Denmark is a digitally advanced country where every citizen has a CPR personal identity number. The CPR number allows a person to access bank accounts, health institutions, receive government letters, and sign documents and agreements through local services like NemID, NemID Signatur, CPR or MitID. The same system came in handy when the COVID vaccination program began across Denmark. Not only was it easy to implement, but it was also simple for users to understand as the process was familiar and already streamlined.If you’re a business that wants to onboard Danish clients or companies, keep reading to learn how to leverage the national identity verification scheme or verify data using other local sources. Denmark Anti-Money Laundering and Know Your Customer regulations In Denmark, Anti-Money Laundering (AML) laws are under the Money Laundering Act, which implements the EU’s 4AMLD and 5AMLD. The Danish regulatory agencies include the Danish Financial Supervisory Authority (FSA), and the Danish Business Authority. All obliged businesses need to perform customer due diligence procedures on their customers. The information requirements include: Name Address Social Security number Passport Driving license Birth certificate Using a prospect’s assigned CPR (Social Security) number makes onboarding Danish clients far more accessible and innovative than traditional methods. Pulling data from a vetted, local database using a prospect’s CPR number can instantly fill the form with the relevant data. The benefits of automated information filling for all essential particulars is hugely advantageous when lengthy or repetitive forms are involved, saving a vast amount of time.Verifying the data with other external sources provides greater security for your Know Your Customer (KYC) procedures, ensuring that all information is accurate.When it comes to personal onboarding, using NemID and CPR to verify one’s personal information like name, address, date of birth and citizenship leverages two-factor authentication (2FA), providing the utmost security. NemID also has an eSignature feature, allowing all onboarding practices to be digital. This 2FA works by simply logging in with NemID credentials, and when verified, they can digitally sign any document, keeping the onboarding process entirely online.Approximately 4.7 million Danish citizens use NemID, accounting for more than 55 million transactions monthly. Corporate onboarding made easier in Denmark Similarly, if you are an obliged business, you need to perform Know Your Business (KYB) procedures, including: KYC on natural persons associated with the business KYC on beneficial owners Clarification of a legal person’s ownership and control structure Purpose of the business relationship This information needs ongoing updating based on a risk-based assessment. The Danish government has implemented the same verification processes used in personal onboarding regarding businesses. All Danish companies require a CVR number, their unique business identity number they get from the Danish Central Business Register. You can pull the data from the local government database using the company registration CVR number and automatically fill the form with relevant data, including the names of individuals or the company’s address.You can also match information using a business’s CVR against data from other databases for greater accuracy. There are numerous ways to use these services in corporate onboarding, including verifying businesses quickly and securely. Business Verification is beneficial as corporate onboarding is notorious for taking several months to finalize, whereas this process can shave it down to just days without sacrificing compliance.With Trulioo, you can access Denmark’s digital identity systems and local and international databases to make onboarding more straightforward. Ease clients’ access to your services, save time and ensure you are compliant with Denmark AML/KYC requirements with a comprehensive identity verification solution. A risk-based approach is about understanding the risks your organization faces and creating controls for these risks based on prioritizing the damage they can do. Often used by compliance teams, the approach focuses efforts based on the level of risk. Regulators are increasingly turning toward a risk-based approach, as opposed to prescriptive measures, for many areas of compliance. When it comes to Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an inter-governmental body that sets international goals for AML, stated in 2012 that “the risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations.” How, though, can compliance determine what is the level of risk and what are appropriate measures to mitigate that risk? What are effective strategies and procedures to determine that the RBA is robust and that it protects the organization and meets the expectations of regulators? The benefits of a risk-based approach Consider why the FATF and regulators are proponents of RBA. If regulators provide specific criteria to meet, often taking measures to meet those criteria is the only step. Instead of creating resilient compliance programs that deter money laundering, it’s about getting over a minimum bar. Especially in the current pace of rapid technology developments, criminals always seem to be a few steps ahead of the regulators and legal system. The RBA approach bypasses the need to discover, understand, debate and implement specific measures to combat every new threat, so it’s more flexible, quicker to adapt and provides a common-sense philosophy to guide compliance to do the right thing. Are you considering the risks appropriately? Are you taking reasonable actions? There’s also a practical, bottom-line reality to RBA: spend more time, money and energy on those risks that are more dangerous and more likely to cause harm. Not all threats are equal, so why treat all threats the same? For example, a Know Your Customer (KYC) risk-based approach helps enable a better customer onboarding compliance program as it adjusts the verification levels based on risk factors. Low-risk customers are more quickly accepted, while higher-risk customers can have additional verification procedures added. The RBA approach is about thinking systematically about your business, customers, partners, regulators, and the security and risk environment. It’s the critical systems thinking and what regulators are looking for, not an occasional lapse or oversight. A solid compliance program is characterized by actively considering the possibilities and taking preventive actions. As Zhang Fan, CAMS, vice chairman, Macau Anti-Money Laundering Specialists Association, Bank of China, Macau states, regulated organizations “should consider the risk for money laundering as one of the angles for examining customers and business operations, while driving the gradual integration of various business operation management measures such as credit risks, market risks and operational risks.” The risk-based approach has three steps: determine the risk profile, implement effective risk controls and balance the residual risk. 1. Determine the risk profile Before any actual Customer Due Diligence occurs, the organization needs to have a risk assessment in place; what are the risk factors for that organization and how are they set up to deal with them? The first step is determining the risk profile, the inherent risk of an organization, which can vary widely based on factors such as these: What industry are they in? What jurisdictions are they in? What jurisdictions are their customers in? What types of products and services do they offer? What types of transactions are involved? What volume of transactions? What is the value of transactions? What types of companies do they deal with? Who owns and operates these companies? What third parties do they deal with? Identifying potential issues, understanding overall risk scenarios, and determining what risks and risk levels are appropriate to the institution helps limit the scope of compliance considerations. Not all organizations will accept all types of businesses, so establishing criteria focuses the organization on threats associated with the actual risk profile. Even then, risk assessments have an abundance of information to consider. One crucial consideration: does your organization have the expertise to gauge the risk adequately? Does it have the expertise in that field and the seniority to ensure that decisions are adequately considered? As one enforcement action by the Australian Transaction Reports and Analysis Centre (AUSTRAC) stated, “the unit responsible for monitoring the Bank’s domestic and foreign retail customer accounts was understaffed, and the personnel lacked the requisite knowledge and expertise to adequately perform their duties.” Fortunately, if there is sufficient expertise, there are numerous resources that provide guidance, knowledge and feedback to help deliver a robust risk assessment framework. The FATF is a goldmine of information and has the advantage of looking at money laundering from a global perspective. While the FATF does not set actual laws or regulations, they provide best practices. And, as their recommendations guide jurisdiction-specific implementations, adhering to their suggested practices does help create a long-term viable AML program. Another international organization, The Wolfsberg Group, also guides the management of financial crime risks. The Group represents 13 global banks that came together in 2000 to create AML guidelines for private banking. While many financial organizations might not offer those specific services, The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption provides deep insight into risk assessment thinking and procedures. 2. Implement effective risk controls A risk assessment also needs to consider the control effectiveness, that is, the mitigating measures that the organization puts in place: What governance structures exist? What are the policies and procedures? What are the KYC and due diligence systems? What other risk assessments require consideration? What management checks and oversight have been done? What are the record-keeping and reporting methods? What types of AML controls, training and testing are operational? Each of these control systems (and more) requires consideration, both from a program design point of view and for implementation effectiveness. Ongoing self-assessments make sense, constantly analyzing various parts of the overall program, especially when significant changes occur. Whether it’s a new offering, a changed regulation, staff changes or other alterations, always ensure that assessments are current. On occasion, deploying a third-party assessment from an independent source is also a best practice. Generally, the U.S. Federal Financial Institutions Examination Council (FFIEC) suggests banks update their risk assessments to reflect the bank’s risk accurately. 3. Balance the residual risk Completing a risk assessment requires comparing the risk profile to the risk controls to gauge how effectively the controls match the risk. As the Wolfsberg Group puts it, “residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls.” This step, balancing risks with controls, is the key to operating an RBA. If the risk profile is inaccurate or a risk control is weak or non-existent, then this whole approach becomes unworkable. However, if the assessments are accurate and the systems effective, the residual risk and the necessary adjustments should be apparent. The higher the risk, the more controls should be in place. Once a practical risk-based approach is established, ongoing operations should allow for reasonably quick input of any new information. For example, a new applicant with an unusual profile applies to become a customer; without a robust RBA, they’d have to be considered as a one-off, which might be more time-consuming and costly. However, comparing this applicant to the risk profile can quickly determine whether they meet the predetermined requirements. The individual, scenario and numerous other factors will affect the risk profile and, thus, the rule sets and workflows should also vary. They can be customized to offer the most appropriate onboarding experience based on risk, allowing lower-risk accounts to onboard seamlessly while requiring higher-risk ones to go through more robust measures as part of a balanced, risk-based approach. The strength and beauty of the risk-based approach are to provide the organization with a framework to understand risk and an operational plan for dealing with it. Risk will always be a factor whenever there’s the possibility of money laundering. The organization can effectively manage AML risks and better serve societal imperatives by taking a systematic approach. What is KYC? Know Your Customer (KYC) procedures are a critical function to assess customer risk and a legal requirement to comply with Anti-Money Laundering (AML) laws. Effective KYC involves knowing a customer’s identity, their financial activities and the risk they pose. Customer Identification Program | Customer Due Diligence | Ongoing monitoring | Corporate KYC | eKYC verification | Mobile KYC | KYC requirements | Global KYC compliance | Some KYC laws around the world Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face possible fines, sanctions and reputational damage if you help enable money laundering or terrorist financing. More importantly, KYC is a fundamental practice to protect your organization from fraud and losses resulting from illegal funds and transactions. “KYC” refers to the steps taken by a financial institution (or business) to: Establish customer identity Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate) Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities To create and run an effective KYC program requires the following elements: 1) Customer Identification Program (CIP) How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 15 million U.S. consumers and accounting for 24 billion dollars stolen in 2022. For obliged entities, such as financial institutions, it’s more than a financial risk – it’s the law. In the U.S., the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures. The desired outcome is that obliged entities accurately identify their customers. A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level. The minimum requirements to open an individual financial account are clearly delimited in the CIP: Name Date of birth Address Identification number While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both. These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives and for the benefit of regulators. The exact policies depend on the risk-based approach of the institution and may consider factors such as: The types of accounts offered by the bank The bank’s methods of opening accounts The types of identifying information available The bank’s size, location and customer base, including the types of products and services used by customers in different geographic locations 2) Customer Due Diligence For any financial institution, one of the first analysis made is to determine if you can trust a potential client. You need to make sure a potential customer is trustworthy; Customer Due Diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists and Politically Exposed Persons (PEPs) who might present a risk. There are three levels of due diligence: Simplified Due Diligence (“SDD”) are situations where the risk for money laundering or terrorist funding is low and a full CDD is not necessary. For example, low value accounts or accounts. Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and asses the risks associated with that customer. Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislations, it’s up to a financial institution to determine their risk and take measures to ensure that their customers are not bad actors. Some practical steps to include in your Customer Due Diligence program include: Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer. When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally. Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required, include, but are not limited to, the following: Location of the person Occupation of the person Type of transactions Expected pattern of activity in terms of transaction types, dollar value and frequency Expected method of payment Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit. 3) Ongoing Monitoring It’s not enough to just check your customer once. You need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile. Depending on the customer and your risk mitigation strategy, some other factors to monitor may include: Spikes in activities Out of area or unusual cross-border activities Inclusion of people on sanction lists Adverse media mentions There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual. Periodical reviews of the account and the associated risk are also considered best practices: Is the account record up-to-date? Do the type and amount of transactions match the stated purpose of the account? Is the risk-level appropriate for the type and amount of transactions? In general, the level of transaction monitoring relies on a risk-based assessment. Corporate KYC Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts and other risk factors, are usually more pronounced so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB). While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program: Retrieve Company Vitals Identify and verify an accurate company record such as information regarding register number, company name, address, status and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows. Analyze Ownership Structure and Percentages Determine the entities or natural-persons who have an ownership stake, either through direct ownership or through another party. Identify Ultimate Beneficial Owners (UBOs) Calculate the total ownership stake, or management control, of any natural-person and determine if it crosses the threshold for UBO reporting. Perform AML/KYC Checks on Individuals For all individuals that are determined to be a UBO, perform AML/KYC checks. It’s one issue to ensure KYC compliance, it’s an all-together far greater issue to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thomson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. 89% of corporate customers have not had a good KYC experience – so much so that 13% have actually switched to another FI as a result. Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates KYC compliance costs cost banks £47 million a year, while each check runs £10 to £100. Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: Battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors. Electronic KYC Verification (eKYC) KYC verification is the process of verifying a customer’s identity to help comply with Know Your Customer regulations. Regulated businesses need to get personal identifying information from the prospective customer and check that it is accurate and legitimate. These procedures, where possible, should take advantage of digital processes. There might be situations, such as outdated legislations or hard-to-change legacy requirements, where digital techniques can’t be used for KYC. However, these are the exception and are on their way out; full digital KYC is the future and companies that fight it, will find themselves on the losing side. There are numerous reasons why electronic KYC (eKYC) will prevail: Speed The Thompson Reuters survey indicates that 30% of respondents stated it takes over two months to on-board a new client, while 10% indicate it takes over four months. This is damaging client relationships, has a negative impact on the brand, and is hurting revenue growth as some customers abandon the process. Faster eKYC processes improve all these factors. Accuracy Mistakes slow down the process and add to cost; eKYC can automatically check for errors and more quickly fix any mistakes. Cost While eKYC systems do have costs, their faster speeds, improved accuracy and better utilization of compliance resources provide better bang for the buck and improve scalability. Adaptability As regulations constantly change, compliance systems need to correspondingly change. eKYC workflows can change almost on the fly; in many cases, simply update a ruleset and you’re done. Integration eKYC, for the most part, is about using APIs to easily add functionality. With new APIs being added all the time, new capabilities are a simple integration away. Tracking/Reporting Digital data is seamlessly transferable in its native form to analytics, auditing, tracking and reporting systems creating opportunities for optimization and strategic analysis. Customer Experience Not only is eKYC a quicker process, it is easier from the get-go for the customer. The entire process is often mobile or internet-only thus delivering a smooth, convenient experience. Efficiency Your compliance and legal teams are highly paid, intelligent and valuable resources. eKYC enables a better work environment resulting in a more engaged work force. Mobile KYC New technological developments continue to drive KYC solutions forward. From biometric data to AI, technology is offering better ways to identify customers, run due diligence checks and perform ongoing monitoring. The combination of mobile data with traditional data sources can take KYC to the next level, adding an extra layer of authentication to help deliver a convenient, immediate and effortless customer experience, along with the necessary compliance and fraud mitigation measures. Connecting with real customers and foiling fraudsters in the mobile world is a challenge. While you have an array of verification methods and data available to you, accessing mobile data and leveraging it to ensure that specific criteria are met by legitimate customers adds an extra layer of protection. Simply put, it’s another tool to help reduce fraud risk, improve KYC standards, and just as important, secure an effortless experience for your mobile-minded customers. KYC Requirements for Sectors KYC for Banking Banking regulations are often the first to reflect new KYC requirements. If left vulnerable, banks could be a substantial conduit for money laundering, as they provide a variety of financial services and deal with significant amounts of accounts, money and transactions. There’s also the need for banks to maintain the substantial amount of trust that banks have built up with their customers when deploying digital processes: “As more banking activities go digital, consumers are becoming aware of the existing vulnerabilities. A FICO report on how the pandemic has driven FIs toward digital transformation found that U.S. consumers have high expectations for identity verification. 62% expect to verify their identity when opening an account digitally, and 42% expect to set up biometric identification during the onboarding process.” Fortunately, technology is improving KYC and AML program for banks with better identity verification speed, accuracy and reliability. Leveraging APIs, AI/ML, biometrics and advanced optical character recognition (OCR) technologies enables banks to gather more information and analyze it more intelligently. Consideration of numerous alternative sources such as email history, mobile data and mobile app analytics can assist in risk assessments. The result is a higher likelihood of detecting synthetic and fraudulent identities before issuing an account. KYC for Financial Services Most other financial services also have KYC requirements similar to banks. It’s up to the service to perform KYC and monitor customer transactions to ensure they aren’t part of a money laundering scheme. As part of their monitoring duties, financial service organizations need to verify the origin of larger sums and report cash transactions exceeding threshold limits. In addition to compliance with AML laws, financial institutions need to make sure their clients understand them. Today, extensive records should be kept on every significant financial transaction. Few methods of detecting crime and corruption are more effective than examining the records of connected financial transactions. KYC for Crypto With numerous countries approaching cryptocurrencies differently, creating a KYC crypto program is challenging. To further assist regulators and industry participants in creating programs that deter money laundering and other financial crimes, the FATF noted several red flags around KYC: Creating separate accounts under different names Initiating transactions from non-trusted IP addresses Incomplete or insufficient KYC information Customers declining requests for KYC documents or inquiries regarding the source of funds Customers providing forged or falsified identity documents or photographs Customers who are on watch lists Customers who frequently change their identification information Ensuring effective KYC procedures are in place at account opening helps deter money launderers and other financial criminals from becoming active on your services. The customer information obtained at onboarding also improves the monitoring process, as it provides insight into the account and the expected use of funds. Some KYC Laws Around the World AustraliaAustralian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system. All reporting entities must apply customer identification procedures to all customers, including collecting and verifying information before providing any designated services to them. BrazilSince 2016, regulations have been in place to allow account opening via electronic channels. To streamline the creation of simplified KYC accounts and better information sharing, the Central Bank of Brazil has created an Open Data Portal, allowing customers with an authenticated digital identity to open an account quickly. CanadaIn Canada, regulated companies report to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the law covering Federal KYC and AML regulations. EuropeSince 2016, Europe has passed three AML Directives (4AMLD, 5AMLD and 6AMLD), all of which expand the scope of KYC requirements to new sectors and the need for enhanced Customer Due Diligence. These processes include collection, verification and record keeping of Personally Identifiable Information (PII); and screening customers against sanctions and Politically Exposed Persons (PEP) lists, and adverse news to assess the risks associated with each customer. To create more cohesive, harmonious and powerful AML regulations, the European Commission adopted an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing. IndiaIn India, Know Your Customer (KYC) is born out of the Prevention of Money Laundering Act (PMLA), 2002. The government further released procedural details in a separate document called the PML Rules. Regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority (IRDA) then further interpret these rules for the entities they regulate. Now, Aadhaar-based eKYC enables financial service providers to electronically verify the identities of Indian consumers. MexicoIn 2019, Mexico updated its AML law, the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources. Regulated parties, according to the FATF, “are generally prohibited from opening or maintaining anonymous accounts.” An exception is made to promote financial inclusion for deposits of pesos into individual accounts that don’t exceed a certain threshold. Further regulations and AML provisions vary based on the industry and regulator. New ZealandNew Zealand is at the forefront of electronic identity innovation. The country’s RealMe system enables users to provide identity verification for online services and simplified log-ins to access government services. There are requirements for reporting entities to conduct standard Customer Due Diligence on all accounts. South AfricaIn South Africa, the Financial Intelligence Centre Act (FICA) covers AML and KYC factors. To enable more streamlined oversight over FICA, the Government of South Africa established the Financial Sector Conduct Authority (FSCA) as the market conduct regulator of financial institutions that provide financial products and services, including banks, insurers, retirement funds and administrators, and market infrastructures. UK The UK has robust AML and KYC laws and regulations. These include requirements for identity verification on individuals and businesses. The Financial Conduct Authority (FCA) — the UK regulator for financial services firms and financial markets — is well known for its forward-thinking approach to innovation and favors a risk-based approach, focusing on the outputs rather than specific AML laws and rules. This post was originally published in 2016 and updated to reflect the latest industry news, trends and insights. Compliance Build Trust and Safety With Digital KYC Meet global Know Your Customer requirements without burdening customers. Get the KYC White Paper Posts navigation Previous 1 … 9 10 11 … 158 Next
Denmark is a digitally advanced country where every citizen has a CPR personal identity number. The CPR number allows a person to access bank accounts, health institutions, receive government letters, and sign documents and agreements through local services like NemID, NemID Signatur, CPR or MitID. The same system came in handy when the COVID vaccination program began across Denmark. Not only was it easy to implement, but it was also simple for users to understand as the process was familiar and already streamlined.If you’re a business that wants to onboard Danish clients or companies, keep reading to learn how to leverage the national identity verification scheme or verify data using other local sources. Denmark Anti-Money Laundering and Know Your Customer regulations In Denmark, Anti-Money Laundering (AML) laws are under the Money Laundering Act, which implements the EU’s 4AMLD and 5AMLD. The Danish regulatory agencies include the Danish Financial Supervisory Authority (FSA), and the Danish Business Authority. All obliged businesses need to perform customer due diligence procedures on their customers. The information requirements include: Name Address Social Security number Passport Driving license Birth certificate Using a prospect’s assigned CPR (Social Security) number makes onboarding Danish clients far more accessible and innovative than traditional methods. Pulling data from a vetted, local database using a prospect’s CPR number can instantly fill the form with the relevant data. The benefits of automated information filling for all essential particulars is hugely advantageous when lengthy or repetitive forms are involved, saving a vast amount of time.Verifying the data with other external sources provides greater security for your Know Your Customer (KYC) procedures, ensuring that all information is accurate.When it comes to personal onboarding, using NemID and CPR to verify one’s personal information like name, address, date of birth and citizenship leverages two-factor authentication (2FA), providing the utmost security. NemID also has an eSignature feature, allowing all onboarding practices to be digital. This 2FA works by simply logging in with NemID credentials, and when verified, they can digitally sign any document, keeping the onboarding process entirely online.Approximately 4.7 million Danish citizens use NemID, accounting for more than 55 million transactions monthly. Corporate onboarding made easier in Denmark Similarly, if you are an obliged business, you need to perform Know Your Business (KYB) procedures, including: KYC on natural persons associated with the business KYC on beneficial owners Clarification of a legal person’s ownership and control structure Purpose of the business relationship This information needs ongoing updating based on a risk-based assessment. The Danish government has implemented the same verification processes used in personal onboarding regarding businesses. All Danish companies require a CVR number, their unique business identity number they get from the Danish Central Business Register. You can pull the data from the local government database using the company registration CVR number and automatically fill the form with relevant data, including the names of individuals or the company’s address.You can also match information using a business’s CVR against data from other databases for greater accuracy. There are numerous ways to use these services in corporate onboarding, including verifying businesses quickly and securely. Business Verification is beneficial as corporate onboarding is notorious for taking several months to finalize, whereas this process can shave it down to just days without sacrificing compliance.With Trulioo, you can access Denmark’s digital identity systems and local and international databases to make onboarding more straightforward. Ease clients’ access to your services, save time and ensure you are compliant with Denmark AML/KYC requirements with a comprehensive identity verification solution.
A risk-based approach is about understanding the risks your organization faces and creating controls for these risks based on prioritizing the damage they can do. Often used by compliance teams, the approach focuses efforts based on the level of risk. Regulators are increasingly turning toward a risk-based approach, as opposed to prescriptive measures, for many areas of compliance. When it comes to Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an inter-governmental body that sets international goals for AML, stated in 2012 that “the risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations.” How, though, can compliance determine what is the level of risk and what are appropriate measures to mitigate that risk? What are effective strategies and procedures to determine that the RBA is robust and that it protects the organization and meets the expectations of regulators? The benefits of a risk-based approach Consider why the FATF and regulators are proponents of RBA. If regulators provide specific criteria to meet, often taking measures to meet those criteria is the only step. Instead of creating resilient compliance programs that deter money laundering, it’s about getting over a minimum bar. Especially in the current pace of rapid technology developments, criminals always seem to be a few steps ahead of the regulators and legal system. The RBA approach bypasses the need to discover, understand, debate and implement specific measures to combat every new threat, so it’s more flexible, quicker to adapt and provides a common-sense philosophy to guide compliance to do the right thing. Are you considering the risks appropriately? Are you taking reasonable actions? There’s also a practical, bottom-line reality to RBA: spend more time, money and energy on those risks that are more dangerous and more likely to cause harm. Not all threats are equal, so why treat all threats the same? For example, a Know Your Customer (KYC) risk-based approach helps enable a better customer onboarding compliance program as it adjusts the verification levels based on risk factors. Low-risk customers are more quickly accepted, while higher-risk customers can have additional verification procedures added. The RBA approach is about thinking systematically about your business, customers, partners, regulators, and the security and risk environment. It’s the critical systems thinking and what regulators are looking for, not an occasional lapse or oversight. A solid compliance program is characterized by actively considering the possibilities and taking preventive actions. As Zhang Fan, CAMS, vice chairman, Macau Anti-Money Laundering Specialists Association, Bank of China, Macau states, regulated organizations “should consider the risk for money laundering as one of the angles for examining customers and business operations, while driving the gradual integration of various business operation management measures such as credit risks, market risks and operational risks.” The risk-based approach has three steps: determine the risk profile, implement effective risk controls and balance the residual risk. 1. Determine the risk profile Before any actual Customer Due Diligence occurs, the organization needs to have a risk assessment in place; what are the risk factors for that organization and how are they set up to deal with them? The first step is determining the risk profile, the inherent risk of an organization, which can vary widely based on factors such as these: What industry are they in? What jurisdictions are they in? What jurisdictions are their customers in? What types of products and services do they offer? What types of transactions are involved? What volume of transactions? What is the value of transactions? What types of companies do they deal with? Who owns and operates these companies? What third parties do they deal with? Identifying potential issues, understanding overall risk scenarios, and determining what risks and risk levels are appropriate to the institution helps limit the scope of compliance considerations. Not all organizations will accept all types of businesses, so establishing criteria focuses the organization on threats associated with the actual risk profile. Even then, risk assessments have an abundance of information to consider. One crucial consideration: does your organization have the expertise to gauge the risk adequately? Does it have the expertise in that field and the seniority to ensure that decisions are adequately considered? As one enforcement action by the Australian Transaction Reports and Analysis Centre (AUSTRAC) stated, “the unit responsible for monitoring the Bank’s domestic and foreign retail customer accounts was understaffed, and the personnel lacked the requisite knowledge and expertise to adequately perform their duties.” Fortunately, if there is sufficient expertise, there are numerous resources that provide guidance, knowledge and feedback to help deliver a robust risk assessment framework. The FATF is a goldmine of information and has the advantage of looking at money laundering from a global perspective. While the FATF does not set actual laws or regulations, they provide best practices. And, as their recommendations guide jurisdiction-specific implementations, adhering to their suggested practices does help create a long-term viable AML program. Another international organization, The Wolfsberg Group, also guides the management of financial crime risks. The Group represents 13 global banks that came together in 2000 to create AML guidelines for private banking. While many financial organizations might not offer those specific services, The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption provides deep insight into risk assessment thinking and procedures. 2. Implement effective risk controls A risk assessment also needs to consider the control effectiveness, that is, the mitigating measures that the organization puts in place: What governance structures exist? What are the policies and procedures? What are the KYC and due diligence systems? What other risk assessments require consideration? What management checks and oversight have been done? What are the record-keeping and reporting methods? What types of AML controls, training and testing are operational? Each of these control systems (and more) requires consideration, both from a program design point of view and for implementation effectiveness. Ongoing self-assessments make sense, constantly analyzing various parts of the overall program, especially when significant changes occur. Whether it’s a new offering, a changed regulation, staff changes or other alterations, always ensure that assessments are current. On occasion, deploying a third-party assessment from an independent source is also a best practice. Generally, the U.S. Federal Financial Institutions Examination Council (FFIEC) suggests banks update their risk assessments to reflect the bank’s risk accurately. 3. Balance the residual risk Completing a risk assessment requires comparing the risk profile to the risk controls to gauge how effectively the controls match the risk. As the Wolfsberg Group puts it, “residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls.” This step, balancing risks with controls, is the key to operating an RBA. If the risk profile is inaccurate or a risk control is weak or non-existent, then this whole approach becomes unworkable. However, if the assessments are accurate and the systems effective, the residual risk and the necessary adjustments should be apparent. The higher the risk, the more controls should be in place. Once a practical risk-based approach is established, ongoing operations should allow for reasonably quick input of any new information. For example, a new applicant with an unusual profile applies to become a customer; without a robust RBA, they’d have to be considered as a one-off, which might be more time-consuming and costly. However, comparing this applicant to the risk profile can quickly determine whether they meet the predetermined requirements. The individual, scenario and numerous other factors will affect the risk profile and, thus, the rule sets and workflows should also vary. They can be customized to offer the most appropriate onboarding experience based on risk, allowing lower-risk accounts to onboard seamlessly while requiring higher-risk ones to go through more robust measures as part of a balanced, risk-based approach. The strength and beauty of the risk-based approach are to provide the organization with a framework to understand risk and an operational plan for dealing with it. Risk will always be a factor whenever there’s the possibility of money laundering. The organization can effectively manage AML risks and better serve societal imperatives by taking a systematic approach.
What is KYC? Know Your Customer (KYC) procedures are a critical function to assess customer risk and a legal requirement to comply with Anti-Money Laundering (AML) laws. Effective KYC involves knowing a customer’s identity, their financial activities and the risk they pose. Customer Identification Program | Customer Due Diligence | Ongoing monitoring | Corporate KYC | eKYC verification | Mobile KYC | KYC requirements | Global KYC compliance | Some KYC laws around the world Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face possible fines, sanctions and reputational damage if you help enable money laundering or terrorist financing. More importantly, KYC is a fundamental practice to protect your organization from fraud and losses resulting from illegal funds and transactions. “KYC” refers to the steps taken by a financial institution (or business) to: Establish customer identity Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate) Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities To create and run an effective KYC program requires the following elements: 1) Customer Identification Program (CIP) How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 15 million U.S. consumers and accounting for 24 billion dollars stolen in 2022. For obliged entities, such as financial institutions, it’s more than a financial risk – it’s the law. In the U.S., the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures. The desired outcome is that obliged entities accurately identify their customers. A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level. The minimum requirements to open an individual financial account are clearly delimited in the CIP: Name Date of birth Address Identification number While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both. These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives and for the benefit of regulators. The exact policies depend on the risk-based approach of the institution and may consider factors such as: The types of accounts offered by the bank The bank’s methods of opening accounts The types of identifying information available The bank’s size, location and customer base, including the types of products and services used by customers in different geographic locations 2) Customer Due Diligence For any financial institution, one of the first analysis made is to determine if you can trust a potential client. You need to make sure a potential customer is trustworthy; Customer Due Diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists and Politically Exposed Persons (PEPs) who might present a risk. There are three levels of due diligence: Simplified Due Diligence (“SDD”) are situations where the risk for money laundering or terrorist funding is low and a full CDD is not necessary. For example, low value accounts or accounts. Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and asses the risks associated with that customer. Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislations, it’s up to a financial institution to determine their risk and take measures to ensure that their customers are not bad actors. Some practical steps to include in your Customer Due Diligence program include: Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer. When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally. Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required, include, but are not limited to, the following: Location of the person Occupation of the person Type of transactions Expected pattern of activity in terms of transaction types, dollar value and frequency Expected method of payment Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit. 3) Ongoing Monitoring It’s not enough to just check your customer once. You need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile. Depending on the customer and your risk mitigation strategy, some other factors to monitor may include: Spikes in activities Out of area or unusual cross-border activities Inclusion of people on sanction lists Adverse media mentions There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual. Periodical reviews of the account and the associated risk are also considered best practices: Is the account record up-to-date? Do the type and amount of transactions match the stated purpose of the account? Is the risk-level appropriate for the type and amount of transactions? In general, the level of transaction monitoring relies on a risk-based assessment. Corporate KYC Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts and other risk factors, are usually more pronounced so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB). While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program: Retrieve Company Vitals Identify and verify an accurate company record such as information regarding register number, company name, address, status and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows. Analyze Ownership Structure and Percentages Determine the entities or natural-persons who have an ownership stake, either through direct ownership or through another party. Identify Ultimate Beneficial Owners (UBOs) Calculate the total ownership stake, or management control, of any natural-person and determine if it crosses the threshold for UBO reporting. Perform AML/KYC Checks on Individuals For all individuals that are determined to be a UBO, perform AML/KYC checks. It’s one issue to ensure KYC compliance, it’s an all-together far greater issue to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thomson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. 89% of corporate customers have not had a good KYC experience – so much so that 13% have actually switched to another FI as a result. Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates KYC compliance costs cost banks £47 million a year, while each check runs £10 to £100. Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: Battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors. Electronic KYC Verification (eKYC) KYC verification is the process of verifying a customer’s identity to help comply with Know Your Customer regulations. Regulated businesses need to get personal identifying information from the prospective customer and check that it is accurate and legitimate. These procedures, where possible, should take advantage of digital processes. There might be situations, such as outdated legislations or hard-to-change legacy requirements, where digital techniques can’t be used for KYC. However, these are the exception and are on their way out; full digital KYC is the future and companies that fight it, will find themselves on the losing side. There are numerous reasons why electronic KYC (eKYC) will prevail: Speed The Thompson Reuters survey indicates that 30% of respondents stated it takes over two months to on-board a new client, while 10% indicate it takes over four months. This is damaging client relationships, has a negative impact on the brand, and is hurting revenue growth as some customers abandon the process. Faster eKYC processes improve all these factors. Accuracy Mistakes slow down the process and add to cost; eKYC can automatically check for errors and more quickly fix any mistakes. Cost While eKYC systems do have costs, their faster speeds, improved accuracy and better utilization of compliance resources provide better bang for the buck and improve scalability. Adaptability As regulations constantly change, compliance systems need to correspondingly change. eKYC workflows can change almost on the fly; in many cases, simply update a ruleset and you’re done. Integration eKYC, for the most part, is about using APIs to easily add functionality. With new APIs being added all the time, new capabilities are a simple integration away. Tracking/Reporting Digital data is seamlessly transferable in its native form to analytics, auditing, tracking and reporting systems creating opportunities for optimization and strategic analysis. Customer Experience Not only is eKYC a quicker process, it is easier from the get-go for the customer. The entire process is often mobile or internet-only thus delivering a smooth, convenient experience. Efficiency Your compliance and legal teams are highly paid, intelligent and valuable resources. eKYC enables a better work environment resulting in a more engaged work force. Mobile KYC New technological developments continue to drive KYC solutions forward. From biometric data to AI, technology is offering better ways to identify customers, run due diligence checks and perform ongoing monitoring. The combination of mobile data with traditional data sources can take KYC to the next level, adding an extra layer of authentication to help deliver a convenient, immediate and effortless customer experience, along with the necessary compliance and fraud mitigation measures. Connecting with real customers and foiling fraudsters in the mobile world is a challenge. While you have an array of verification methods and data available to you, accessing mobile data and leveraging it to ensure that specific criteria are met by legitimate customers adds an extra layer of protection. Simply put, it’s another tool to help reduce fraud risk, improve KYC standards, and just as important, secure an effortless experience for your mobile-minded customers. KYC Requirements for Sectors KYC for Banking Banking regulations are often the first to reflect new KYC requirements. If left vulnerable, banks could be a substantial conduit for money laundering, as they provide a variety of financial services and deal with significant amounts of accounts, money and transactions. There’s also the need for banks to maintain the substantial amount of trust that banks have built up with their customers when deploying digital processes: “As more banking activities go digital, consumers are becoming aware of the existing vulnerabilities. A FICO report on how the pandemic has driven FIs toward digital transformation found that U.S. consumers have high expectations for identity verification. 62% expect to verify their identity when opening an account digitally, and 42% expect to set up biometric identification during the onboarding process.” Fortunately, technology is improving KYC and AML program for banks with better identity verification speed, accuracy and reliability. Leveraging APIs, AI/ML, biometrics and advanced optical character recognition (OCR) technologies enables banks to gather more information and analyze it more intelligently. Consideration of numerous alternative sources such as email history, mobile data and mobile app analytics can assist in risk assessments. The result is a higher likelihood of detecting synthetic and fraudulent identities before issuing an account. KYC for Financial Services Most other financial services also have KYC requirements similar to banks. It’s up to the service to perform KYC and monitor customer transactions to ensure they aren’t part of a money laundering scheme. As part of their monitoring duties, financial service organizations need to verify the origin of larger sums and report cash transactions exceeding threshold limits. In addition to compliance with AML laws, financial institutions need to make sure their clients understand them. Today, extensive records should be kept on every significant financial transaction. Few methods of detecting crime and corruption are more effective than examining the records of connected financial transactions. KYC for Crypto With numerous countries approaching cryptocurrencies differently, creating a KYC crypto program is challenging. To further assist regulators and industry participants in creating programs that deter money laundering and other financial crimes, the FATF noted several red flags around KYC: Creating separate accounts under different names Initiating transactions from non-trusted IP addresses Incomplete or insufficient KYC information Customers declining requests for KYC documents or inquiries regarding the source of funds Customers providing forged or falsified identity documents or photographs Customers who are on watch lists Customers who frequently change their identification information Ensuring effective KYC procedures are in place at account opening helps deter money launderers and other financial criminals from becoming active on your services. The customer information obtained at onboarding also improves the monitoring process, as it provides insight into the account and the expected use of funds. Some KYC Laws Around the World AustraliaAustralian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system. All reporting entities must apply customer identification procedures to all customers, including collecting and verifying information before providing any designated services to them. BrazilSince 2016, regulations have been in place to allow account opening via electronic channels. To streamline the creation of simplified KYC accounts and better information sharing, the Central Bank of Brazil has created an Open Data Portal, allowing customers with an authenticated digital identity to open an account quickly. CanadaIn Canada, regulated companies report to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the law covering Federal KYC and AML regulations. EuropeSince 2016, Europe has passed three AML Directives (4AMLD, 5AMLD and 6AMLD), all of which expand the scope of KYC requirements to new sectors and the need for enhanced Customer Due Diligence. These processes include collection, verification and record keeping of Personally Identifiable Information (PII); and screening customers against sanctions and Politically Exposed Persons (PEP) lists, and adverse news to assess the risks associated with each customer. To create more cohesive, harmonious and powerful AML regulations, the European Commission adopted an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing. IndiaIn India, Know Your Customer (KYC) is born out of the Prevention of Money Laundering Act (PMLA), 2002. The government further released procedural details in a separate document called the PML Rules. Regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority (IRDA) then further interpret these rules for the entities they regulate. Now, Aadhaar-based eKYC enables financial service providers to electronically verify the identities of Indian consumers. MexicoIn 2019, Mexico updated its AML law, the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources. Regulated parties, according to the FATF, “are generally prohibited from opening or maintaining anonymous accounts.” An exception is made to promote financial inclusion for deposits of pesos into individual accounts that don’t exceed a certain threshold. Further regulations and AML provisions vary based on the industry and regulator. New ZealandNew Zealand is at the forefront of electronic identity innovation. The country’s RealMe system enables users to provide identity verification for online services and simplified log-ins to access government services. There are requirements for reporting entities to conduct standard Customer Due Diligence on all accounts. South AfricaIn South Africa, the Financial Intelligence Centre Act (FICA) covers AML and KYC factors. To enable more streamlined oversight over FICA, the Government of South Africa established the Financial Sector Conduct Authority (FSCA) as the market conduct regulator of financial institutions that provide financial products and services, including banks, insurers, retirement funds and administrators, and market infrastructures. UK The UK has robust AML and KYC laws and regulations. These include requirements for identity verification on individuals and businesses. The Financial Conduct Authority (FCA) — the UK regulator for financial services firms and financial markets — is well known for its forward-thinking approach to innovation and favors a risk-based approach, focusing on the outputs rather than specific AML laws and rules. This post was originally published in 2016 and updated to reflect the latest industry news, trends and insights. Compliance Build Trust and Safety With Digital KYC Meet global Know Your Customer requirements without burdening customers. Get the KYC White Paper