I am going to venture myself to write this article on Compliance, with the disclaimer that I am not a compliance professional and that the idea behind this is to get compliance colleagues to comment and compliance officers to pay attention.
Talking last week to a fintech company about their payment processing services in Mexico, i.e. bank deposits, one of their key selling points was that they do identity matching on every bank deposit that they process through Mexico’s SPEI System. They explained why, using a technology solution, this fintech was the only institution in Mexico that could positively match the name of the account holder with the bank account number or CLABE.
Knowing this fact, it raised in my head all types of questions.
SOME INFORMATION ON MEXICO’S SPEI SYSTEM
Let’s back down a second. Banco de Mexico developed a Fast Payment System called SPEI (Sistema de Pagos Electronicos Interbancarios) [1] that became operational more than 10 years ago. SPEI uses an open protocol allowing participants to develop automatic processes to provide more and improved services to their customers. The participants in the system are Bank and Non-Bank entities and through SPEI you can make money transfers and payments using the CLABE (Clave Bancaria Estandarizada – 18 digits Account Number [2]), a debit card or even a mobile phone number. And although SPEI requires the Name of the Account Holder, the system does not provide identity matching [3].
Notes:
– [1] http://bit.ly/2gGc8pc
– [2] CLABE might change the name from Clave Bancaria Estandarizada to Cuenta Básica Estandarizada
– [3] Banco de Mexico might require identity matching in the future
LET’S GO BACK TO THE QUESTIONS
The first question that I asked was: If the SPEI system does not provide identity matching, then I can use any name or variation of a name and the payment will go through to the account number specified? The answer was yes.
The second question was: What is the use of checking all these names against OFAC, PEPS and all the lists that are available without the guarantee that the names are accurate? Is that a perceived risk? There was no answer.
I shouldn’t say that there was no answer. There was AN answer but not an answer to my question. I was explained that most fast payments, ACH payments, bank transfers, behave the same way, with few exceptions in the world. That there is no identity matching. An example was given to me that if a payment is made to a wrong person and the mistake is in the account number, the sender basically can lose the funds. I found a case described by the Independent Bankers Association in Texas in which they explain: “Most banks do not check both the name and the account number because if the bank checks both, there is a question of liability if they in fact become aware of an inconsistency [4].” IBAT in turns cites the Federal Reserve 12 CFR 210.27 [5] – Reliance on identifying number (part of Regulation J) where is explained that a Federal Reserve Bank has no duty to detect any inconsistency in identification.
Notes:
– [4] http://bit.ly/2gaIYxB
– [5] § 210.27 Reliance on identifying number: http://bit.ly/2xHhYB4
SAMPLING OF IDENTITY MATCHING SERVICES
There are companies that provide identity matching services in some countries but they are not widely used by financial institutions. Some do use them, but most don’t. And when the payments are cross-border, there is basically no identity matching.
So I spent some time googling companies that provide identity matching and I found some, such as a company in California called ACHWorks [6]. They have an Account Verification program that only checks if the account is open and currently in good status with a positive balance and covers around 70% of US accounts. To authenticate who the owner/signer of a particular account they have another service but warns that qualifying for access to the Account Owner Authentication service “can be challenging”.
I checked Europe and I find a company called CBG [7] that provides a service that can “instantly validate the sort code and account number” and for UK-based customers, they can “even verify that the account details really belong to the customer”. CBG has offices in many countries, from London to Barcelona, Beijing, Manila, Sidney, San Mateo, CA and many more.
Notes:
[6] [7] Disclaimer: I don’t know ACHWorks or GBG and I am not endorsing or qualifying their services.
NEW TRANSFER RULES AND IDENTITY MATCHING
Europe’s new wire transfer rules — the Funds Transfer Regulation (FTR)[8] which became effective in June 2017 is trying to address the bank account number and the account holder’s identity in international wires and any cross-border payments. A couple of calls to European colleagues confirmed that intra-European transfers were going to be compliant but international ones, including payments to US banking institutions will take quite some time [9].
A November 2016 article in The Guardian entitled “Banks act to stop transfer scams and errors” [10] discusses the issue. The problem here is not compliance in terms of AML and CTF but on errors people commit inputting wrong numbers: “Many people type in, the account name of the person they’re paying, but this is irrelevant as banks do not cross-check this element when processing payments.” As in the M-PESA mobile service in Kenya, when you put an account number to make a transfer, the system might ask you back: “Are you sure you want to pay John Doe?”
Notes:
[8] http://bit.ly/2yqGV2Q
[9] A number of domestic account-to-account systems in different countries seem to be also working on identity matching systems
[10] http://bit.ly/2xGvXlM
AN MTO AGENT INSIGHT
Curious, I called an agent of an MTO and discussed with her payments in Mexico and she was well aware that there was no matching between the name of the beneficiary and the account number. She stated: “[. …] [11] makes a big compliance fuss when we send large cash payments when we know that in order to pay those remittances, the beneficiary has to identify himself and the names and last names all have to match perfectly or else they don’t pay it, but when it is an account deposit it doesn’t matter, the sender can put any name.” Cash Payments 1 – Bank Deposits 0.
Notes:
[11] I am omitting he name of the licensed MTO
GOING BACK TO LIST CHECKING
So, what is the use of checking all the names of bank deposit beneficiaries against OFAC, PEPS and all the lists that are available without the guarantee that the names are accurate? Is that a perceived risk? The truth is that very few companies perceive this as a risk. I immediately envision, if a problem arises, how a compliance officer will explain this situation to a law enforcement agent? [12]
A colleague of mine, interviewed for this article told me that the MTO that he works for only does cross-border bank deposits to Mexico because their compliance team believes that those payments are safer than cash payouts. I guess they will have to rethink their strategy and understand the risks. Sometimes common perceptions are not always so accurate.
Please gives us your comments in our Linkedin group. We will certainly discuss this issue in IMTC WORLD 2017 this coming November.
[12] Of course, it will be extremely risky if no lists are all are checked or if the list solution used is not up to par.
