility, the Parallel Passport, simultaneously collects and validates investor identity information while empowering investors to leverage this validated data set across institutions in a single click. The result? Instant onboarding, enhanced crime detection and lower costs for all parties involved.
Setting the Stage
The financial services industry has gone through a dramatic transformation over the last 30 years. Long gone are the days where retail investors dialed up a broker on their landline to place orders for public equities on the open market. Once the sole purview of the wealthy elite, banking services are now ubiquitous for large segments of the population.¹ Online access and digitization have powered revolutions in how retail investors interact with the brokerage and wealth management industry on both the public and private markets.² Customers demand immediate access to the financial products of their choosing, and financial service providers are eager to deliver.³
From automated retirement portfolio construction to designer public market derivatives to alternative investments across every imaginable asset class (farmland, shipping containers and even future earnings of college students or professional athletes to name a few), the sheer number of investing verticals available to retail investors has never been greater. While investment suitability remains an open and important question as retail investors access new financial products, the fact is that mom-and-pop investors have never had more options and better financial advice available at their fingertips.
But this is not the whole story…
Technological globalization not only made the world smaller and faster, it also made possible ever more sophisticated avenues to avoid taxes, launder money or otherwise engage in illicit financing schemes. While regulation to counter these nefarious activities is necessary, the method in which regulation has been deployed globally has been burdensome and ineffective at achieving its stated purpose. Current fraud prevention and anti-money laundering policy helps authorities intercept approximately $3 billion of an estimated $3 trillion in criminal funds generated annually (a 0.1% success rate!) while costing banks and other businesses more than $300 billion in compliance personnel and vendors.⁴ It is worth emphasizing — firms currently spend 100x the amount of criminal funds actually intercepted in an effort to prevent those funds from moving. There has to be a better way.
While these two narratives — increasing access and inefficient constraints — seem at odds, they are actually converging rapidly to the only practical solution: digital investor identity available to permissioned parties through an Identity Utility.
In this white paper, we will: (i) describe the regulatory environment in which financial institutions must operate, (ii) argue that this overlapping regulatory set, when combined with competitive dynamics between firms, leads to extremely inefficient and risky onboarding processes across the industry and (iii) make the case for our comprehensive Identity Utility, the Parallel Passport, that promises to help firms meet industry best practices, provide more robust fraud detection and dramatically reduce frictions in investor onboarding.
Disclaimer: The information contained in this article is provided for informational purposes only and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.
In the United States and internationally, independent legislative development means financial firms in a global world are forced to navigate an increasingly complex regulatory web to satisfy various jurisdictional standards. A U.S. firm dealing with international investors must navigate the overlapping requirements under, for example, the Bank Secrecy Act (“BSA”) and its progeny, including the PATRIOT Act and the rules promulgated by the Financial Crimes Enforcement Network (“FinCEN”); the Foreign Account Tax Compliance Act (“FATCA”); sanctions programs under the Office of Foreign Assets Control (“OFAC”) and various international programs; and policymaking conducted by the Financial Action Task Force (“FATF”), including implementing the OECD’s Common Reporting Standards (“CRS”). All of this leads to tremendous confusion, friction and frustration between investors and firms, as well as powerful incentives for cutting corners. Investor movement across and between financial institutions only compounds the inefficiency as the new firm must engage in its own due diligence process, oftentimes requesting substantially identical information as was previously provided to others in the group.
Simultaneously, the mid-2010s brought about increased attention and regulation in the realm of privacy and customer data control. Recognizing the inequities and lack of accountability involved where firms monetize customer data absent knowledge or consent, legislation like the General Data Protection Regulation (“GDPR”) in the EU and the California Consumer Privacy Act (“CCPA”) in the United States emerged to enhance privacy rights and protect consumers from exploitation. These new data constraints exacerbate already friction-filled information collection and validation processes, perversely leading to an increase in both: (i) the number of times sensitive data must be provided and (ii) the number of databases in which such information is stored.
This section will examine the key components of the major regulatory frameworks at play. This will inform how the successful Identity Utility must interact with both investors and the financial firms involved.
KYC/AML/CFT — Fighting Crime in a Digital World
The United States passed the first modern anti-money laundering statute, the BSA, in 1970. The goal with its passage was to enlist the support of financial institutions in identifying proceeds from criminal activity and to mandate assistance from those financial institutions in investigating and, if necessary, freezing financial accounts funded from criminal enterprises. The BSA has been supplemented every few years with additional legislation to broaden the scope of its impact. The most important amendment for the purposes of this article is the PATRIOT Act of 2001 as amended by FinCEN’s customer due diligence (“CDD”) rule enacted in 2018. Together, these pieces of legislation/regulation impose an affirmative requirement on each financial institution within the United States or subject to its jurisdiction to implement Customer Identification Programs (“CIP”) to verify the identity of their customers, beneficial owners above a percentage threshold and certain control persons in an effort to identify potential money laundering and combat terrorist financing.
Internationally, the FATF is the leading inter-governmental body with a mandate to examine criminal trends and promote effective implementation of policies and procedures to counteract money laundering at the national level. Originally comprising forty recommendations (the “FATF Recommendations”) when released in 1990, the FATF Recommendations have been amended and updated a number of times over the years and currently represent the global standard to combat money laundering and terrorist financing. Similar to its evolution under United States law, the current FATF Recommendations provide for a robust financial institution CDD program to identify customers and their beneficial owners, along with validating identity information in conjunction with onboarding.
Importantly, United States guidance and the FATF Recommendations stress a risk-based approach to customer onboarding. This places the burden on individual financial institutions to develop bespoke onboarding procedures narrowly tailored to the circumstances surrounding a specific customer onboarding. Factors that may affect the information requested include the customer’s business vertical, business type, geographic location or other bits of information that affect perceived riskiness. Further, firms are required to evaluate the nature and purpose of the customer’s relationship on an ongoing basis, as well as request refreshed identity and other data. Again, the cadence at which a firm requests updates must fall within a holistic, risk-based approach to customer interaction. While this risk-based approach makes sense from a standards perspective, it means that any financial institution or third-party technology vendor must maintain a custom (or customizable) onboarding stack.
The Parallel Passport is the first identity product designed to satisfy bespoke onboarding procedures across multiple financial institutions. By building bottom-up rather than top-down, the Parallel Passport enables financial firms to comply with their specific regulatory obligations.
Tax Evasion — The Tax Man Must Get Paid
Money laundering and tax evasion, in certain respects, go hand-in-hand. It is unsurprising then that legislative and regulatory trends in the AML space have their mirror in the realm of tax evasion. Initially passed in 2010 as a dramatic incentive for foreign firms to identify and report to the IRS and FinCEN certain United States taxpayers holding assets abroad (and potentially thereby avoiding tax liability), FATCA has had a cascading effect across the globe as various countries and organizations scrambled to form the infrastructure and standards necessary for effective implementation of its requirements. Exploring the full scope of FATCA and related international development (including Form CRS) is outside the scope of this article. However, it is important to note the substantial overlap in identity validation requirements under these anti-tax evasion regimes and the KYC/AML/CFT paradigm discussed above.
Both sets of laws require the collection and validation of identity information as it pertains to the person or entity opening the account, as well as any beneficial owner or control person. The methods of validation are similar across both paradigms, oftentimes requiring documentary verification of the information provided. This may come as a surprise, but legislation passed to combat tax evasion is, in certain respects, even more stringent than the KYC/AML/CFT requirements discussed above given the mandate to identify each beneficial owner for a particular enterprise (as opposed to, for example, beneficial owners only above a certain percentage threshold).
Privacy — Protecting Personal Data
While the above regulations evolved to require an ever-increasing amount of personal information about customers, data privacy regulations simultaneously and independently moved in the opposite direction, strictly limiting how businesses may collect, store and process such data. Since going into effect in 2018, the GDPR has transformed privacy standards internationally and led to direct changes in the manner in which online platforms interact with and obtain consent from their users. In the United States, California followed suit with the CCPA taking effect in 2020.
Broadly speaking, both the GDPR and CCPA require firms to inform their users about what personal data is collected and how it is processed and utilized. In addition, both sets of legislation mandate stringent permissioning requirements to address how personal data is transferred or shared. In all cases, users must do three things:
- Have a clear understanding of who exactly is gaining access to personal data,
- Affirmatively consent to any sharing or selling of that data and
- Maintain the ability to revoke consent and delete that information if they so choose.
While incredibly positive for user privacy and control, these rules present serious obstacles to efficient onboarding processes in the world of financial goods and services as will be highlighted below.
An important distinction to understand under the GDPR rules is the difference between a data controller and a data processor. The GDPR imposes different rules on data controllers and data processors, the most consequential of which for the purposes of this article is that data controllers are permitted to maintain a user’s personal data while data processors must return or destroy that information at the end of the processing relationship.
A number of technology companies have popped up to provide greater certainty and accuracy when it comes to validating customer identity information, but those firms act as data processors and are specifically prohibited from maintaining an ongoing relationship with the end-user. The customer loses the ability to efficiently share previously validated data (even if that validation came from the same processor) with new third parties because the entities conducting the validation simply have no way of knowing whether the user has been through their process before. The onboarding friction simply never disappears under this system.
The regulatory environment described above results in wildly different onboarding procedures across firms, a certain level of uneasiness in compliance departments and incredibly frustrated investors that are tired of being asked to go through repetitive onboarding processes across firms.
There is no room in the regulations for a streamlined, one-size-fits-all onboarding procedure because that concept is definitionally antithetical to a risk-based approach. Each new client is a unique case that, absent any safe harbors to fall into, requires firms to analyze them in a bespoke manner. To do otherwise risks running afoul of the firm’s regulatory mandate.
This dynamic leads to a bizarre balancing act among financial institutions. They are each a bit like Goldilocks and her bowl of porridge, wishing to appear neither over- nor under-compliant, but just right. Firms jealously guard their exact onboarding request list lest a competitor use it against them. There is risk in both directions as a competitor can warn a potential customer off for the firm being either too difficult to work with or not as stringent regarding compliance as they ought to be.
Compliance departments are rightfully self-conscious about the state of their programs. While they employ entire armies of compliance officers, third-party consultants, lawyers and technology vendors in an effort to meet their regulatory obligations (these costs are estimated to be 5% of financial institution payroll⁵ or $300 billion annually⁶), ultimate discretion over whether to accept a particular customer frequently comes down to “feel” over bright-line rules. Even when a firm successfully guides an investor through this onerous identity validation process, they must continuously monitor the investor and re-validate previously provided information on an ongoing basis.
Finally, once an investor has been successfully onboarded, there is simply no incentive for firms to cooperate to make the process easier at other institutions even though this is exactly what the investors want. These existing client relationships are precious to each financial firm, and information sharing represents a potential reduction in revenue, as well as increased risk in both the data privacy and KYC/AML realms. Has the firm obtained all the appropriate consents to share their client’s most sensitive information? Are there ongoing obligations to provide or refrain from providing such information? What manner of data transmission is permitted? What if the firm’s conclusion regarding this particular customer is wrong? These are merely a subset of the questions any firm would have to answer and feel comfortable with in order to make third-party data sharing feasible.
The competitive dynamics at play in the financial services industry, combined with the regulatorily-mandated information gathering and siloing requirements, create an absolutely terrible user experience. New customers run into repetitive onboarding requests and, without any standardized documentation request list, a seemingly never-ending set of new requirements to meet. Once successfully onboarded, there is simply no ability to leverage that effort to make future processes easier elsewhere.
Not only is the customer experience bad, it is also woefully insecure from a data transmission perspective. A typical onboarding process at a legacy financial institution involves sending a person’s or business entity’s most sensitive identity information over email, numerous follow-ups with additional requests, entire compliance teams being copied on correspondence (as well as third-parties like lawyers and accountants) and a whole host of additional potential leaks along the way…all in the name of compliance.
Unfortunately, the tech companies emerging to solve these problems are simply unable to address the underlying causes. Digital onboarding is not and cannot be a fungible product easily adapted to new financial institutions. The risk-based approach to onboarding means third-party standards are definitionally insufficient to address a particular firm’s needs. As an example, the exact same request for a digital-only onboarding experience may raise red flags at a locally-owned bank in Missouri while constituting business-as-usual at a FinTech supported brokerage in California. The onboarding flows must be customized (or at least customizable) depending on a number of factors, including the customer type, investment category, industry vertical and any other pertinent data.
This “customization required” dynamic disincents external SaaS firms from providing the necessary solutions as, at first glance, there are inadequate economies of scale to justify development costs (no firm wants to build custom software for each new client). As a result, financial institutions either have to spend a great deal of money paying development shops to build custom flows to be updated over time, or, as is more common, KYC/AML processes at most financial institutions simply remain manual and paper-based to the detriment of all.
To the extent newly-minted, digital-only technology for onboarding has been developed, it looks an awful lot like the following:
- User A shares identity data with Financial Institution.
- Financial Institution passes all or a portion of that identity data to Third-Party Data Processor for validation.
- Third-Party Data Processor returns the validation results to the Financial Institution and immediately deletes any identifying information about User A.
- Financial Institution makes a final determination and opens or fails to open User A’s account.
- User A goes to Financial Institution B where this process repeats itself.
There is a limit to the level of efficiency such solutions can generate and, in compliance with data privacy regulations, any data processed is not portable to additional third parties.
In short, the existing system is unacceptable and must change.
The Solution — An Identity Utility
(…aka The KYC Utility aka The MCDDP)
An Identity Utility is the only solution that solves all of the problems at hand. This term can be something of a suitcase phrase, so this section will clarify exactly what we mean by Identity Utility and detail how it solves each of the problems described above.
Parallel Passport — the Global Identity Utility
Imagine a technology company that simultaneously acts as a front-end onboarding tool as well as a validator of identity information. It is a data controller rather than a data processor and maintains a direct relationship with the end-user. By sitting in that data controller seat, the Identity Utility is uniquely situated because it can not only collect and validate investor identity information and screen against various sanctions lists, it also has the ability to provide the results of this process to any third-party the investor chooses. The Identity Utility’s service is modular, meaning it only requests information to the extent it is required for a particular firm’s onboarding process and does not re-request information the investor has already provided. The results of this collection and validation process are encrypted and only available over a secure API to the requesting third-party. Any API call presents the relevant information in a machine-readable format, meaning the data can be fed directly into any existing CRM or client onboarding process seamlessly, regardless of the legacy system the third-party used previously.
When the investor moves to a new platform, again because of the data controller relationship, the investor’s identity information easily moves with the investor — it is simply a matter of the investor instructing the Identity Utility to make their identity information available to the new firm. The foundational layer of identity information from previous onboarding experiences is supplemented over time as the investor interacts with new platforms that have different or additional information requests. In all cases, the investor only goes through the minimum necessary flows to capture the data a particular third-party requires. Further, as the investor updates identity information over time (in plain speak, the investor changes addresses or investing interests), all third-parties with permissioned access to that data are simultaneously updated. The investor maintains complete control over which third-parties have access to any aspect of their personal information and can decide to revoke access to any third party at any time.
Parallel Markets has surveyed every conceivable participant in this industry — from funds and fund administrators to issuers and investors to banks and brokerages and everyone in between. They are all crying out for this product in various forms. SS&C, the world’s leading fund administrator, refers to it as a KYC utility. McKinsey & Company calls it the same. The Alternative Investment Management Association (AIMA) refers to it as a multi-country centralized due diligence processor (MCDDP). We simply call it the Parallel Passport.
The Identity Utility is the Holy Grail
A well-functioning Identity Utility is the silver bullet that simultaneously solves every single problem listed throughout this article:
Cost Reduction and Fraud Prevention
The Identity Utility makes validated identity information access as easy as calling an API. This is a far cheaper alternative to armies of compliance officers and vendors employed in an effort to collect documentation more efficiently. Further, in the face of a constantly evolving regulatory landscape, the Identity Utility helps firms avoid ongoing engineering costs as the documentation and data requested of a user changes over time. Rather than employing teams of outsourced engineers to modify existing flows, the third-parties can simply change the scopes of their requests within the Identity Utility’s system. After all, the Identity Utility is best-situated to develop efficient flows that accommodate new regulatory developments, as well as provide for the latest in industry standards.
Finally, as investors move from platform-to-platform, multiple compliance departments will have the ability to review that investor’s data. This is a dramatic improvement in detecting and preventing fraud as the entire ecosystem is more difficult to fool than a single firm. Four sets of eyes are better than one, and ten sets are better still.
Overlapping Regulatory Requirements
The Identity Utility is also best-suited to help firms implement a risk-based approach to customer onboarding. As discussed above, the “one-size-fits-all” solution runs counter to regulatory trends that require financial institutions to take into account firm- and customer-specific information regarding any particular account opening. The Identity Utility solves this problem by enabling firms to request data in a modular fashion. Firm A can modify parameters within the Identity Utility’s system to require, for example, certified utility bills and 10% beneficial ownership mapping if those are the thresholds best situated to their compliance program. If Firm B only requires identity verification for 25% beneficial owners, they similarly need only set a single scope. Any investor going through Firm A’s onboarding will interact with the Identity Provider on the front-end, which will request the necessary documents and beneficial owner details. As Firm B does not need this same level of information, an investor going through Firm B’s flow will not be asked to provide equivalent data.
In addition, as tax evasion and anti-money laundering regulatory systems require firms to request similar, though not identical, categories of information, the Identity Utility is able to leverage the commonality across regimes into a customizable set of data requests.
Finally, when it comes to sharing investor information and GDPR/CCPA requirements, the Identity Utility specifically acts on behalf of the investor as a data controller and will never share information absent the investor’s specific consent. The investor has a single portal to manage their identity data, able to grant or revoke consent at will. In addition, should the investor have updated data to share, it can be disseminated to the entire permissioned network in a single click rather than needing to update multiple platforms individually. This is a massive improvement over existing processes where groups of onboarding professionals, lawyers, CPAs, bankers and others may have access to an investor’s data over email.
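The modular-scope and consent model described above (Firm A's 10% threshold with certified utility bills, Firm B's 25% threshold, investor-controlled grant and revoke) is modelled here as an added example; it is not Parallel Markets' code or API. All class, method and scope names are hypothetical, the sample investor is constructed, and "at or above the threshold" is an assumed reading of the ownership percentages.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FirmPolicy:
    """One firm's onboarding request, expressed as scopes (hypothetical names)."""
    firm: str
    scopes: frozenset          # e.g. {"identity", "certified_utility_bill"}
    owner_threshold_pct: int   # verify beneficial owners at or above this stake


@dataclass
class InvestorRecord:
    validated: dict = field(default_factory=dict)      # scope -> validated data
    owners: dict = field(default_factory=dict)         # owner name -> percent held
    verified_owners: set = field(default_factory=set)  # owners already verified


class IdentityUtility:
    def __init__(self):
        self.records = {}
        self.consents = set()  # (investor_id, firm) pairs granted by the investor

    def grant(self, investor_id, firm):
        self.consents.add((investor_id, firm))

    def revoke(self, investor_id, firm):
        self.consents.discard((investor_id, firm))

    def missing_for(self, investor_id, policy):
        """What this firm still needs; already-validated data is never re-requested."""
        rec = self.records[investor_id]
        in_scope = {n for n, pct in rec.owners.items()
                    if pct >= policy.owner_threshold_pct}
        return {"scopes": sorted(policy.scopes - set(rec.validated)),
                "owners": sorted(in_scope - rec.verified_owners)}

    def release(self, investor_id, policy):
        """Return only what the firm's policy asks for, and only with consent."""
        if (investor_id, policy.firm) not in self.consents:
            raise PermissionError(f"no consent on file for {policy.firm}")
        gaps = self.missing_for(investor_id, policy)
        if gaps["scopes"] or gaps["owners"]:
            raise ValueError(f"onboarding incomplete: {gaps}")
        rec = self.records[investor_id]
        return {
            "scopes": {s: rec.validated[s] for s in sorted(policy.scopes)},
            "owners": {n: pct for n, pct in sorted(rec.owners.items())
                       if pct >= policy.owner_threshold_pct},
        }


def demo():
    firm_a = FirmPolicy("Firm A", frozenset({"identity", "certified_utility_bill"}), 10)
    firm_b = FirmPolicy("Firm B", frozenset({"identity"}), 25)
    util = IdentityUtility()
    # Constructed sample: an entity investor that has already onboarded at Firm B.
    util.records["inv-1"] = InvestorRecord(
        validated={"identity": {"legal_name": "Example Holdings LLC"}},
        owners={"alice": 60, "bob": 25, "carol": 15},
        verified_owners={"alice", "bob"},
    )
    util.grant("inv-1", "Firm B")
    to_b = util.release("inv-1", firm_b)

    # Moving to Firm A: only the delta is requested (the bill and the 15% owner).
    gaps_a = util.missing_for("inv-1", firm_a)
    util.records["inv-1"].validated["certified_utility_bill"] = {"doc_ref": "constructed-doc-001"}
    util.records["inv-1"].verified_owners.add("carol")
    util.grant("inv-1", "Firm A")
    to_a = util.release("inv-1", firm_a)

    # The investor revokes Firm B; further releases to Firm B are refused.
    util.revoke("inv-1", "Firm B")
    try:
        util.release("inv-1", firm_b)
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    return gaps_a, to_a, to_b, revoked_blocked


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Firm B's release never contains the utility bill or the 15% owner even after Firm A's onboarding adds them to the record, which is the data-minimisation property the scoped design depends on.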
The Identity Utility also solves a lot of the competitive inefficiencies that emerged naturally as the regulatory landscape evolved. Rather than sharing valuable investors with competitors, the Identity Utility provides an easy avenue out of the rat race — the Identity Utility is not trying to sell financial products to investors. It is an independent third-party streamlining investor onboarding processes rather than a threat to any particular financial firm’s existing business. Further, the Identity Utility is in constant communication with industry experts and regulators. It is up-to-date on the latest trends and understands exactly what an industry-standard process looks like. Rather than worrying about competitive disadvantages from differing onboarding protocols, the Identity Utility provides unique insights into how the market is evolving that will result in a more robust and complete dataset.
Two trends provide context on how financial products and services have evolved over the past few decades. Although enhanced investor access to a broad variety of investing verticals is unrecognizable from what existed thirty years ago, the dominant trend in financial regulation over that same period of time has been an enhanced focus on positive customer identification, sanctions screening and ongoing monitoring. Given the focus on a risk-based approach to customer onboarding, technology companies have struggled to create friction-free experiences for users looking to access new investments. Instead, the existing systems are characterized by unstructured data collection and storage, lack of easy accessibility, insecure data transmission and the need for human intervention and decision-making.
We propose a better alternative.
There is a massive opportunity to be had in developing a robust and frictionless solution that simultaneously satisfies investor demands and financial institution regulatory needs. The financial ecosystem will evolve over the coming years to adopt an industry-wide Identity Utility that will streamline investor access and provide for more robust criminal detection and prevention. Our version of this Identity Utility, the Parallel Passport, simultaneously collects and validates investor identity information while empowering investors to leverage this validated data set across institutions in a single click. The result? Instant onboarding, enhanced crime detection and lower costs for all parties involved.
Parallel Markets is a digital identity company developing the tools to help private market participants access investments and trade securities. Leveraging decades of private market experience, Parallel is building technology from the perspective of actual issuers, employees and investors for use by actual issuers, employees and investors. Securely and accurately asserting identity online is a fundamental piece of private market infrastructure, and the Parallel Passport is the tool Parallel developed to provide a universal and portable identity solution for investors online.
1. This is particularly true in the United States where over 95% of American households have at least one person that maintains a checking or savings account. https://www.fdic.gov/analysis/household-survey/2019report.pdf.
2. E*Trade brought public stock investing to the living room. Vanguard revolutionized how lay investors could mimic public market performance with low-fee index funds. While the “trusted financial advisor” has not been put completely out of business, robo-advisors like Wealthfront and Betterment help investors construct optimal portfolios for a particular risk profile. More recently, Robinhood upended the dominant paradigm by bringing no-fee trading to the mainstream and (controversially) granting retail investors access to ever more exotic financial instruments. Within the private markets, alternative investments are an exploding asset class. From real estate and venture capital to cars, antiques and even sports players, investors now have the ability to earn a return on just about any asset under the sun.
3. See, for example, the recent wild swings in Reddit darlings GME, PLUG and AMC.
4. See Ronald F. Pol’s “Anti-money laundering: The world’s least effective policy experiment? Together, we can fix it,” estimating that 99.95% of criminal proceeds end up being retained by criminal enterprises. From a cost-benefit perspective, Pol estimates $3.1 billion in criminal assets seized compared to $3.1 trillion in criminal revenue, $300 billion annually in firm compliance costs and $8 billion in government penalties for failing to implement adequate safeguards.
5. https://www.ssctech.com/resources-insights/whitepapers/kyc-aml-screening-for-funds-industry.
6. See Pol supra note 4 above.