Risk is a broad term that can refer to a variety of activities that must be managed and monitored appropriately to avoid serious harm to businesses and their customers. It can refer to underwriting in the context of lending, know-your-customer (“KYC”) and know-your-business (“KYB”) in the context of bank account opening, transaction monitoring in the context of AML, market exposure in the context of balance sheet management, and fraud in the context of payments. Recent bank failures have driven the majority of risk related headlines in recent weeks. However, signs have been slowly emerging, since well before these events, that cracks are appearing in very different type of risk management, namely KYC/KYB and AML.
In 2022, financial institutions paid $5B in fines for noncompliance with AML laws globally. One example from earlier this year involved Coinbase, which in January settled a New York State regulatory compliance investigation for a monetary penalty of $50 million and a separate commitment to make $50 million in compliance program investments by the end of 2024. The settlement related to alleged compliance failures, including among other things alleged deficiencies in its KYC/CDD program and transaction monitoring systems, which the regulator attributed in part to failures of these systems to keep pace with business growth. This highlights the challenges fintechs face when attempting to scale transaction monitoring systems.
This reality is somewhat disappointing given the number of impressive teams and companies that have jumped in to try to solve these types of problems over the last decade (see more in our market maps below). This post will explore the challenges that have emerged to bring us to this point of system erosion, the significant opportunity we believe exists for new founders to tackle and build a generational company in this space, and what attributes that company might possess.
A Brief History of KYC/KYB and AML
Before jumping into what the industry is looking for and what we expect to see from incumbents and new entrants as a response, let’s first address the history of anti-money laundering policy in the US. AML policy was initially introduced by the Bank Secrecy Act over 50 years ago, which established requirements for recordkeeping and reporting, including among other things that banks report large cash transactions. The reality that early legislation in the space was created well before fintech as a category existed can make it challenging for scrappy fintechs to make sense of, and comply with regulations. The initial legislation was strengthened over the years, including by the Annunzio-Wylie Anti-Money Laundering Act in 1992 and then the Patriot Act in 2001, which required financial institutions to perform core KYC procedures. As regulation increased, KYC and AML has become a massive area of spend for financial institutions, both on software to support compliance and on fees for noncompliance. Their spend on AML technology and operations is expected to reach $58B in 2023.
Generation 1 Players and What They Accomplished
The gen 1 companies in the market map below helped make digital banking experiences what they are today. In the late 20th century and early 2000s when the Patriot Act was passed, opening an account and performing other financial transactions online was either painfully slow or impossible. The experience of opening a bank account in minutes from your phone or computer was made possible by companies including these. They enabled what we know as fintech today.
There are a number of fundamental pillars of risk infrastructure that gen 1 players, such as Socure*, Jumio, and Persona helped unlock. They include, but are not limited to:
- Digitizing and bringing online core identity databases for real time checks: Dun&Bradstreet and Thomson Reuters were some of the earliest players to make identity related databases easily referenced online. Without this very basic first step in the KYC/KYB process, online account opening would require offline steps.
- Unlocking powerful data network effects for individual organizations: One of our first investments in fintech and early player in the KYC space, Socure, has amassed massive identity coverage and breadth of data. As their customer base has grown to include 1K+ top financial institutions, their data network has grown, too, and increased the accuracy and coverage of their fraud models. An individual financial institution wouldn’t have the ability to accomplish this feat on their own, without a 3rd party software provider.
- Enabling fintechs to meet compliance requirements for key partnerships: Fintechs today are built on top of other fintechs and financial institutions. While this has enabled the rapid growth of the industry, it has also created a complex web of liability. To land partnerships with a bank, or a vendor that is built on top of a sponsor bank, compliance is key. Gen 1 compliance infrastructure enabled fintechs to build faster, together.
Top of Mind Challenges for Risk Leaders Today
Evolving regulation and the costs associated with constantly keeping pace has forced risk leaders to be more thoughtful than ever before in constructing their risk infrastructure. As we have leaned into the space, our conversations with leaders and builders have highlighted a few important challenges that are left to be solved. Below are the ones that stood out the most:
- Expansion of fintech across borders has created new challenges in maintaining adequate risk procedures without sacrificing growth: To do KYC/KYB well, you need high quality data on the individual you are screening. In the US and Europe this is an issue far less often than it is in emerging markets. As financial services companies look to expand across borders, we need more alternative data in secondary markets.
- Difficulty experimenting with new datasets and overall flexibility of risk infrastructure: Financial services companies are notoriously not nimble, but at the pace that fraudsters are changing their tactics it has become critical that risk teams can match their rate of change. Heads of risk want to be able to easily A/B test new datasets to see if they can improve conversion rates and/or fraud rates. In some cases, leaders have budget set aside each year to try new data sets or tools. Some leaders are also eager to have better ways to integrate internal, proprietary data into risk strategies.
- Fragmentation of the risk tech stack is driving up costs and complexity to maintain: As illustrated by the gen 1 market map above, many of the early software solutions in the space started with one step in the AML process (ie. ID verification, risk scoring). This can be fine in the short term, but as companies scale it can be difficult to build workflows around point solutions. The burden is often on the financial institution to connect all these pieces together, typically with manual work.
What is Gen 2 tackling and what do they need to get right?
In the last 12 – 18 months, we have seen a handful of new entrants in the risk infrastructure space come onto the scene and gain momentum. They are tackling the three core challenges addressed above, and in some cases taking a fresh approach on the infrastructure side under the hood. We have, unsurprisingly, seen a handful of early-stage companies form to address the relatively less crowded KYB landscape and also a large number of companies emerge focused on emerging markets. More than half of the companies below are focused on markets outside of the US, with several focused on LATAM and Africa (ie. Trully, Smile Identity, Monnai, Trébol).
We believe that regulation in the space and problems to solve in risk management will continue to evolve, and that there is still an opportunity to build a generational company in this crowded space. As fintech and access to financial services continues to grow, we expect the market for risk infrastructure companies will continue to grow as well. There are a few attributes that we think winner(s) in this pursuit will get right:
- Risk infrastructure will be increasingly horizontal, not solving one step in the process but spanning across multiple: Risk teams are coupling together point solutions for ID verification, risk scoring, monitoring, and more to build a holistic risk management function. We think this not only creates extra costs, complexity, and manual work but also doesn’t capitalize on the power of data siloed in each of these steps. For example, SAR filing solutions could be much more detailed and automated if they had all of the data on a risky transaction and the user journey that initiated it.
- Winning solutions will start with a strong data or technical advantage in one part of the risk management lifecycle that will best position them to eventually master the full lifecycle: While we welcome debate on which part of the stack it makes most sense to build a data advantage in first, we think that building a proprietary data set or data model will be core to building a defensive moat in this space. Focusing on an overlooked or particularly challenging part of the population (i.e. an emerging market or thin file customers) could be another strong wedge.
- Solving for the manual processes surrounding risk management: While identification of risky applicants or activity has been solved by many of the Gen 1 and 2 players, we expect Gen 3 to go beyond that to solve for the workflow after this risk has been surfaced. For example, running an efficient due diligence process triggered by a KYC check and more efficiently reviewing transaction monitoring alerts. Today, banks and fintechs have large teams of risk analysts that take on this burden, often doing repetitive, unscalable work.
Risk infrastructure has been crucial in ushering in the golden age of fintech we have watched unfold over the last few years. It will be equally, if not more, crucial to the continued growth and health of the fintech ecosystem looking ahead. With a greater eye of regulatory scrutiny on the financial ecosystem, the time is now to empower risk teams to not just meet basic standards but go the extra mile, which is important for the health of the ecosystem.
If you are building in this space and share any piece of our views on where it is headed, please reach out. We would love to chat: firstname.lastname@example.org