The Koala in the KYC: The Difference Between a “Presence Check” and a Real Control 🐨
Published on: Thu Nov 02 2023 by Ivar Strand
A recent, documented case in the financial technology sector provides an instructive lesson for anyone responsible for fiduciary oversight. A digital platform’s automated Know Your Customer (KYC) process, which required new users to upload a photo of a government-issued ID, was successfully completed by an individual who instead submitted a picture of a koala.
While the incident is superficially amusing, it is a clear illustration of a widespread and significant vulnerability in many digital control systems. It reveals the critical difference between a simple “presence check” and a substantive control.
The Anatomy of the Failure: Presence vs. Content
The failure in the KYC process was not a bug in the traditional sense; the system performed exactly as it had been programmed to. The flaw was in the design of the control itself. The system was built to perform a presence check.
- A presence check verifies that a required action has been taken, but not the quality or validity of that action. In this case, it checked that a file with an accepted image format (e.g., `.jpg`) had been successfully uploaded to the mandatory ID field.
The system was not, however, programmed to perform a content check.
- A content check analyzes the substance of the uploaded file to ensure it meets specific criteria. A true KYC control would have used machine vision or optical character recognition (OCR) to verify that the image actually contained the features of a passport or driver’s license.
The system’s control was a form of “security theater”—a process that provided the appearance of security while lacking any substantive verification, thereby creating a false sense of assurance for auditors and compliance officers.
A Widespread Vulnerability in Supporting Documentation
This is not an isolated issue limited to KYC processes. The same fundamental weakness exists in countless business processes across all sectors, including international development, that rely on the submission of “supporting documents.”
- Expense Reporting: A system may require that a receipt be attached to every expense claim over a certain value. However, many systems only perform a presence check, verifying that a file was uploaded, not that the file is a valid receipt corresponding to the claim’s date and amount.
- Procurement: A vendor onboarding process may require the submission of a business registration certificate. A simple presence check can be satisfied by a user uploading a blank PDF or an unrelated document.
- Grant Reporting: A sub-grantee may be required to submit a signed, narrative progress report. The system may confirm that a file named “Progress_Report.pdf” has been uploaded, without any ability to verify its content.
In each of these cases, a superficial audit could easily conclude that a control is in place and functioning. The “receipt attached” field is populated, and the transaction is processed. The underlying risk remains entirely unmitigated.
Moving Towards Substantive Verification
The lesson from the koala is that our systems and our assurance methodologies must evolve.
For system design, this means moving beyond simple presence checks. Technologies like OCR and basic machine vision are increasingly accessible and can be deployed to perform rudimentary content verification—classifying documents and extracting key information for validation.
For auditors and monitoring agents, this means our testing must become more sophisticated. Verifying a document upload control is not complete until one has actively attempted to subvert it. The test script for any such control should now include a step to “upload an irrelevant image or a blank file” to see if the system correctly rejects it.
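The contrast between a presence check and a content check, together with the auditor's subversion test described above, as an added example (not code from the platform in the case or from the author). It narrows the content check to one passport feature, a machine-readable zone with valid ICAO 9303 check digits, and assumes an upstream OCR step has already produced `ocr_text`; the function names, accepted extensions and sample inputs are constructed for illustration.

```python
import re

ACCEPTED_EXTENSIONS = (".jpg", ".jpeg", ".png")  # assumed list of accepted formats
MRZ_LINE = re.compile(r"[A-Z0-9<]{44}")          # one line of a passport (TD3) MRZ

def presence_check(filename: str, data: bytes) -> bool:
    """The weak control: a non-empty file with an accepted extension was uploaded."""
    return bool(data) and filename.lower().endswith(ACCEPTED_EXTENSIONS)

def _value(ch: str) -> int:
    """ICAO 9303 character value: digits as-is, A-Z -> 10..35, '<' filler -> 0."""
    if ch.isdigit():
        return int(ch)
    return 0 if ch == "<" else ord(ch) - ord("A") + 10

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: repeating weights 7, 3, 1, sum taken modulo 10."""
    return str(sum(_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def content_check(ocr_text: str) -> bool:
    """Accept only if the OCR text holds a passport MRZ whose check digits verify."""
    lines = [ln.replace(" ", "") for ln in ocr_text.upper().splitlines()]
    lines = [ln for ln in lines if MRZ_LINE.fullmatch(ln)]
    for first, second in zip(lines, lines[1:]):
        if not first.startswith("P"):
            continue
        checked_fields = [
            (second[0:9], second[9]),     # document number
            (second[13:19], second[19]),  # date of birth
            (second[21:27], second[27]),  # date of expiry
            (second[0:10] + second[13:20] + second[21:43], second[43]),  # composite
        ]
        if all(check_digit(field) == digit for field, digit in checked_fields):
            return True
    return False

# Constructed inputs: the specimen MRZ published in ICAO Doc 9303 (fictional
# state "UTO"), the empty text OCR yields for a koala photo, and a tampered copy.
PASSPORT_OCR = ("PASSPORT\n"
                + "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<") + "\n"
                + "L898902C36UTO7408122F1204159ZE184226B<<<<<10\n")
KOALA_OCR = ""
TAMPERED_OCR = PASSPORT_OCR.replace("7408122", "7508122")  # birth year altered

def audit_upload_control(filename: str, data: bytes, ocr_text: str) -> dict:
    """Run both controls on one submission so their verdicts can be compared."""
    return {"presence": presence_check(filename, data),
            "content": content_check(ocr_text)}
```

A control that passes the audit test returns `content: False` for the koala and the tampered submissions even though `presence` is `True` for both.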
The integrity of a financial process depends on the substantive quality of its controls, not the mere existence of procedural steps. True, technology-driven monitoring requires a deep inquiry into how these controls actually function. It is our responsibility to ensure the systems we rely on can, in fact, tell the difference between a passport and a koala.