KYC as a Competitive Advantage with Fourthline

Krik Gunning is the CEO and co-founder of Fourthline, one of fastest growing companies in Europe. Fourtline verifies the identities of millions of customers for clients like N26, ING, SolarisBank, Degiro, Flatex and many others.

Aman and Krik discuss the genesis of KYC and the constant struggle between compliance and risk at regulated institutions. They look at real world examples of how companies are stopping financial crime and how technology offerings in this commoditized market stand out. Finally, they talk about the e-ID and what the future of centralised KYC might look like and how it might benefit the broader ecosystem.

For all of our past episodes and to sign up for our newsletter, please visit www.rebank.cc.

Thank you very much for joining us today. Please welcome, Aman Ghei and Krik Gunning.

Full transcript:

Aman Ghei:

Krik, welcome to Rebank.

Krik Gunning:

Thanks a lot for having me, Aman.

Aman Ghei:

It's a pleasure to be connected today, and I'm really excited to be talking about, I would say, the genesis of KYC with probably one of the fastest growing companies in The Netherlands. I know you've grown incredibly over the last two years from basically 0 to 150 people. I'd love to maybe start off by giving the audience a little bit of context. So, maybe if you want to spend a minute, Krik, talking a little bit about Fourthline and who you are, and how you're kind of attacking the KYC space.

Krik Gunning:

I think it's important to know that, as a company, we are a regulated financial institution ourselves, which means that we've originally built very strong KYC functionality to be used in-house. And, at the end of 2017, a couple of banks approached us whether they could use that functionality on a standalone basis. We launched that in January 2018 and that has since exploded. And we're fortunate to have verified the identities of millions of customers across Europe for banks and FinTechs alike. Based out of Amsterdam, but also a big team in Barcelona where we have an ops and a tech hub. Primarily catering to financial services, both large banks and fast growing FinTechs, but also to a couple of other verticals who are basically looking for the same thing that banks are looking for, which is a mission critical KYC solution adhering to the highest quality and technical standards.

Aman Ghei:

Very, very helpful. And I know you do KYC for some of the biggest financial institutions in the world, and we can kind of come into that a little bit later on. But maybe to begin with, I wanted to start off by asking you why no? KYC has seen a little bit of a homecoming so to speak or, if you want to call it, genesis. And a lot of people, whether it's investors, customers, are really getting excited about some of the companies in this space. So, maybe that's a good place to start off is what is happening right now, and why didn't it happen before?

Krik Gunning:

That's a great question Aman. And I think, to be honest, the best way to describe it is KYC sort of moved from being an orphan to growing into a poster child. And I think it's helpful to take a step back. And if we look at the way KYC was performed a decade ago, you would walk into a bank branch, show your ID, shake hands with the director, get a cup of coffee and a bank account. And since then, a couple fundamental changes have led to your point of this being a super hot industry at this point in time.

Krik Gunning:

The first thing that happened is we've seen increased scrutiny from regulators for banks to make sure that they fully comply with all the legislation around AML, as well as privacy, primarily in Europe, driven by the fifth AML directive and GDPR. At the same time, and this is something you're of course very familiar with, the industry has shifted to a mobile first industry very, very rapidly. And this led to sort of a perfect storm where, on the one hand, the expectations of customers is that they're able to open a bank account anytime, anywhere on any device, and get a result in near real-time. While, at the same time, banks are facing the challenge of adhering to all the regulation that I just referred to.

Krik Gunning:

And I think the interesting thing that we saw happening is, initially, the reaction of increasing regulation of the banks was to essentially throw bodies at it. So, hire thousands of people to do manual checks in a very inefficient way and a very ineffective way. And I think technology, and the way technology has evolved sort of over the last five years, both on the AI side, machine learning side, but also new technologies like NFC, which is not supported by iOS, have opened up the possibility to combine the two points I just mentioned. So, offer great UX to the end customer, have the full bank vet process completed within minutes while, at the same time, being able to adhere to all those regulations. And that's really where technology steps in, and why both investors are so excited about the space, but also, and I think that's pretty unique, KYC's one of the few FinTech areas where, essentially, no bank is aiming to do this fully in house anymore. So, this is really where FinTech is an enabler to the banks and helping banks solve this challenge.

Aman Ghei:

That makes a lot of sense. And we've seen, I guess, some pretty high profile evidence of regulators taking this pretty seriously, particularly from the AML side. And what's your view in terms of why the banks want, now, to do this with other people, as opposed to, I guess there's this prevalent part, whether it's a little bit prehistoric or not, that everything needs to be kind of under our control from a bank's perspective, particularly when we're talking about kind of important parts of the technology stack? And, of course, we're slowly seeing some of that kind of un-bundling, but with regards to KYC, this is you're handling sensitive customer data, why are they open to working with other people? Is it just because this is something they can't handle themselves? Are they scared about what the regulator might say?

Krik Gunning:

Well, I mean, I think if you look at sort of the key challenges in the industry, the expectations a regulator imposes are one, you need to have proper in place. Two, you, in practice, need to follow those procedures. And three, you need to have an audit trail. And I think sort of having all three combined is a big challenge to a lot of banks. And I think this is where a tech player one, is just at a higher pace of innovation. So, to my earlier point, when the NFC functionality was first supported by Apple in the release of iOS 13 in September of last year on the day it was released we also unlocked the possibility to read the chip of your ID document through the use of your smartphone. And sort of that pace of innovation is impossible for a large financial institution to follow.

Krik Gunning:

At the same time, and that's a very fair point you made Aman, banks are, by definition, extremely focused on making sure that whenever they work with an external vendor that external vendor is able to meet all the requirements that they can expect to. And this is where sort of the vigorous vendor onboarding process of a bank can, oftentimes, kill innovation. And if I look back at sort of the journey we've been on over the past two and a half years, being a regulated financial institution ourselves means that right from the start we structured the company in a similar way a bank would approach this. So, I mean, we act like a FinTech, but we think like a bank, which means that we set up a lot of the procedures, a lot of the processes at the same vigorous level that banks do. And that's really helpful in convincing banks to outsource the critical part of KYC to a vendor like ourselves,

Aman Ghei:

And just on that last point, which is helpful to understand, because I'm sure you've been through the process a couple of times, what is it like from a vendor perspective when a bank reaches out? Is it a typical RFP? How do they go about thinking about onboarding, how you fit into their flow, all these different data points, whether you use people sitting in different locations to manually check? What are they thinking when they're talking to someone like you?

Krik Gunning:

It's very much driven by limiting their downside side, if you will. So, it's very much risk driven. And that means that it's not, let's say, within the realm of possibilities for every vendor to be able to do that because it means you need to show that you're taking IT security, data security, business continuity, stuff like that very seriously. And I think GDPR is a great example where, in my view, if you were to choose between AML regulation and GDPR, probably, banks are more nervous about GDPR given sort of the fines that can be imposed there. And that means that in our setup, we've chosen to have a very narrow interpretation of GDPR.

Krik Gunning:

And this is especially relevant when it comes to where is data, being stored, where is data being processed? And are you going to look at sort of the lowest cost of labor for any manual checks involved, or are you taking sort of the view that it's ultimately better to process it within the European Union? And we've opted for the latter. And I think that really works well, if you're talking to those banks. The process itself is never going to be painless, but I think if you're prepared, and if you have all of the policies and procedures in place that they're asking for, then it becomes easier over time.

Aman Ghei:

Very interesting. And I guess this segues pretty nicely into the second kind of topic I want to talk about, which is compliance versus risk. And we spoke a little bit about risk, but I guess on the compliance side, obviously, AML fines is probably the fastest growing vertical, to be honest. I think about $10 billion worth of fines were given out last year compared to roughly $2 billion the year before that. So, people are starting to take this seriously. What is this constant fight between compliance risk? Because, obviously, there is a certain amount you need to do in terms of making sure you're compliant and whether you have the processes in place. But I guess there's a element of how much risk do I want to take as a bank to onboard a customer, or to continue to do business with a customer? And how does KYC fit into this on a constant basis?

Krik Gunning:

Yeah, again, I think it's a great question, Aman. I think one of the challenges we see is that KYC is a loosely used term. And, for banks, it is way more than snapping an ID and a selfie is they're essentially trying to address two main questions. So, one is can I accept this person as a customer, which is very much a compliance driven question. And even if the answer to that question is, yes, the second question pops up, which is, do I want to accept this person as a customer, which is very much a risk question. And if you think about what needs to happen in the backend at a bank to open a bank account you need to, of course, go through the identity verification steps, but you also need to run address checks, you need you to sanction the screening, you need to do risk scoring. You need to have an audit trail of every step of the process. You need a way to investigate flagged cases, and do ongoing monitoring.

Krik Gunning:

And I think that's what a lot of people don't realize, that this is not something banks have chosen for. This is something the regulators have imposed on them and where, essentially, the almost public task of being the gatekeeper to the financial system is now in the hands of banks where they don't have a choice, whether or not to comply. They're forced to comply at the risk of imposing very heavy fines, if they don't meet the requirements.

Aman Ghei:

And without going, I guess, into too much detail, Krik, what are some of the kind of real-world examples of where you've not only you, but I guess from a broader KYC question, and where we're talking about kind of continuous monitoring, been able to flag things that maybe wouldn't have been able to be flagged, I don't know, two, three years back?

Krik Gunning:

Yeah so, I'll give you a couple of examples. I think one interesting one is we look at the whereabouts of a client and traditionally you would run address checks using proof of address, whether it's a phone bill or utility bill, which in our view in this day and era is not a very strong check. I think, let's say, anyone with basic Photoshop skills can prepare a really good fake document. So what we said is, "Listen, let's use the data points a client provides at the signup, of course, with their explicit consent, which is required on a GDPR. And look at those data points in and check whether the whereabouts of a client makes sense," which means that we look at stuff like the physical address, the prefix of the mobile phone, the device region settings, the geolocation, and a number of other data points. And just check whether that is a coherent picture we see.

Krik Gunning:

And we had a case about a year and a half ago of someone signing up with a perfect UK passport, probably an authentic document bought on the black market. But the guy came to live in France, was signing up with a German phone in the sense that it had a German prefix, but the geolocation pointing to a city in Russia, which was enough reason for us to block that individual attempt. And also make that specific geolocation a suspicious geolocation as a result of which we could see the same guy trying about 10 more times using different ID documents, using mustaches, glasses and hats, trying to circumvent the system. It's those kind of checks, where we really believe that without hurting the UX of the customer, you can run great checks that get you to a very strong level compared to the process in the old days.

Krik Gunning:

Maybe another example is we don't just look at the data of an individual client at signup. We also have a data science team that is monitoring the overall trends we see in the KYC field of all of our partners, which means that you can look for statistical anomalies. And we had someone signing up from Dublin with a Brazilian passport, was nothing fishy going on with that signup, so it was approved. But the week, thereafter, 60 more Brazilians came to live on that exact same physical address. Now, of course, we rejected those 60 cases, but we also went back to the initial case and said, "At that point in time, there was no reason to flag this case is high risk or unacceptable risk, but we're reverting our decision." And I think that is very much where the industry is heading, where you're moving from a snapshot of an individual at the time of signup to taking a step back, and looking what's happening overall and through time. And that allows you to uncover new fraud patterns.

Aman Ghei:

Very interesting. So, it's really more than just kind of document checking, which I guess is what a lot of people associate with KYC is a one time snapshot of whether the document you're using to onboard is a good resemblance of you, correct?

Krik Gunning:

Correct. And I think sort of one of the changes, a practical point the industry faces is money mules. So, a money mule is a legit person with a legit ID document signing up through the flow, and it's very hard to detect that at that point in time. But what we've opted for, which I think is something that our clients value greatly, is a system where, through time, you can flag hotspots that are being used by money mules. And I can pinpoint to number of addresses in different countries where we've seen that kind of activity.

Krik Gunning:

The same thing applies for colluding criminals. And Aman, of course, you know this, if people are laundering money that's never a individual with a single account doing it. It's networks of criminals doing it. And by sort of continuously monitoring the data points we see, we are able to uncover fraud patterns, and share that with our clients that they wouldn't have been able to see back in the old days.

Aman Ghei:

Krik, what does all this cost? So, I think looking at two models, so I'm not really talking specifically about you, but in general, what are banks, FinTechs, other people who care about the level of monitoring and KYC someone like you does, what are they willing to pay for something like this?

Krik Gunning:

It varies greatly over the different use cases. I'll give you one public example, which is not a client of ours, but ABN AMRO, the Dutch bank, was forced by their regulators to do remedy KYC on 5 million existing customers, because they could insufficiently substantiate why a certain risk level was assigned to those clients. Now, this is public information, they stated that they would spend $114 million on re-KYC-ing 5 million clients which is, in our view, a pretty outrageous amount. But it gives you sort of an idea of what an individual KYC case can cost you, I think.

Aman Ghei:

And that's the top end, I guess. What is it like for a you and me type FinTech? Are we paying thousands of dollars a month, or is this running into the millions? I guess, it really depends on how continuous you want to monitor your existing base, correct?

Krik Gunning:

Correct. And I think, let's say, broad numbers the cost reduction we offer compared to the traditional processes at banks is 80 to 95%, which means that we're talking a couple of Euros to perform a full bank wide KYC. And, of course, we can offer lower pricing if people are looking for a more basic solution. But I think sort of the strength we see in our offering is about looking at all of those data points combined. And then, you move to sort of a cascade of checks, which we believe is the right way forward in this industry.

Aman Ghei:

Got it. You mentioned a little bit earlier, Krik, that you're regulated. And, I guess, that's a little bit of a unique take to a KYC. We've seen a number of players in the space, but not a lot that come with the regulated angle. What does that give you? Why do that, number one, and what does that really give you? Of course, it might give you, in terms of being in front of a banking client, the credibility needed to convince them to hand over customer data to you. Is that really the crux of it? Or is there something more beyond that?

Krik Gunning:

Well, I mean, we always jokingly say that we are the only regulated financial institution that loves KYC, which I think is really true because I think for most financial institutions, essentially, we're a tech company, but being regulated means we need to operate in a different way which, to be honest, the team doesn't always love because in light of sort of the strict requirements around IoT security, data security, role-based access control, stuff like that the regulators find really important. It also means that we are putting more restrictions on our tech team than sort of the average tech company.

Krik Gunning:

But if you've done that from the start, you can actually flip it into a competitive advantage when you're talking to the banks, because they are thrilled about the fact that we've implemented in such a way, and that we are actually aware of sort of the nuances of what are regulated actually expects you to do. Because I think one of the challenges at bank see is yes, email regulation is ever stricter, but beta is also sort of taking a hands off approach saying, "Listen, it's up to you to interpret what the regulations mean for you." And I think if we look at you at the sales process we're running, it's very much enterprise, but almost consultative sales, where we're sort of sharing with potential clients what we've seen in conversations with different regulators in different European countries, whether it's sort of the requirements imposed by our own regulators or take, for example, France, Italy, Spain there the local regulators impose additional checks that are required in that country, it's that kind of supporting sales that the banks are really looking for in this day and era.

Aman Ghei:

Got it. I guess, transitioning a little bit into the market, Krik, so two components, one is kind of competition, that I want to talk about in a little bit, is obviously I think a lot of people have heard of Onfido, and I'm sure you've come across them when you pitch. But what does it look like for you in terms of people you see across the table? And what is really kind of driving decision making from a technology perspective to choose one over the other in this market? Again, not necessarily kind of related to you, but if I was a compliance manager, or a risk manager at a bank choosing this function, why do I choose one over the other from a technology perspective?

Krik Gunning:

I think it's a great question. I think it depends on a number of things. It depends on where you're at, as a bank, in your digitalization journey. And that's where we tend to see a difference between certain more Northern European banks, and the Southern European banks where, in some cases, you're replacing a manual process, which makes it a very different decision to having a solution in place that you're looking to potentially replace. It can be very different stages of digitalization. And another sort of decision point we see is whether you're integrating different point solutions, or whether you're looking for an end to end solution. And I think that's where sort of different players in the industry have a different angle. And you mentioned Onfido, which I think is a great example of a fast scaling large point solution, which indeed we come across in certain RFPs. With German banks and FinTechs, traditionally, there the video KYC players have had a strong position IDnow and WebID. And then, another name we come across with Northern European banks is also Mitek, which is a US player.

Aman Ghei:

It makes a lot of sense. And finally, Krik, around kind of market dynamics and landscape, so one big topic that has been around for a while is a little bit more around eID driven regulation which, correct me if I'm wrong, kind of came into existence in 2016. But really kind of hasn't taken off quite yet. And I see that as something fundamental to change the way transactions are taking place, cross border, with different businesses. How does something like that affect the KYC business?

Krik Gunning:

So I couldn't agree more with what saying, so I think if you look at, so the first evolution of KYC was about making it easier for clients, cheaper for banks, and safer for society. The latter meaning being an effective gatekeeper, even in the digital era. I think that the next step of evolution is about eliminating duplicate KYC processes, which is where the real waste in this industry is. That it is true both between different financial institutions, so different banks running the same checks on the same person. But it's even true within a financial organization, so if you're a retail customer at a bank now opening a business account, oftentimes, they will treat you like a complete stranger.

Krik Gunning:

And the EU has imposed regulation called eIDAS, which opens the door to private eIDs. And, essentially, therewith, to your point, offering the possibility of KYC portability and eliminating those duplicate KYC processes. And we've seen great examples. For example-

Aman Ghei:

Just to interject there, are they talking about a central pool so that everybody can tap into this? Or are they kind of talking about each entity will have its own eID that is siloed and not shareable?

Krik Gunning:

So, I think essentially there's a split between two types of eID. One is a government scheme and the other is a private scheme. And I think government scheme, probably most people are aware of, let's say, successful initiatives I think Aadhaar is a great example, BankID in the Nordics is a great example. And there are sort of on a country by country level different initiatives. I think where the real opportunity is, is to unlock the potential of a private eID on a pan-European, but preferably a global basis, where our expectation is that you will see a couple of payers emerge with the skill to play and with the killer use cases for you, as a customer, to want to do this, and to want to use this. And to be able to use it not just with one bank, but across different financial industries and across different verticals, whether it's telco, retail, travel, the government.

Krik Gunning:

And that's really where the play is going to be interesting over the next two or three years, because I think, to your point, if the regulation has been there for a couple of years and so far I think the real challenge has been that banks are generally not comfortable sharing KYC information externally. So, I think most of them are sort of worried about the quality of their KYC files internally, and sort of any external liability on that would not be acceptable. Whereas what we actually believe is if you have a person in the middle such as Fourthline, who is willing to curate the quality of the database, and actually expose that to external parties that will create massive upside for all of the parties involved.

Aman Ghei:

Yeah, I guess the most important component is kind of the willing to expose that to external parties, because my guess is it benefits everybody the more this information is exposed. So, that not only do you know that person X from Dublin, who has a Brazilian passport is a potential fraudster, but anybody else dealing with that also knows through the central repository. And it just generally makes the market for transactions a little bit more transparent and more comfortable for people. Is that how you view it, or is it a little bit different?

Krik Gunning:

Absolutely. I think the reason why sort of initiatives around KYC utilities have failed in the past is because the participants could not agree on a common quality standard nor who would be responsible for that. So, I think that the challenge here is not technology. The challenge is setting it up in such a way that you can maintain consistent quality across the board because I mean, ultimately, this is about trust and for an eID to be successful the person on the other end of the table needs to be confident that if you're presenting yourself with an eID that, that will represent a sign of trust, a sign of quality that they can rely on. And that will be the critical success factor.

Aman Ghei:

Very interesting. Krik, this has been a fascinating conversation around KYC, which I think has been talked about a lot and really appreciate your insights here. Thank you very much for joining us.

Krik Gunning:

Thank you so much, Aman, for having me.