Know Your Customer (KYC) requirements in the UK

Identity verification & KYC requirements in the UK

The United Kingdom (UK) has the world’s fifth largest economy, is the largest financial services provider in the world, and, according to the independent intergovernmental Financial Action Task Force (FATF), is “a global leader in promoting corporate transparency.”

Therefore, it’s not surprising the UK has robust Anti-Money Laundering (AML) and Know Your Customer (KYC) laws and regulations. These include requirements that organizations such as the following verify individual and business identities:

  • Credit and financial institutions
  • Payment companies
  • Electronic money institutions
  • Money service businesses
  • Gaming and casinos
  • High-value dealers
  • Estate agents
  • Independent legal professionals who offer financial or real property transaction services

Note that different industry sectors can have different thresholds, standards and regulators, so it’s imperative to understand the specific requirements of the applicable sector.

KYC requirements for UK banks and financial services

The Financial Conduct Authority (FCA) — the UK regulator for financial services firms and financial markets — is well known for its forward-thinking approach to innovation. Consider the rate of fintech adoption; the UK ranks as the second highest in the world. Many new developments in the field, from the concepts of regulatory sandbox and Open Banking to the idea of RegTech itself, originated in the UK and are a result of collaboration and engagement between the FCA and fintech companies.

The FCA, in general, favors a risk-based approach, focusing on the outputs rather than specific AML laws and rules: “firms must have in place policies and procedures in relation to customer due diligence and monitoring, among others, but neither the law nor our rules prescribe in detail how firms have to do this.”

In terms of performing proper Customer Due Diligence (CDD), there are three requirements according to the 2017 updated AML regulations:

(a) identify the customer

(b) verify the customer’s identity

(c) assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction

While the law itself does not offer specifics, the UK Government offers a Good Practice Guide: Identity proofing and verification of an individual. The Guide specifically mentions checking an individual’s identity digitally as an option.

According to the Guide, there are five parts of identity checking:

  • Getting evidence of the claimed identity (“strength”)
  • Checking the evidence is genuine or valid (“validity”)
  • Checking the claimed identity has existed over time (“activity”)
  • Checking if the claimed identity is at high risk of identity fraud (“identity fraud”)
  • Determining whether the identity belongs to the person who’s claiming it (“verification”)

One interesting observation is that not all steps must be performed at once. This speaks to the risk-based approach: as the risk level increases, the need for confidence in the identity increases, and thus more identity checks are called for. This type of approach aligns with onboarding best practices, signing up visitors quickly and easily and deferring complex requirements until later in the process.

This identity checking process calls on firms to collect various identity evidence pieces to build an identity profile. The number of pieces, the score for each piece and which part of the process is being checked factor into a confidence level for that identity profile.

A critical element of identity checking is having an authoritative source for the information. Protecting the integrity of the information and ensuring the information is up to date are powerful contributors to improving the confidence level.

KYC requirements for corporations

Just as obliged entities must perform identity checking on individuals, they also need to check businesses. The 2017 AML Regulations provide more specific requirements:

Where the customer is a body corporate, the obliged entity

(a) must obtain and verify—

  • (i) the name of the body corporate;
  • (ii) its company number or other registration number;
  • (iii) the address of its registered office, and if different, its principal place of business;

(b) must take reasonable measures to determine and verify—

  • (i) the law to which the body corporate is subject, and its constitution (whether set out in its articles of association or other governing documents);
  • (ii) the full names of the board of directors (or if there is no board, the members of the equivalent management body) and the senior persons responsible for the operations of the body corporate.

To comply with the UK’s obligations under 4AMLD and 5AMLD, not only must the corporate information be acquired in the course of doing business, so must the beneficial ownership — “the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”

In the UK, a beneficial owner is referred to as a Person of Significant Control (PSC). PSC information must be reported to Companies House, the UK register, within 14 days of any change, including:

  • Name
  • Date of birth
  • Nationality
  • Service address
  • Usual residential address (not disclosed)
  • Date they became a PSC
  • Type of PSC conditions
  • If there’s an application for public disclosure protection

KYC for gaming

The UK Gambling Commission is the regulator in charge of overseeing people and businesses that provide gambling in the UK. New identity verification requirements for licensed online gaming operators were mandated to take effect on May 7, 2019.

The new rules expressly prohibit any gaming activity before age verification, obligating gaming operators to refrain from accepting any bets before the user’s age is verified. There are also CDD requirements for those who:

  • Exceed a threshold limit of €2000
  • Are on a self-exclusion scheme, having put themselves on a list to stop gambling such as Gamstop
  • Are particularly risk-sensitive, such as a politically exposed person

The rules require remote licensees to:

  • Verify, as a minimum, a customer’s name, address and date of birth before allowing them to gamble
  • Ask for any additional verification information promptly
  • Inform customers, before they can deposit funds, of the types of identity documents or other information that might be required, the circumstances in which the information might be required and how it should be supplied to the licensee
  • Take reasonable steps to ensure that their customers’ identity information remains accurate.

KYC for cryptocurrencies

As of January 10, 2020, the FCA has been the AML/KYC regulator of UK cryptoasset businesses, which includes firms involved with exchange tokens (such as Bitcoin). These businesses need to be in compliance with the same AML regulations mentioned above for banks and financial services.

As the FCA states:

“Our supervisory approach to cryptoasset businesses will be in line with our approach to other businesses under the MLRs (money laundering rules).”

To that end, cryptoasset businesses must register with the FCA. Existing cryptoasset businesses, which applied before December 16, can still operate under the Temporary Registration Regime 2020 until the extended date of March 31, 2022.

As of October 2021, only 13 businesses have successfully registered with the FCA, and over 200 are pending. Many businesses withdrew, or had their applications rejected, and either moved to other jurisdictions, closed their operations or simply continue to operate without registration.

The future of UK regulatory developments

There was speculation that Brexit would lead to the FCA softening its regulatory stance to bring in more business to the UK. However, if the level of fines is any indication, this doesn’t seem to be the case. In 2021, the FCA issued fines of £577m, an almost 400% increase from the previous year and a six-year high. The two biggest fines, which totaled £329m, were for AML compliance failures.

A forward-thinking approach to regulations and technology is a significant positive for the UK. The country takes a balanced approach: allowing new financial technologies to sprout up and develop without over-regulating, ensuring international standards are met while delivering corporate transparency, and enabling gaming operators to deliver new and exciting opportunities while still providing oversight. This balanced approach is creating a vibrant and growing financial sector. This balanced approach to identity — encouraging new online services while simultaneously fighting fraud and money laundering — is a smart strategy that serves consumers, businesses and governments.