Overview of types of data and how they can be used, as well as user consent models that organizations should consider with consumer-facing services
Good afternoon. I initially, when I proposed a topic, I, it was around knowing your customer. I do work for a financial institution. So when I thought customer in enterprise architecture, my customers are my lines of business. And then I thought, well, customers really apply to people that are gonna spend and make money with us. And then I thought C could also mean constituent. So if you're in the federal space, the government space, there's a lot of areas where we need to collect user data. So I'm gonna talk to you quickly about why we do it.
You know, should we collect it? What's important to collect? Who cares if it's being collected? And then some best practices. So there's some things that we do in the financial space that might be a little bit different than some other industries, but you'll get the idea on how it can be applied generally. So let's face it, before you enter into any partnership or any agreement, do you do your due diligence? So let's face it, when you go to hire someone, what do you do? Do you look through their LinkedIn profile? Do you look at a resume? Do you interview them?
You're, you're collecting information about them. Would you lend somebody money without knowing if they could pay it back?
And, and I was, I was rehearsing and I was walking around the office and I said, would you buy a car without testing it? And I thought, yeah, I would.
I, I would probably do that. So that's a bad example.
But there, there are scenarios where you really should know your, your customer in the Canadian space. And now we're finding globally talking to PWCs here, I see consultants are here. Why do people do this?
Well, because we're, we have to, it's mandated regulatory requirements through FINTRAC and financials, through the US Patriot Act. There's other areas that say you must collect customer data. And why we do it, we have to do due diligence. We have to make sure that the people are able to pay money back. There's no risk to them. There's a couple of other reasons. So personalization, I dunno how many of you use technology. And then you log in and it says, welcome Denny. So they want to know about you and your spending habits or your tracking. I'm not a big fan of doing it that way.
I mean, you really probably don't need my personal information for that, but that is something that we're commonly seeing. Authorization is something else we're seeing. So identity proofing, and I'm sure you've seen talking to some of the vendors now with deep fake technologies out there. Identity proofing is gonna be a big thing. So KYC before we used to collect, you know, name, address, but now we're collecting biometrics, we're collecting voice authentication prints. So there's things around there we're, and research.
So again, being Canada's largest bank, we collect probably more citizen data than the federal government. We know everything about you, where you shop, where your mortgage is, the street you live on, and through your number of Starbucks coffees you buy during the day, your route to work. So there's a lot of things that we know about you that you have to give us permission. And if you do with consent, we know our customers.
So this, this is some information that you guys can follow up on. So we broke it up into a couple of categories. People said, well, what does Canada do? So Canada has some regulations through FINTRAC.
You know, we have reasons we have to track for public sector, casinos, financial institutions, they have rules they have to track. And worse, if you don't track it and don't prove it, we get fined in Japan.
Again, similar authorities in the EU. Again, additional rules. United States has been doing this considerably longer than Canada has. They started back with anti-money, anti-money laundering rules. Back in the seventies, it wasn't regulated and pushed down to everybody. But now you'll see throughout history every several years because of new ways to do inappropriate actions, people are enhancing these rules. So I included this, you can see that countries around the world are now starting to climb on board or have been on board for quite some time.
And again, the presentation's available. So if you need some of this information for internal reasons why you should do it, someone earlier asked, what should I collect? So there's common attributes. So to know your client, customer constituent normal things, you know, name, possibly gender or sex. Some of them are, are questionable right now. Country of birth. Now we're getting into things like passport number, driver's license information.
That's, that's from an authoritative source. Again, to know your, know your audience a little bit better, you'll start to see things like your taxpayer, your land roll number, where your property's physically sitting. So why do we collect it?
And I, I underline the word consent because I'm a big fan and of, if you want something from me, you have to ask for my permission. If you immediately go onto sites and you, they're starting to make you fill out forms and collect all this data, find out what they're gonna do with it. Granted it may go nowhere, but hypothetically, if there's a breach, what happens if it goes out? So when do we collect it? So the FIs, we, we do have, we do have a couple times, we obviously do it when we register. So you want to come on board with our bank or any others.
The FIs need to have identity proof, we need to know about you. We want real-time usage data. So we want to know for our reasons, for risk profiling, we want to know, are you generally doing transactions in North America? I won't lie, as soon as I landed in Germany, my Amex card chirped and said, you've performed a transaction outside of your standard region cuz I'm an employee and it's a corporate AMEX card.
Now, there's a couple other rules. You'll see CIP for customer identification. There are programs that actually elevate the level of risk. So you need to prove you your, you've done due diligence on the individual and there's a customer due diligence program that most organizations have. There's elevated people, and again, you don't wanna put people into categories, but there are scenarios where you'll see money laundering scams, or you'll see inappropriate use of funds coming from specific regions of the world, certain demographics.
And unfortunately there are rules that most of the FIs that will trigger an alert that if you're doing a transaction from that space, you need to follow up and do further due diligence. So we've collected all this data, we have it in a big bucket, a data mart internally. Now we want to use it at RBC. We trigger everything through a number of different methods. Normally it's, it's transaction based. So most of the FIs globally, and even I've talked to a number of them here, they do things per transaction.
You know, your regular transaction of a deposit or a transfer, not really of interest, you're doing a larger scale thing, you're doing things out of band, out of your normal patterns, yes, you're gonna trigger an alert and then they will start to use this type of data. The last little column at the bottom talks about the personalization of services. So we are seeing more and more situations where it's used for marketing and I'm sure all of you have logged into websites of most of the vendors here. And there's a section at the bottom that says, please register so we can contact you.
It's a similar scenario in, in, in a number of our, our sites. So when I log in as a banking customer, if I have consumer banking, I can deposit checks and my pays and whatnot, possibly they may wanna sell me insurance, they may want me to do investments with them. So those are additional services that the bank may want to upgrade me to, to enhance my portfolio. So why is it important? So cost that's lost by the FIs is staggering. So these are last year's numbers in the trillions of dollars that are put through, through anti-money laundering.
So if we knew more about who's spending the money, where the money's going, more about the users themselves, we can probably cut down a little bit on some of this. So obviously three key points, fraud, fines, and you know, reputational damage is a really big thing. If they can't trust you or they've known you've had a breach or if, if something is your institution or your enterprise, regardless of if it's an FI or not, has done something a little shady, they may not wanna do business with you in the future. So for my consumers, my customers, it's peace of mind.
They want to know that I'm doing my due diligence, not just on them, but on, on everybody else that I work with. So if we break it down, people that are generally impacted and the ones we collect the most data on, and the ones we trigger the most actions on, and not, not specifically RBC, but most FIs, people that are obviously playing with money. So the accountants, the notaries, the casinos, insurance companies always come up. Now it does impact the customers. They have to provide data, they have to volunteer data.
The, so I broke apart clients and customers because there are potential clients. I'm sure most of you looked at services online. You clicked a link and said, I'm interested and I want to get a quote for mortgages for whatever the case happens to be. So now the future may bring us other opportunities. So in open banking there, there's no body in a brick and mortar location anymore. They're APIs, there's things talking behind the scenes. So we probably want to make sure that the API is coming from a trusted source, from a trusted individual if at all possible. A trusted app, a device.
So some things we need to do, some things to keep in mind. So due diligence, the bottom left bullet point is probably, probably my key favorite one is when you're collecting your data, look at an accredited source. Now you'll see with deep fakes, with all the AI coming out there, I can easily open up ChatGPT on my phone and say, open up a bank account with Mickey Mouse at a certain institution and it will happily fill out all the information for me. I'm not really an accredited source, neither is my cell phone.
So the, the validity of information is, is key if any of you are collecting information. So there's a lot of optional information and it may be tougher to get. So keep in mind if you start asking for things like passports, a as a Canadian, I mean I've, I've traveled a fair amount. So I'm used to checking into a hotel and them asking me for my passport when I'm in Germany. That would never happen in Canada. Well happens very rarely. Sorry. Additional forms of identification, things like partnerships and companies, ownerships of properties, locations, devices, physical things.
You might, might see them starting to ask for that. So best practices, you've gotta collect all this data. Don't just do it once. Validate it with the user perhaps on random transactions. See when they do things, see if they need the data. Don't just assume that you've opened up a new account. I've got everything I need on Denny, I don't need to follow up with 'em at all. Start to go through your risk modeling. Look to see if there's any requirements or any oddities in in their transaction.
So if there's a specific, a suspicious event, you can do some additional due diligence and do it regularly. Nothing worse. I'm sure that any of you have come up, you've opened up a mobile app and it's forcing you to reauthenticate or validate an integration. Give you a great example. I have a telco provider that I use. They're also my cable provider, my internet provider, and my satellite provider. If any of you know anything about telcos, most of those divisions don't get along and they don't talk to each other.
So at random times I may get a message saying, please validate your account number so I can do my one bill. I'm gonna leave a thought with you if you ever had to open an account. So a lot of texts, but I'll, I'll run through it. So it's something you guys can think about in the background. So imagine if you had to open up a bank account. So you pull out your mobile phone and you say, Siri, can I open up a bank account? And Siri has now identified your device with your telco has identified that you've purchased a valid device.
Because, because the IMEI number has validated your network that you happen to be on has validated that you've used your biometric to log into your phone now knows you're a real person, has validated your voice. So all of the KYC has already been done by your Apples, your Siris, all your devices. So now you've come to our bank and we ask you, who are you? So I open up the camera and I say, please take a picture. I can validate your photo, I can validate it with the Face ID and the device.
I see some privacy people kind of cringing a little bit, but what happens if I take a picture of your driver's license? Can I validate it with the Face ID on your phone? Two photos sounds like a perfectly valid option. Your driver's license, well I should say Canadian driver's license. The numbers on the license also include my birthday.
Very, very interesting design. So I can look at that and I can say, oh, Denny's of age. So he's able to do this because of my age and my driver's license, it knows that I've paid taxes. Now I can figure out where I've learned, we can check all this in the background. I've seen two people smile, which means I'm freaking them out because now they know additional things that I can look up about you behind the scenes. So now I've looked up and I've seen interesting scenario and that it was done unintentionally.
But when I ran through this, my son was in the room and he was watching a movie and he said, dad, what happens if your last name is Escobar? Okay, well he is a fairly well known person in the drug world, so maybe he shouldn't be looking up a bank account, but I've validated his bank account, his driver's license, and he has a very suspicious name or potentially suspicious name. I should do my due diligence. So this is a scenario I never had to go into brick and mortar location. I've opened up a bank account all from my phone all through KYC.
Think of the future, we can now start to do things like how fast you type. We can track that. So I know if you're a human or a bot, I can look at your gait. So if I've walked into an account, into a branch, in a branch, I can look at your walking speed so I can see if you're the same person that's, that's actually Denny that's opened up the account. How you moved your phone. There's a couple vendors here that do biometric on devices. You can do voice patterning, mouse clicks. There are some cost savings. So there's a little bit of a breakdown that you can start to go through, sorry.
And a as far as as why you would want these types of things. The piece that I'm gonna leave you is should you collect it and should you automate it. There's lots of, lots of pros and cons to both. It may work, it may not work. There's a lot of data that's out there. So I just want you to think about it. You're starting to collect data from your consumers, constituents and clients. Do you really need it? Thank you for your time. Sorry. Thank you very much. So if we have any questions from the audience, please Any question, questions online? Got one on the back.
I think we have time for one question. Yeah.
Oh, thank you for this presentation. Very, very insightful. The question I have for you is the customer identity data that you're collecting today. What if a third party provider, and especially with SSI coming in in the picture, how much of that would a bank trust that information as part of the registration?
Ooh, that might be longer than a two minute question. Yes, there are trusted providers, I can speak for our bank. A number of institutions have these control assessments that we do with those third party providers. So we validate them, the data, the type of data they collect. Did they get it from a credible source? Did they have a true process for collecting data? If they can prove to us that they've done their due diligence, collecting it, they have a higher probability of trust with us. We do have them all the time where a third party may come to us and say, is this okay?
And we have to do a little bit of extra work. So, so there's no quick short answer for it.
But yeah, if, if they've done their due diligence and they can prove it, we're a little happier. Thank you. Any more questions? So I'll ask you a question. What's the single most important thing you think an organization should do? You've obviously talked from the perspective of banks that are heavily regulated. Is it simply complying with regulation matters or are there other benefits that you think come from collecting minimum information? Personal opinion. I believe it's the trust factor. I'd like to know in any situation for me, I'm still old school.
I'd rather a handshake and a hello and know a little bit about you when I deal with you. Then just a, a name and a number that trust builds, builds some relationships and I would rather collect minimal amount of information and if I need more ask you than just go all out and collect everything. That's good thought. Yeah. Yeah.
It it, it's interesting. One of the, the things that has been of concern in the UK at least is that many of these anti money, money laundering laws have led to people being automatically disconnected from their banks and their bank accounts. So how do you think you should deal with the sort of the problem, the false positive if, if you fall away?
Yes, we do get those false positives and that's, that's scary because you've put all of your savings, your investments, your earnings into the trust of an institution and then you may get flagged as a person of interest. Yeah. And that's why my one statement is check often and validate often. So if not all institutions do that and I wish they would.
So if, yeah, I think if we could do that, that would save a lot of that payment suffering. Somebody's, I think cameras just switched.
Oh, we lost your volume. Okay. Sorry. Well thank you very much. In indeed. Thanks Mike.
So I, I can we give a round of applause? Thank you very much. Thank you.