Around the world, many countries have implemented laws and regulations requiring certain businesses to meet Know Your Customer (KYC) requirements. Unfortunately, these requirements are not identical — they vary from country to country. Sometimes the differences are minor; other times, the differences can be quite significant.
If your business operates internationally, it’s critically important to understand the specific laws and regulations governing each jurisdiction you operate within. If you don’t, you won’t be able to build a KYC program (or programs) that meets all requirements.
Below, we offer a quick primer on what KYC is and why so many countries have KYC laws on the books. We then walk through the various KYC laws in place around the world, country by country.
What is KYC?
Know Your Customer (KYC) is a term that broadly refers to the policies and regulations that require certain businesses to have a clear picture of who their customer is. It is also commonly known as identity verification and customer due diligence (CDD).
KYC regulations serve many purposes, but they are most commonly used to combat money laundering, the financing of terrorism, and other financial crimes. With this in mind, KYC laws usually apply broadly to businesses that are considered “financial institutions” or which are otherwise deemed to carry a high risk of financial crime.
While this traditionally includes banks, lenders, insurers, and businesses that handle large transactions such as casinos and auto dealers, this definition has evolved in recent years to include fintech companies, cryptocurrency exchanges, e-gaming platforms, online casinos, and many other types of businesses.
Likewise, businesses that are in no way considered to be financial institutions may be subject to varying degrees of KYC regulation. Online marketplaces that engage in age-restricted commerce, for example, must ensure that only customers of legal age purchase through their platforms.
How does KYC differ globally?
Each country has the authority to establish the KYC laws and regulations that govern its jurisdiction as it sees fit. As a result, global KYC laws can vary significantly. These differences can cause confusion around questions such as:
- Which businesses must comply with KYC laws
- The specific documents or information that can be used to verify an individual’s identity
- How customer information must be stored and secured
- and more
That said, it should be noted that a number of international organizations have established recommendations meant to guide the development of global KYC and AML laws. For example, the Financial Action Task Force (FATF) has compiled a list of 40 recommendations for member states, and also offers model legislation that can be used as a starting place for new laws. The goal of these organizations is to promote a common standard that can be used to combat financial crime around the world.
KYC regulations by region and country
In China, financial institutions must verify the identity of all customers in accordance with the Anti-Money Laundering Law of 2006 and more recently passed laws that have built upon it. The law applies to banks, insurance companies, securities firms, and other “deposit-taking institutions.” Businesses in other industries, such as casinos and those dealing in high-value goods, are also required to comply with the regulations.
The law is enforced by the People’s Bank of China (PBOC), alongside other regulatory bodies including:
- China Banking Regulatory Commission (CBRC)
- China Securities Regulatory Commission (CSRC)
- China Insurance Regulatory Commission (CIRC)
- State Administration for Industry and Commerce (SAIC)
In Japan, KYC regulations are guided by the Act on the Prevention of Transfer of Criminal Proceeds, which was passed in 2007 and amended in 2011 and 2013. The law specifically requires businesses to verify a customer’s name, address, and date of birth against official documents such as a driver’s license, passport, or alien registration card.
KYC rules in Japan are enforced by the Japan Financial Services Agency (FSA).
Indian KYC requirements were established in the Prevention of Money Laundering Act 2002 (PMLA), which went into effect in 2005 and was amended in 2012 and 2013. The law requires financial institutions to verify the identity and current address of all customers. Acceptable documents used in verification include an individual’s:
- Driver’s license
- Permanent Account Number (PAN) Card
- Voter Identity Card
Many online financial institutions in India now verify user identities through the country’s eKYC system, Aadhaar.
The law is enforced by three different regulators: the Reserve Bank of India Financial Intelligence Unit (RBI FIU) for banks, the Insurance Regulatory and Development Authority (IRDA) for insurers, and the Securities and Exchange Board of India (SEBI) for asset management companies.
In Singapore, KYC requirements are regulated by the Monetary Authority of Singapore (MAS), which issued a notice titled Prevention of Money Laundering and Countering the Financing of Terrorism in 2007.
The law requires financial institutions to verify the full name and aliases, identification number, residential address, date of birth, and nationality of all customers. Verification can be completed against documents and other independent data sources such as relevant databases.
In 2006, Australia passed the Anti-Money Laundering and Counter-Terrorism Financing Act. It and subsequent laws outline KYC and customer due diligence requirements in the country. Specifically, it requires all organizations subject to KYC reporting regulations to collect and verify customer data before providing any financial or transactional services.
The law is regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC).
In New Zealand, KYC requirements are guided by the AML/CFT Act, which passed into law in 2013 and applies to financial institutions. (Lawyers, specifically, are subject to an older law known as the Financial Transactions Reporting Act 1996.) Businesses subject to the law must collect and verify a customer’s full name, date of birth, and current address.
KYC is regulated by the Reserve Bank of New Zealand, the Financial Markets Authority, and the Department of Internal Affairs.
Individual member states of the European Union have the ability to craft their own KYC and AML legislation. That said, the EU has issued a number of “directives” meant to guide this legislation. For example, rules such as 4AMLD, 5AMLD, and 6AMLD require companies to collect, verify, and keep records of customers’ personally identifiable information (PII) in addition to screening customers against PEP and adverse media lists to assess overall risk.
In France, the AMF General Regulation, passed in 2009, sets the KYC and AML compliance rules that all French institutions must meet. The law specifies that businesses must collect a government-issued photo ID, as well as documents that can be used to verify the customer’s address, occupation, and income.
The law is regulated by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), Autorité des Marchés Financiers (AMF), and Autorité de Régulation des Jeux en ligne (ARJEL).
The German Anti-Money Laundering Act (GwG) was passed in 1993 and updated or amended in 2003, 2008, 2011, 2014, and 2015. It requires businesses to verify a customer’s name, address, place of birth, nationality, and date of birth.
The law specifies that documentary evidence must be used in verifying a customer’s identity. It lists a national identity card, passport, diplomatic passport, passport replacement papers, residential papers, and birth certificate as acceptable documents.
KYC in Germany is regulated by the Federal Financial Supervisory Authority (BaFin) and the Federal Ministry of Finance (BMF).
Italy’s first AML law (Decree No 197) was passed in 1991. It has been regularly updated to reflect new requirements, including EU directives. The law specifies that financial institutions must collect and verify a customer’s name, address, place of birth, date of birth, tax number, and at least one government-issued ID, such as a driver’s license or passport.
KYC in Italy is regulated by the Financial Intelligence Unit of the Bank of Italy, IVASS, and CONSOB.
In Spain, KYC requirements are set forth in Law 10/2010. The law dictates that a financial institution must collect and verify a customer’s ID, whether that be a national identity document, passport, or other government-issued ID. Specifically, the document must include the person’s name and photograph.
The law is regulated by the Executive Service of the Commission for Monitoring Exchange Control Offences (SEPBLAC).
Switzerland’s KYC requirements have their roots in a law called the Anti-Money Laundering Ordinance of the Swiss Financial Market Supervisory Authority (AMLO-FINMA), passed in 1977 and regularly amended since then. The law requires that all financial institutions verify a customer’s name, date of birth, address, and nationality.
When verification is completed remotely, the institution must collect a certified copy of the customer’s official identification document (such as a passport or driver’s license) and confirmation of residential address.
Swiss KYC is regulated by the Swiss Financial Market Supervisory Authority (FINMA).
The Money Laundering Regulations of 2007 and subsequent amendments outline KYC requirements in the United Kingdom. The law requires financial institutions to verify a customer’s name, residential address, and date of birth — ideally from a government-issued document that contains the customer’s photo, name, address, and date of birth. A passport, driver’s license, and other forms of ID may be used.
The law is regulated primarily by the Financial Conduct Authority (FCA), as well as HM Revenue & Customs (HMRC) and the Gambling Commission.
Canada defines its KYC regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), which was passed in 2000 and amended in subsequent years. It requires all financial institutions to verify a customer’s name, date of birth, address, occupation, and intended use of the account. The law specifically cites a birth certificate, driver’s license, passport, permanent resident card, and other documentation as acceptable for verification.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) enforces and regulates the KYC requirements established by the law, alongside other governmental agencies.
Mexico established the Financial Intelligence Unit (FIU) in 2004 to combat money laundering and other financial crimes. A number of laws establish its KYC requirements — most importantly the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources, which was recently amended in 2019.
Under the law, financial institutions must collect and verify the following information for all customers:
- Date of birth
- Country of birth
- Employment information
- Telephone number
- Email address
- Code of Taxpayer Registration (RFC)
- Advanced Electronic Signature
In the United States, the primary laws responsible for establishing KYC and AML regulations are the Bank Secrecy Act (BSA) and the USA PATRIOT Act, passed in 1970 and 2001, respectively. At a minimum, the laws require that financial institutions implement a risk-based approach to verify a customer’s name, date of birth, residential address, and identification number (typically a Taxpayer Identification Number such as an SSN or EIN).
These laws are primarily enforced by the Financial Crimes Enforcement Network (FinCEN), as well as other regulators such as the US Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), US Commodity Futures Trading Commission (CFTC), and others.
Argentina’s anti-money laundering law (Law 25.246) was passed in 2000 and outlines key KYC requirements. The law is primarily regulated by the Unidad de Información Financiera (UIF) and the Banco Central de la Republica Argentina (BCRA).
Under Argentinian law, customers are to be classified as either “permanent” or “not frequent,” and that classification will determine the types of documentation required to verify the identity of the customer. For “permanent” customers, name and address must be verified. For “not frequent” customers, this expands to include their date of birth, place of birth, and citizenship.
In Brazil, KYC requirements are outlined in Law 9,613, enacted in 1998 and amended in 2012. Under the law, financial institutions must verify a customer’s name, nationality, date of birth, place of birth, address, and an official ID document. The Central Bank of Brazil has created an authenticated digital identity portal to streamline account opening.
The law is primarily enforced by the Conselho de Controle de Atividades Financeiras (COAF), alongside other regulators such as the Banco Central do Brasil (BCB).
Chile’s KYC requirements originate in Law 19.366 and subsequent amendments. It requires financial institutions to collect and verify a customer’s name, National Identification Number (Rol Único Tributario), occupation, address, email, and phone number.
Chile’s Financial Analysis Unit (UAF) is the primary regulator for AML and KYC concerns.
Best practices for international KYC compliance
While specific KYC requirements may vary by jurisdiction, as a general rule of thumb, KYC programs typically include the following three components:
Customer identification program (CIP)
Your business’s customer identification program is exactly that: A program designed to verify the identity of each of your customers. Virtually all KYC laws and regulations around the world will require some form of identity verification, though the specifics of what information must be collected and what forms of verification are acceptable will vary.
Some forms of identity verification you may choose to implement include:
- Government ID verification
- Document verification
- Database verification
- Selfie verification
Customer due diligence (CDD)
Customer due diligence refers to the processes that your business uses to assess customer risk related to money laundering and other financial crimes. In the United States, it’s enforced by FinCEN, which requires businesses to:
- Verify the identity of all customers
- Identify and verify all beneficial owners
- Understand the nature and purpose of your customer relationships and develop customer risk profiles based on that understanding
- Continuously monitor customer activity to identify and report suspicious activity
In cases deemed to have a greater risk of money laundering, many KYC laws require more stringent due diligence (often called enhanced due diligence).
Finally, most KYC laws require financial institutions to continuously monitor customer activity in order to identify and report suspicious activity. At its most basic level, this includes transaction monitoring, but it can also include screening customers for:
Global KYC and your business
Whether your business operates in multiple countries or just one, getting your KYC program right isn’t a nice-to-have: It’s a necessity. Failure to comply with KYC laws and regulations can result in significant harm to your business and to your customers.
Here at Persona, we understand that KYC isn’t something that can be copied and pasted from business to business. That’s why we’ve designed our Verifications solution to be highly customizable. Verify your customers the way that makes most sense for your business and the various global KYC requirements that it is subject to. Leverage Dynamic Flow and Workflows to establish KYC requirements on a country-by-country basis.
Disclaimer: It is your responsibility to make a final determination regarding KYC risk and specific country requirements. We recommend you consult with an attorney regarding your KYC obligations in your particular jurisdiction.