
Why robust KYC procedures are crucial for SaaS companies

Image: Adobe Stock / PST Vector

Vaidotas Šedys, Head of Risk Management at Oxylabs, explains the know-your-customer (KYC) challenges being faced by proxy and web scraping service providers.

Anti-money laundering (AML) efforts cost money, whether they are well-implemented or not. Non-compliance, however, costs more than investing in ensuring compliance.

For banks, know-your-customer (KYC) measures amount to 40% of all AML compliance costs, totalling $5.7 million each year. This sum is tiny, however, compared to what is paid for non-compliance. In 2022, the global fines for inadequate AML grew by 50%, almost reaching $5 billion. Danske Bank took the lion’s share with a $2 billion fine for misconduct in their Estonian branch.

Naturally, financial institutions face the highest requirements for AML and KYC. However, effective identification and vetting are important across industries, including for recruitment purposes, high-value transactions (such as real estate), and even education when it comes to verifying students.

Web data collection is another industry where effective KYC is crucial, due to the sensitivity of the product. Automated data scraping requires proxy server infrastructure that can be used for bad as well as for good. The bad part clearly manifested in a recent case of one major provider maliciously hijacking devices to create a botnet.

AML and KYC are usually associated with banks and financial institutions. What makes such measures important when providing proxy and data scraping services?

Dealing with data and information technologies can be just as sensitive as having a direct link to people’s finances. Proxies are intermediary servers between a client’s device and the internet. As such, they provide increased anonymity for the client and open their hands to various kinds of automation. This includes automated public web data collection, which is a useful asset for businesses, governmental and non-governmental agencies, as well as researchers.

By providing both proxy infrastructure and web scraping solutions, we put a powerful tool in our client’s hands. Naturally, we want to know who we are entrusting with this tool and how they are going to use it. It is necessary for protecting both our infrastructure and the general public from potentially harmful activity.

Recent high-profile cases in both financial industries and proxy services show that these standards are not always met with diligence. How can the public be sure that advertised ideals of ethical SaaS services are pursued in practice?

Even putting aside ethical concerns, implementing robust KYC standards is in the interest of business. In the case of proxies, you are putting your own infrastructure on the line when giving someone access to it, so you want to be able to trust them as much as possible. For example, having your servers used for illegitimate or harmful activity might get your IP addresses banned across commonly used online platforms and search engines. One badly checked client can make your product useless for the entire base of legitimate customers.

Additionally, reputational damage for companies that are revealed to enable criminal or malicious activity can be harmful even when no monetary fines are issued, especially in such a young and developing industry as data scraping, which is already ridden with misconceptions. Hopefully, these cases where KYC measures were less than ideal will clearly show that slacking in this area is, simply put, bad business.

Does compliance in proxy services differ from that in finances, and how is this reflected in risk management approaches?

In both cases, you have to know who you are dealing with. So, you need to verify that the person is who they say they are or have the authority to represent the institution they say they do. Here, we use the same highest-standard practices of checking all relevant public information and documentation as well as communicating with the customers as much as we deem necessary to manage risks.

The main difference is in use cases. In finance, they mainly look for transactions that assist in money laundering, organised crime, and terrorist financing.

As for us, we have to ask each client what exactly they want to do with our tools. There are many known ways someone can use these tools, from price aggregation to market monitoring. Additionally, with constant development in the IT sector, there is always room for discovering new use cases and workflow improvements with the help of proxies and web scrapers.

We have to make sure that these improvements are going to be made to non-harmful, legitimate tasks. With some types of data gathering, we will help researchers looking to advance knowledge but not, for example, companies that want to launch spam marketing campaigns. Then, there are applications that have no known legitimate use cases – they are rejected by default.

Gaming might be an interesting example. Although it seems like a perfectly innocent activity, there are hardly any legitimate use cases for using proxies on gaming platforms. Usually, they are used by hackers aiming to steal player accounts by combining brute force and previously obtained data. The accounts or in-game items can then be sold for profit.

So, the burden of proof would be on the client to explain how exactly they could use proxies for gaming legitimately and in accordance with the platform’s rules. Without such an explanation, using our tools on gaming platforms would not be approved.

After verifying the client and approving the use case, the third stage is ongoing due diligence. We have to check in to see that our tools are used for agreed-on purposes and nothing else.
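An added illustration of the ongoing due diligence stage described above (example code written for this article, not Oxylabs' own tooling): it tallies one client's proxy requests by target-site category from a constructed access log and flags the account when traffic drifts outside the categories agreed for its approved use case. The use-case catalogue, host categories, log format and client names are all assumptions.

```python
from collections import Counter

# Hypothetical catalogue: the target-site categories each approved use case
# is expected to touch; anything else is outside the agreed-on purpose.
APPROVED_TARGETS = {
    "price_aggregation": {"ecommerce"},
    "market_monitoring": {"ecommerce", "news"},
}

# Constructed host-to-category lookup (sample names, not real sites).
HOST_CATEGORY = {
    "shop.example": "ecommerce",
    "news.example": "news",
    "play.example": "gaming",
}

# Constructed proxy access log: "<client_id> <target_host> <status>" per line.
SAMPLE_LOG = """\
acme-42 shop.example 200
acme-42 shop.example 200
acme-42 shop.example 200
acme-42 shop.example 200
acme-42 news.example 200
acme-42 play.example 403
other-7 play.example 200
"""

def parse_log(text):
    """Yield (client_id, host) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1]

def review_client(client_id, use_case, log_text, threshold=0.2):
    """Tally one client's requests by target category and flag the account
    when more than `threshold` of its traffic falls outside the categories
    agreed for its approved use case. Unknown hosts count as 'uncategorised'
    (and therefore off-purpose) so an analyst is prompted to classify them."""
    allowed = APPROVED_TARGETS[use_case]
    counts = Counter()
    for cid, host in parse_log(log_text):
        if cid == client_id:
            counts[HOST_CATEGORY.get(host, "uncategorised")] += 1
    total = sum(counts.values())
    off_purpose = {c: n for c, n in counts.items() if c not in allowed}
    ratio = sum(off_purpose.values()) / total if total else 0.0
    return {"requests": total, "off_purpose": off_purpose,
            "off_purpose_ratio": round(ratio, 2), "flag": ratio > threshold}
```

A flagged result is a prompt for the check-in the interview describes, not an automatic decision: the same gaming hit can be a rejected-by-default target or an approved, justified exception.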

Speaking about the future, how is the always-evolving regulation going to affect compliance in the industry?

I think the effect is going to be positive. For example, the European Union is going for a new stage of digital verification with the European digital identity or eID framework. This new regulation will make it easier for EU citizens and companies to identify themselves and share only necessary information.

Things like that make our work easier. Generally, additional authority providing standards and guidance for compliance is good for our industry. It helps assure our customers and equalise the competitive conditions. We welcome it.

Vaidotas Šedys
Head of Risk Management at Oxylabs
