KYC wall of shame

By Jake Morrison in Products on Sun 14 January 2018

There is a saying that frustration is an occupational hazard of being a user experience designer (or an excessively logical engineer). Once you start designing processes, you see process problems everywhere, whether or not you want to. As an American living in Taiwan, I am used to being the weird guy who breaks the process. Lately, however, I have been having more than my usual share of identity confusion (no jokes, please).

Other than PayPal, which was particularly bad, I won't name and shame, because the general state of the art is pretty sad. There are lots of opportunities for startups to compete on user experience.

Bank 1

My bank was sold to another bank (for the fourth time, now). I had activated my new card at the ATM, but that apparently wasn't enough, so they gave me a call. The lady said, "For security, we need to verify your identity. What is your birthday?" I was like, "Uh, no, that's not the way that security verification works. Would you give your birthday to anyone who called you on the phone?" We compromised, she gave me the year and month, and I gave her the day.

Next she wanted to set up a new phone banking PIN. But their phone system doesn't recognize DTMF tones from mobile phones, so I couldn't do it.

Takeaways

There are some logic problems here. First, they need to get the fundamentals of authentication right. It's hard enough to train users to avoid scams, we should not make people think it's normal. Second, why call me on my mobile if your system can't handle it?

Bank 2

I opened a bank account when I first arrived in Taiwan years ago. The bank's systems required the customer's national id number. As a foreigner, I didn't have one, so they created a fake number for me from my birth date and name.

A year ago, my internet banking stopped working, and we had to switch the account to use my alien registration certificate number. That's better, but still a problem. The format of the ARC numbers is slightly different from national id card numbers, so their validation logic fails. I had to use use my wife's national id number for my login.

It took about two hours sitting in the branch, as the staff diligently made phone calls to people at the head office. At some points we almost lost hope and closed the account, but eventually it worked. Recently, though, the bank's systems changed, and the various parts of my account became dissociated. My ATM card stopped working, saying that there was no bank account (another hour to fix). Now the internet banking stopped working with a 500 error. At least the paper account book still works....

Better than this guy, I guess:

Takeaways

Don't assume that everyone has a national id. Make your own unique identifier and associate it with the user's id. How do you deal with foreigners? What is the key that links different systems in your organization? Is it the customer's name? Their id number? Do you expect that number to never change? In some countries the passport number is their national id number, in others it changes when they renew their passport.

Bank 3

Another bank in Taiwan is verifying accounts for FATCA. I needed to fill out the US W-9 form with my name. Of course, I actually had to fill it out three times, with three names. One to match my US tax return, and two more for the different ways they had broken my name on my bank account and credit card, e.g. family name first, name chopped because it is too long.

At some banks, my name is "MORR", because Chinese people have a maximum of four characters in their name. I have learned that I can only make a wire transfer to one bank during the day, because matching the account names requires human attention. Otherwise, it fails with an obscure XML error.

Bank 4

We opened a bank account for my daughter, and my mother wired her some money. When the money arrived, the bank rejected it because it didn't use her full name, it had a middle initial. They wanted us to send the transaction back to the US and do it again (paying the fees again, of course). I told them that if we had to do that, we would close the account because they were too incompetent to trust with money, and they relented.

Takeaways

The Know Your Customer and Anti-Money Laundering process would be a lot easier if you let your customer actually use their real name. Of course this gets a bit challenging, e.g. different scripts or Chinese names, but it certainly makes people happy. So you should let people enter their real names, and add a field for a transliterated version if necessary. Maybe allow them to have multiple variations on their name. Is the goal to veriify that the name is correct or to make sure it's unambiguous?

Bank 4

My corporate credit card has an enhanced verification process. Sometimes when making online purchases, it bounces me to a page to verify my identity. It used to ask me for my passport number (from a previous passport, but whatever).

With no notice, the bank changed the system so that it required a code sent to my mobile phone. Their credit card system didn't have the correct mobile number, though, it had our office number in Hong Kong. There was no place on the web to see or change the phone number, I had to send them a letter by post, which takes a week to process. So the effect was that I suddenly became unable to make payments by corporate credit card.

The bank redesigned their website. The new website is prettier, but doesn't address the actual usability issues. If anything, it makes them worse, because it fits less information on a single screen.

As a business, our most fundamental issues are being able to reconcile payments we receive and making outbound payments. The only information we get in statements is "DEPOSIT" and "WITHDRAWAL". The bank only keeps 90 days of transactions online, because, I guess, lines in a database are expensive. That's a problem when we have questions on our annual accounting 18 months later, though. So every month we copy out the transactions.

They send us PDF equivalents of the paper statements, but they insist on encrypting them with a crazy Java-based system that only works on Windows. If an email doesn't get through, we have to pay them US$25 to mail us a duplicate copy. The passphrase that encrypts the files suddenly stopped working at the same time as their website changed. So now we can't open any old emails. Instead of using the password protection built into the PDF standard, they created a monster.

Recently, they were collecting more information for their KYC process. There was supposed to be a form on their website, but it disappeared in the rewrite. So I had to email 100MB of scans of documents to them. In the course of it, they asked me to provide the id of my partner, who I bought out 12+ years ago. It seems, despite notifying the bank by postal mail (twice!), it didn't work, so we will need to do it yet again. There is no acknowlegement of receipt of documents.

Takeaways

Make sure that what you are relying on for authentication actually works. They could have sent a message via SMS to the mobile numbers before switching the system over.

Let people view and change things online.

Pay attention to the fundamental things that your customers care about.

As a business, I would love to get an "API" driven bank account so I never had to go to their website at all.

Bank 5

We were trying to reconcile the bank statements for our Vietnam branch. The internet banking site has a way to export statements. Their export files had an XLS extension, but were actually HTML. When we got that figured out, we tried to parse the line items, written in Vietnamese. After the tenth regular expression variation, we realized that this was not generated by a computer, some human was entering the descriptions of the transactions for deposits and withdrawals.

Phone company 1

In our Taiwan branch, the registration lists the "responsible person" (me) and also a "branch manager." We moved to a new office, so I went to change the billing address for a mobile phone. The clerk thought that because there were two people on the registration, he had to have both managers there to approve the change of address. It took half an hour of arguing to get him to understand the difference between OR vs AND.

In practice, what do they really care what the address is, as long as someone pays the bill? Cue Mitch Hedberg

I guess I should be happy they are authenticating the request. Despite everyone adding SMS verification to their verification processes, it's not particularly secure. It's often easy for an attacker to convince a mobile phone company that I have lost my phone and need a new SIM, then they can intercept the SMS.

Phone company 2 + 3

Based on my previous professional experience with VoIP, when we set up the old office, I tried to get a VoIP phone line. I thought I had succeeded, but when they installed the system, it turned out that we had VoIP number attached to a dedicated ADSL line. The only way they could legally sell us a phone number was to also sell us a physical phone line.

When we moved, we tried to transfer the phone number to our new office. Unlike mobile numbers, it turns out that the "VoIP" phone numbers could not be ported. Same thing for our fax number. It was associated with the ADSL line, which was in a different telephone exchange, and could not be ported.

I decided that since we hadn't gotten a non-junk fax in the last year, that fax is officially over. Losing the phone number was more annoying.

Immediately after installing the new phone line, we started getting automated scam phone calls from someone pretending to be the National Health Insurance Administration, saying that there was fraud associated with my card. "Press 1 to talk with an operator." Talking with a foreigner broke the scammer's script pretty fast...

Takeaways

What happens if your user loses their phone or changes their number? How will you authenticate them?

The bank has a mobile app. Why not use that to verify my identity? I needed to talk with customer service at my bank in the US. They had a button on their app that said "Call Us." I thought, "Great! VoIP." Nope, it dialed the phone for me. Of course, I was in Taiwan, so it didn't add an international prefix. If you already have a secure login on the phone, leverage it to get a secure connection into the call center for talk. If you use chat, then you can provide rich navigation instead of voice prompts, and avoid making the customer enter their account number over and over.

What kind of permissions does your customer want to see for transactions? In my situation, any one manager should be enough. But if there were two partners, then maybe it should require both of us. How would they know the difference? How can you allow your customer to delegate responsibility for e.g. accounting or making transactions? The boss is busy...

Do your contracts specify fax as a legal notification mechanism? Does anyone have a fax number anymore?