The Dangers around Data Quality: How Poor Data Quality Can Harm Your Ability to Fight Financial Crime

FinTechs and RegTechs are at the forefront of using data innovatively and efficiently to help facilitate everyday financial services. When managed correctly, this data can also help strengthen AML/CTF defences and help you pick out unusual or suspicious behaviour and customers. However, that doesn’t mean that FinTechs and RegTechs are immune to missteps when gathering, transporting and utilising data. When data quality goes wrong, the dangers can have a hugely damaging impact on the strength of anti-financial crime controls. Here are a few areas to take into consideration when evaluating how your data quality impacts your AML/CTF operation. 

What are the risks?

FinTechs tend to collect non-standard data on their customers. This not only covers the use of electronic ID verification, selfie matching and address verification technology, but also the collection of non-standard data points, such as IP address, geolocation and device ID. While this provides FinTechs with a number of benefits, including a more dynamic risk profile along with a more seamless user experience for customers, there can be major risks to meaningful financial crime prevention if the data collected isn’t robust. 

A FinTech could run into trouble if:

  • Non-standard data becomes limited data

    • This is when collecting less information from your customer and more information about your customer crosses the line into not having enough information on your customer at all. This not only has regulatory implications, but could also hinder your ability to implement a number of key financial crime controls, from transaction monitoring based on customer behaviour to customer screening against PEPs, sanctions and adverse media databases.

  • The onboarding experience is over-prioritised 

    • One of the key benefits FinTechs offer is a more streamlined customer experience, so that customers can start using a product within a few minutes of signing up on the app or website. However, if too much priority is placed on having a seamless onboarding journey, it could lead to not enough information being collected on a customer to form a useful profile on their risk level and expected behaviour. FinTechs can consider limiting access to their product based on information collected or adding a few extra steps for customers deemed high risk in order to help combat this concern.

  • Data isn’t refreshed 

    • Obligations to know your customer don’t stop with onboarding; it’s imperative to keep customer data accurate and up-to-date. Without refreshing customer data, it may be more difficult to truly understand whether a customer’s behaviour is unusual or suspicious, and it may likewise become difficult to fully understand the risk they pose. 

  • Data is entered manually 

    • While most data a FinTech collects will be gathered automatically, some data requested from customers through in-app chats or help desks may require manual entry. Entering data manually, without robust four-eyes checks or routine assurance, can leave a FinTech open to problems from inaccurate data that can make it difficult to truly know who your customer is and what their risk profile is.

FinTechs can also run into trouble with gathering, analysing and responding to management information (MI). Especially when starting up and building out a compliance framework, MI collection, storage and analysis may not be their top priority. In the worst cases, important macro-level data on SAR volumes, customer breakdowns and risk types and TM alerts could go undervalued. Without regular MI collection, easy access to data and trend analysis, quality assurance on AML/CTF controls becomes more difficult. This has knock-on effects, making it harder to update your risk assessment and risk appetite and accurately reflect your product to the board and regulators. Poor MI can even prevent you from being able to advocate for the resources you need on a financial crime team.

What about RegTechs?

Given the digital and innovative nature of their products, FinTechs tend to rely heavily on RegTechs, especially at the point of onboarding. This means that it is incredibly important for FinTechs to understand how and what data RegTechs access, use and provide and consider how this can best support their AML/CTF operations. When considering the use of RegTechs there are some key risks that FinTechs should be aware of: 

  • ID&V Providers

    • RegTechs have spearheaded major innovations in digitising the ID verification process, making it easier to reliably onboard customers in minutes and spot fraud indicators that the human eye struggles to detect. The main data quality risk we’ve seen with ID&V providers is potentially inaccurate transposition. In this case, data that is automatically pulled from ID and proof of address documents into customer forms and profiles doesn’t match the actual data on the ID. When data pulled from an ID is incorrect, it can lead to poor records being kept on a customer that make future customer screening and investigation of suspicious activity more cumbersome, weakening the wider AML/CTF controls infrastructure at the FinTech.

  • Customer Screening Tools

    • The use of RegTechs for customer screening generally gives FinTech customers access to vast amounts of information that can be customised to the FinTech’s specific product offering and customer base. However, even with the amount of quality data provided, there can still sometimes be gaps that need filling. Particularly with PEPs and their relatives and close associates (RCAs), we have seen databases missing key information, including dates of birth, photos, activity, nationality, citizenship and address. We have also seen the inclusion of deceased PEPs and RCAs and some PEPs and RCAs who haven’t been active for decades. When this information is screened against, it can be more difficult for an analyst to clear alerts and can generate large volumes of false positives that require clearance.

Once again, MI is worth considering. When RegTech providers offer poor analytics on the services they are providing, rather than analytics that can be easily categorised and sorted, their FinTech customers will have to rely on manual processes in order to gather and assess crucial information that informs risk and control frameworks. MI needs to be able to provide detail where required and show changes over time. Access is also critical; in our experience, certain RegTech providers’ systems are difficult to access, with support teams that take time to respond to requests for additional information. The best approach we see is when RegTechs and FinTechs work together dynamically in order to ensure information can be swiftly accessed.

Top Takeaways 

While many of the FinTechs and RegTechs we engage with are taking the needed steps to ensure the comprehensiveness and effective usage of their data, there are still some pitfalls that show how damaging the impact can be when things go wrong. There needs to be more awareness of how poor data quality can emerge and how it can affect our anti-financial crime operations. Ongoing quality assurance, testing and audit are essential to ensuring that we remain out in front of any potential data quality errors.

So what should we do?

FinTechs:

  • Take a risk-based approach to KYC and the gathering of customer data, gathering more data on higher risk customers to ensure you’re able to understand their behaviour and your ongoing risk exposure. 

  • Perform regular KYC refreshes and take a risk-based approach to these as well, to ensure you have the highest quality, most accurate data on your customers.

  • Implement robust assurance on manual processes, perform rigorous testing on RegTech providers, and ensure financial crime compliance has input into data storage practices.

  • Collect MI on all key aspects of your anti-financial crime programme, including on customer risk, customer due diligence and screening, transactions, suspicious activities and exits for financial crime. This information should be regularly shared and easily accessible for the second and third lines of defence.

RegTechs:

  • Consider a data quality review by a third party to get ahead of any potential complaints that clients may raise about the data you provide and transpose.

  • Internally review the transposition of data pulled from documents and other sources to ensure it is being accurately reflected. Consider implementing a human review element depending on the data quality risks.

  • Devote research analysts to building out PEP profiles to encourage more efficient alert clearance, and build in filtering options so that firms can filter out deceased or inactive PEPs, RCAs and sanctions targets. 

  • Build robust analytics and reporting functions with access that can easily be determined by clients to meet their specific needs. 

  • Ensure requests from clients for additional information are responded to promptly and properly, and that this practice is expressed within agreed SLAs. 


If you or anyone on your team would like to discuss or explore how data quality concerns may affect your company and what steps you need to take to improve your approach, please feel free to get in touch at contact@fintrail.co.uk.