Providing an innovative customer journey in a constantly evolving regulatory environment
According to a recent survey published by the ABBL’s Digital Banking and FinTech Innovation Cluster, focusing on mutualization and outsourcing on the financial services industry, KYC is seen as one of the priorities for most respondents. 93% of them believe that mutualization of certain functions between institutions is valuable for the financial services community and 71% believe that Know Your Customer (KYC), Anti-Money Laundering (AML) and Combating Financing of Terrorism (CFT) are the most attractive areas to embark on. As explained by Pascal Morosini, “KYC outsourcing is clearly accelerating and there has been a specific need and growing demand from the Luxembourg financial centre for the last 10 years. This dream about the creation of a centralized KYC utility has now become a reality, made in Luxembourg”.
In the current context of increased regulation, banks are transforming through digital, which can clearly facilitate the daily routine of bankers by easing or even replacing their redundant tasks, while also adding significant value to financial institutions as well as to their own customers. In the frame of recent KYC regulations, all the players of the financial services industry are required to collect a growing number of data concerning their clients with the need to update them on a regular basis. “KYC is one of the key business processes of the bank and is therefore regulated by the CSSF. And when it comes to outsourcing, we need to remember that the bank remains responsible for the security and availability of the clients’ data. The bank is also in charge of risk analysis,” underlines Fernand Lepage. As BGL BNP Paribas is going through a profound digital transformation to answer to the new needs of its customers, it decided to partner with i-Hub, a startup created 3 years ago by POST Group with the promises to deliver innovative KYC managed services. As highlighted by the KYC Office Director of the bank, “our collaboration started back in 2018, with the goal to offer a new user experience to our clients as well as an innovative customer journey. It actually bothers clients to fill in the same documents at different times of their relation with their banks: for instance, they can now allow the sharing of their information, in a secure and confidential environment. As an enabler of data acquisition, this solution allows us to concentrate on our core business while trusting i-Hub and its innovative KYC outsourcing services”.
A platform from scratch, made – and hosted – in Luxembourg
To answer to the new needs of the banks linked to a rapidly changing regulatory environment, the i-Hub team built its platform from scratch. The startup was actually launched by POST Group to allow the outsourcing of KYC managed services: thanks to its affiliation with the Luxembourgish group, i-Hub benefited from the start from POST’s chain of trust. Moreover, the Luxembourgish regulation requires service providers to be PFS certified (Professional of the Financial Sector) to be able to deliver services to financial institutions. “For BGL BNP Paribas to collaborate with i-Hub on this specific topic, the startup absolutely needed to obtain the PFS – Professional of the Financial Sector – certification and be regulated just like the bank itself. For instance, if data were hosted outside of Luxembourg, we would have to ask for the permission of our clients. But with i-Hub being regulated and having its infrastructure in Luxembourg, we are under the same legislation, working closely with a local and regulated entity,” adds Fernand Lepage.
The platform in itself was built from scratch to answer the needs of the Luxembourg financial centre. “First of all, when evolving in the financial services industry, security and confidentiality are key aspects, as the banks trust us with their clients’ files which also need to be available 24/7. Actually, as we are seeing an important wave of mutualization, we, as a startup and service provider, need to be even more demanding in terms of quality so that we can serve and satisfy the entire ecosystem. To do so, we rely on partners with the same standards, and that align in terms of those key aspects, in order to further strengthen this chain of trust,” explains Abdelha Tayeb. Moreover, to ensure the highest level of security, i-Hub performs four pen tests per year, and benefits from POST Group’s Cyberforce hackers – divided in blue and red teams – to work on multiple attacks scenarios and eventually improve the defense processes and strategies.
To pick the perfect partner, i-Hub launched a call for tender and finally selected EBRC. “As a young startup, composed at that time of around 15 people, our focus was entirely on building a platform that would answer to the needs of the financial sector. Therefore, EBRC was ticking all the boxes in terms of security – with its SOC -, integration of technology and managed services offer,” adds the CEO of i-Hub. He also explains that partnering with a renowned infrastructure and security provider allowed a rapid development of the solution. “It took us less time to deploy the platform. In the last two years, we have never experienced any downtime in terms of availability. The teams at EBRC are also extremely reactive and can rapidly provide us with additional servers or innovative technologies if needed. Their OpenShift infrastructure and their DevSecOps methodology allow the containerization of applications, agile development and continuous production. The flexibility and agility of our partner is crucial: without EBRC we would not have been able to deploy our solution and would not be considered as a true Regtech”, highlight Pascal Morosini and Abdelha Tayeb. The experts underline two of EBRC’s main values: its managed services expertise and experience, as well as ability to provide innovative products. According to the CIO, “they combine the best of both worlds. Moreover, the load balancing server provides continuous availability, and therefore adds another layer in terms of trust and security. The traditional product was enhanced and adapted to new standards, which now allow i-Hub to successfully talk to – and convince – extremely demanding clients and enter the financial services industry”.
A fruitful collaboration with a leading banking group
The i-Hub platform is composed of three different environments. “First, the back office is operated by our experts who are in charge of updating files and remediation. There is also an environment accessible via an API and a web portal for our clients from the financial sector. And finally, there is a portal dedicated to the clients of our clients, whether it is a person or an institution, for them to update their data and documents and give their consent to mutualize their information,” highlights the CEO of the startup. The startup, in the context of open banking, provides the bank with an intelligent and disruptive concept which reduces onboarding friction as well as the time-to-market: it can actually play a central role as it mutualizes the effort and therefore convinces the market.
In the first months of its collaboration with BGL BNP Paribas, the banking group mandated a cybersecurity company, located in Tel-Aviv, to fully audit i-Hub’s processes and services. “The results were positive and we noticed that we already answered to 13 of the 18 pillars of the ISO 27001 certification. We decided to close the gap and worked with the same company to address the missing points. We finally got certified in less than a year. We then chose to further expand this certification process with EBRC-Advisory Services team, and are now also the holders of ISO 22301, which deals with business continuity,” explains Pascal Morosini. It is also important to underline that the cybersecurity experts also visited EBRC’s infrastructures in order to audit the entire “chain of trust”.
Prior to implementing the system, BGL BNP Paribas and i-Hub worked on a PoC – Proof of Concept – with 500 clients of the bank using the platform, with sometimes needs expressed in the early morning, and solutions developed in the following hours to finally be deployed at 1pm. The Director KYC Office comments: “i-Hub successfully passed the technological test as none of our clients expressed negative feelings and feedback about this innovative platform”. Once deployed, the platform has to be available for the bank’s 300,000 clients, with no service interruption. As explained by Fernand Lepage, most clients usually open their banking accounts from 8am to 4pm, which can be managed easily, but all their other actions, during the day and all night long, must therefore be processed whenever they want. The infrastructure has to be flexible, adaptable and monitored by professionals, and of course, must support and manage an important volume of data. Abdelha Tayeb adds: “each client represents around 250 data points. Multiplied by the number of customers, with regular updates, the amount of data is huge and managed through our platform. On the other hand, BGL BNP Paribas can concentrate on assessing risk rather than spending time on acquiring data”. Fernand Lepage also underlines the importance of communication when implementing innovative and disruptive solutions in legacy systems: “internally, communicating is essential to embark all the collaborators in this new adventure as some might fear handing data and information to a third-party provider. We needed to reassure them and clearly explain how we were only sharing identification data and no banking data at all. We used to evolve in an industry, which advocated banking secrecy, and encrypted data, and now, we have entered the era of open banking, with KYC becoming a utility. It was therefore key to adapt our communications strategy, internally and externally”.
The BGL BNP Paribas board members validated the solution, and so did the IT and legal departments, as it answers to the most recent needs expressed to clients and pushed by regulation. “With i-Hub, banks – and eventually their clients – benefit from an all-in-one solution, with, contrary to most startups, a focus on security. The decision-making process may look fastidious but it implies deep reflections and transformations: following the audit, the PoC and the latest developments, we are convinced that we picked the startup with the best solution to tackle today’s regulatory challenges while providing our clients with an innovative and intuitive platform,” highlights Fernand Lepage. In Luxembourg, around 80 BGL BNP Paribas employees are working on KYC-related topics, but at the group scale, more than one hundred experts are currently dealing with KYC.
Through its “Powered by EBRC” program, the company, which initially built its infrastructure for the financial services industry, aims at facilitating the IT operations of its partners to drastically reduce the time-to-market. Its DevSecOps methodology empowers IT teams, allows the redefinition of business approaches and favors regular applications improvements. It also features key security guarantees through its numerous certifications and builds trust through its track record. i-Hub therefore benefits from a secure, robust and available infrastructure to build its platform on, while BGL BNP Paribas advocates the mutualization of technology – with the participation of as many actors as possible, for the benefit of the entire ecosystem. As BGL BNP Paribas modernizes its legacy systems, and through i-Hub and indirectly EBRC, the bank now relies on a secure platform, which aims at standardizing the market. “i-Hub, which comes in as a neutral and trusted partner, is increasing the pace of transformation and brings significant added-value to our banking services and eventually to our end-clients with an innovative user experience and digital customer journey. In a trusted environment, through the entire chain,” concludes Fernand Lepage.