Fraud attacks have increased by 46% since the pandemic, according to a study by TransUnion, as people are using and relying on digital services more than ever before. This includes things like online banking, shopping, and entertainment. To help keep your business and customers safe, you’ll want a robust Know Your Customer (KYC) verification process in place.
A potential fraud attack isn’t the only reason to adopt KYC verification in your business. Financial institutions were fined almost $5 billion in 2022 for failing to create adequate KYC systems.
In addition to these hefty fines, when organizations do not meet KYC standards, regulatory bodies also impose remediation plans, which can be pretty costly. For example, Coinbase has to pay $50 million to improve its KYC verification processes in a settlement reached with New York's Department of Financial Services.
In this article, we’ll go through each stage of the KYC process and what you should do to stay compliant with KYC regulations.
What Is a KYC Verification Process?
A Know Your Customer verification process is a way that companies can protect against potential risks like fraud, money laundering, identity theft, bribery, terrorist financing, and corruption by identifying and understanding exactly who their customer is through information gathering.
“Customers” can be both businesses and individuals, and sometimes KYC can also be called Know Your Business (KYB) or corporate KYC. In the U.S., the Financial Crimes Enforcement Network (FinCEN) is in charge of KYC and anti-money laundering (AML) regulations to promote the idea of transparency and knowing who you are getting into business with.
Typically, KYC regulations are in place for financial institutions or those working within the investing and banking sector, like broker-dealers. For instance, the Financial Industry Regulatory Authority governs broker-dealers and says that businesses should make reasonable efforts to identify and know their customer when opening and maintaining client accounts.
Similarly, the Financial Crimes Enforcement Network (FinCEN) requires financial institutions to comply with the Customer Due Diligence (CDD) final rule. This outlines how U.S. banks should do CDD to verify and identify their customers, especially those setting up a new bank account. These standards are in place to protect against illegal activity and financial crimes.
That said, other companies (not just financial institutions) also incorporate KYC checks into their onboarding processes, like asking for proof of identity and proof of address, to make sure that customers are who they say they are.
Overall, it’s good practice to do KYC checks because verifying customer identity is crucial to understanding whether they are genuine customers wanting to benefit from your services or whether they are using your business to participate in criminal activities.
So the KYC process should include checking and verifying your customer’s identity, assessing customer risk, monitoring transactions, and performing customer due diligence and enhanced due diligence checks. Let’s go into more detail about how to do KYC verification.
3 Steps to KYC Verification
There are three key steps to really knowing your customer. We’ll talk you through these now.
1. Customer Identification Program (CIP)
The Customer Identification Program (CIP) is a KYC compliance process for new customers. The CIP final rule is a KYC regulation set out by the government for financial services companies. It lays out general KYC requirements for verifying a customer’s identity.
The CIP final rule says that financial services companies must get certain information from customers before account opening, including their full name, date of birth, address, and identification number — like a passport ID number, a taxpayer ID number, or an Alien Registration Number. Valid KYC documents would include legal identity documents such as a driver’s license, passport, utility bill, or mortgage statements that show proof of address.
Section 326 of the USA PATRIOT Act says that financial institutions have to have a written CIP outlining how they will identify customer information. To be compliant, they must make a record of all the CIP checks they do and maintain these records.
Customer information can be verified through physical document checks and electronically through digital identity processes where the customer gives their ID information and takes pictures of their documents. Sometimes the customer may be asked to take a selfie to show that they match their formal ID documentation through biometric authentication means. Through AI, the ID can be analyzed for authentication.
Another method for digital identity checking could be video verification where the customer and a compliance team member have a face-to-face video meeting online.
Generally, digital document verification methods can streamline the KYC process and enhance the customer experience, as they are often quicker and more efficient than manually checking physical documents or having to wait for an appointment.
2. Customer Due Diligence (CDD)
Once you have identified your customer, CDD is all about going that one step further and deciding how risky (or not) your customer is. You can do this by understanding your relationship with them and creating customer risk profiles based on your risk categories. Risk categories could include things like geographical location, occupation, or the type of business relationship they will have with you.
CDD is delving into who your customer really is by doing your own research and assessments based on the documentation and information they provide. To do this, you can:
- Look at databases, such as government websites and watchlists.
- Use platforms such as Certa, which alerts you to risk factors that you need to be aware of in real time.
- Conduct research through news articles online.
- Subscribe to crime and compliance case updates that notify you of investigations and case outcomes for financial crimes.
You should ask questions about your customers such as:
- Where do they live, and what is their nationality? You can check if they are from high-risk jurisdictions by checking the FATF-monitored watchlist.
- Are they connected to political people or those in high-powered positions? Are they politically exposed persons (PEPs) themselves? PEPs may bring greater risk to you, as they often have the power to use their connections and their position. For example, they could use their high position within a business to access accounts to launder money.
- What type of business do they work in? Some high-risk sectors can include gambling, real estate, cryptocurrency, or cannabis, as they are notorious for having a large turnover of cash and being used for money laundering.
- Do they have a criminal history? Those with previous convictions for fraud or white-collar crimes are likely to have criminal connections and potentially be at risk of re-committing such crimes.
- Who is the customer company’s ultimate beneficial owner (UBO)? Understanding who controls your customer is actually a regulatory requirement for many businesses. OFAC checks are important to verify that your customers are not linked to high-risk companies or individuals, such as sanctioned entities. Such links can put you at risk of non-compliance, as you are not allowed by law to do business with companies or individuals that are on the OFAC sanctions list.
3. Enhanced Due Diligence (EDD)
How your CDD process goes will determine whether you need to do enhanced due diligence checks. These are in-depth investigations that are needed when you are dealing with high-risk customers like those from high-risk countries or sectors.
For instance, if you have a PEP on your hands, you will need to do EDD to check that they aren’t a direct risk to you if you do business with them. This may involve asking for further information or doing ongoing monitoring to keep updated on any new potential risks that come up throughout the business relationship.
Financial institutions must submit Suspicious Activity Reports (SARs) within 30 days of sensing unusual behavior that may amount to financial crime. So keeping an eye on customer transactions is a key part of enhanced due diligence processes for finance companies. Reports must be filed for transactions of more than $10,000 because such large quantities could be suspicious and suggest that someone is laundering money or evading taxes.
One of the key reasons for doing EDD is that many industries are required to adhere to money laundering regulations, which can be better identified through enhanced checks. In the U.S., the Financial Action Task Force (FATF) centralizes efforts to combat money laundering around the world.
The reason why money laundering is heavily regulated is that laundered money is often used to fund organized crime like drug importation or child sexual exploitation, human trafficking, and terrorism financing.
The Financial Times reported that global fines for failing to prevent money laundering increased by more than 50% last year. MT Global received one of the biggest U.K. fines for money laundering breaches (£23.8 million) for failing to complete adequate risk assessments and not having correct customer due diligence measures.