| I used to be involved in a UK based startup (as a developer) where we would create a bank account for our customers as a part of the product. The AML/KYC process was outsourced. The customer would go through the registration form, provide their details, and then we would hit up the third party AML/KYC API, which would come back with details on the additional information required. We would then have to chase up the customer for this information (usually a picture of their passport/utility bill, that sort of thing) and provide this back to the third party handling AML/KYC, who would then give authorization to another third party to create the actual bank account. The whole thing seemed ripe for abuse. After a bank account was created, at no point was the customer contacted by the third party to tell them a bank account had been created in their name. If I was malicious and knew somebodies address history, DOB and had a picture of their passport, I could create a bank account for them with a couple of API calls, and they wouldn't have a clue. It used to be that to get a bank account you would have to physically go to the bank and meet a human being first, but we’ve moved away from that. We were closely watched by, and regularly in touch with, the FCA who didn't have any problem with what we were doing. |