Payment Systems Regulator strategy to introduce ‘Trusted KYC Data Sharing’

Whatever one’s opinion of Nigel Farage, the concept that he can be de-banked should be troubling to everyone. It should be even more troubling to those familiar with the financial industry’s measures to counter financial crime, as remedies being applied by banks are more extreme than is required of them, and may not even be available to them in this and similar cases.

When challenged, they half hide behind ‘tipping off’, and half behind formulations like ‘commercial reasons’ and ‘the returns do not justify the risks’, which will be familiar to those who have attempted to represent sectors that have been de-banked.

Until all related concerns have been allayed, there should be no question of the banking industry going ahead with its project called ‘Trusted KYC Data Sharing’. This is part of the response of the Payment Systems Regulator (PSR) to Authorised Push Payment Fraud and features under that heading in their 2023/4 strategy paper with the wording ‘Work with UK Finance and Pay.UK on information-sharing among PSPs (Payment Service Providers), to improve scam detection’.

While Authorised Push Payment Fraud is a major problem and efforts to combat it should be applauded at a high level, the solutions already espoused by the PSR, Confirmation of Payee and the Contingent Reimbursement Model, have had little impact on it so far. The same section of the PSR’s strategy promises ‘greater reimbursement of APP scam victims’, i.e. a widening of the scope of the Contingent Reimbursement Model.

So we do not have a track record of the success of the PSR’s efforts, and we have recent evidence of market actors being blacklisted by banks for reasons either disguised or else inferred as being in some way connected to money laundering rules. These rules are to do with the laundering of dirty money (AML – Anti-Money Laundering) and the financing of terrorism (CFT – Countering the Financing of Terrorism), and the ‘KYC’ in the project’s title stands for ‘Know Your Customer’, a major aspect of the rules.

The ‘Trusted KYC Data Sharing’ project envisages institutions sharing data and concerns about market actors between one another and not necessarily with the subject’s consent. It is easy to see how one institution’s black-listing of an actor risks resulting in the actor not being able to access banking services anywhere, regardless of the veracity or gravity of the concerns. It is easy to imagine a systemic transmission of incompetence, as other incompetent institutions replicate the incompetence of the first one.

This project would insert itself into an environment where the rights and remedies of a market actor are already weak in the face of the way in which financial institutions interpret the rights and remedies available to themselves, such as closing an account because they have identified an actor as a ‘Politically Exposed Person’: that is an example of incompetence because there is nothing in AML/CFT regulation stating that this is an automatic and mandatory remedy.

The actor’s rights and remedies are all the more important due to the degree of digitization of banking and payments. In the past an actor could operate with cash, but the industry, government and regulators have all but made that impossible, without at the same time ensuring that actors cannot be de-banked other than through due process, for specific reasons, and once the reason has reached a given stage of examination and corroboration in the process: the logging of a Suspicious Activity Report is not enough, still less the legal expression of an opinion.

This is what is so dangerous about the Bank of England’s ‘digital pound’ project, for which the consultation has unfortunately just closed (not that it contained any questions in this area).[1] The ‘digital pound’ would displace transactions made using physical cash. There are no intermediaries involved in the usage of physical cash. It is spent in a Two-Corner Model: the payer pays the payee. But there would be intermediaries for the ‘digital pound’, and the same intermediaries that are involved in card and bank payments: banks, Visa, Mastercard, and a plethora of industry-controlled middlemen such as Pay.UK and Vocalink, in more than a Four-Corner Model.[2]

A complete digital world furnishes these financial intermediaries with disproportionate power to exclude an actor from being able to function. This power should not be granted to an industry not known for its transparency, its concern for customers or its professional competence.

My own experience derives from trying to stop and reverse the de-banking of the UK’s Payment Institutions sector.[3] Under Article 105 of the 2017 Payment Services Regulations, banks were meant to offer services to Payment Institutions, but the guidance from the Financial Conduct Authority and the Payment Systems Regulator brought this to nought: they said that at the end of the day it was a commercial decision for the banks and they could turn the business away if ‘the returns do not justify the risks’. This became banks’ standard phrase in letters of denial or withdrawal of service, and the regulators did not require them to disclose any of the workings-out behind this judgement.

Now the banks are apparently permitted to expand the mystery to de-banking private persons, as well as to closing Automated Teller Machines (and restricting access to cash) and to closing branches (denying face-to-face banking services to entire communities). The phrases ‘commercial reasons’ and ‘the returns do not justify the risks’ abound.

This must now be stopped, and a good departure point would be to ditch ‘Trusted KYC Data Sharing’. Under it financial institutions would place ‘reliance’ on the AML/CFT work of one another: the phrase ‘the blind leading the blind’ comes to mind, but with the proviso that they hold people’s fate in their hands.

Firstly, they are not up to being entrusted with that degree of power.

Secondly, once one breaks with the principle – as ‘Trusted KYC Data Sharing’ does – that each institution must do its own homework and to a high standard, problems emerge with regard to detecting financial crime: the weakest link in the chain allows access to a bad actor and the misplaced, positive opinion of the weakest link enables the actor to obtain wider access to the financial system. Authorised Push Payment Fraud would not exist if the industry had not incompetently permitted fraudsters to open the accounts into which the fraud proceeds are paid.

And thirdly, it can also work the other way: if one institution flags an actor as potentially bad on weak evidence, or for reasons that it does not wish or feel able to disclose, this negative mark risks proliferating across the financial system and is hard to remove and reverse. This is an area where the actor’s rights and remedies are weak.

This risk is too great to be allowed to insert itself into a financial services industry in which service provision is critical to the buyer but is available, not freely, but at the seller’s sole and unchallengeable discretion, and subject to the seller’s professional competence. FarageGate shows that the project should be stopped.

[1] accessed on 2 July 2023

[2] The Four Corner Model: payer, payer’s Account Servicing Payment Service Provider, payee and payee’s Account Servicing Payment Service Provider

[3] The writer acted as chair of the trade body for this sector and made attempts to regain access to bank accounts for its members