With recent increases in fraud and other types of digital crime, regulations are stronger than ever. As such, it has never been more important for financial institutions to ensure compliance with regulatory requirements – to protect themselves and their consumers, and avoid regulatory penalties.
Know Your Customer (KYC) is the process of verifying a customer. This takes place throughout the customer relationship and is vital to help prevent fraud, money laundering and other financial crime. Fortunately, regulation for KYC is in place in most countries, but what’s the best way to get KYC processes in place? Financial institutions often follow a three-step approach.
KYC for financial institutions.
As a quick recap – why do you need KYC as a financial institution? Simply put: being aware of customers’ identities and what they are doing is important in many industries – especially for financial institutions.
Criminal activity in this sector can affect not just the financial institution, but other customers, the general public and even the wider economy. Learn more in our ‘How KYC technology helps Germany comply with AML regulations’ blog. Financial institutions are therefore tightly regulated, with strict KYC and AML requirements they must adhere to. There are stiff penalties and likely reputational damage if they do not.
Regulations are in place in many countries to enforce and regulate KYC processes. These were first introduced by the Financial Action Task Force (FATF) in the 1990s, and the most recent implementations began in the US with the Patriot Act in 2001. In total, over 190 countries follow FATF guidance for KYC.
The 3 components of a KYC process.
While the exact implementation process is left to the financial institution, a three-step process for KYC is standard and specified in many countries’ regulations. This is often referred to as the three components or pillars of KYC, and involves:
- Customer Identification Program (CIP)
- Customer Due Diligence (CDD)
- Ongoing Monitoring
Customer Identification Program (CIP)
The first step in KYC processes is to establish that the customer is who they claim to be. This requires any customer – both individual and corporate – to have their identity verified.
For all individuals involved (including the identified beneficial owners for corporate customers), identity details must be obtained and verified. Documents usually include those that contain the following:
- Date of birth
- Government-issued identity number
- Other government-issued identities (such as passport or driving license)
For corporate customers, verification documents may also include a business license, articles of incorporation, partnership agreements or financial statements. Financial institutions also need to establish the company’s ownership structure and identify the Ultimate Beneficial Owners (UBOs).
Proper collection and use of this data is also part of CIP requirements. Institutions should be able to verify it – and do so in a timely manner. Procedures for doing so should be well documented and followed by all staff involved.
Customer Due Diligence (CDD)
Customer Due Diligence (CDD) takes verification further and asks whether the financial institution can trust the customer. CDD is about establishing a customer’s risk level and to what extent they can be trusted.
There are three levels of CDD. Basic due diligence is carried out for all customers to establish their level of risk. This can involve collecting additional information, establishing the location of the customer, and types or patterns of transactions. For corporate customers, due diligence needs to be carried out for all individuals that are identified as UBOs.
Simplified Due Diligence (SDD). For customers and accounts deemed to be at very low risk, SDD can be used. With this, the full checks of CDD are not needed.
Enhanced Due Diligence (EDD). On the other hand, much more analysis is done under the EDD approach for a customer thought to be at higher risk. This could include obtaining more information from customers, additional checks with agencies or public sources, or further investigation into accounts and transactions.
Regulators specify the need to carry out EDD, but will not detail the exact steps to be taken. Thus, it is up to individual financial institutions to establish the appropriate level of risk.
CDD is an ongoing process, not just carried out when onboarding a new customer. A customer’s activity and risk profile can change over time, and periodic CDD monitoring should be conducted. Full CDD and EDD records need to be kept for internal or regulatory audit purposes.
Ongoing Monitoring
KYC is not just about checking new customers during onboarding. This is important, of course, and will establish the identity and initial risk level of the customer, but financial institutions must also have a program in place for ongoing KYC checks and monitoring.
Ongoing monitoring will identify changes in customer activity that may warrant an adjustment in risk profile or further investigation. The level and frequency of monitoring will depend on the customer’s perceived risk and the institution’s strategy.
Monitoring should look at factors including:
- Customer transaction types, frequency and amounts
- Changes in customer or transaction locations
- Inclusion on Politically Exposed Persons (PEP) or sanction lists
- Adverse media coverage
As with the previous two KYC components, CIP and CDD, financial institutions should have well-established processes in place to handle ongoing monitoring. This should include the raising of concerns relating to suspicious activity.
Connect with a KYC service provider.
KYC regulations, alongside the standard three-step approach, provide a good foundation for a KYC process. However, there are many more detailed KYC requirements and technical steps needed for full implementation. A KYC service provider can help establish best practices and the right technology for this. They will also ensure you stay up to date with changing regulations and meet the latest regulations in different countries.
As a global leader in the identity verification industry, IDnow has developed solutions for KYC and AML. These offer a full range of features and meet the regulations in a growing list of countries.
Specifically, AutoIdent offers fully compliant automated onboarding using video, biometrics and identity verification. Regulations differ between countries regarding whether verification should have manual involvement or be fully automated. However, AutoIdent allows both and is fully compliant in several jurisdictions, including the UK, Europe, and the UAE.
KYC and AML are not just about meeting requirements, though. Financial institutions want to ensure that solutions provide a reliable and positive user experience. Customers want to see that banks take security seriously and carry out appropriate checks, but they do not want to be held back or inconvenienced by this.
Onboarding and KYC provide the first customer experience with a financial institution – so you should make sure you leave a good impression. Thankfully, IDnow solutions are designed with this in mind.
Senior Content & SEO Manager at IDnow
Connect with Jonathan on LinkedIn