July 20, 2004

In order to combat money laundering, financial institutions are required to implement "Know Your Customer" (KYC) safeguards.

But do you know who your customers know?

That's the question powering "entity resolution," the latest trend in anti-money laundering technology.

Currently, the USA PATRIOT Act requires banks to check customers' names against a list of known and suspected terrorists.

But that leaves room for interpretation as to the correct spelling of a name and its variants, as well as a degree of uncertainty as to the proper formatting of addresses and phone numbers. Furthermore, as the recent Riggs Bank scandal shows, a system that relies upon names alone is subject to manipulation. (The New York Times reported this week that a Riggs Bank employee changed the name of an account held for Chile's General Pinochet to "A. Ugarte," using his mother's maiden name. As a result, searches for "Pinochet" would come up empty.)

Companies such as SRD (Las Vegas, Nev.) offer solutions that can prevent such ambiguity in resolving the identity of an individual. Using a combination of public records and proprietary techniques, SRD's solution allows bankers to verify all the data they've been given by the customer -- and make sure that it's stored in a format amenable to rapid and accurate searching.

SRD's customers include public-records providers to the financial industry, such as ChoicePoint (Alpharetta, Ga.), as well as banks that want to consolidate and manage identity data themselves. "This is very sensitive data for [banks]," says John Slitz, CEO of SRD. "They're happy to buy information from people, but they want to consolidate it under their control." What's more, the ability to perform entity resolution spans beyond the KYC requirements. "You can show you're at the forefront of compliance, but you also have something that, for hiring employees, benefits screening, and for outsourcing and other kinds of functions, it becomes a platform within the financial institution," explains Slitz.

With this technology comes the ability to cross-reference data points from the customer base. For example, if two customers share the same beneficiaries, emergency contacts or phone numbers, the SRD system can discover that information and automatically generate reports that point out any accounts that warrant further investigation. "Instead of a very large stack of suspicious activity, you're going to have a smaller, more refined stack," says Slitz.

Not only that, but SRD has tackled the problem of how to cross-reference customers from different institutions. For obvious reasons, banks are loathe to simply provide lists of their customers to competitors, even if it is for noble purposes. In response, SRD has developed a "hashing" algorithm that transforms each data element into a string of coded characters. Thus, instead of two banks exchanging real customer names, addresses and so forth, they exchange the encrypted versions of customer data. If there's a connection worth pursuing between the two entities, the compliance officers at the respective financial institutions can then follow up with identifiable information.

But for everyone else, their information remains within the banks' walls. "They want that evaluation to take place in a way that protects the privacy of the individual and is not data-mining," says Slitz. "They want to be able to find that Joe Smith is a relation to Fred Barnes, and Fred is a known, convicted felon for money laundering, and that association makes Joe Smith a reasonable and particular lead for them to investigate."

SRD, which has several deals in the works with large financial institutions, is also working to integrate the results of its entity resolution searches into compliance workstations from IBM (Armonk, N.Y.).

ABOUT THE AUTHOR