are you kidding me?

Mini Rant: KYC is Bullshit

Andrew Andrew

For the past few months, a mini-rant is percolating in my mind about how KYC/AML is bullshit and how we're not punishing companies enough for leaking our data. Fundamentally, the cost bears to the individual who cannot meaningfully secure their data. KYC/AML appears to reduce fraudulent transactions...for the company. In theory, this helps stop fraud for the individual as well. The company only has to protect their assets (aka your data). The individual is forced to give out their data to many companies, because of KYC/AML regulations. 

Here's a common conversation had with any financial or medical company:

"What's your date of birth?"

"What's your mother's maiden name?

"Please give us your full address with zip code so we can verify the account."

"What's your mobile phone number?"

"We need your social security number for your protection to verify the account."

How dare you, the consumer, balk at any of those questions! You're a damned criminal or, heavens, a potential terrorist!

I'll ask the questions

And never joke that "It's all on the Internet", which may be true (statistically, is almost certainly true if you're an American). The poor call center person on the other end will just repeat their question or give you some platitude about how it is for your protections (you idiot).

But wait, maybe your bank or doctor's office CAN keep their data secure!? Hah! Can all their 3rd parties? When you first called in with some question did you hear the ubiquitous, "All calls are recorded for"...insert reason here.

we're recording this

So once I asked a simple question before being forced to hand overm my vitals, "For whom do you work?", in my best imitation of Mrs. Slocumbe. it's a third party call center that has access to your data. It's likely the cheapest call center option the company could find, along with the cheapest transcription service. Just think about that for a second or two. Someone, or more likely a machine, has converted your conversation to text and stored it some way, some where. It's all in our privacy policy you see. And you can mail a letter to opt-out from sharing your data for this type of transaction in 4-6 weeks. We'll just need you to include all your information and a copy of your driver's license in the letter. Oh yeah, and so we can identify you, please include your full social security number on the form.

It's still cheaper to get thoroughly breached-ahem Equifax/Home Depot/OPM contractor-and pay the fines than it is to actually secure the systems. The lackadaisical approach to cyber security by American industry is both appalling and helping to destroy the economy. But is it more appalling that there are no real penalties for losing all your data? In some cases, repeatedly? It's not a new problem. It goes back  beyond 2004, we just started keeping track when AOL lost 92,000,000 accounts. Click the year column to sort by year. In 16 years, we haven't been able to solve it and it's getting worse.

On the other hand, all these companies are unintentionally getting what they wanted out of globalization. Through repeated breaches, their data is being shared globally and making data cheaper around the world. As foreign companies analyze the breached data sets, they learn how to better compete with their American counterparts. It's a great gift from American industry to the world!

As for the consumer, the KYC/AML regulations make it impossible to stop your data from being spread far and wide. The cost bears to the consumer. I can't change my mother's maiden name, social security number, and photo of my ID cards. The breached company can pay $5 per breached identity and offer useless monitoring ( why isn't it actual identity theft defense?!) for a year.

worst security check

Meanwhile, criminals and everyone else can use my personal info far and wide and profit while insurance companies reimburse the cost. Of course, that works once. IF you're a victim of multiple breaches, the insurance company over time deems you a risk and either raises your rates or denies you coverage. See, it's your fault you provided the data for someone else to lose! The individual's credit score drops and the long tail of breaches bears its consequences as they are denied  loans, credit cards, mortgages, and job opportunities. All this because the consumer complied with KYC policies at their bank, credit card company, doctor's office, etc.

Meanwhile, foreign intelligence agencies greatly appreciate the lack of security and continue to thrive in all the data.

</mini-rant over>

You should also read: