KYC: 3 steps to effective Know Your Customer compliance
What is KYC?
Know Your Customer (KYC) procedures are a critical function for assessing customer risk and a legal requirement for complying with Anti-Money Laundering (AML) laws. Effective KYC involves knowing a customer's identity, their financial activities and the risk they pose.
- Customer Identification Program
- Customer Due Diligence
- Ongoing monitoring
- Corporate KYC
- eKYC verification
- Mobile KYC
- Global KYC compliance
- Some KYC laws around the world
Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face fines, sanctions and reputational damage if you do business with a money launderer or terrorist. More importantly, KYC is a fundamental practice for protecting your organization from fraud and from losses resulting from illegal funds and transactions.
“KYC” refers to the steps taken by a financial institution (or business) to:
- Establish customer identity
- Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
- Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities
To create and run an effective KYC program requires the following elements:
1) Customer Identification Program (CIP)
How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 16.7 million US consumers and accounting for 16.8 billion dollars stolen in 2017. For obliged entities, such as financial institutions, it’s more than a financial risk — it’s the law.
In the US, the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures.
The desired outcome is that obliged entities accurately identify their customers.
A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level.
The minimum requirements to open an individual financial account are clearly delimited in the CIP:
- Date of birth
- Identification number
While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both.
These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives, and for the benefit of regulators.
The exact policies depend on the risk-based approach of the institution and may consider factors such as:
- The types of accounts offered by the bank
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations
2) Customer Due Diligence
For any financial institution, one of the first analyses made is whether you can trust a potential client. Customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and Politically Exposed Persons (PEPs) who might present a risk.
There are three levels of due diligence:
- Simplified Due Diligence (“SDD”) applies in situations where the risk of money laundering or terrorist funding is low and a full CDD is not necessary. For example, low-value accounts or accounts.
- Basic Customer Due Diligence (“CDD”) is the information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity and mitigate the associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislation, it’s up to the financial institution to determine its risk and take measures to ensure that its customers are not bad actors.
Some practical steps to include in your customer due diligence program include:
- Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer.
- When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally.
- Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher-risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required include, but are not limited to, the following:
  - Location of the person
  - Occupation of the person
  - Type of transactions
  - Expected pattern of activity in terms of transaction types, dollar value and frequency
  - Expected method of payment
- Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit.
3) Ongoing monitoring
It’s not enough to just check your customer once; you need a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Depending on the customer and your risk mitigation strategy, some other factors to monitor may include:
- Spikes in activities
- Out of area or unusual cross-border activities
- Inclusion of people on sanctions lists
- Adverse media mentions
There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual.
Periodic reviews of the account and the associated risk are also considered best practice:
- Is the account record up-to-date?
- Do the type and amount of transactions match the stated purpose of the account?
- Is the risk-level appropriate for the type and amount of transactions?
In general, the level of transaction monitoring relies on a risk-based assessment.
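As an added example, not code from the original post, the following runs the monitoring factors listed above over a few constructed transactions: a per-customer threshold taken from the risk profile, a spike against the customer's own baseline, out-of-area activity and a sanctions-list match, with an escalation flag standing in for the decision to send a hit for SAR review. The customer IDs, the sanctions entry, the spike factor and the escalation policy are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
# Constructed sample data; not real customers, lists or transactions.
# Per-customer thresholds follow from the risk rating assigned at onboarding.
RISK_PROFILES = {
    "C-1001": {"risk": "low", "max_single": 5_000, "home_country": "US"},
    "C-2002": {"risk": "high", "max_single": 2_000, "home_country": "US"},
}
SANCTIONS_LIST = {"ACME TRADING LTD"}  # constructed; real screening uses official lists

@dataclass
class Txn:
    customer: str
    amount: float
    counterparty: str
    country: str

def screen(txn, history, profile, sanctions=SANCTIONS_LIST, spike_factor=3.0):
    """Alerts raised by one transaction given the customer's prior
    transactions and risk profile (spike_factor is an assumed tuning value)."""
    alerts = []
    if txn.amount > profile["max_single"]:
        alerts.append("over-threshold")
    # Spike: measured against the customer's own baseline once there is enough history
    if len(history) >= 3 and txn.amount > spike_factor * mean(t.amount for t in history):
        alerts.append("spike")
    if txn.country != profile["home_country"]:
        alerts.append("cross-border")
    if txn.counterparty.upper() in sanctions:
        alerts.append("sanctions-match")
    return alerts

def monitor(transactions):
    """Screen a batch in order and flag which hits go to SAR review: any alert
    on a high-risk customer; a sanctions match or multiple alerts on a low-risk
    one. This escalation policy is an assumption, not a regulatory rule."""
    history, results = defaultdict(list), []
    for t in transactions:
        profile = RISK_PROFILES[t.customer]
        alerts = screen(t, history[t.customer], profile)
        escalate = bool(alerts) and (
            profile["risk"] == "high" or "sanctions-match" in alerts or len(alerts) > 1)
        results.append((t.customer, alerts, escalate))
        history[t.customer].append(t)
    return results

SAMPLE = [  # constructed: three routine purchases, a spike, a flagged payee, a high-risk customer
    Txn("C-1001", 100, "Corner Grocer", "US"),
    Txn("C-1001", 120, "Corner Grocer", "US"),
    Txn("C-1001", 90, "Corner Grocer", "US"),
    Txn("C-1001", 900, "Corner Grocer", "US"),
    Txn("C-1001", 150, "Acme Trading Ltd", "KY"),
    Txn("C-2002", 2_500, "Car Dealer", "US"),
]
```

Calling `monitor(SAMPLE)` yields no alerts for the three routine purchases, a spike on the fourth, a cross-border plus sanctions match on the fifth (escalated), and an over-threshold alert on the high-risk customer (escalated).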
Corporate KYC
Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts and other risk factors are usually more pronounced, so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB).
While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program:
Retrieve company vitals
Identify and verify an accurate company record such as information regarding register number, company name, address, status, and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows.
Analyze ownership structure and percentages
Determine the entities or natural persons who have an ownership stake, either through direct ownership or through another party.
Identify Ultimate Beneficial Owners (UBOs)
Calculate the total ownership stake, or management control, of any natural person and determine if it crosses the threshold for UBO reporting.
Perform AML/KYC checks on individuals
For all individuals that are determined to be a UBO, perform AML/KYC checks.
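As an added example (not code from the original post), here is one way to carry the ownership analysis and UBO identification steps above through in Python: the register, company and person names are constructed, the manager "Erin" is an assumed person with management control but no shares, and the 25% reporting threshold is an assumption, since the post does not state a figure.

```python
from collections import defaultdict

# Constructed ownership register; company and person names are not real.
# company -> list of (owner, percentage of shares). An owner may be another
# company (indirect ownership) or a natural person.
OWNERSHIP = {
    "TargetCo": [("HoldCo A", 60.0), ("Alice", 30.0), ("Bob", 10.0)],
    "HoldCo A": [("HoldCo B", 50.0), ("Carol", 50.0)],
    "HoldCo B": [("Dave", 100.0)],
}
NATURAL_PERSONS = {"Alice", "Bob", "Carol", "Dave", "Erin"}
# Assumption: a 25% aggregate stake triggers UBO reporting; the post gives no figure.
UBO_THRESHOLD = 25.0

def effective_ownership(company, register=OWNERSHIP, persons=NATURAL_PERSONS):
    """Total stake of every natural person in `company`: multiply the
    percentages along each ownership chain and sum over all chains.
    Cross-holding cycles are cut at the first repeated company."""
    totals = defaultdict(float)

    def walk(entity, share, path):
        for owner, pct in register.get(entity, []):
            stake = share * pct / 100.0
            if owner in persons:
                totals[owner] += stake
            elif owner in path:
                continue  # cycle (e.g. a subsidiary holding part of its parent): stop here
            else:
                walk(owner, stake, path | {owner})

    walk(company, 100.0, {company})
    return dict(totals)

def identify_ubos(company, managers=frozenset(), threshold=UBO_THRESHOLD, **kw):
    """Natural persons who cross the threshold by ownership, plus anyone in
    `managers` (assumed: persons exercising management control, who are
    treated as UBOs regardless of shareholding)."""
    stakes = effective_ownership(company, **kw)
    ubos = {p for p, s in stakes.items() if s >= threshold}
    return ubos | set(managers), stakes

if __name__ == "__main__":
    ubos, stakes = identify_ubos("TargetCo", managers={"Erin"})
    for person, pct in sorted(stakes.items()):
        print(f"{person}: {pct:.1f}%")
    print("UBOs to run AML/KYC checks on:", sorted(ubos))
```

Note that a direct-shareholder view of TargetCo shows only HoldCo A at 60%; walking the chains reveals Carol and Dave at 30% each, which is why the analysis has to be done before the individual checks.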
Global KYC compliance
It’s one thing to ensure KYC compliance; it’s an altogether greater challenge to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thomson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. Eighty-nine percent of corporate customers have not had a good KYC experience — so much so that 13 percent have actually switched to another FI as a result.
Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually, while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates that KYC compliance costs banks £47 million a year, while each check runs £10 to £100.
Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: Battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors.
Electronic KYC verification (eKYC)
All workflows, where possible, should take advantage of digital processes. There might be situations, such as outdated legislation or hard-to-change legacy requirements, where digital techniques can’t be used for KYC. However, these are the exception and are on their way out; fully digital KYC is the future, and companies that fight it will find themselves on the losing side.
There are numerous reasons why eKYC will prevail:
- The Thomson Reuters survey indicates that 30% of respondents said it takes over two months to onboard a new client, while 10% said it takes over four months. This damages client relationships, hurts the brand, and slows revenue growth as some customers abandon the process. Faster eKYC processes improve all of these factors.
- Mistakes slow down the process and add to cost; eKYC can automatically check for errors and fix mistakes more quickly.
- While eKYC systems have their own costs, their faster speeds, improved accuracy and better use of compliance resources provide more bang for the buck and improve scalability.
- As regulations constantly change, compliance systems must change with them. eKYC workflows can change almost on the fly; in many cases, simply update a ruleset and you’re done.
- eKYC, for the most part, is about using APIs to easily add functionality. With new APIs being added all the time, new capabilities are a simple integration away.
- Digital data is seamlessly transferable in its native form to analytics, auditing, tracking and reporting systems, creating opportunities for optimization and strategic analysis.
- Not only is eKYC a quicker process, it is easier from the get-go for the customer. The entire process is often mobile- or internet-only, delivering a smooth, convenient experience.
- Your compliance and legal teams are highly paid, intelligent and valuable resources. eKYC enables a better work environment, resulting in a more engaged workforce.
New technological developments continue to drive KYC solutions forward. From biometric data to AI, technology is offering better ways to identify customers, run due diligence checks and perform ongoing monitoring.
Mobile KYC
The combination of mobile data with traditional data sources can take KYC to the next level, adding an extra layer of authentication to help deliver a convenient, immediate and effortless customer experience, along with the necessary compliance and fraud-mitigation measures.
Connecting with real customers and foiling fraudsters in the mobile world is a challenge. While you have an array of verification methods and data available to you, accessing mobile data and leveraging it to ensure that specific criteria are met by legitimate customers adds an extra layer of protection. Simply put, it’s another tool to help reduce fraud risk, improve KYC standards, and just as important, secure an effortless experience for your mobile-minded customers.
Some KYC laws around the world
Australian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system. All reporting entities must apply customer identification procedures to all customers, including collecting and verifying information before providing any designated services to them.
In Brazil, regulations have been in place since 2016 to allow account opening via electronic channels. To streamline the creation of simplified KYC accounts and improve information sharing, the Central Bank of Brazil has created an Open Data Portal, allowing customers with an authenticated digital identity to open an account quickly.
In Canada, regulated companies report to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) is the law covering Federal KYC and AML regulations.
Since 2016, Europe has passed three AML Directives (4AMLD, 5AMLD and 6AMLD), all of which expand the scope of KYC requirements to new sectors and the need for enhanced Customer Due Diligence. These processes include collection, verification and record keeping of Personally Identifiable Information (PII); and screening customers against sanctions and Politically Exposed Persons (PEP) lists, and adverse news to assess the risks associated with each customer.
To create more cohesive, harmonious and powerful AML regulations, the European Commission adopted an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing.
In India, Know Your Customer (KYC) is born out of the Prevention of Money Laundering Act (PMLA), 2002. The government further released procedural details in a separate document called the PML Rules. Regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority (IRDA) then further interpret these rules for the entities they regulate.
Now, Aadhaar-based eKYC enables financial service providers to electronically verify the identities of Indian consumers.
In 2019, Mexico updated its AML law, the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources. Regulated parties, according to the FATF, “are generally prohibited from opening or maintaining anonymous accounts.” An exception is made to promote financial inclusion for deposits of pesos into individual accounts that don’t exceed a certain threshold. Further regulations and AML provisions vary based on the industry and regulator.
New Zealand is at the forefront of electronic identity innovation. The country’s RealMe system enables users to provide identity verification for online services and simplified log-ins to access government services. There are requirements for reporting entities to conduct standard Customer Due Diligence on all accounts.
In South Africa, the Financial Intelligence Centre Act (FICA) covers AML and KYC factors. To enable more streamlined oversight over FICA, the Government of South Africa established the Financial Sector Conduct Authority (FSCA) as the market conduct regulator of financial institutions that provide financial products and services, including banks, insurers, retirement funds and administrators, and market infrastructures.
The UK has robust AML and KYC laws and regulations. These include requirements for identity verification on individuals and businesses. The Financial Conduct Authority (FCA) — the UK regulator for financial services firms and financial markets — is well known for its forward-thinking approach to innovation and favors a risk-based approach, focusing on the outputs rather than specific AML laws and rules.
This post was originally published October 17, 2016, updated to reflect the latest industry news, trends and insights.