KYC: 3 Steps to Know Your Customer
Know Your Customer (KYC) procedures are a critical function to assess and monitor customer risk; they are also a legal requirement to comply with Anti-Money Laundering (AML) laws.
Do you know your customer? At any rate, you ought to. If you’re a financial institution (FI), you could face possible fines, sanctions, and reputational damage, if you do business with a money launderer or terrorist. More importantly, KYC is a fundamental practice to protect your organization from fraud and losses resulting from illegal funds and transactions.
“KYC” refers to the steps taken by a financial institution (or business) to:
- Establish customer identity
- Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
- Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities
To create and run an effective KYC program requires the following elements:
1) Customer Identification Program (CIP)
How do you know someone is who they say they are? After all, identity theft is widespread, affecting over 16.7 million US consumers and accounting for 16.8 billion dollars stolen in 2017. For obliged entities, such as financial institutions, it’s more than a financial risk — it’s the law.
In the US, the CIP mandates that any individual conducting financial transactions needs to have their identity verified. Provisioned in the Patriot Act, the CIP is designed
to limit money laundering, terrorism funding, corruption and other illegal activities. Other jurisdictions have similar provisions; over 190 jurisdictions around the world have committed to recommendations from the Financial Action Task Force (FATF), a pan-government organization designed to fight money laundering. These recommendations include identity verification procedures.
The desired outcome is that obliged entities accurately identify their customers.
A critical element to a successful CIP is a risk assessment, both at the institutional level and at the level of procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level.
The minimum requirements to open an individual financial account are clearly delimited in the CIP:
- Date of birth
- Identification number
While gathering this information during account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both.
These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives, and for the benefit of regulators.
The exact policies depend on the risk-based approach of the institution and may consider factors such as:
- The types of accounts offered by the bank
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations
2) Customer Due Diligence
For any financial institution, one of the first analysis made is to determine if you can trust a potential client. You need to make sure a potential customer is trustworthy; customer due diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and Politically Exposed Persons (PEPs) who might present a risk.
There are three levels of due diligence:
- Simplified Due Diligence (“SDD”) are situations where the risk for money laundering or terrorist funding is low and a full CDD is not necessary. For example, low value accounts or accounts.
- Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and asses the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. In the end, while some EDD factors are specifically enshrined in a country’s legislations, it’s up to a financial institution to determine their risk and take measures to ensure that their customers are not bad actors.
Some practical steps to include in your customer due diligence program include:
- Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your customer.
- When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are, before storing this information and any additional documentation digitally.
- Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required, include, but are not limited to, the following:
- Location of the person
- Occupation of the person
- Type of transactions
- Expected pattern of activity in terms of transaction types, dollar value and frequency
- Expected method of payment
- Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit.
3) Ongoing Monitoring
It’s not enough to just check your customer once, you need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Depending on the customer and your risk mitigation strategy, some other factors to monitor may include:
- Spikes in activities
- Out of area or unusual cross-border activities
- Inclusion of people on sanction lists
- Adverse media mentions
There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual.
Periodical reviews of the account and the associated risk are also considered best practices:
- Is the account record up-to-date?
- Do the type and amount of transactions match the stated purpose of the account?
- Is the risk-level appropriate for the type and amount of transactions?
In general, the level of transaction monitoring relies on a risk-based assessment.
Just as individual accounts require identification, due diligence and monitoring, corporate accounts require KYC procedures as well. While the process bears similarity to KYC for individual customers, its requirements are different; additionally, transaction volumes, transaction amounts, and other risk factors, are usually more pronounced so the procedures are more involved. These procedures are often referred to as Know Your Business (KYB).
While each jurisdiction has its own KYB requirements, here are four general steps to implement an effective program:
Retrieve Company Vitals
Identify and verify an accurate company record such as information regarding register number, company name, address, status, and key management personnel. While the specific information that you gather depends on the jurisdiction and your fraud prevention standards, you’ll need to systematically gather the information and input it into your workflows.
Analyze Ownership Structure and Percentages
Determine the entities or natural-persons who have an ownership stake, either through direct ownership or through another party.
Identify Ultimate Beneficial Owners (UBOs)
Calculate the total ownership stake, or management control, of any natural-person and determine if it crosses the threshold for UBO reporting.
Perform AML/KYC Checks on Individuals
For all individuals that are determined to be a UBO, perform AML/KYC checks.
It’s one issue to ensure KYC compliance, it’s an all-together far greater issue to deliver compliance in a manner that is cost-effective, scalable and doesn’t unduly burden the customer. A Thompson Reuters survey reveals escalating costs and complexities bogging financial institutions (FIs) down. Eighty-nine percent of corporate customers have not had a good KYC experience — so much so that 13 percent have actually switched to another FI as a result.
Besides the poor customer experience, the actual cost of running a comprehensive KYC compliance program continues to rise. Amongst the 800 FIs in the survey, the average was $60 million annually while some firms were spending up to $500 million. In the UK, a Consult Hyperion report estimates KYC compliance costs cost banks £47 million a year, while each check runs £10 to £100.
Compliance professionals will have no option but to bear the weight of these new requirements and expectations going forward; having said that, it’s essential to know that these regulatory strictures serve a vital function: Battling fraud, eliminating money laundering, terrorist financing, bribery, corruption, market abuse, and other financial misconduct. While the fight is complex and often costly, the value is vital, both in protecting consumers and the whole financial system from being manipulated by bad actors.
Electronic KYC (eKYC)
All workflows, where possible, should take advantage of digital processes. There might be situations, such as outdated legislations or hard-to-change legacy requirements, where digital techniques can’t be used for KYC. However, these are the exception and are on their way out; full digital KYC is the future and companies that fight it, will find themselves on the losing side.
There are numerous reasons why eKYC will prevail:
The Thompson Reuters survey indicates that 30% of respondents stated it takes over two months to on-board a new client, while 10% indicate it takes over four months. This is damaging client relationships, has a negative impact on the brand, and is hurting revenue growth as some customers abandon the process. Faster eKYC processes improve all these factors.
Mistakes slow down the process and add to cost; eKYC can automatically check for errors and more quickly fix any mistakes.
While eKYC systems do have costs, their faster speeds, improved accuracy and better utilization of compliance resources provide better bang for the buck and improve scalability.
As regulations constantly change, compliance systems need to correspondingly change. eKYC workflows can change almost on the fly; in many cases, simply update a ruleset and you’re done.
eKYC, for the most part, is about using APIs to easily add functionality. With new APIs being added all the time, new capabilities are a simple integration away.
Digital data is seamlessly transferable in its native form to analytics, auditing, tracking and reporting systems creating opportunities for optimization and strategic analysis.
Not only is eKYC a quicker process, it is easier from the get-go for the customer. The entire process is often mobile or internet-only thus delivering a smooth, convenient experience.
Your compliance and legal teams are highly paid, intelligent and valuable resources. eKYC enables a better work environment resulting in a more engaged work force.
New technological developments continue to drive KYC solutions forward. From biometric data to AI, technology is offering better ways to identify customers, run due diligence checks and perform ongoing monitoring.
The combination of mobile data with traditional data sources can take KYC to the next level, adding an extra layer of authentication to help deliver a convenient, immediate and effortless customer experience, along with the necessary compliance and fraud-mitigation measures.
Connecting with real customers and foiling fraudsters in the mobile world is a challenge. While you have an array of verification methods and data available to you, accessing mobile data and leveraging it to ensure that specific criteria are met by legitimate customers adds an extra layer of protection. Simply put, it’s another tool to help reduce fraud risk, improve KYC standards, and just as important, secure an effortless experience for your mobile-minded customers.
Take the necessary steps to ensure that your organization meets compliance obligations. The traditional onboarding process for new clients is a time-consuming, labor-intensive, manual process that can lead to frustrating delays.
Find out how electronic identity verification enables financial institutions to comply with tough industry regulations without burdening customers.