KYC and Email: A Dangerous Mix

This month, I wrote about how the buy side is increasingly having to carry weight when it comes to know-your-customer/ anti-money-laundering (KYC/AML) requirements. The sell side is looking for help—and is tired of getting fined—and regulators want asset managers to provide greater transparency, as well.

As a result, many large buy-side institutions have turned to utilities and managed-services providers for help. While the decision-making is not likely to be outsourced, data collection and dissemination is.

But another reason why buy-side firms should consider a shift toward third-party offerings is security, specifically of the cyber kind. The Sony Pictures Entertainment hack should have been a thunderbolt for every industry—information sent through “secure” email is never really secure. One asset management source told me that cybersecurity “is a concern of course, but it’s not a driving factor,” in the firm’s attempt to lessen its reliance on email. Another asset management source put it more bluntly: “The security and privacy issues can be handled. I think it’s overblown, but I could be proven wrong.”

In public, buy siders like to talk about the necessity of security. In private, I’ve always had the impression that while it’s important, there’s a helpless feeling, too, so you can’t have cyber concerns paralyze you.

But there is reason for concern. Take, for example, what Bloomberg’s Dan Matthies—head of Bloomberg Entity Exchange—has to say: “When you think about a hedge fund wanting to identify, eliminate and mitigate risk, there’s a lot of concern about the fact that the process today happens over email,” he says. “When you multiply the number of counterparties you have, times the number of entities that you have, times the number of groups that you’re dealing with at those counterparties, there are hundreds of different people that you’re dealing with and if everything is being done over email, you’re susceptible to disorganization and to a lot of cyber risk.”

Hedge funds have never been comfortable having their personal details, their firm’s details, and their more sensitive documents being sent via email. They want control over that process

Even though it’s always been the way it’s done, hedge funds have never been comfortable having their personal details, their firm’s details, and their more sensitive documents being sent via email. They want control over that process, but when it comes to KYC, traditionally there haven’t been a lot of options. 

In this new world, though, where vendors are entering into the KYC space specifically to help the buy side, it’s also imperative that the vendors change their ideas about liability, says Steve Pulley, head of Thomson Reuters’ risk managed services. “They all asked the following question and I think it’s the biggest question for all those other asset managers that we’d love to bring on board: What liability is the service provider prepared to take on and inherit in the event of a bad outcome around information security?” Pulley says. “Providers and vendors that say ‘zero’ or ‘de minimis’ aren’t going to do business with the big buy-side firms, period. It’s a cost of doing business in this space and you had better be good at what you do.”

Danger

For the feature, I laid out the challenge that buy-side firms are facing and why it’s different today, and then focused on the four vendors in the space that I’ve heard most about from my buy-side contacts. To me, it makes sense for asset managers to turn over some of their onboarding processes to specialists. It’s good for everyone involved because there is a ton of overlap and there’s no real competitive advantage. Large numbers of buy-side firms are still looking but not acting. As onerous as it could be, there’s a familiar comfort.

But if you need a reason to make the change, it’s cybersecurity. This is a new era and it demands new tools. Going it alone has worked for a long time, and, as one of my sources noted, you can think that the cyber issue is overstated, but it’s dangerous to be proven wrong.