I loathe clichés, but there is one oft-repeated platitude about fraud management that I never argue with.
Whatever is done to prevent fraud, we should anticipate fraudsters will adapt and work around it. This observation is consistent with many decades of experience as voiced by hundreds of experts. So it follows that if you merely block or interrupt a crime, then the criminal will return and experiment with other ways of committing crime because they remain free to do so. Following this logic to its conclusion means we should try to deny criminals the freedom to perform their experiments if we want to permanently reduce crime. We must seek to bar them entry to the communications ecosystem in order to minimize the harm they can do in future.
This observation about fraudsters also applies to irresponsible marketeers. That explains why there can be a lot of blurring of the boundaries between anti-scam and anti-spam controls. There is only a nuanced distinction between a scam call that sells something which does not exist and a telesales call that intentionally misleads the recipient about what is being sold. Both calls are typically illegal. Some industry insiders go further by muddying the waters between legal and illegal telesales calls. Their rationale is that both kinds of telesales calls can cause annoyance. However, the distinction is important because businesses should not routinely interfere with legal activities, even if they are being pushed to do so by politicians who lack the courage to pass legislation that would change the definition of what is prohibited. A lot of manipulative games are currently being played by professionals who select when they do or do not differentiate between scams and other illegal communications, and when they do or do not distinguish between illegal spam and legal spam. Vague boundaries can easily leave us slipping down a slope where know-your-customer (KYC) controls offer as little obstacle to criminals as they do to irritating but legitimate marketeers. Both want the ability to instigate large volumes of communications at low cost. Somebody has to decide who will be barred from doing so.
A further corollary to our opening maxim is that bad actors will not relent simply because one communications business turned them away. They will try the same tricks with a second provider, then a third, and will rotate around every business that enables bulk communication until all avenues have been exhausted. This is why we should always be skeptical about providers who insist they impose robust KYC checks. The business with the strictest KYC would turn away the most potential customers. Businesses with weaker KYC will profit financially from the high standards adopted by others. It can be difficult to voluntarily maintain ethical principles in a cutthroat market. If consistency is not enforced, then the slippery slope can easily turn into a race to the bottom.
The same KYC challenges occur with voice, SMS and other messaging channels. When it comes to scams, we need to start thinking of all channels as being potential substitutes for all other channels. A scammer does not care if their initial contact with a victim is instigated through a robocall, or an SMS message, or an RCS message, or a Whatsapp message, or a message sent by Snapchat or Telegram or a hundred other platforms. For the scammer, all roads lead to Rome. They just need one point of entry into the road system in order to progress towards their destination. Laws and regulations have not been updated to deal with this reality. Even if somebody in authority tried to pursue consistency in the KYC checks for bulk enablers of robocalls, then different laws and regulations would apply to over-the-top messaging platforms. So even if all the bad actors were barred from accessing one channel, many of them would simply congregate around a different channel that is less well protected.
If that was not enough of a challenge, the global nature of our communications infrastructure is another obstacle to consistent KYC. We have communications technology which connects everyone to everyone else, but laws and regulations have limited jurisdiction. A country might pass a law which applies to bad actors elsewhere but they will probably lack the means or the determination to enforce it. If robust KYC became the norm in one part of the world, the scammers and spammers could still reach victims all over the planet by simply originating their communications in those regions which have weaker KYC.
And then there is another obstacle to consistent KYC: nobody can think of a way to become rich by turning robust KYC into a fancy technology. KYC is only ever a cost. Money needs to be spent employing staff who will devote their time to performing KYC checks and evaluating the risk that a potential customer poses. Revenue is reduced when potential customers are turned away. There are no vendors who can promise regulators that KYC would be fixed by mandating the purchase of their product. So we remain thoroughly stuck in a swamp where everybody says they apply robust KYC but nobody really trusts anybody else to do it.
So that is why I wrote a KYC standard. I wrote it because I am the kind of arrogant do-it-yourself imbecile who tackles problems that are global, intractable, and where there is no profit motive. And by ‘wrote’, I mean that I shamelessly plagiarized a KYC standard written by somebody more knowledgeable than me. Because if the standard I plagiarized is adopted by some communications businesses, and my copy of that standard is adopted by some other communications businesses, and I can get you to shamelessly copy this standard and apply it some communications businesses that you know, then maybe we will lay the foundations for more consistent KYC in general. We need that underlying consistency to give the authorities the leverage to begin punishing the truly bad and reckless providers of bulk communications. If anti-fraud professionals align their efforts then we can gain strength in numbers.
On some other occasion I will share the story of the CEO of an industry association that refused to even look at my draft KYC standard just because I revealed that the i3Forum is already considering whether to endorse it. This helps to explain why I dislike clichés; there is no shortage of scoundrels who say they want more collaboration to reduce fraud, but whose competitive instincts prevent them ever reaching a compromise unless they are guaranteed to profit from it. For today, it is sufficient to state that consistent KYC is vital if we want to permanently reduce illegal activity on networks, and that you are welcome to copy from me as I have copied from others. That is why the promotion of consistent KYC is the second of the three missions that prompted me to keep Commsrisk going, and why the draft KYC standard is visible to everyone below, and available for download from here.



