In recent years, increases in fraud and criminal sophistication have led to strengthening regulations. It has never been more important for financial institutions to ensure compliance with these regulations – both to protect themselves and to avoid regulatory penalties.
Know Your Customer (KYC) is the process of verifying a customer. This takes place throughout the customer relationship and is vital to help prevent fraud, money laundering and other financial crime. Fortunately, regulation for KYC is in place in most countries, but what’s the best way to get KYC processes in place? For financial institutions, a three-step approach to this is the best practice.
KYC for financial institutions
As a quick recap – why do you need KYC as a financial institution? Checking and staying aware of customers’ identity and activity is important in many industries – especially for financial institutions.
Criminal activity in this sector can affect not just the financial institution involved but other individuals, customers and the wider economy. Financial institutions are therefore tightly regulated, with strict KYC and AML requirements they must adhere to. There are stiff penalties and likely reputational damage if they do not.
Regulations are in place in many countries to enforce and regulate KYC processes. These were first introduced by the Financial Action Task Force (FATF) in the 1990s, and the most recent implementations began in the US with the Patriot Act in 2001. In total, over 190 countries follow FATF guidance for KYC.
The 3 steps to implement KYC and set up a KYC process
While the exact implementation process is left to the financial institution, a three-step process for KYC is standard and specified in many countries’ regulations. This is often referred to as the three components or pillars of KYC, and involves:
- Customer Identification Program (CIP)
- Customer Due Diligence (CDD)
- Ongoing Monitoring
Customer Identification Program (CIP)
The first step in KYC processes is to establish that the customer is who they claim to be. This requires any customer – both individual and corporate – to have their identity verified.
For all individuals involved (including the identified beneficial owners for corporate customers), identity details must be obtained and verified. Financial institutions have scope to use the documents that are most appropriate for their customers and that can be verified. This will usually include:
- Date of birth
- Government-issued identity number
- Other government-issued identities (such as passport or driving license)
For corporate customers, verification documents also include a business license, articles of incorporation, partnership agreements or financial statements. Financial institutions also need to establish the company’s ownership structure and identify the Ultimate Beneficial Owners (UBOs).
Proper collection and use of this data is also part of CIP requirements. Institutions should be able to verify it – and do so in a timely manner. Procedures for doing so should be well documented and followed by all staff involved.
Customer Due Diligence (CDD)
Customer Due Diligence (CDD) takes verification further and asks whether financial institutions trust the customer. CDD is about establishing a customer’s risk level and to what extent they can be trusted.
There are three levels of CDD. Basic due diligence is carried out for all customers to establish their level of risk. This can involve collecting additional information, establishing the location of the customer, and types or patterns of transactions. For corporate customers, due diligence needs to be carried out for all individuals that are identified as UBOs.
Simplified Due Diligence (SDD). For customers and accounts deemed to be at very low risk, SDD can be used. With this, the full checks of CDD are not needed.
Enhanced Due Diligence (EDD). On the other hand, much more analysis is done under the EDD approach for a customer thought to be at higher risk. This could include obtaining more information from customers, additional checks with agencies or public sources, and further investigation into accounts and transactions.
Regulators specify the need to carry out EDD, but will not detail the exact steps to be taken. Thus, it is up to individual financial institutions to establish the level of risk as appropriate.
CDD is an ongoing process, not just carried out when onboarding a new customer. A customer’s activity and risk profile can change over time, and periodic CDD monitoring should be conducted. Full CDD and EDD records need to be kept for internal or regulatory audit purposes.
Ongoing Monitoring
KYC is not just about checking new customers during onboarding. This is important, of course, and will establish the identity and initial risk level of the customer. Beyond this, financial institutions must have a program in place for ongoing KYC checks and monitoring.
Ongoing monitoring should pick up changes in the customer or activity that warrant a shift in risk profile or further investigation. The level and frequency of monitoring will depend on the customer’s perceived risk and the institution’s strategy.
Monitoring should look at factors including:
- Customer transaction types, frequency and amounts
- Changes in customer or transaction locations
- Inclusion on Politically Exposed Persons (PEP) or sanction lists
- Adverse media coverage
As with CIP and CDD, financial institutions should have well-established processes in place to handle ongoing monitoring. This should include the raising of concerns relating to suspicious activity as appropriate.
Connect with a KYC service provider
The KYC regulations, and the standard three-step approach, provide a good grounding for KYC. However, full implementation involves many more detailed requirements and technical steps. A KYC service provider can help establish best practices and technology for this. They will also ensure that you stay up to date with changing regulations and meet the latest requirements in different countries.
As a global leader in the identity verification industry, IDnow has developed solutions for KYC and AML. These offer a full range of features and meet the regulations in a growing list of countries.
Specifically, AutoIdent offers fully compliant automated onboarding using video, biometrics and identity verification. Regulations differ between countries regarding whether verification should have manual involvement or be fully automated. However, AutoIdent allows both and is fully compliant in several jurisdictions, including the UK, Europe, and the UAE.
KYC and AML are not just about meeting requirements, though. Financial institutions want to ensure that solutions provide a reliable and positive user experience. Customers want to see that banks take security seriously and carry out appropriate checks, but they do not want to be held back or inconvenienced by this.
Onboarding and KYC provide the first experience with a financial institution and its brand – which should leave a good impression. Thankfully, IDnow solutions are designed with this in mind.
Senior Content & SEO Manager at IDnow
Connect with Jonathan on LinkedIn