KYC (know your customer)

While the primary purpose of KYC may vary from one industry to another, the KYC process generally consists of distinct steps designed to verify customer identity. Identity verification platforms help businesses verify customer identities and assess fraud risks. This is especially important (and a legal requirement) for financial institutions, which are highly regulated.

The KYC process builds trust between businesses and their customers, ultimately benefiting both. By implementing robust identity verification processes at onboarding and developing an understanding of ongoing customer behavior such as transaction patterns, businesses can spot suspicious activities and prevent criminal activity such as money-laundering.

Know your customer checks are conducted when a business wants to establish a business relationship with an individual person. Know your business checks are conducted when they want to establish a business relationship with another company. KYB checks typically involve identifying the ultimate beneficial ownership (UBO) in order to ascertain who might be benefiting from the financial activity of the business. They also often include identifying if a business is subject to PEPs and sanctions checks, or has been linked through adverse media to illicit activity.

Yes, KYC is a legal requirement in many industries. The financial services industry is highly regulated with regulations applicable to starting new customer relationships as well as managing and monitoring customer accounts on an ongoing basis. Only through diligent and consistent KYC processes can these organizations counteract illegal activities like money laundering, corruption, and more.

United Kingdom

In the United Kingdom (UK), AML regulations are outlined in the terrorism act (2000), Proceeds of Crime Act (2002), and money laundering, terrorist financing, and transfer of funds regulations (2017). Additional regulations and guidance are related to biometrics regulation, cryptocurrency, and evolving AML rules.

European Union

Companies operating in the European Union (EU) must abide by regulations set forth in the Fifth and Sixth Anti-Money Laundering Directives (also known as 5AMLD, 6AMLD). Additional EU regulations concern AI best practices and AML reforms that have been developed to include specific guidance related to various use cases like gambling services and stringent remote identity verification procedures.

United States

As it relates to know your customer regulation, the Patriot Act of the United States was designed to “deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes.” While Section 326 of the USA Patriot Act doesn’t represent the origin of KYC regulations and compliance across the United States, it certainly signifies an important development. The know your customer rule in the USA Patriot Act requires that financial institutions enact safeguards against money laundering, terrorist financing, identity theft and other forms of fraud. 

Ultimately, whether companies are operating in the UK, EU, US, or elsewhere, KYC requirements effectively serve to:

• Strengthen domestic measures for preventing, detecting, and prosecuting international money laundering and financing of terrorism.
• Subject foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse to special scrutiny.
• Require all appropriate elements of the financial services industry to report potential money laundering.
• Strengthen measures to prevent the use of financial systems for personal gain by corrupt foreign officials (and facilitate repatriation of stolen assets to the citizens of countries to whom such assets belong).

You can learn much more about how Onfido empowers organizations to satisfy global compliance requirements in our global compliance manager’s guide or EU compliance manager’s guide.

In addition to compliance, the benefits of knowing your customer also include:

• Fraud and money laundering prevention: Robust KYC processes contribute to strong confidence regarding customer identity, helping to protect against exposure to threats like identity theft, as well as various types of financial crime — all of which can be costly to remedy once it’s occurred. 
• Cost savings: Comprehensive, properly-implemented KYC/AML processes help organizations avoid fines and other penalties that could have financially severe consequences. When these processes can be automated and digitized, they’re even more cost-efficient.
• Increased customer trust: Many customers are savvy to the various threats the modern world presents, including the risk of identity theft or other forms of fraud. When organizations implement dependable solutions that mitigate those risks, customers will know they can trust working with them.

As mentioned above, one key objective of KYC adherence is detecting and preventing suspicious activity, including money laundering. Anti-money laundering (AML) practices refer to specific procedures that financial institutions leverage to prevent criminal activities, such as any attempts to deposit or transfer funds generated through illicit or illegal activities. When you consider the prevalence of financial fraud, the importance of AML in KYC is difficult to overstate. 

Like KYC compliance, international and local anti-money laundering regulations are required for certain business types. Ongoing monitoring and risk management is crucial, since people can be sanctioned (or subject to restrictions by authorities) after they have already started a banking relationship. KYC and AML work hand-in-hand to set a framework for organizations to maintain legal compliance, protect customers’ identities and personal data, and prevent fraud. By adding identity verification at sign-up, companies can ensure customers are who they say they are from the start of their relationship, laying a strong foundation for future due diligence and ongoing monitoring.

There are two primary ways to conduct KYC: a manual (paper-based) process or an online (digital) process — sometimes known as electronic know your customer (eKYC).

As you might expect, KYC started as a physical process but has since shifted to be mostly digital. Why the shift? It has a lot to do with the many challenges of manual or offline KYC, which include:

• Manual data entry including information checks, error identification and correcting, and following up with clients or customers to collect additional information. These processes, when done manually, are exceptionally time-consuming and prone to human error.
• High costs including salary wages as well as the potential for hefty regulatory fines.
• A poor customer/client experience, driven by time-consuming processes that had to be completed in person.
• Keeping up with industry regulations, which are constantly evolving and being updated in the face of sophisticated new threats around identity theft and financial fraud.
• Security threats, including data breaches that can substantially erode client trust and result in hefty financial penalties for banks and other businesses.

The four most important elements of a well-rounded and effective KYC/eKYC framework are:

1. Client/customer acceptance policies
2. Customer identification processes
3. Customer due diligence and enhanced due diligence
4. Ongoing monitoring/risk management

1. Client/customer acceptance policies

Financial institutions and other organizations should outline client acceptance policies that determine the types of customer or client profiles that present different levels of risk. 

For example, an individual looking to open a modest, basic checking or savings account may not pose too great a risk to the institution, so KYC requirements are likely to be less intensive than those for wealthy clients (or those with complex needs). A bank wouldn’t necessarily need to apply extremely rigorous or lengthy review processes for these accounts — and doing so might drive clients away in frustration. KYC automation — which we’ll cover a little later — expedites these processes without sacrificing accuracy. By contrast, though, if another client has a particularly high net worth or their source of their funds is unclear, the financial institution would be wise to take a deeper look at the client’s financial picture in order to understand the potential risks and how they may be mitigated.

2. Customer identification programs

Who are your customers? True to its name, customer identification involves a series of steps designed to ensure that all customers or clients who do business with a financial institution are who they say they are (and that their business is legitimate). 

In the United States, financial institutions are required to uphold a Customer Identification Program (CIP), a mandate enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the United States Department of the Treasury.

FinCEN’s CIP rule sets minimum requirements for onboarding new clients or customers. While these will vary somewhat depending on factors like the organization’s size and geographic location, it should always include identifying and verifying persons opening an account, organized and timely recordkeeping, and comparison with government lists to spot any discrepancies.

3. Customer due diligence

Customer due diligence (CDD) refers to a series of checks that work to verify customers’ identities and understand their unique risk profiles. It becomes the basis for any additional enhanced due diligence (EDD) that is necessary based on the customer’s risk profile.

4. Ongoing monitoring and risk management

In the context of KYC, ongoing monitoring helps ensure that a company’s understanding of its customer or user base remains consistent and accurate over time. Ongoing monitoring is designed to detect any reasons why a banking institution might be prohibited from doing business with certain customers — due to newly-applied sanctions, for example.

It also helps to protect company assets, provide a positive customer experience, and remain in regulatory compliance. To put it in simple terms, ongoing monitoring involves regularly revisiting steps one through three, as described above. This way, companies can assess whether their client/customer acceptance policies, CIPs, or due diligence procedures need to be adjusted or updated.

When paired with ongoing monitoring, KYC/AML risk management helps ensure compliance with local governments and regulators.

Yes, many KYC/AML processes can — and should — be automated. When done right, automation streamlines and speeds up onboarding and helps ensure ongoing monitoring and compliance. 

Onfido’s Real Identity Platform (powered by Atlas™ AI) provides flexible, end-to-end identity verification — including document and biometric verifications, trusted data validation, fraud detection and more.

KYC regulations depend on industry and geography and are always changing — learn about the latest in our EU KYC requirements guide and global compliance manager’s guide to KYC.