KYC stands for ‘know your customer’, or ‘know your client’. Businesses employ KYC checks to establish their customers’ identities and assess and monitor any associated risks on an ongoing basis.
Put simply, businesses need to perform KYC compliance to ensure a customer really is who they say they are. With more and more interactions taking place in a digital scenario, verifying the identities of your online customers is crucial. Confidence in your customers’ identities provides a solid basis on which to conduct further due diligence and customer risk assessments.
Who needs to do KYC?
KYC is a mandatory legal requirement for some organizations, mainly those in the financial industry. However, these requirements do vary depending from country to country. The goal of KYC checks within financial services is to limit money laundering, terrorist financing, corruption and other illegal activities.
For example, The United States outlines requirements for ‘know your customer’ in the Patriot Act by outlining two concepts: Customer Identification Programs (CIP), and Customer Due Diligence (CDD).
While other industries might not have to do KYC by law, there are other reasons they might consider it. Regulations are tightening around the world, and as more interactions move online, knowing your customer is becoming increasingly important. The range of businesses that need and want to carry out KYC checks is widening — particularly in burgeoning financial services spaces such as cryptocurrency.
Why is KYC important?
1. Meeting compliance requirements
Know Your Customer (KYC) procedures are crucial for preventing financial crime and money laundering. For financial institutions, it’s a legal requirement to verify the identity of their customers in compliance with laws and regulations. This includes Anti-Money Laundering (AML) laws.
KYC requirements differ by geography, so it’s important to check local regulations. In Europe, the two most relevant pieces of legislation for KYC are the GDPR and the AML5 directive (or 5AMLD). Businesses will also want to familiarize themselves with eIDAS regulation.
But individual countries can also impose their own additional requirements. In Germany, institutions must implement video KYC processes as part of their customer identity verification. Spain requires enhanced liveness detection, France a secondary identity document, and Italy seven additional risk checks.
In the US, the Financial Crimes Enforcement Network (FinCEN) is the main AML regulator. The Bank Secrecy Act (BSA) is the most important anti-money laundering law. The USA Patriot Act targets financial crimes associated with terrorism. The US is also a member of the Financial Action Task Force (FATF).
Failure to comply with KYC/AML laws and regulations can have serious consequences. The most serious violations can result in fines and imprisonment. Lax anti-money laundering and KYC compliance are some of the most common issues that result in fines. One example includes Westpac Bank (Australia) who were fined $900 million for AML breaches.
2. Building trust
Not all industries are legally required to perform KYC checks. For some, it’s about building a trusted business relationship. More of our interactions are taking place online, KYC practices are especially relevant. They’re usually the first step in a customer relationship with a company.In fact, a secure identity verification check increases trust in a business. 80% of users trust businesses overall when they use document and biometric checks as part of this process.
And this trust doesn’t just apply to business-customer relationships. It also applies in peer-to-peer environments, such as marketplaces or sharing communities. Customers want to know that peers they’re buying from, or drivers they’re sharing a car with, have been vetted.
Failing to meet customer expectations when it comes to trust can have detrimental consequences. From a reputational standpoint to losing your customers to competitors.
3. Preventing fraud
It’s obvious that fraud has a financial impact. In fact, it costs the global economy $5 trillion a year. And our own research shows that fraud is increasing, in both quantity and quality of attacks. In our Identity Fraud Report we saw attempted fraud in financial services surge 23% in 2022.
But traditional approaches to preventing fraud are no longer enough. Due to large-scale data breaches, huge amounts of personal customer data are now available to buy on the dark web.
This is where a robust identity verification approach as part of KYC comes in. It’s no longer enough to simply rely on database checks alone for verification. Better KYC practices can help defend against bad actors who exploit weak methods of verification.
What do KYC processes include?
KYC processes usually involve three key components.
- A customer identification program (CIP)
- Customer due diligence (CDD)
- Continuous or ongoing monitoring
Customer identification programs (CIP) collect information (such as name, date of birth and address) during the onboarding process or account creation. As part of this, organizations need to verify the identity of customers within a reasonable timeframe.
This verification process can include identity document (ID) verification, face-to-face or in-person verification, address verification (eg. utility bills), biometric verification, or any combination of these.
KYC policies are decided based on the risk-based assessment strategy. Type of account, services offered, and customers’ geographic location among other things are usually considered.
Customer due diligence (CDD) is a key component in establishing trust between your business and your customer. Depending on the risks involved in the relationship, there are different levels of customer due diligence.
Simplified due diligence applies where the risk of fraud or other illegal activities is considered low. Basic CDD is the standard approach. And enhanced due diligence comes into play in higher-risk situations.
Learn more about the differences between CDD and EDD in this article: What’s the difference between CDD and EDD?
Some examples of CDD steps include:
- Gaining an overview of a customer’s business activities
- Determining the potential risks associated with the customer, for example politically exposed persons (PEPs) and sanctions screening
- Periodic assessments to determine if the existing risk category is still applicable
Continuous or ongoing monitoring applies when an initial check is not enough to establish long-term trust, and to check whether a customer's situation changes. Situations that might call for ongoing monitoring include: unusual account activity (eg. spikes), upticks in fraud or illegal undertakings, and the inclusion of the customer on sanction lists. The level of monitoring generally depends on the risk-based assessment and strategy.
How do you comply with KYC?
The specifics of KYC compliance will vary depending on your institution and location. If we take financial services as an example, someone who wants to open a bank account may be required to provide a collection of KYC documents that prove their identity and their address. These documents may include a form of government-issued identification, such as a driver’s license, passport, or residence permit. Different institutions may ask for different documents depending on their requirements, and certain customers may be required to provide more information depending on their assessed risk level. Additionally, institutions in different countries may require different forms of verification.
Verifying your customer identities as part of KYC solutions
As part of Customer Identification Programs (CIP) businesses need to take measures to verify the identity of their customers. In other words, have reasonable assurance that their customers are who they say they are.
This identity verification step usually happens at account opening, or within a reasonable time of the account creation. It can be done both remotely and in-person. When done digitally or as part of online KYC checks, it’s referred to as eKYC (electronic Know Your Customer).
A secure digital identity verification usually involves a mixture, or all, of the following:
- Document/ID verification: checking that an ID is valid and genuine
- Biometric verification: comparing a facial biometrics with a photo ID document, to confirm the person is submitting their rightfully owned document
- ID record validation: validating customer data against trusted databases
- Watchlist screening and ongoing monitoring: checking customer provided data against relevant sanctions, PEPs, and adverse media databases
Our compliance manager’s guide to identity verification summarizes the global regulatory landscape, best practices for building customer identity programs, and what to look for when choosing an identity partner.
This approach to identity verification allows businesses to anchor customers’ digital identities to their real selves. It helps businesses offer a smooth customer onboarding experience that complies with KYC regulations and reduces the risk of fraud. The information captured at this stage can then be used to conduct further due diligence, risk assessments and ongoing monitoring.
As a result of the global pandemic in 2020, many companies have had to shift to a digital KYC approach. But adopting digital identity verification as part of an eKYC solution offers several benefits in its own right.
Speed and customer experience
In a Thomson Reuters survey, 30% of respondents stated it takes them over two months to onboard a new client. 10% indicate it takes over four months. This isn’t the best first impression to leave with your customer.
Some customers will even abandon the process (up to 43%), which in turn hurts revenue growth. A more efficient eKYC and identity verification solution can turn this around. And it’s not only quicker: a mobile or internet-first approach makes life easier for your customers. Our customer KOHO reduced their time to verify a new user by 98%, and increased onboarding conversion by 15%.
Accuracy and automation
Mistakes, such as those made by human error, can slow down the process and add extra costs. By automating many of these processes, you can avoid errors and have more time to fix any mistakes.
Part of KYC checks will usually involve assessing an identity document to ensure it’s genuine. In an online environment, this becomes extremely challenging. Identity documents are complex — and there are hundreds of thousands in circulation, from different countries. To determine the validity of a large range of document types, you can’t rely on humans alone.
Digital systems do have costs. But their faster speeds and improved accuracy are better value for money. And in the long term or as your company grows, they’ll prove much more scalable.
Your compliance and legal teams are valuable resources. Removing some of the manual, day-to-day tasks they might usually have to complete will help drive their efficiency. They’ll have more time to dedicate to high-priority or time-consuming matters. In their Total Economic Impact Report™ of Onfido, Forrester found that Onfido reduced time manually reviewing verifications by 30%, contributing to an overall ROI of 261%.
The Real Identity Platform features a comprehensive suite of verification solutions and fraud detection signals. Take our interactive tour to explore the platform, and walk through how to build KYC workflows in our drag-and-drop orchestration solution, Onfido Studio.