Article 7 min

KYCC – Know Your Customer’s Customer

Know Your Customer’s Customer

A front. A shell. A dummy corporation. While there are many ways to name it, the purpose is to shield another company from liability or scrutiny. There are legitimate reasons for setting these up in many cases, such as protecting privacy or limiting liability.

Most of us suspect that, mainly, these are just ways to hide or launder money or other nefarious activities. There are often fewer restrictions on shell companies; many countries have strict Know Your Customer (KYC) laws that don’t extend to shell corporations or similar entities. However, that is changing as the demand to close loopholes increases and countries start to regulate laws that fall under the heading ­­­Know Your Customer’s Customer (KYCC).

KYC laws stipulate financial institutions and other regulated entities must:

  • Establish customer identity,
  • Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate),
  • Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities.

KYCC takes requirements to the next level and looks at who your customers are doing business with, their sources of funds and its legitimacy, and the risk that these third parties are laundering money.­­ One example, since the Panama and Paradise Papers, regulators now spotlight beneficial ownership and the complex paths of hiding money it enables. Jurisdiction after jurisdiction is passing new laws or strengthening existing rules to combat layering ownership to hide funds.

But even these changes don’t seem to have gone far enough. Consider the release in September 2021 of the Pandora Papers, which shows the labyrinthine corporate structures used by some of the world’s richest people. Using opaque shell companies, these rich and famous hide their wealth and often avoid paying taxes, adding to inequality.

Garient Evans, Trulioo SVP of Identity Solutions, states “In a time when wealth inequality is growing and the pandemic has created more need for tax revenue, the hiding of extreme wealth has hit a raw nerve. Laws to understand who is behind corporate shells are on the books but more needs to be done. Any government that wants to keep the will of the people needs to ensure that they are no loopholes to fairness and equality.”

Beneficial ownership requirements around the world

United States

In the U.S., the Customer Due Diligence (CDD) Final Rule went into full effect May 11, 2018: “Specifically, the rule contains three core requirements: (1) identifying and verifying the identity of the beneficial owners of companies opening accounts; (2) understanding the nature and purpose of customer relationships to develop customer risk profiles; and (3) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

Once the Corporate Transparency Act comes into effect, U.S. companies will have to report their Ultimate Beneficial Owner (UBO) information to the Financial Crimes Enforcement Network (FinCEN). Any new incorporation or significant UBO change will need to be reported. Any company formed before the Act’s effective date will have two years to report to FinCEN. The regulations implementing the reporting requirements must be in place by January 1, 2022, with an effective date to be determined.


In Europe, the 4th AML Directive came into effect June 26, 2017, and has significant initiatives regarding beneficial ownership. As the commission notes, “understanding the beneficial ownership of companies is at the heart of the risk mitigation of financial crime and of prevention strategies for regulated firms.”

Since then, all EU Members have passed country-specific laws to meet the Directive requirements. Two newer Directives (5AMLD and 6AMLD) called for company registers and interconnecting them with the European platform. While most Members now have a UBO Register in place, not all are publicly available. There are significant calls for a Pan-European compliance regime which would, most likely, include specific requirements for UBO reporting.


In Canada, new regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) came into full effect on June 17, 2017. Reporting companies must consider: “any new developments in respect of, or the impact of new technologies on … clients, business relationships, products or delivery channels or the geographic location of their activities”; and any risk resulting from the activities of an affiliated Canadian financial entity, amongst others.

As of June 1, 2021, all Reporting Entities must now report beneficial ownership information. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) states, “You must take reasonable measures to confirm the accuracy of the beneficial ownership information when you first obtain it and in the course of conducting ongoing monitoring of your business relationships.” These measures include the entity’s CEO and screenings for politically exposed persons (PEPs) or heads of international organizations (HIOs).

Know the beneficiary of your clients’ activities

It’s not just a legal compliance issue; to properly manage your institution’s risk, to protect against infiltration by illicit funds, you need to know the beneficiary of your clients’ activities. Whether it be another entity, an owner, a partner, a customer, a supplier, or another relationship, each could be the source or destination of questionable funds. Extend the same steps and procedures you take to Know Your Customer to their entire network of connections.

Effective third-party due diligence policies, screening and processes are necessary to protect your organization and manage risk. Systematically thinking about your business relationships, the potential exposures they could incur, what steps you need to implement, and how you can operationalize and review those procedures is smart business — and proper compliance.

Due diligence over your entire supply chain also supports risk mitigation. If, for example, a supplier risk profile shows that the supplier is non-compliant with a law your business must comply with, that information can feed into the contracting stage as a contractual requirement: the supplier must make all commercially reasonable efforts to become compliant.

Although this can be substantially more work and cost, depending on the circumstance, the alternative is worse; fines, losses and reputational damage due to allowing illegal funds to channel through your institution.

Solutions and best practices to ease the burden of KYCC compliance

On the positive side, new technologies and processes are available to cut the cost and workload while still delivering effective KYCC risk management. One potential solution is KYC registries or, in Europe, a central depository. The concept is that instead of every institute doing their Customer Due Diligence on their own, they’d pool their resources and share third-party registration data. There are already a few initiatives on this front, but it’s still early days for any final determination if these will become successful.

One solution currently powering compliance systems across borders is electronic identity verification (eIDV). Agile and fast-growing businesses in regulated industries are integrating eIDV for quicker, smoother and cost-effective identification for all parties of a proper KYCC analysis. Digital business onboarding processes that replace cumbersome, slow paper processes are one effective way in improving KYCC compliance.

Evans points out “the systematic need for understanding the true nature of corporate ownership is deepening. But, business verifications need to be cost- and time-effective, or otherwise the process becomes untenable. The Know Your Business product by Trulioo is built to solve this problem – the product provides direct connection to government databases via a real time API to ensure you know who you’re dealing with.”

As the complexity and interconnection of financial relationships deepen and spread, the requirements to track and monitor these relationships will similarly expand. Regulators won’t accept the corruption and tax avoidance of money laundering and the danger of terrorist financing. Financial institutions can’t accept the higher risk of fraud and non-compliance. KYCC is an unstoppable trend and innovative companies need to craft an effective KYCC strategy to set themselves up for the new reality.

This post was originally published on March 9, 2017. It has been updated to reflect the latest industry developments and best practices.