Lessons from KYC in the Banking and Finance Industry


This blog post is part of a series looking at how the verification techniques and practices collectively referred to as Know Your Customer (KYC) may help the domain name industry comply with new EU legal obligations. Find the overview here.
Money laundering, fraud, and terrorist financing carry an enormous economic cost to the global economy: between $800 billion and $2 trillion a year, according to the United Nations.

At the same time, e-commerce fraud continues to surge, exceeding $48 billion last year, driven by increasingly sophisticated schemes such as phishing, fake credentials and account takeovers.

To counteract this, the financial sector has invested heavily in Know Your Customer (KYC) technologies and processes; first to understand who its customers are, and second to protect consumers from fraud, scams or criminal activity.

The banking and finance industry makes use of the most advanced KYC methods - rigorous identity checks and verification processes - but could similar practices help the domain name industry?

KYC in the Banking and Finance World

Finance is a highly regulated industry and KYC measures are necessary to comply with anti-money laundering, counter-terrorist finance and anti-fraud regulations. 

A multi-pronged approach is used to verify the identities of customers, assess risks, and keep a constant watch for suspicious activity. In general terms, that comprises:

  • Identity Verification: Customers present government-issued identification, proof of address, and sometimes biometric data (e.g. fingerprints or facial recognition).
  • Customer Due Diligence (CDD): The purpose and expected use of an account are assessed, which may include checking that a customer really is the legitimate owner of the business they claim to represent.
  • Ongoing Monitoring: Transactions are continuously scanned to detect anything unusual - a sudden influx of funds from an offshore account or a flurry of small, structured withdrawals.

Fraud within the banking industry is often a pass-through for criminals, i.e. the fraud is committed elsewhere and the financial system is used to move the proceeds.

Fraudulent profiles are frequently created by exploiting vulnerabilities in telecommunications, internet services or retail systems to fabricate identities or get hold of and then use stolen personal data. But the burden of resolving the issue falls heavily on banks, who are tasked with identifying and preventing fraudulent withdrawals.

Some examples

  • In December 2021, over 790 customers of the Singaporean bank OCBC were targeted in a phishing scam which resulted in losses of at least $13.7 million. The links in the scam messages led to a cloned bank website.
  • InfoCom Corporation, a tech company based in Texas, was accused of conducting business with a senior leader of Hamas who was listed as a “Specially Designated Terrorist” by the US Government.

Using financial investigative tools, including suspicious activity reports (SARs) submitted by financial institutions, US authorities traced financial transactions from InfoCom to individuals and entities connected to Hamas.

The transactions were identified through KYC and Anti-Money Laundering (AML) processes, which uncovered the financial links between the corporation and a terrorist organisation.

In Singapore, an explosion in online scams led the government to work with the banking industry to secure bank accounts through KYC measures - facial recognition and verification alongside anti-malware features in banking apps. The government subsequently reported a 70 per cent drop in scams using malware as an entry point.

There are also examples where weak KYC protocols have facilitated crime. Between 2007 and 2015, over $230 billion of suspicious transactions flowed through the Estonian branch of Danske Bank.

Weak KYC protocols allowed criminals to exploit the system, and the results sent shockwaves through the financial world. In response, Danske Bank revamped its KYC processes, introducing stricter controls that made such large-scale abuses far harder to repeat.

Challenges with KYC
KYC has proven effective and worth the investment for financial institutions, but its implementation also comes with challenges:

  1. Cost: Extensive KYC measures can prove costly. Globally, banks have spent billions implementing and maintaining KYC systems, a worthwhile investment given the trillions that flow across those systems. Nevertheless, KYC measures need to be budgeted for.
  2. Privacy: The sharing and storing of sensitive data needs to be given careful consideration.
  3. False Positives: Transaction monitoring systems will inevitably flag legitimate activities as suspicious, requiring compliance teams to act swiftly to avoid upsetting customers.

Applying KYC to the Domain Name Sector

From phishing scams to fake e-commerce sites, malicious actors often hide behind domain names to perpetrate crimes (see the Singapore Bank example above). 

Unlike the banking sector, the domain name industry has not, until recently, been required to verify identities and does not have a strong tradition of external enforcement. With the arrival of the NIS2 Directive, however, that model may need to change. KYC principles could help manage that process through:

  • Verification at registration: Domain registrars could implement checks to ensure registrants are who they claim to be, such as validating government IDs or linking domain ownership to verified accounts.
  • Risk-based approaches: Registrars could prioritise KYC efforts for domain names that are considered higher risk. For example, those dealing with financial transactions or with histories of abuse. This advice is consistent with the guidance of the NIS Cooperation Group.
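The risk-based approach described above (and returned to in the recommendations below) can be sketched as a triage step that decides how much verification a registration request receives before the name is delegated. The following is an added illustration written for this post, not DNSRF code or any registrar's actual policy: the risk attributes, the weights, the threshold values and the list of financial-sounding label fragments are all assumptions chosen to make the idea concrete, and the sample requests are constructed.

```python
"""Risk-tiered triage of domain registration requests.

Added illustration for this post, not DNSRF code or any registrar's policy: the
risk attributes, weights and thresholds are assumptions chosen to show how a
registrar might decide how much verification a request needs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: label fragments that suggest a name will handle payments or
# imitate a financial brand, which the post treats as higher risk.
FINANCIAL_TERMS = ("bank", "pay", "wallet", "loan", "invest", "crypto", "login")


@dataclass(frozen=True)
class Registration:
    domain: str
    prior_abuse_reports: int   # assumed feed: abuse reports tied to this registrant
    domains_in_session: int    # names registered in the same session
    email_verified: bool       # contact email confirmed before submission


def risk_score(reg: Registration) -> Tuple[int, List[str]]:
    """Additive score plus the reasons that contributed to it."""
    score, reasons = 0, []
    label = reg.domain.split(".")[0].lower()
    if any(term in label for term in FINANCIAL_TERMS):
        score += 3
        reasons.append("financial-sounding label")
    if reg.prior_abuse_reports > 0:
        score += 2 * reg.prior_abuse_reports
        reasons.append(f"{reg.prior_abuse_reports} prior abuse report(s)")
    if reg.domains_in_session >= 20:
        score += 2
        reasons.append("bulk registration")
    if not reg.email_verified:
        score += 1
        reasons.append("unverified contact email")
    return score, reasons


def verification_tier(reg: Registration) -> str:
    """Depth of KYC applied before the name is delegated.

    standard : automated contact verification only
    enhanced : plus government-ID validation
    manual   : hold for compliance review
    Any abuse history forces at least 'enhanced' even if the score is low.
    """
    score, _ = risk_score(reg)
    if score >= 6:
        return "manual"
    if score >= 3 or reg.prior_abuse_reports > 0:
        return "enhanced"
    return "standard"


# Constructed sample requests (not real registrations).
SAMPLE_REQUESTS = [
    Registration("garden-blog.example", 0, 1, True),
    Registration("mybank-secure-login.example", 0, 1, True),
    Registration("flowers.example", 1, 1, True),
    Registration("cheap-shoes.example", 1, 25, False),
    Registration("crypto-wallet-pay.example", 2, 3, False),
]


def triage(requests=SAMPLE_REQUESTS) -> Dict[str, str]:
    """Map each domain to its verification tier."""
    return {r.domain: verification_tier(r) for r in requests}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        score, reasons = risk_score(r)
        print(f"{r.domain:30} score={score} tier={verification_tier(r):8} {reasons}")
```

The point of the override in verification_tier is the one the post makes about histories of abuse: a registrant with prior abuse reports should not slip back to the cheapest tier just because the new name looks innocuous, so the tier floor is applied independently of the score. In practice the weights would be tuned against a registrar's own abuse data, and the reasons list is what a compliance team would need in order to explain a decision to a registrant.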

Where the financial and domain names industries align - and divide

There are similarities between the financial industry and domain name industry that can serve as a useful guide, but also differences that would make wholesale translation of banks’ KYC measures difficult.

  1. Scale and complexity: As with financial institutions, the domain name industry sees millions of transactions annually. The financial sector shows that KYC can be implemented and made to work at this scale. At the same time, the deeper those checks become, the more resources are needed, which could prove a barrier for small businesses.
  2. Global Nature: Domains are by their nature a global business, with registrations carried out across multiple jurisdictions, each with different legal and privacy standards. The financial industry offers a model that has been shown to work but it did require international collaboration.
  3. Resistance from stakeholders: While bank customers have been largely forgiving when it comes to the introduction of KYC because it is their finances at risk, the same depth of KYC measures may meet resistance from domain name registrants who are only looking for an online address.

The potential for KYC to enhance trust and security in the domain name industry remains clear, however.

Recommendations for the Domain Name Sector

With Article 28 of the NIS2 Directive obligating entities that provide domain name registration services to implement verification checks, KYC would help through:

  1. Risk-based approaches: By focusing on implementing KYC for high-risk domains, such as those involved in financial transactions or with histories of abuse, resources can be used effectively.
  2. Leveraging Technology: AI and machine learning may help automate identity verification and monitor domain activity, reducing costs and improving efficiency.
  3. Cross-sector collaboration: Partnering and sharing data with other sectors would help spread the burden. Cross-industry collaboration has worked well in the domain name industry in the past.

Conclusion

KYC has helped the banking and financial industry curb persistent and determined crime. 

Although criminals will try to find a way to exploit systems for their own gain, stronger checks make that harder. KYC also safeguards customers. 

The domain name industry can gain insights from the mature systems used in the banking and finance sector to help deter abuse, protect users, and foster trust. Verifying identities at registration and adopting a risk-based approach for ongoing checks are two examples. 

Collaboration may help implement verification procedures that enable compliance with the NIS2 Directive without becoming a burden.
