Skip to main content

Business Registration Data as the Best Vehicle to Achieve KYC and AML for Business

  • 1294 Accesses

Part of the AIDA Europe Research Series on Insurance Law and Regulation book series (ERSILR,volume 6)


To achieve the corporate purpose of a company, it is necessary to follow the regulations that exist in its respective sector, which include not only the adoption of policies and protocols, but also the prevention of fraudulent activities, which can be done through a sufficient knowledge of the customer. It is of greater relevance in the case of insurance companies, which must sufficiently know their client, taking into account their transactions and activities, since the internal decisions that the company takes in relation to the risks it assumes are based on its own corporate governance policies.

For this purpose, this chapter proposes the alternative of implementing RegTech tools through the adoption of a Single Business Registry. This registry contains all the required information from a company, including financial statements for the respective periods, which can be supplemented with records already existing in a country, as this would facilitate regulatory compliance.

1 Introduction

RegTech is a FinTech segment that, through technology, creates solutions to help companies comply with regulatory requirements.Footnote 1 Its main objectives are to improve the parameters of regulatory compliance of companies, optimize processes, promote business efficiency, and improve customer service. They are the technological tools that help different entities, mainly financial ones, to comply with the applicable legislation, especially with the normative and regulatory burdens that could be verified through the use of data.

A major category within RegTech is primarily dedicated to compliance, providing the tools for Know Your Customer (KYC) and Anti-Money Laundering (AML) as part of a Customer Due Diligence (CDD) process.

On the other hand, corporate governance is made up of the set of rules, principles, and procedures that regulate the structure and operation of the governing bodies of a company.

The strategic decisions made by the corporate governments of an insurance company must have an accurate data analysis to acquire adequate information about the client and the possible business that may be undertaken with the latter. Thus, having accurate and complete corporate data enables in-depth analysis of agents and customers, which generates appropriate product offering strategies and direct marketing programs.

Properly analyzing the data and knowing the customer causes a significant demand for time and cost, as compliance with the standard implies an essential information requirement. However, it is also necessary to avoid crimes such as money laundering, corruption, and crimes related to drugs and terrorism that may occur in any country through adequate knowledge of the client and the origin of its assets by virtue of the coherence between income and different bank movements.

The certification and business registration entities are essential component within the statistics and operation of the business sector. However, to make its activity more efficient, it is necessary to improve public records at the time of data capture. Under this scenario, this article aims to solve the question: How can insurance companies adopt corporate governance that uses business records to develop KYC or AML to improve their own compliance?

To improve public records and possess the tools for an adequate KYC and AML in insurance companies, it is necessary to consider financial information, including the definition of income, expenses, and profits for the respective period. This is considered the best vehicle to achieve a complete KYC and AML that may benefit the entire industry, especially the insurance industry.

In this context, the information provided during registration could be verified against external sources of information, as well as the set of other delegated registries existing in a country which facilitate business registration to avoid money laundering and other practices. In this way, business records are shown as the central axis of KYC in our society, with the aim of preventing the risk of identity theft both for the ones who hold the status of merchant, as well as for companies, generating greater precision in the analyzation of data when insurance company conducts business.

Obtaining company information from public commercial registers provides the insurance industry protection in its relationships with clients, suppliers, and counterparties, through watch list filtering solutions, KYC, and transaction filtering and monitoring.

Finally, these projects are relevant as most of the registries in a country share data, and the commercial public registries have accurate and updated information on their operations and provide accurate corporate data for an efficient aggregation of risk, obtaining even a more precise actuarial price or profitability relationship and improving compliance with regulations such as KYC and AML, among others, thus providing the insurance market with legal and operational security.

2 An Overview on RegTech

Broadly, it might be thought that regulatory developments and technological advances are not closely related to each other. However, these advances have changed in recent times the nature and way in which financial services are provided. Thus, they have evolved to be in tune with the context that exists at a given time, going from being reactive to the crisis, to considering the digital transformation in developed countries and the growth in digital financial services in developing countries, and finally, to considering the increase in the roles of FinTech and RegTech companies.Footnote 2

In protecting financial consumers, especially insurance consumers, a complete regulation has been generated that implies an increase in costs in the financial system involving insurance companies. For this matter, companies seek mechanisms that tend to facilitate compliance with all regulations, which increased considerably, thus avoiding the imposition of fines.Footnote 3

RegTech was born in this context, as were the technological tools applied to regulatory compliance. This makes it possible to solve the legal problem of a lack of incentive, thus improving competitiveness. RegTech performs online monitoring, which identifies problems or irregularities that may arise; thus, in the event of an atypical value, it is transmitted to the financial institution in charge of determining whether a fraudulent activity was carried out, looking for and identifying possible threats to financial security from the beginning, minimizing risks and costs related to loss of funds and data breaches.Footnote 4

Other authors, like Jake Frankenfield, defined it as “Regtech, or RegTech, consist of a group of companies that use cloud computing technology through software-as-a-service (SaaS) to help businesses comply with regulations efficiently and less expensively. RegTech is also known as regulatory technology.”Footnote 5

Under this scenario, RegTech makes it possible to comply with the regulatory burden that currently exists in the different countries on the financial system, which includes insurers, avoiding not only simple breaches, but also the imposition of sanctions for failure to adequately comply with the regulatory burden with respect to multiple aspects. Consumer protection has a special relevance, for which its adequate knowledge is required to guarantee the protection of data, as well as the possibility of avoiding fraudulent activities that can be committed in the development of these activities.

Likewise, and for the specific case, RegTech represents an important advantage and has an essential purpose in the regulatory compliance of insurance companies. Using technology to manage data and information facilitates compliance with KYC and AML regulations, as well as internal regulations of each state. The foregoing is based on the sense of organization of the information and compliance as having adequate information systems facilitates a permanent audit that guarantees quality and success in insurance companies.

DeloitteFootnote 6 establishes that RegTech provides permanent monitoring that improves efficiency in the provision of financial services, freeing up the time generated by the investigation not only of the different regulations and capital invested in it, but also of those related to the sanctions for a certain breach. In this sense, RegTech acts as a tool that enables companies to act proactively and not only reactively, which in turn generates significant economic impacts.

To fulfill the purpose of these technologies that promote compliance, different mechanisms such as artificial intelligence or big data can be used, organizing the multiple data into information that may be useful in regulatory compliance and generating algorithms that identify suspicious activities being carried out, and the existing probabilities that a certain activity can be considered fraudulent within a company.

In addition, RegTech companies collaborate with financial institutions and regulatory bodies, using mechanisms such as cloud computing and big data, which allow information to be shared, since cloud computing is evidently a low-cost technology where data can be shared quickly and securely. In this sense, these companies combine the large volumes of financial information with the data they have from previous regulatory failures to determine, through predictions, areas of potential risk in which special emphasis should be placed.

It is important to note that it is not possible to simplify the entire RegTech panorama as a simple FinTech tool since FinTech has the “know-how” of innovation, but RegTech provides expert knowledge of the industry with special emphasis in the risks that need to be mitigated, offering security to users of financial services.Footnote 7

In this way, although FinTech has an approach that is inherent in the financial system, RegTech has the potential to be applied in a wide range of contexts, based on principles such as Know Your Customer, which is transformed into Know Your Data, consolidating as a regulatory paradigm that must consider multiple aspects and new axes more broadly than the financial sphere.Footnote 8

3 KYC and AML Within Corporate Governance

RegTech favors the incorporation of technological solutions regarding improved regulatory processes and their compliance through new technological developments such as artificial intelligence, machine learning, among others, seeking regulatory reforms using technology in important issues such as anti-money laundering and KYC compliance.Footnote 9

RegTech application can generate important impacts on the financial system, especially in insurance companies taking advantage of the potential that they have to automate and centralize Know Your Consumer (KYC) processes through blockchain technology. This kind of technology is more resistant to modifications and records activities in a transparent manner, which supports the integrity of costs, reducing them when incorporating new clients.Footnote 10

The ease of centralizing KYC processes represents important benefits in companies such as insurance since it streamlines security and management processes in compliance with the regulations of the countries. In this sense, by automating this kind of process, companies can spend less time and resources in the in-depth and manual study of each client with respect to the state guidelines and focus on central tasks of special interest within their business.

The expression “Know Your Customer” or KYC first emerged in the United States in the late 1960s, with the purpose of referring to the specific obligation of loyalty that the broker had, where he must sufficiently know his client to make the appropriate investment recommendations, which are adjusted to one’s conditions and needs. However, it was at the beginning of the 1990s that the obligation to know the customer permeated other banking and financial activities, gaining greater relevance since it acquired functions in preventing money laundering; thus, it was consolidated as the obligation to identify and to control clients, thereby seeking to fight money laundering.Footnote 11

In tune with KYC is due diligence in anti-money laundering and fraud detection controls, where together the digitization of the client and partner incorporation processes, information exchange and analysis of data, clients, and transactions is sought.Footnote 12

Considering that the information requirements on clients have increased to prevent terrorist activities and SARLAFT fraudulent businesses, RegTech provides reporting regulation systems, which in turn facilitates regulatory compliance by the actors involved.

On anti-money laundering, RegTech companies have had great relevance since they tend to improve the fight of different financial institutions against financial crimes. As an example, by 2017, based on a Global FinTech study, of 341 RegTech companies, more than 53% were mainly dedicated to AML and KYC-related issues.Footnote 13

The need for financial companies, such as insurance companies, to adapt RegTech- related alternatives for KYC and AML is given because of the use of sophisticated methods implemented by crime that aims to make money obtained by illegal means as well as from legitimate funds. Therefore, greater regulation and controls on money laundering are necessary by institutions dedicated to this purpose, which also manage resources from their different clients.Footnote 14

Under this context of the rise of crime by different means, it is necessary to place special emphasis on KYC and AML. Thus, each client or potential client of a financial institution or an insurance company should be properly studied under the requirements that these two precepts bring with them. This process requires special attention and having sufficient documentation regarding identity, income, and provenance of similar funds.Footnote 15 Basic and superficial information are not enough, it is requiring depth for the technological tools to acquire the data sufficient to foresee situations that may compromise entities or insurance companies.

The need arises because currently, at the time of making transactions with different companies, whether involved in banking services or providing insurance, insurance entities no longer have enough confidence in traditional risks management systems. These have shown significant shortcomings that raise questions not only to the companies themselves, but also to the insurers, engaging in activities that may be criminal from not having sufficient regulatory support.

Therefore, insurance companies sought technology and apply it to comply with the regulation and different standards, with an emphasis on adequate knowledge of their clients and potential clients by processing the large amount of information and data that they can count on, thereby avoiding the carrying out by the insured of fraudulent activities such as money laundering.

It should be noted that the AML and KYC requirements regarding RegTech were established by the FATF and the Basel Committee, which seek to promote the implementation in different countries of RegTech solutions that not only simplify processes and guarantee regulatory compliance, but also identify transactions that may be suspicious.Footnote 16

In this sense, the importance of RegTech in insurance companies is clear, where it is necessary to have adequate customer information before providing the respective insurance, thus guaranteeing an adequate origin of funds and the legality of all movements made by the insured company, which makes it possible to control not only the activity of the insured but also compliance with the regulation.

The implementation of RegTech tools is not a measure that can be used within an insurance company suddenly and indiscriminately. It is necessary to start making a series of decisions within the company that come from its different organs and are in tune with all its policies and objectives. It is also necessary to consider how these emerging changes that have been brought about by technological advances may have repercussions on insurance companies, making it necessary for the existence of an interaction between corporate law and insurance regulation.

Within any company, especially insurance companies, taking into account the activities they are engaged in, there are circumstances that may make them more or less prone to risk. Therefore, it is not possible to completely eliminate the risks that arise in a company, the most relevant being the conscious acceptance of risk levels, communicating decisions to shareholders to take actions for their mitigation and control, using the tools and standards available.Footnote 17

Based on the above and considering that companies will always have some kind of risk, even the more they try to moderate them, the author Javier Ísmodes CascónFootnote 18 points out that an adequate corporate governance should seek to ensure that risks are understood, managed, and communicated appropriately. Thus, although at the time of conducting legal business controls and audits are carried out, there is no adequate qualification of ex-ante risks or those indicators that alert potential risks before they occur. Therefore, to prevent this class of risks in insurance companies, it is required to have an adequate KYC, which tends to identify future clients by investigating the origin of funds and their history of transactions and exchanges.

With respect to insurance companies, in Colombia specifically, the “Federación de Aseguradores Colombianos”—Fasecolda—is constituted, a non-profit entity that groups and represents the insurance sector mainly against surveillance and control entities. In 2007, this body approved the guidelines for establishing a corporate governance code for the Colombian insurance sector, which had as its main objective to offer a framework of behaviors and actions for insurance companies that would provide security, projection of interests, and in general, a responsible management of the entire company.Footnote 19

The code of corporate governance above seeks to mitigate risks, provide transparency, and facilitate decision-making, generating greater confidence and better management of resources to reduce risks.Footnote 20

The relationship between adequate corporate governance, which seeks to make correct decisions and regulatory compliance, is found in Legal Compliance. The action that aims to comply with the standard is the activity of obedience to the standard that is agreed or imposed. In this way, it is aimed at ensuring compliance with the company obligations, providing mechanisms that require adherence, and the study of compliance with current regulations, whether they are mandatory rules or different obligations voluntarily assumed by the company.Footnote 21

Under this scenario, the corporate governance of insurance companies is in charge of implementing an adequate legal compliance within their organization, including current regulations. For this, it is important to use the tools that the world provides us, which not only ensure greater compliance, but also create cost effectiveness and efficiency. Thus, it is important that the different corporate governments duly study the possibility of applying RegTech tools within their organization.

4 The New Solution: Business Records

As mentioned, certification and business registration entities currently occupy a crucial role for the proper functioning of companies. They cause the registration of the main information of each society, generating with it a general database with basic information.

Most of the information available to these entities is obtained, in the Colombian case, from the records voluntarily made by the people of their companies, such as notification addresses, subscribed, paid, and authorized capital, corporate purpose, legal representative, among other information, which, although it is highly relevant, is inadequate to fully understand a company and all the activities it carries out, as well as different asset movements.

This lack of information creates the possibility that insurers may provide their services to companies whose assets may be made up of illicit money. This occurs from having inadequate knowledge of the client and lack of a large public database that guarantees transparency in the actions of the different market participants.

In this context, it is proposed as an alternative the obligatory nature of financial and accounting information, including income, expenses, and profits that must be registered in a single business registry, thereby seeking a KYC and AML. Thus, the corporate governance of insurance companies can be based on such records to have the well-founded and sufficient knowledge in insuring a respective client, preventing fraudulent activities and identity theft, and improving the internal compliance of each company.

A single business registry with sufficient information results in in-depth knowledge of the different clients of the insurance companies, taking into account their accounting history and income origin. This translates into an adequate KYC that facilitates better data treatment for AML policies based on RegTech, which are consolidated and capable of carrying out specific actions aimed at preventing fraudulent activities.

It should be noted that, in addition to the implementation of the Single Business Registry with sufficient information, the decisions to adapt it must be implemented within each company, also taking into account the adoption of RegTech tools.

For the implementation of the proposed Single Business Registry, it is important to know some aspects that the legislator must consider for the consolidation of a project of such magnitude. In this sense, a regulation that enables interoperability between the different registration systems present in a country is necessary so that an exchange of information is carried out, reducing costs for entrepreneurs while increasing the quality and updating of the data for the knowledge of the interested parties.

In the case of a country like Colombia, different registration systems have specific functions. There are records for merchants and records for natural or legal persons who intend to carry out contracting processes with the state. In this case, it would be necessary to have a regulation that would enable interoperability between these information systems, enabling the transmission of information. Additionally, the legislature must analyze the possibility of a consolidated system where interested parties can consult the information in the registers without having to go to each one individually.

Additionally, special emphasis must be placed on the legislator at the time of its regulation concerning the information that can be considered sensitive. Although greater publicity and transparency are sought to guarantee the KYC and AML, the monitoring of the personal data protection policies of each state must be considered to have an appropriate regulation that only represents benefits for the market participants.

Based on the above, RegTech promotes good corporate practices in compliance management and improves the results of regulatory compliance. In this sense, it enables the ordinary fulfillment of tasks, reducing operating costs related to the performance of daily tasks in a company.Footnote 22

Given the importance of RegTech’s application, Christopher Woorlard, Director of Strategy and Competition at the Financial Conduct Authority—the regulatory body for financial services in the United Kingdom—identified several uses of RegTech that can be highlighted in this case, which, when in tune, may result to the proper functioning of RegTech tools in compliance with the objectives set:

  1. 1.

    Facilitates compliance of companies with legal requirements, such as reports, documentation, among others.

  2. 2.

    By promoting efficiency in compliance, it is aimed at closing the gap between the intention of the regulatory requirements, their subsequent interpretation, and the effective implementation within a company.

  3. 3.

    The implementation of RegTech tools simplifies and helps companies to manage and exploit existing data, facilitating the best decision-making and finding in real time those who are not following the regulations.

  4. 4.

    Finally, the author points out that technologies and innovations give rise to more efficient regulation and compliance processes.Footnote 23

For RegTech to function properly in areas such as KYC and AML, which are the most structured applications to date in financial companies, proper data management must be had, implementing structured data under provisions and rules, using mechanisms such as predictive analytics and machine learning, which help identify inside information, threats and information that may be suspicious and related to fraud and financial crimes, as well as the use of privileged information and misconduct, all of which are collected through data exchanges in the network, such as telephone calls, exchanges in emails, commercial transactions, among others.Footnote 24

As the authors Tom Blutler and Leona O’BrienFootnote 25 point out, for the proper management of KYC and AML, a traditional approach of technologies has been used that seek to transform and map the regulation of legal provisions through rules in software codes. However, this can create a solution called “black box” since violations of the regulation may be presented by the client that are not encoded in all its variables. That is, the commission of a certain conduct may be codified, however, there is not only one way to commit it. Hence, when coding it, it generates multiple existing combinations which cannot be entered in the code for the same act, thus some fraudulent behaviors could not be properly avoided.

In this sense, Nizan Geslevich PackinFootnote 26 says about the problem, “it requires a carefully tailored design of the technology, a joint effort of the regulators and the private sector, and some shifts in corporate thinking.” Therefore, the application of technological tools should not be carried out in isolation, but in tune with the entities and the needs of the private sector and insurance companies.

Under this scenario, there must be an agreement and joint effort between the companies interested in the application of RegTech tools to improve their compliance in relation to KYC and AML and both public and private entities, such as, in the Colombian case, the Chambers of Commerce and DIAN, where they were able to unify the information to a single database, which by implementing tools such as predictive analytics, AI, among others, facilitate the prevention of the commission of crimes and provides sufficient knowledge for companies before carrying out the respective hiring or underwriting.

In addition, the legislator must also consider whether there are limitations for each entity to transfer its information. In this sense, it is necessary to analyze the total legislative panorama of each country to determine the extent of the integration of registers. It is not a question of the elimination of a particular record, since each one seeks the satisfaction of specific objectives, but of a consolidation of information that is complete, updated, and truthful, based on the existing data.

One of the main problems for a correct implementation of the proposal is the proper handling of the data, as it does not only refer to a few of them but to big data, that is, “data that contains a greater variety and that is presented in increasing volumes and at a higher speed.”Footnote 27

Among the main challenges that regulators faced and that the Single Business Registry that arises could have is the management and processing of the big data. However, it is at this point where the different regulators must work in tune with FinTech and Insurtech tools, determining not only the information that is considered relevant for its adequate treatment in line with the proposed objectives, but also the ideal means to collect it, such as through the expansion of the necessary information in the Single Tax Registry, or that which is registered at the time of the renewal of the Commercial Registry or other existing registry systems in the country. For this, regulation is necessary that not only guarantees the implementation of the appropriate tools, without limiting them, but also flexible to the changes necessary for proper operation.

In this sense, an adequate management of information resources and the data themselves is a potential agent of change and transformation for KYC and AML, which paved the way to the introduction of the concept of Know Your Data (KYD), since it is not only a matter of the insurance companies having an incalculable variety of information in their bases, but of the proper use given to it. Therefore, if this information is in the hands of the industry at a general level, efforts in the fight against laundering can be strengthened while reducing certain compliance costs and guaranteeing regulatory compliance of companies.

In this way, by implementing the Single Business Registry for insurance companies, with the goals that have been previously noted, compliance is achieved, which means acting in accordance with internal rules, regulations, laws, and procedures. Thus, when it is indicated that a company is compliant, this means that it complies with the regulations that the regulatory bodies impose, depending on the activities undertaken by it.Footnote 28

For its fulfillment, it now depends to the respective body of each entity responsible for making decisions to implement the information in the Single Business Registry after it has been created, to prevent money laundering and obtain sufficient internal controls for normative compliance and its specific purposes.

The importance of the proposal is given because having an adequate RegTech through a Single Business Registry facilitates the KYC, which provides security on the legality of the clients. However, this has an important precedent in the Financial Action Task Force (FATF), which in 2007 published an important document that addresses market risks, how these should be managed efficiently, as well as the mechanisms to establish minimum due diligence parameters with the client.Footnote 29

Aside from sufficient documentation as support and presence in the registry where insurance companies have access to, it is important to bear in mind that adequate KYC policies must contain the following:

  1. 1.

    Customer acceptance policy

  2. 2.

    Customer identification

    1. 2.1.

      General identification requirements

    2. 2.2.

      Specific identification issues such as: trust accounts, corporate vehicles, business presented, client accounts, political persons, clients not present, and correspondent banking

  3. 3.

    Continuous account and transaction tracking

  4. 4.

    Risk managementFootnote 30

In this sense, both banks and insurance entities implementing RegTech policies must seek to sufficiently know the identity of their clients, control the activities they carry out, and take into account their account information to determine the transactions that are not within their normal business or those that are expected for the type of client or account. In this sense, the KYC is a necessary element in risk management and control, and it is essential that it is supported by compliance evaluations and internal audits.Footnote 31

Finally, as an additional aspect for a possible RegTech implementation in the insurance area, in 2018 the IV International Congress of Insurance Law was held in Colombia, where the Financial Superintendence of Colombia, the body in charge of regulating the country’s the financial market, announced that it will launch three tools that aim to promote and seek to facilitate innovation in the financial system, namely:Footnote 32

  • The hub, which acts as a meeting point for entities so that those interested in the FinTech sector can exchange information.

  • “La Arenera,” which through a control environment and in real time, facilitates the development of products, technologies, or business models.

  • Finally, and with special relevance for this work, the aim is to implement RegTech, aiming through its use, by the Superintendency, to streamline and optimize internal processes in regulatory matters, thanks to the use of technological developments.

By implementing RegTech tools, the Financial Superintendency, in tune with the chambers of commerce, could exchange their information and generate a complete source of information that can be consulted by those interested. Thus, not only would it provide companies with an adequate KYC, the same superintendence could also more efficiently exercise its supervisory function, seeking compliance with the regulations by all insurance companies.

5 The Sources of Information in the Business Registry

To have a single business registry that contains all the necessary information for RegTech to have an adequate management of KYC and AML, it is necessary that such information is complete and is obtained by contrasting the different external and internal sources of information on which a company can count. Hence, the importance of information is evident, as indicated by Arias and Portela,Footnote 33

Las organizaciones empresariales son concebidas como entidades procesadoras de información, independientemente de su actividad, ya que todas las empresas tienen necesidad de obtener y analizar información actualizada sobre mercados, costos, ventas y procesos de producción. Esta información procede tanto de fuentes internas como fuentes externas a la organización, y, una vez procesada y utilizada, genera, a su vez, nueva información que será difundida dentro y fuera de la empresa (p. 11).

Translated to English as follows:

Business organizations are conceived as information processing entities, regardless of their activity, since all companies need to obtain and analyze updated information on markets, costs, sales, and production processes. This information comes from both internal and external sources to the organization, and once processed and used, generates, in turn, new information that will be disseminated inside and outside the company (p. 11).

It is the information which provides enough tools for adequate compliance that promotes knowledge of the client and avoids fraudulent activities. Although the company may possess internal information provided by the client, it is necessary that this information be contrasted with external sources for verification, granting a greater degree of certainty and transparency in the actions.

The Single Business Registry must have information systems that take raw data and transform them into knowledge that can be used by companies such as insurance. Thus, the information system can be defined as “un conjunto de procedimientos ordenados, que proporcionan información efectiva para apoyar la Toma de Decisiones y, con ello, asegurar el control de la organización”; translated to English as “a set of ordered procedures, which provide effective information to support Decision Making and, with it, ensure control of the organization.”Footnote 34

In this measure, it is not enough to indiscriminately obtain the information reported by companies and potential clients, it is necessary to organize and adapt it in a way that represents a true utility. In the case of insurance companies, they must contain clearly and easily accessible information on potential policyholders, with access to assets, liabilities, and current income, in addition to the requirements that insurance companies consider aspects of study at the time of making an assurance.

Having the information that facilitates the adequate execution of the company’s corporate purpose and proper management is a key element for the development or maintenance of advantages within a company; in this way, the required information and the possible sources of collection for such information must be clearly identified to define a structure for its processing, communication, and implementation with respect to clients and in decision-making.Footnote 35

The information that business records should have should be obtained mainly from external sources of information. The internal sources are those internal documents and records of operations of a company, generated through reports of departments, procedures, and products. This kind of information makes it possible to know the conditions of insurance companies to insure other companies, analyzing the level of risk that it can assume, among others—factors necessary for making decisions from within.

In this regard, as indicated by UMB Virtual, external sources provide information generated outside the company, such as publications by public entities, development or international organizations, associations, directories, databases, or the press. It is generally the information to which a company refers because it is outside its scope and normal course of business and operation. In this sense, a Single Business Registry must go to these external sources to obtain its information, based on existing registries and on the obligation to register certain information by companies.

In this sense, insurance companies could have a wide range of information not only internal for them to know their business scope, but also about potential clients by consulting a single information system complete enough to avoid isolated consultation of different information bases. In the same Registry, everything that is necessary for an adequate management of all its objectives is found.

It is necessary to note that although there are already records that contain different information from companies, the majority have basic information such as: (i) general data (including ID number, address, corporate purpose, among others), (ii) establishment and branches, (iii) administrators, (iv) legal publications, (v) press publications, and (vi) commercial references and suppliers. These show the lack of information regarding the commercial activities of the companies and the relationships between assets, liabilities, and profits.

The foregoing is relevant because it is known that in a country like Colombia a company can have broad social objects, where “any legal activity” is indicated, which can open multiple possibilities that a company can carry out, making it difficult to really monitor and control by the interested parties, such as insurance companies. Additionally, although what is related to the publicity of a company’s accounting information is questionable, certain information is necessary for entities such as banks, as its record makes it easier to detect the possible performance of suspicious activities.

Companies such as “Einforma” in Colombia prepare reports on different companies, which include not only basic information, but also evaluations of commercial risk, financial situation, of establishments, commercial references, commercial policies, shareholders, and occupational risk, among others. This platform uses sources of primary business information, taken from public sources and the media, and sources of secondary business information, which comes directly from the company.

While it has a complete record of essential information that could be useful for insurance companies, this information is not public, so payment must be made to access it. This is understood at present since a private company collects the data and consolidates it as useful information. However, if there were already a public access tool where it is mandatory for companies to register certain information, the costs to access it could decrease, the tool being public makes access simpler and updated.

In conclusion, it can be established that the different companies, especially insurance entities, rely on external sources of information to implement RegTech tools for an appropriate KYC and AML, facilitating the fulfillment of the information needs, providing updated, relevant, reliable, and valid information—information that is necessary to solve questions and make hiring and assurance decisionsFootnote 36.

6 Some Difficulties in Its Application

Finally, following the concept of the author Nizan Geslevich PackinFootnote 37, it is worth highlighting some difficulties in the RegTech application that cause it to be infrequently used with respect to the challenges of corporate governance, among which the following can be highlighted:

  1. 1)

    The motivation of market participants to assist in the formation of a common solution is unclear. In this sense, the cost/benefit analysis for compliance with regulatory obligations is partial, since it only covers the individual operational response of a specific entity, rather than the entire industry, which limits the ability to devise a common solution.

This difficulty would not be visible in the proposed registry, since a Registry with the aforementioned information and characteristics would provide important solutions for a large percentage of companies not only in the insurance industry but also in different sectors of the economy. In this sense, as indicated above, a Registry with general and accounting information, and with the main transactions, would provide assurances to companies at the time of hiring, having security of the identification and knowledge of their client, which in turn facilitates regulatory compliance and prevents fraudulent activities.

  1. 2)

    There is a lack of a general mandate or even an established standard on RegTech solutions. As indicated by the author, technology providers, finance companies, and legislators are reluctant to establish dialogue on common solutions, making their implementation more difficult for companies.

This approach is shared with the author since RegTech and the possible solutions that its implementation can provide are currently seen as a scenario in the development process, which is why the information about it is scarce, even more so its possibilities of implementation.

Colombia is still in a process of identifying, recognizing, and starting the implementation of technology in different fields, which is why the lack of general knowledge and guidelines on RegTech results in its lack of use and homogeneity in policies that would have benefited all participants in an industry such as insurance.

Thus, a solution to this difficulty is the dialogue between the different parties that provide managing solutions for regulatory compliance, implementing technological tools, thereby providing greater visibility to RegTech solutions in achieving objectives and reducing operating costs.

  1. 3)

    The complexity in the connection and interaction of regulatory initiatives makes it difficult to adopt common solutions. In addition, difficulties in relation to data protection can constitute an obstacle to the efficient exchange of information.

As stated, the difficulty related to the security of the information and the privacy of the same within a company is recognized. Although the obligation for certain information is proposed to facilitate its access and consultation, the problems that this could bring with it on data protection is undeniable. Thus, it is necessary for RegTech tools and the proposed single business registry to use technology not only to guarantee the transparency of the information and provide access to it for multiple actors, but also to give security in the proper handling of such information by the companies.

7 Conclusions

Aiming for an adequate regulatory compliance within a company, as well as the need for business efficiency in relation to decision-making for contracting with different clients, thereby preventing and controlling the performance of illegal activities by the insured, the implementation of RegTech was shown as an alternative that facilitates the fulfillment of such objectives, allowing in its application not only the adequate compliance with the legislation and regulatory loads through utilization of data but also providing security and reducing costs.

As authors such as Douglas W. Arner, Jànos Barberis & Ross P. BuckleyFootnote 38 point out, the implementation of RegTech is not only justifiable in making a financial regulation more effective and affordable for the different stakeholders, but it can also be implemented as a mechanism to reconceptualize and redesign financial regulation, taking into account the transformations that the market has undergone in this regard.

Considering the relevance of the certification and business registration entities, the implementation of a single business registry with sufficient data for each company taken from different entities within a country, such as the Chamber of Commerce and DIAN, in the Colombian case, was shown as an important element of RegTech application for the consultation of customer information, thus generating an adequate KYC and AML.

Insurance entities can adopt a single registry to develop customer awareness or anti-laundering tools and improve their own compliance from the decisions made by corporate government, thus, a corporate government that is solely responsible for making decisions is not enough. Decisions which are usually based on internal information sources must necessarily use external sources such as the single registry to have sufficient knowledge and provide the insurance company with tools for an adequate risk analysis.

To this extent, for the insurance companies to achieve optimal KYC and AML, the single registry must have the general accounting and financial information of each period as mandatory information. This registry and its subsequent implementation by the corporate government of each company is the best vehicle to achieve a complete business KYC and AML that favors not only the insurance industry, but generally the important sectors of the industry in decision-making.

The idea that business records are the central axis of the KYC of our society is defended, having important functions in preventing the risk of identity theft, such as knowledge of the activities and transactions made, alerting risky actions.

Based on the above, it can be pointed out that the way companies use information is an aspect that allows them to generate competitive advantages between organizations. Thus, as Patricia González and Tatiana BermúdezFootnote 39 point out, the strategic use of information is useful in decision-making, providing changes that have representation and create knowledge.

In the field of insurance companies, having sufficient information through a complete business registry that has the adequate resources and data for greater facilities when providing their services is extremely important, since taking into account the insurance activity which is based mainly on the acceptance and management of risks from third parties, the use of such information reduces the risks inherent to the activity, generating significant advantages for companies not only in their processes but also in economic terms.

Based on the above, to the extent that insurance companies have access to a varied information system associated with clients and therefore to risks, they will have more adequate tools for making business decisions. Having a greater knowledge of the insured object, that is, of the risk and its client, which, as the author Andrea LondoñoFootnote 40 points out, empowers the insurance companies to implement:

  1. (i)

    Mejores políticas de suscripción y mitigación de riesgos (contragarantías o garantías en los Contratos de Seguros), mejores esquemas de tarifación (Pricing)

  2. (ii)

    Mejores y más adecuados productos a ser ofrecidos a los consumidores, a la luz de sus necesidades reales y hábitos de consumo y

  3. (iii)

    Mejor y más eficiente diseño y manejo de reclamaciones y políticas antifraude

Translated to English as follows:

  1. (i)

    Better underwriting and risk mitigation policies (counter-guarantees or guarantees in Insurance Contracts), better pricing schemes (Pricing)

  2. (ii)

    Better and more suitable products to be offered to consumers, considering their real needs and consumption habits

  3. (iii)

    Better and more efficient design and handling of claims and anti-fraud policies

In conclusion, it is important that corporate governments, especially the ones at the insurance market, seek the implementation of RegTech tools that facilitate regulatory compliance. A crucial strategy is the single business registry that has a complete and detailed information on each of the companies to guarantee an efficient KYC and AML appropriate to their needs.

Finally, it can be seen how the application of RegTech still present some difficulties that must be solved so it can be implemented optimally. However, with existing tools, it is possible to use RegTech in a country like Colombia to facilitate information-based decision-making for insurance companies, which minimizes their risks and facilitates regulatory compliance.


  1. 1.

    Cermeño (2016).

  2. 2.

    Arner et al. (2017), p. 377.

  3. 3.

    Rincon (2020).

  4. 4.

    Rincon (2020).

  5. 5.

    Frankenfield (2019).

  6. 6.

    Deloitte (2016), 07.

  7. 7.

    Deloitte (2016), 07.

  8. 8.

    Arner et al. (2017), p. 383.

  9. 9.

    Arner et al. (2017), p. 377.

  10. 10.

    Rincon (2020).

  11. 11.

    Bonzom (2011).

  12. 12.

    Rincon (2020).

  13. 13.

    Kurum (2020).

  14. 14.

    Kurum (2020).

  15. 15.

    Arner et al. (2017), p. 391.

  16. 16.

    Arner et al. (2017), p. 395.

  17. 17.

    Cascón (2019), p. 197.

  18. 18.

    Cascón (2019).

  19. 19.

    Montañez et al. (2017), p. 27.

  20. 20.

    Fasecolda (s.f.).

  21. 21.

    Tejeira (2015).

  22. 22.

    Geslevich (2018), p. 198.

  23. 23.

    Woolard (2016).

  24. 24.

    Butler and O’Brien (2019), p. 97.

  25. 25.

    Butler and O’Brien (2019), p. 40.

  26. 26.

    Geslevich (2018), p. 194.

  27. 27.

    Oracle (s.f).

  28. 28.

    Falotico (2017).

  29. 29.

    Falotico (2017), p. 24.

  30. 30.

    Bank of Spain (2002).

  31. 31.

    Bank of Spain (2002).

  32. 32.

    Bermúdez (2018), p. 62.

  33. 33.

    Arias and Portela (1997), p. 11.

  34. 34.

    Arias and Portela (1997), p. 12.

  35. 35.

    Virtual UMB (s.f).

  36. 36.

    ComuExter13 (2017).

  37. 37.

    Geslevich (2018), p. 211.

  38. 38.

    Arner et al. (2017), p. 402.

  39. 39.

    González and Bermúdez (2010), p. 86.

  40. 40.

    Londoño (2018).


Download references

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Erick Rincón Cárdenas or Valeria Martinez Molano .

Editor information

Editors and Affiliations

Rights and permissions

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Reprints and Permissions

Copyright information

© 2022 The Author(s)

About this chapter

Verify currency and authenticity via CrossMark

Cite this chapter

Cárdenas, E.R., Molano, V.M. (2022). Business Registration Data as the Best Vehicle to Achieve KYC and AML for Business. In: Marano, P., Noussia, K. (eds) The Governance of Insurance Undertakings . AIDA Europe Research Series on Insurance Law and Regulation, vol 6. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-85816-2

  • Online ISBN: 978-3-030-85817-9

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)