KYC: 3 Steps to Know Your Customer
Know Your Customer (KYC) procedures are a critical function to assess and monitor customer risk; they are also a legal requirement to comply with Anti-Money Laundering (AML) laws.
Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face possible fines, sanctions, and reputational damage if you do business with a money launderer or terrorist. More importantly, KYC is a fundamental practice to protect your organization from fraud and losses resulting from illegal funds and transactions.
“KYC” refers to the steps taken by a financial institution (or business) to:
- Establish customer identity
- Understand the nature of the customer’s activities (the primary goal is to be satisfied that the source of the customer’s funds is legitimate)
- Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities
Creating and running an effective KYC program requires the following elements:
1) Customer Identification Program (CIP)
How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 16.7 million US consumers and accounting for 16.8 billion dollars stolen in 2017. For obliged entities, such as financial institutions, it’s more than a financial risk – it’s the law.
In the US, the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures.
The desired outcome is that obliged entities accurately identify their customers.
A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level.
The minimum requirements to open an individual financial account are clearly delimited in the CIP:
- Date of birth
- Identification number
While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both.
These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff and executives, and for the benefit of regulators.
The exact policies depend on the risk-based approach of the institution and may consider factors such as:
- The types of accounts offered by the bank
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations
For any financial institution, one of the first analyses made is to determine whether you can trust a potential client. You need to make sure a potential customer is trustworthy; customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and Politically Exposed Persons (PEPs) who might present a risk.
There are three levels of due diligence:
- Simplified Due Diligence (“SDD”) applies in situations where the risk of money laundering or terrorist funding is low and a full CDD is not necessary. For example, low value accounts or accounts.
- Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislation, it’s up to a financial institution to determine their risk and take measures to ensure that their customers are not bad actors.
Some practical steps to include in your customer due diligence program include:
- Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer.
- When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally.
- Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required include, but are not limited to, the following:
  - Location of the person
  - Occupation of the person
  - Type of transactions
  - Expected pattern of activity in terms of transaction types, dollar value and frequency
  - Expected method of payment
- Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit.
It’s not enough to just check your customer once; you need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Depending on the customer and your risk mitigation strategy, some other factors to monitor may include:
- Spikes in activities
- Out of area or unusual cross-border activities
- Inclusion of people on sanction lists
- Adverse media mentions
There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual.
Periodic reviews of the account and the associated risk are also considered best practices:
- Is the account record up-to-date?
- Do the type and amount of transactions match the stated purpose of the account?
- Is the risk-level appropriate for the type and amount of transactions?
In general, the level of transaction monitoring relies on a risk-based assessment.
Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts, and other risk factors are usually more pronounced, so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB).
While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program:
Retrieve Company Vitals
Identify and verify an accurate company record such as information regarding register number, company name, address, status, and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows.
Analyze Ownership Structure and Percentages
Determine the entities or natural persons who have an ownership stake, either through direct ownership or through another party.
Identify Ultimate Beneficial Owners (UBOs)
Calculate the total ownership stake, or management control, of any natural person and determine if it crosses the threshold for UBO reporting.
Perform AML/KYC Checks on Individuals
For all individuals that are determined to be a UBO, perform AML/KYC checks.
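The ownership analysis and UBO calculation in the steps above can be sketched as follows. This is an added example, not code from the original article or any vendor: it multiplies stakes along each ownership chain and sums them per natural person, covering ownership only, not management control. The register entries, the names and the 25% threshold are constructed assumptions; the article states no threshold, and the real figure depends on the jurisdiction.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample register: (owner, owned entity, share held directly).
HOLDINGS = [
    ("Alice", "TargetCo", Fraction(10, 100)),
    ("HoldCo A", "TargetCo", Fraction(60, 100)),
    ("HoldCo B", "TargetCo", Fraction(30, 100)),
    ("Alice", "HoldCo A", Fraction(50, 100)),
    ("Bob", "HoldCo A", Fraction(50, 100)),
    ("Bob", "HoldCo B", Fraction(20, 100)),
    ("Carol", "HoldCo B", Fraction(80, 100)),
]
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}
UBO_THRESHOLD = Fraction(25, 100)  # assumption: set this per jurisdiction and policy


def effective_ownership(target, holdings, natural_persons):
    """Return ({person: total stake in target}, [circular (owner, entity) links])."""
    owners_of = defaultdict(list)
    for owner, entity, share in holdings:
        owners_of[entity].append((owner, share))
    totals, circular = defaultdict(Fraction), []

    def walk(entity, weight, path):
        for owner, share in owners_of.get(entity, []):
            if owner in path:
                # Cross-holding loop: record it for manual review, do not recurse.
                circular.append((owner, entity))
                continue
            stake = weight * share  # stake in the target carried by this chain
            if owner in natural_persons:
                totals[owner] += stake  # sum direct and indirect chains
            else:
                walk(owner, stake, path | {owner})

    walk(target, Fraction(1), frozenset({target}))
    return dict(totals), circular


def find_ubos(target, holdings, natural_persons, threshold=UBO_THRESHOLD):
    """List persons whose combined stake meets the threshold (>= is an assumption)."""
    totals, circular = effective_ownership(target, holdings, natural_persons)
    ubos = sorted(p for p, stake in totals.items() if stake >= threshold)
    return ubos, totals, circular


if __name__ == "__main__":
    ubos, totals, circular = find_ubos("TargetCo", HOLDINGS, NATURAL_PERSONS)
    for person, stake in sorted(totals.items()):
        flag = "UBO" if person in ubos else "below threshold"
        print(f"{person}: {float(stake):.0%} ({flag})")
```

In the sample data Carol holds 80% of one holding company yet ends up below the threshold in the target, while Alice crosses it only when her direct and indirect stakes are combined.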
It’s one issue to ensure KYC compliance; it’s an altogether far greater issue to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thomson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. Eighty-nine percent of corporate customers have not had a good KYC experience – so much so that 13 percent have actually switched to another FI as a result.
Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates that KYC compliance costs banks £47 million a year, while each check runs £10 to £100.
Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors.
All workflows, where possible, should take advantage of digital processes. There might be situations, such as outdated legislation or hard-to-change legacy requirements, where digital techniques can’t be used for KYC. However, these are the exception and are on their way out; full digital KYC is the future, and companies that fight it will find themselves on the losing side.
There are numerous reasons why eKYC will prevail:
The Thomson Reuters survey indicates that 30% of respondents stated it takes over two months to on-board a new client, while 10% indicate it takes over four months. This is damaging client relationships, has a negative impact on the brand, and is hurting revenue growth as some customers abandon the process. Faster eKYC processes improve all these factors.
Mistakes slow down the process and add to cost; eKYC can automatically check for errors and more quickly fix any mistakes.
While eKYC systems do have costs, their faster speeds, improved accuracy and better utilization of compliance resources provide better bang for the buck and improve scalability.
As regulations constantly change, compliance systems need to correspondingly change. eKYC workflows can change almost on the fly; in many cases, simply update a ruleset and you’re done.
eKYC, for the most part, is about using APIs to easily add functionality. With new APIs being added all the time, new capabilities are a simple integration away.
Digital data is seamlessly transferable in its native form to analytics, auditing, tracking and reporting systems creating opportunities for optimization and strategic analysis.
Not only is eKYC a quicker process, it is easier from the get-go for the customer. The entire process is often mobile or internet-only thus delivering a smooth, convenient experience.
Your compliance and legal teams are highly paid, intelligent and valuable resources. eKYC enables a better work environment resulting in a more engaged work force.
New technological developments continue to drive KYC solutions forward. From biometric data to AI, technology is offering better ways to identify customers, run due diligence checks and perform ongoing monitoring.
The combination of mobile data with traditional data sources can take KYC to the next level, adding an extra layer of authentication to help deliver a convenient, immediate and effortless customer experience, along with the necessary compliance and fraud-mitigation measures.
Connecting with real customers and foiling fraudsters in the mobile world is a challenge. While you have an array of verification methods and data available to you, accessing mobile data and leveraging it to ensure that specific criteria are met by legitimate customers adds an extra layer of protection. Simply put, it’s another tool to help reduce fraud risk, improve KYC standards, and just as important, secure an effortless experience for your mobile-minded customers.
Take the necessary steps to ensure that your organization meets compliance obligations. The traditional onboarding process for new clients is a time-consuming, labor-intensive, manual process that can lead to frustrating delays.
Find out how electronic identity verification enables financial institutions to comply with tough industry regulations without burdening customers.
KYC News Around the World
Ten years on from financial crisis, banks find KYC more confusing than ever
The complexity of know your customer (KYC) regulations continues to bite banks and is acting as a severe deterrent to the financing of trade.
Banks in South Korea to Reduce Crypto Traders Services without Proper KYC Verification
South Korean banks are setting barriers when it comes to offering services. In particular, those who do not abide by Korea’s cryptocurrency-based “Real-Name System”, will see reduced benefits.
FORUM: KYC Technology for Screening, Verification and Monitoring
Why is it so important for companies to know their customers against the backdrop of today’s regulatory environment?
The U.S. Treasury Wants to Know Your Customers, No Matter What the Currency
FinCEN, the Financial Crimes Enforcement Network, has indicated that cryptocurrencies will not get an enforcement “pass.”
Bitcoin Legitimized in EU Following New KYC Regulations
Bitcoin is set to find new legitimacy in the European Union as member states agreed to force cryptocurrency exchanges within its jurisdiction to collect identification data on their users in an effort to prevent money laundering.
Trulioo Releases First International Mobile KYC Solution
Combining mobile network carrier data with existing KYC sources is a real game-changer. MNOs offer enhanced coverage and convenience for identity matching, fraud prevention, proximity location, device information and call forwarding statuses.
While FATF has addressed a ‘perceptive leniency’ in the fight against money laundering, much needs to be done at ground level to control operational risks.
Canada’s IIROC reported that it continued to find dealers who failed to collect a client’s investment time horizon as part of their KYC processes.
$60 million. $300 million. One month, four months? Welcome to the well-meaning but truly inefficient world of onboarding and KYC — where financial services firms are mired in manual processes and where wait times are forever, and expensive.
In spite of heavy investments, FIs have been unable to optimally counter the growing peril of money laundering. Regulatory fines on FIs for KYC/AML related violations continue to rise.
Aadhaar-enabled electronic know your customer (KYC) process should be “firmly established” as the acceptable KYC, a panel with representatives from all financial sector regulators has proposed.
Money laundering is an ever expanding problem for the American insurance industry. An increasing number of individuals are using insurance accounts to hide money from federal taxation agencies – and the industry needs to step up and tackle the situation head-on.
The Monetary Authority of Singapore (MAS) is piloting a national know-your-customer (KYC) utility for financial services, based on the MyInfo digital identity service, jointly developed by the Ministry of Finance and GovTech, the lead agency for digital and data strategy in Singapore.
“The message to all financial institutions is clear: The cost of KYC checks is much too high, placing too much reliance on inefficient and error-prone manual processes,” says Steve Pannifer, COO, Consult Hyperion.
Alan Samuels, vice-president and head of product strategy for reference data services at Alacra, said: “There is a clear regulatory need for meeting high standards. This is creating more and more challenges for operational managers to build flexible, scalable processes and systems to be able to address use cases that have not yet even been articulated.”
The Government of India has notified six documents as ‘Officially Valid Documents’ (OVDs) for the purpose of producing proof of identity. These six documents are Passport, Driving Licence, Voters’ Identity Card, PAN Card, Aadhaar Card issued by UIDAI and NREGA Job Card.
Under Republic Act 9160 or the Anti-Money Laundering Act (AMLA), banks and other financial institutions, including remittance centers and pawnshops, are mandated to institute “know your customer” (KYC) rules that ensure the legitimate source of funds.
AUSTRAC has revised Chapter 4 of the AML/CTF Rules in a few small but significant ways. These changes came into effect on 16 September 2016.
The Bank of Thailand (“BOT”) has introduced a new regulation to facilitate the Know-Your-Customer (KYC) process by using an electronic means (“e-KYC”) for account opening for deposit acceptance or fund acceptance from public.
This post was originally published October 17, 2016, updated to reflect the latest industry news, trends and insights.