The INFORM Consumers Act & 23 Years of AML/KYC Compliance & Enforcement

Sep 24, 2024

4 min read

Jeff Lavine

JPL Advisory LLC

September 25, 2024

Know Your Customer (KYC) mandates are in fashion. In my last blog post, I covered recent bank-like KYC mandates for B2B Infrastructure as a Service (IaaS) firms, such as the big cloud providers Google Cloud, Amazon Web Services, and Microsoft Azure. This post covers recent bank-like KYC requirements for B2C online marketplaces like eBay, Amazon, and Etsy. Specifically, effective last year, the INFORM Consumers Act (ICA) applies KYC requirements for third-party sellers deemed "High Volume," those with more than 200 transactions and aggregate total sales of USD 5,000.

Below, I will introduce ICA/KYC and, based on the past 23 years of experience in bank anti-money laundering KYC requirements (AML/KYC), highlight two lessons that may be a prologue for future ICA enforcement.

What is the ICA, and what motivated its passage?

Passed in 2022 and implemented in mid-2023, the ICA aims to protect online marketplace customers from counterfeit goods and fraudulent transactions. As noted in various surveys, online platform fraud continues to grow; for example, in 2022, the PwC Global Economic Crime Survey found that such platform frauds accounted for 39% of all frauds reported.

To address this issue, the ICA mandates that marketplace firms identify and verify the following from each High Volume seller:

Physical address
Working phone number
Working email address
Tax identification number
Bank account number
For entities, a copy of a valid government-issued identification for an individual acting on behalf of the seller or a copy of a valid government-issued record or tax document

The marketplace must also collect an at least annual certification for the seller that nothing has changed.

The online marketplace must then show the contact information to consumers clearly and conspicuously on the product listing. Also, the marketplace must disclose on the product listing whether the seller is a manufacturer, importer, or reseller.

In addition, and like AML rules, there is a reporting component. The ICA requires marketplaces to give a mechanism for customers to report "suspicious marketplace activity."

Lesson 1: More Information Creates More Work and More Risk

The ICA has placed marketplaces on a slippery slope. Information marketplaces collect on a seller, both ICA/KYC, sales, and money movements, creates inherent risk. A good compliance program's hallmark, which meets the standard for protection under the U.S. Department of Justice's Sentencing Guidelines, is that a firm should assess its inherent risks and mitigate them with effective controls.

For each High Volume seller, for example, the marketplace will know the type of good sold and to whom, the seller's bank account, the names of the authorized employees, complaints filed by consumers, returns, refunds, the remitters, and recipients of funds transfers in and out of the seller's account, and whether the seller is a reseller, manufacturer, etc.

Good compliance means a firm should understand the risks that this data exposes and do something to mitigate them. Good compliance in the age of accessible artificial intelligence tools in the possession of technologically sophisticated marketplaces compels data analytics. This counts doubly for firms who may already be mining such data for marketing purposes. This inevitably means detection algorithms to find deviations from expected behavior patterns and alerts, like the transaction monitoring banks currently undertake to monitor and report for AML purposes.

For extra credit, read supervisory releases like OCC 2011-12, describing the best practices to validate the quality of these models, and the excellent blog by my friend Dr. Ric Pace at The AI LendScape Blog.

Lesson 2: More Work Creates Its Own Enforcement Risk

Another lesson from AML/KYC is about volume. Though tech firms may outperform banks' automation capabilities, KYC still needs manual work. Over time, KYC processes have proven time-consuming, labor-intensive, expensive, and error-prone. Industry surveys suggest that 54% of banks spend $1,500 - $3,000, and 21% spend more per corporate & institutional client file. A KYC review for a single corporate client often takes +60 hours and 30 to 60 days to complete. Some banks take even longer – more than 200 days in some cases. AML/KYC requires significant personnel resources, with most larger banks employing 2000+ FTE teams dedicated solely to KYC. KYC operations are heavily manual, and 2/3 of the costs are people, increasing the risk of human error and inconsistencies.

For example, verification is among the most complicated task required in both ICA/KYC and AML/KYC. Both regimes require independently determining that any information and documents provided are valid, corresponding to the seller or an individual acting on the seller's behalf, not misappropriated, and not falsified. In practice, the combination of documents and third-party databases used requires significant manual reconciliation.

Errors, inconsistencies, and volume related backlogs have become the most significant contributors to KYC-related enforcement actions. These enforcement actions totaled $260 million in the first half of 2024. Moreover, as a rule of thumb, banks can typically budget three to five times the size of the fine in remediation costs.

Conclusion

In conclusion, the ICA imposes significant new responsibilities on online marketplaces, necessitating the implementation of robust compliance and risk assessment frameworks. Marketplace firms can glean valuable insights into managing and mitigating risks by examining the practices of financial institutions, particularly in KYC and AML compliance.

The vast volumes of information collected under ICA requirements create operational challenges and elevate the risk of enforcement actions if not managed correctly. Therefore, marketplace firms should adopt comprehensive risk assessment methodologies akin to those employed by banks to identify potential threats and establish effective controls. By doing so, they can ensure compliance, protect against penalties, and maintain consumer trust in an increasingly regulated environment.

For more information on this and other topics, please contact: jeff.lavine@jpladv.com.