Know Your Customer (KYC) refers to the process institutions use to verify the identities of their customers and ascertain what fraud risks they may pose. The premise is that knowing your customers — performing identity verification, reviewing their financial activities, and assessing their risk factors — can keep money laundering, terrorism financing and other types of illicit financial activities in check.
The U.S. Treasury has had legislation in place for decades directing financial institutions to assist the government in detecting and preventing money laundering. In an evolution of these regulations, KYC processes were introduced in 2001 as part of the Patriot Act. They were further strengthened in 2016 by the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) rulings around customer due diligence (CDD).
Globally, the European Union’s (EU) General Data Protection Regulation (GDPR) took effect in May 2018. GDPR significantly restricts how institutions acquire and manage customer data. This regulation, along with the EU’s Second Payment Services Directive (PSD2), creates additional hurdles for organizations in meeting anti-money laundering (AML) and CDD procedures within the KYC compliance framework.
The ultimate aim of KYC is to confirm, with a high level of assurance, that customers are who they say they are and that they are not likely to be engaged in criminal activity. KYC is mandated for some organizations — primarily financial institutions — but for other businesses that voluntarily implement KYC procedures, it’s an important signal that the business is trustworthy and cares about protecting its customers.
Why are KYC Regulations Needed for Banks and Financial Services Companies?
If the last decade has taught us anything, it’s that a person’s online identity isn’t always what it appears to be. Data breaches, phishing schemes, identity theft, money laundering and other digital scams have wreaked havoc on organizations from every sector of the economy — from fintech services to dating sites to players in the sharing economy.
The intergovernmental Financial Action Task Force (FATF) estimated that in 2009, criminal proceeds from illicit funds generated from drug trafficking and organized crime amounted to 3.6 percent of global GDP, with 2.7 percent (or US$1.6 trillion) being laundered to disguise their illegal origin. On top of that, corporate losses from fraudulent online transactions are expected to reach $25.6 billion in 2020, according to Juniper Research.
Add to this the abundance of identity information housed online, which creates a goldmine for fraudsters. Digital identities act as a currency on the web, with specific data (e.g., Social Security numbers, email addresses, passwords, credit card numbers and medical records) fetching anywhere from 25 cents to $60 per record. Bad actors are exploiting all angles to obtain and utilize this data to their benefit.
To lessen the likelihood of these financial crimes, not to mention to protect their brand reputations, financial services organizations have a clear monetary incentive to accurately verify their users’ online identities through the use of KYC procedures.
KYC Process & Compliance Requirements
KYC compliance begins when an account is created (either in person or online) or a customer starts doing business with an organization. It also comes into play later, when the customer accesses that account. There are several important components to achieving KYC compliance.
Customer Due Diligence
One cornerstone of a strong KYC compliance program is conducting comprehensive customer due diligence (CDD) for all customers. Financial institutions need to know their customers and protect their financial ecosystems against criminals, terrorists and politically exposed persons (PEPs) who might present added risk.
Because business customers can vary in terms of their types of transactions, customers, locations, scale and business lines, CDD efforts will also differ, ranging from simplified to standard to enhanced CDD. In general, CDD will include verifying the identity of customers and understanding the monetary thresholds for required reporting and record retention, as well as the specific FinCEN rules governing different types of transactions.
In determining what level of due diligence is appropriate, a company should look for red flags relating to:
- Understanding of the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
Customer Identification Program
A second component of KYC compliance is the establishment of a Customer Identification Program (CIP) as a part of the onboarding process to “form a reasonable belief that (the business) knows the true identity of each customer.” In other words, a financial institution must verify the identity of every individual or business customer who wants to open an account.
Every CIP must have a risk-adjusted procedure to verify the identity of the account holder during customer onboarding. The minimum requirements to open an individual financial account include such personally identifiable information as the customer’s name, date of birth, address and identification number. Other risks that may be assessed include the type of account in question, typical transaction size, the quality of the information offered by the customer, the characteristics of the organization as a customer and the location(s) where the customer’s transactions originate or end.
Procedures for identity verification include reviewing ID documents, non-documentary methods (e.g., comparing information provided by the customer with consumer reporting agencies, public databases) or a combination of both.
When it comes to online customer onboarding, online identity verification is a must-have for CIP. New verification technologies are helping organizations meet their KYC and data privacy requirements, as well as successfully integrating with their back-end and customer-facing systems. For institutions that rely on a government-issued ID document and biometric verification, the online identity verification process generally consists of:
- Optical Character Recognition (OCR) to extract data from the ID document
- ID verification to ensure the ID is valid and unaltered
- Selfie capture and comparison to ID document to increase identity assurance
KYC and the Customer Experience
Emerging technologies for online identity verification are critical because KYC adds friction to the onboarding process as customers go through the necessary identity verification steps. Long wait times are expensive for banks and frustrating for customers who expect quick and easy interactions. In fact, research by Signicat found that more than 50 percent of retail banking customers in Europe abandoned their attempt to sign up for new financial services. The leading cause? The process simply took too long and was too onerous.
The challenge that every business faces, therefore, is how to balance KYC with the need for fast, efficient onboarding processes that deliver a positive customer experience.
It’s not enough to look at a customer’s risk profile only during the enhanced due diligence process of onboarding. Banks and other organizations must also look for signs of terrorist financing, suspicious activity or other high-risk behaviors throughout the course of the business relationship.
In general, once a customer has been identified and verified, there is no requirement to re-verify their identity. The exception is when there is a trigger event, for example:
- A product or service that you supply to the customer changes
- Concerns are raised regarding previous information collected and its validity
- Suspicions of money laundering are raised
By performing ongoing monitoring, businesses can implement a continuous risk assessment process that flags customers who may pose increased risks as circumstances change.
Ongoing monitoring calls for a periodic review of all information regarding clients, including oversight of their financial transactions and accounts based on thresholds developed as part of a customer’s risk profile. The emphasis is on organizations to develop clear, auditable processes to manage these ongoing checks.
The primary objectives of monitoring are to:
- Detect suspicious financial transactions (e.g., spikes in activities) and strengthen anti-money laundering efforts
- Keep client identification, beneficial ownership information and the purpose and intended nature of the business relationship record up to date
- Determine if customers are included on politically exposed persons (PEP), sanctions or adverse media lists after new account onboarding (i.e., when the initial vetting occurred)
- Identify unusual cross-border activities
These activities, which were once considered “best practices,” have moved to law, reflecting an increasing expectation from both global regulators and stakeholders that firms should be more aware of customer risk at all times.
Who Regulates KYC Compliance?
Oversight bodies across the globe have begun using mandates to bring digital identity verification and Know Your Customer to the forefront of the minds of businesses. In the United States, KYC and AML mandates (and their associated CDD requirements) stem from the 1970 Bank Secrecy Act and the 2001 Patriot Act. They were expanded in 2016 by the U.S. Treasury’s FinCEN and even by new state regulations, including California’s CCPA compliance rules.
Elsewhere, the EU, Asia-Pacific countries (APAC) and other regions have built upon or created their own compliance frameworks. In addition to GDPR, the EU has a new regulatory requirement, PSD2, to reduce fraud and make online payments more secure, as well as the 6th EU Anti-Money Laundering Directive (6AMLD). In Canada, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) oversees anti-money laundering and anti-terrorist funding regulations. And dozens of countries and international bodies follow the Financial Action Task Force’s recommendations regarding politically exposed persons and terrorist financing.
What is KYCC?
KYC processes require financial services companies to verify the identities of their customers, understand the nature of their transactions and assess their risk for money laundering or other financial crimes.
These rules are an essential foundation for ensuring trust among customers and limiting fraud. Increasingly, though, they are not enough. While the customer with whom you’re doing business may be legitimate, their customers may not be. The Panama Papers, for instance, revealed how easy it is for unscrupulous businesses, politicians and individuals to hide funds in offshore tax havens.
As a result, more regions are strengthening or passing new laws to combat the ability to hide ownership or funds. These new regulations are called Know Your Customer’s Customer, or KYCC, and they serve to make the end customer’s identity more transparent.
Compliance with KYC Requirements through Identity Verification
Companies are striving to grow their customer base through faster, easier and lower-cost digital channels, yet the current regulatory landscape creates many barriers to achieving those ideals. Customers want the convenience of signing up through digital channels, and they want the process to be quick and painless. Institutions, on the other hand, have to manage the realities of complying with KYC regulations, which can mean sending new customers out of their preferred (digital) channel for identity verification or making customers wait for days or weeks as their identities are verified.
These competing demands have created a clear need for KYC technologies that can transform an organization’s manual KYC and customer onboarding processes into a streamlined online approach.
The right solution needs to have these fundamental identity verification capabilities:
- Ability to accurately extract data from a wide range of ID documents (e.g., passports, government-issued IDs, driver’s licenses)
- Ability to verify the authenticity and validity of the ID document
- Ability to capture biometric data from the customer (e.g., selfie, fingerprint)
- Ability to compare the biometric data and the ID document to validate the customer’s identity
In addition to securely meeting these technical objectives, the ideal KYC solution must be scalable for companies with an international presence or global ambitions. This means, for example, that the solution can accommodate a wide range of national identification documents, based on where the company does business. Secondly, the solution must be effective, both in terms of its cost-effectiveness and its ability to create a positive customer onboarding experience.
The challenge and imperative for KYC are clear. We invite you to learn how Jumio’s end-to-end identity verification and authentication solutions can help.