You are here:

What security? Costs of KYC outweigh the benefits

by Ajay Shah  May 17, 2012 18:03 IST

#KYC   #Money laundering   #Open wifi networks   #Security  

Only in a police state is the job of a policeman easy.
 - Orson Welles

The policemen of India say: It is only by using onerous and intrusive tracking procedures that we will be able to block terrorism, tax evasion, money laundering. But society should be designed for the convenience of the median citizen and not for the convenience of the policeman. Yes, when citizens have liberty, it imposes more work upon the policeman. That is a tradeoff we should favour.

In every place in the world, I walk into a coffee shop, open my laptop, and go into free open wifi networks. Except in India. Open wifi networks are banned in India, because they make life difficult for policemen. This is a bad tradeoff : we have sacrificed the immense gains from ubiquitous open wifi networks in return for reducing the work of policemen.

Agencies

Terrorists and criminals use roads. Does that mean that we will only permit people with photo IDs to embark on roads? Terrorists and criminals drink water. Does this mean that we will only permit people with photo IDs to buy water? And so on.

Global norms on financial distribution, which have been pushed hard into the direction of more monitoring by the US Treasury, do not require a know-your-customer (KYC) on every transaction. They only require customer due diligence' (CDD), which means that the due diligence applied on a transaction should be appropriate (a big principles-based word) for the transaction at hand. We in India have translated this into a mechanistic rule "demand KYC for everything". This is incorrect. A greater push-back is required, from citizens.

A civil liberties perspective

They who can give up essential liberty
 to obtain a little temporary safety,
deserve neither liberty nor safety
- Benjamin Franklin

We get asked to prove identity to enter an airport, to do financial transactions, to get a mobile phone, etc. We have become used to the idea that this is essential in this world inhabited by too many terrorists.

I think anonymity is precious and valuable. We in India have given up even an attempt at protecting civil liberties from an encroaching state that wants to know a lot about us. Particularly given that we are a fragile democracy that works imperfectly, it is important for us to have less information in the hands of the state.

The best we're able to muster today is the hope that the Unique ID will reduce our transactions costs of complying with the surveillance state. I think it's important to go deeper, to question this array of rules that monitor us. How much security do they buy us, in return for what costs to society?

What bang for the buck?

We should be more intelligent in weighing these tradeoffs between imposing costs upon society at large, and the extent to which they help us catch criminals. A great deal of what passes for security procedures today is quite silly when you pause to think about it.

We are obsessed with monitoring electronic payments. The bad guys will just use cash. The amount of money required for pulling off the WTC attacks is believed to be roughly $100,000, which was wired to Mohammad Atta. It is not hard to move $100,000 through non-electronic channels: this is the value of 11 ingots of gold, each the size of a pack of cigarettes.

In fact, it is very convenient for the authorities when the bad guys use electronic channels, since greater tracing becomes feasible. We have a fair clue that this money came to Mohammad Atta from Pakistan's ISI because the money was wired; if the bad guys had moved money through cash or gold or diamonds or platinum, we would have not known this crucial fact.

It is better for us if more bad guys ride on the electronic highways of the financial system. As long as cash is around in large quantities in India, it makes little sense to block people from coming into electronic payments on the grounds of KYC.

We are obsessed with physical IDs as a tool for security. But the bad guys will easily forge any physical IDs that you can propose. It is not clear what safety we're buying, in return for the enormous human resource and cost in time that is being expended today in checking IDs.

We in India are surprised to discover that in the US, you can buy a temporary one-month GSM SIM card at a storefront, without any know-your-customer or proof of identity. They do not even want to know your name. This is not to say that the security agencies in the US are not watching everyone keenly. The point is that they are doing this in ways that impose lower costs upon society; the security procedures are less of an eyesore.

A need to rethink where we're going

Many elements of the information before us, today, suggest things aren't going well:

  • In the US, despite a fairly open and liberal system (eg, freely selling GSM SIMs to anyone, without requiring even a name), law enforcement has been pretty effective: They haven't had a single successful terrorist attack after 2001, despite being the #1 target of myriad nutcases like Osama Bin Laden. In India, thousands of people have died in terrorist attacks, even though we have embarked on a barrage of security procedures.
  • Every terrorist caught dead or alive in India has a cell phone. This suggests that our attempts at requiring a KYC for every mobile phone aren't so useful.
Failure should have consequences. We should rethink the way we work today, drawing on these blocks of evidence.
We need to ask three questions:
  1. Tradeoffs between freedom and safety. How much of a violation of personal freedom are we willing to accept, in return for better enforcement of laws. We should be willing to sacrifice some safety in return for more freedom. E.g. Saudi Arabia has low crime, but do we want to be Saudi Arabia?
  2. Tradeoffs between prosperity and safety. How much inferior GDP are we getting as a consequence of the security procedures which are being put into place? We are willing to sacrifice some safety in return for more GDP. Eg there would be fewer road accidents if the speed limit were 25 kph (and road accidents kill vastly more people than terrorists), but we're willing to live with the carnage on the roads in return for higher prosperity.
  3. Does the claimed security procedure even work?? What is the bang for the buck, the effectiveness of these procedures? As many examples above have suggested, many of the security procedures used in India seem to be poorly thought out.

Drawing on my experiences in Indian public policy process, I can venture a guess about how the prevailing tools of security came about. A meeting was organised. Everybody in the room was an experienced practitioner; there was no thinker around. Everyone was indignant. We have to do something.

A few security as theatre proposals came up. Everyone agreed. It felt like we were making progress; we certainly got plenty of showy security procedures to impress Parliamentarians and the media. Nobody asked second order questions; nobody analysed the data. This combination of factors (indignation, decision making dominated by the status quo, theatre to satisfy journalists and politicians, lack of a feedback loop through data capture and data analysis) is not conducive to problem solving.

Ajay Shah's Blog