Economic fraud and financial crime represent significant risks for organizations.
According to a recent PwC survey of more than 5,000 respondents across 99 territories about their experience of fraud over the past 24 months, almost half reported that they experienced at least one instance of fraud in the last 12 months. More than 10 percent of those victimized said they lost more than $50 million, and the total cost of fraud worldwide topped $42 billion.
Know Your Customer (KYC) programs provide a way for companies to reduce fraud risk by implementing policies and processes that reliably identify customers and assess their potential risk. Some solutions enable teams to share risk assessments of potential users, allowing organizations to stop fraudsters from onboarding at all.
But how do organizations implement essential KYC procedures?
We've created this go-to guide to help streamline the design, development, and deployment of KYC frameworks. It sets the stage, dives into the specifics, and offers five fundamental steps for building an effective KYC program.
What is KYC — and Why Is It Required?
Implemented under Financial Industry Regulatory Authority (FINRA) Rule 2090, Know Your Customer processes are designed to reduce the risk of fraud by requiring firms to obtain and verify information about client identities before carrying out financial transactions.
According to the rule, "every member shall use reasonable diligence, in regard to the opening and maintenance of every account, to know (and retain) the essential facts concerning every customer and concerning the authority of each person acting on behalf of such customer."
KYC works closely with the customer due diligence (CDD) final rule from the Financial Crimes Enforcement Network (FinCEN), which requires companies to assess the nature of customer transactions as part of their more extensive risk profile. In combination, KYC and CDD requirements can help companies pinpoint potential fraud before it occurs rather than attempting to deal with the aftermath.
KYC and CDD also play a role in anti-money laundering (AML) efforts. By taking the time to evaluate client characteristics and transaction requests before approval, organizations can identify and report red flags to relevant stakeholders and regulatory bodies.
Types of KYC
At its core, KYC focuses on evaluating and verifying customer identities. However, depending on business needs and customer requirements, companies may implement one (or more) types of KYC to streamline this process.
Developed by the Unique Identification Authority of India (UIDAI), Aadhaar represents one of the largest identity databases in the world. Companies can leverage Aadhaar-based KYC to verify customer identities online with linked digital documents or through biometric-based verification.
Aadhaar-based KYC is reliable and easy to access but requires that customers are registered with the UIDAI.
In-Person Verification (IPV) KYC
In-person KYC — also called paper-based KYC — requires customers to provide physical proof of identity. This form of KYC is familiar to many organizations: customers attend branches or offices in person with identity documents such as driver's licenses, passports, or financial statements, which are then verified by staff.
In-person KYC is familiar and straightforward but less efficient than other options for identity verification since companies are required to store and eventually destroy collected identity data securely.
Digital KYC typically leverages a software-based verification portal that allows individuals to securely submit their documents for review online. In addition, identity verification software tools often include options for photo verification via digital selfies and may also offer connections for watchlist screening and advanced media monitoring.
The Three Fundamentals of a KYC Program
All KYC programs include three core components:
Customer Identification Program (CIP)
A customer identification program helps companies ensure that potential customers are who they say they are. Defined under Section 326 of the Patriot Act, CIPs must include a written program, robust identity verification procedures, recordkeeping, and comparison with government lists such as Financial Action Task Force (FATF) blacklists and politically exposed persons (PEP) lists.
Businesses must also obtain four pieces of identifying information from customers: name, date of birth, address, and identification number.
Customer Due Diligence
Customer due diligence focuses on determining the potential risk posed by a new customer or due to the nature of the transaction being requested — for example, high-volume or high-value transactions to or from areas of the world with high money laundering rates come with greater risk than lower-value transactions closer to home.
Standard CDD procedures include verifying potential customers' location and identity and determining their overall level of risk based on the type and nature of their transaction.
The nature of financial transactions is dynamic — accounts that originally represented low risk may see a sudden increase based on geopolitical unrest or socioeconomic factors. As a result, companies must authenticate users when they conduct new transactions and regularly monitor customer accounts for any unusual activity.
This activity may include changes in overall transaction volumes or destinations, the inclusion of new persons or companies on sanction lists, or the notification of adverse media mentions.
Traditional KYC Procedures and Policies
Traditional KYC policies and procedures focus on collecting customer data and then comparing this information to government watch and sanctions lists. These may include U.S. Department of State sanction lists, Financial Action Task Force (FATF) greylists and blacklists, and state sponsors of terrorism lists.
If overlaps in customer identity and sanction lists are identified, companies may either implement enhanced screening processes or choose not to conduct financial transactions with the specific individual or business. This significantly reduces fraudsters' ability to exploit stolen user information, synthetic IDs, and other methods of identity theft.
Using a Risk-Based Approach to KYC
However, the adoption of digital and online KYC frameworks now makes it possible for companies to adopt a risk-based approach to KYC. Rather than simply comparing watch or sanction list data to collected KYC information, this approach sees companies evaluating the potential risks of creating accounts and completing transactions.
This approach provides more granularity to the KYC process and allows organizations to separate potential clients across three levels of identity due diligence:
- Basic Due Diligence (BDD)
Basic due diligence applies to most customers. Under BDD, companies collect common identity data to verify customers and assess transactions. Common BDD conditions include regular transactions between known accounts or the creation of a new account by a client already registered in your system.
- Simplified Due Diligence (SDD)
Simplified due diligence is possible in situations where regular customers have been verified multiple times with continual success or in cases of low-value or low-velocity transactions between accounts that represent limited overall risks.
- Enhanced Due Diligence (EDD)
Enhanced due diligence frameworks may apply if customers are conducting high-value transactions or sending money to countries with high rates of money laundering. For example, under EDD, you may opt to collect additional customer, business, and transaction information to provide a clearer picture of where money is being sent and for what purpose.
5 Steps to Follow for an Effective KYC Program
While there's no one-size-fits-all framework for KYC, we've identified five steps that can help streamline the process of building an effective KYC program.
- Identify where you need KYC
- Determine your preferred KYC method(s)
- Account for all three KYC components
- Create an effective risk mitigation strategy
- Find an identity verification partner
Identify Where You Need KYC
In the United States, any individual conducting financial transactions must have their identity verified by the institution facilitating the transaction. As a result, KYC is broadly applicable for financial firms, investment brokers, and banks, but depending on the nature of your business, your clientele, and the services you offer, there may be situations where KYC is not required.
In this case, you have a choice to make: Implement KYC for all transactions to streamline the process, or pick and choose your KYC implementation to align with compliance obligations.
Determine Your Preferred KYC Method(s)
Depending on current operations and infrastructure, some KYC methods may suit your business better than others. For example, while in-person KYC comes with familiarity, recent pandemic pressures have made it challenging for many companies to view and verify documents in person. Digital verification tools, meanwhile, offer ways to streamline the process but require robust software to ensure effective data collection and security.
Account For All Three KYC Components
To achieve KYC compliance, CIPs aren't enough. Businesses must also create and deploy processes that deliver CDD and continuous monitoring to ensure they're prepared to respond if risk levels change or suspicious activities occur.
Create an Effective Risk Mitigation Strategy
Risk isn't necessarily a barrier to financial transactions, but evolving risks must be addressed to help companies mitigate their impact. In practice, this means creating an effective risk mitigation strategy that describes specific KYC actions based on assessed risk levels.
Find an Identity Verification Partner
Building an effective and on-demand identity verification solution from the ground up is costly and time-consuming. As a result, companies are often better served by finding and partnering with a provider that helps streamline the identity verification process without compromising company or customer security.
Creating an Effective Know Your Customer Program: Key Takeaways
When it comes to KYC, creating an effective program is critical to reduce complexity and ensure compliance. Identity verification and KYC are essential parts of an effective fraud and AML program.
In practice, this means understanding the role of KYC in keeping both customers and companies safe, along with identifying KYC approaches that align with current operational frameworks. Meanwhile, evaluation of existing processes can help identify areas for improvement, such as the implementation of risk-based procedures. Finally, it's worth adopting a five-step framework to streamline the creation of effective KYC programs at scale. Part of this should be regulatory technology that keeps you on top of all AML regulations.
Ready to learn more? Connect with Unit21 and see how we can help kickstart your KYC compliance. Learn specifically how to integrate sophisticated identity verification while still offering frictionless onboarding that users love.