Join the 7/21 live chat & demo: How to turn KYB & KYC into your competitive advantage

Industry

Global KYC: A KYC breakdown by countries

Learn how KYC regulations differ by country.

Read time:
Share this post
Copied
Table of contents
⚡ Key takeaways
  • If your business operates internationally, it’s critically important to understand the specific laws and regulations governing each jurisdiction you operate within.
  • Each country has the authority to establish the KYC laws and regulations that govern its jurisdiction as it sees fit. As a result, global KYC laws can vary significantly.

Around the world, many countries have implemented laws and regulations requiring certain businesses to meet Know Your Customer (KYC) requirements. Unfortunately, these requirements are not identical — they vary from country to country. Sometimes the differences are minor; other times, the differences can be quite significant. 

If your business operates internationally, it’s critically important to understand the specific laws and regulations governing each jurisdiction you operate within. If you don’t, you won’t be able to build a KYC program (or programs) that meets all requirements. 

Below, we offer a quick primer on what KYC is and why so many businesses have KYC laws on the books. We then walk through the various KYC laws in place around the world, country by country.

What is KYC?

Know Your Customer (KYC) is a term that broadly refers to the policies and regulations that require certain businesses to have a clear picture of who their customer is. It is also commonly known as identity verification and customer due diligence (CDD).

KYC regulations serve many purposes, but they are most commonly used to combat money laundering, the financing of terrorism, and other financial crimes. With this in mind, KYC laws usually apply broadly to businesses that are considered “financial institutions” or which are otherwise deemed to carry a high risk of financial crime. 

While this traditionally includes banks, lenders, insurers, and businesses that handle large transactions such as casinos and auto dealers, this definition has evolved in recent years to include fintech companies, cryptocurrency exchanges, e-gaming platforms, online casinos, and many other types of businesses.

Likewise, businesses that are in no way considered to be financial institutions may be subject to varying degrees of KYC regulation. Online marketplaces that engage in age-restricted commerce, for example, must ensure that only customers of legal age purchase through their platforms.

How does KYC differ globally?

Each country has the authority to establish the KYC laws and regulations that govern its jurisdiction as it sees fit. As a result, global KYC laws can vary significantly. These differences can cause confusion around questions such as:

  • Which businesses must comply with KYC laws
  • The specific documents or information that can be used to verify an individual’s identity
  • How customer information must be stored and secured
  • and more

That said, it should be noted that a number of international organizations have established recommendations meant to guide the development of global KYC and AML laws. For example, the Financial Action Task Force (FATF) has compiled a list of 40 recommendations for member states, and also offers model legislation that can be used as a starting place for new laws. The goal of these organizations is to promote a common standard that can be used to combat financial crime around the world.

KYC regulations by region and country

Asia

China

In China, financial institutions must verify the identity of all customers in accordance with the Anti-Money Laundering Law of 2006 and more recently-passed laws that have built upon it. The law applies to banks, insurance companies, securities firms, and other “deposit-taking institutions.” Businesses in other industries, such as casinos and those dealing in high-value goods, are also required to comply with the regulations.

The law is enforced by the People’s Bank of China (PBOC), alongside other regulatory bodies including:

  • China Banking Regulatory Commission (CRBC)
  • China Securities Regulatory Commission (CSRC)
  • China Insurance Regulatory Commission (CIRC)
  • State Administration for Industry and Commerce (SAIC)

Japan

In Japan, KYC regulations are guided by the Act on the Prevention of Transfer of Criminal Proceeds, which was passed in 2007 and amended in 2011 and 2013. The law specifically requires businesses to verify a customer’s name, address, and date of birth against official documents such as a driver’s license, passport, or alien registration card.

KYC rules in Japan are enforced by the Japan Financial Services Agency (FSA).

India

Indian KYC requirements were established in the Prevention of Money Laundering Act 2002 (PMLA), which went into effect in 2005 and was amended in 2012 and 2013. The law requires financial institutions to verify the identity and current address of all customers. Acceptable documents used in verification include an individual’s:

  • Driver’s license
  • Passport
  • Permanent Account Number (PAN) Card
  • Voter Identity Card

Many online financial institutions in India now verify user identities through the country’s eKYC system, Aadhaar.

The law is enforced by three different regulators: The Reserve Bank of India Financial Intelligence Unit (RBI FIU) for banks, the Insurance Regulatory and Development Authority (IRDA) for insurers, and the Securities and Exchange Board for India (SEBI) for asset management companies.

Singapore

In Singapore, KYC requirements are regulated by the Monetary Authority of Singapore (MAS), which issued a notice titled Prevention of Money Laundering and Countering the Financing of Terrorism in 2007. 

The law requires financial institutions to verify the full name and aliases, identification number, residential address, date of birth, and nationality of all customers. Verification can be completed against documents and other independent data sources such as relevant databases.

Oceanic Pacific

Australia

In 2006, Australia passed the Anti-Money Laundering and Counter-Terrorism Financing Act. It and subsequent laws outline KYC and customer due diligence requirements in the country. Specifically, it requires all organizations subject to KYC reporting regulations to collect and verify customer data before providing any financial or transactional services.

The law is regulated by the Australian Transaction Reports and Analysis Centre (AUSTRAC).

New Zealand

In New Zealand, KYC requirements are guided by the AML/CFT Act, which passed into law in 2013 and applies to financial institutions. (Lawyers, specifically, are subject to an older law known as the Financial Transactions Reporting Act 1996.) Businesses subject to the law must collect and verify a customer’s full name, date of birth, and current address.

KYC is regulated by the Reserve Bank of New Zealand, the Financial Markets Authority, and the Department of Internal Affairs.

Europe

Individual member states of the European Union have the ability to craft their own KYC and AML legislation. That said, the EU has issued a number of “directives” meant to guide this legislation. For example, rules such as 4AMLD, 5AMLD, and 6AMLD require companies to collect, verify, and keep records of customers’ personally identifiable information (PII) in addition to screening customers against PEP and adverse media lists to assess overall risk.

France

In France, the AMF General Regulation, passed in 2009, sets the KYC and AML compliance rules that all French institutions must meet. The law specifies that businesses must collect a government-issued photo ID, as well as documents that can be used to verify the customer’s address, occupation, and income. 

The law is regulated by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), Autorité des Marchés Financiers (AMF), and Autorité de Régulation des Jeux en ligne (ARJEL).

Germany

The German Anti-Money Laundering Act (GwG) was passed in 1993 and updated or amended in 2003, 2008, 2011, 2014, and 2015. It requires businesses to verify a customer’s name, address, place of birth, nationality, and date of birth. 

The law specifies that documentary evidence must be used in verifying a customer’s identity. It lists a national identity card, passport, diplomatic passport, passport replacement papers, residential papers, and birth certificate as acceptable documents. 

KYC in Germany is regulated by the Federal Financial Supervisory Authority (BaFin) and the Federal Ministry of Finance (BMF).

Italy

Italy’s first AML law (Decree No 197) was passed in 1991. It has been regularly updated to reflect new requirements, including EU directives. The law specifies that financial institutions must collect and verify a customer’s name, address, place of birth, date of birth, tax number, and at least one government-issued ID, such as a driver’s license or passport.

KYC in Italy is regulated by the Financial Intelligence Unit of the Bank of Italy, IVASS, and CONSOB. 

Spain

In Spain, KYC requirements are set forth in Law 10/2010. The law dictates that a financial institution must collect and verify a customer’s ID, whether that be a national identity document, passport, or other government-issued ID. Specifically, the document must include the person’s name and photograph.

The law is regulated by the Executive Service of the Commission for Monitoring Exchange Control Offences (SEPBLAC).

Switzerland

Switzerland’s KYC requirements have their roots in a law called the Anti-Money Laundering Ordinance of the Swiss Financial Market Supervisory Authority (AMLO-FINMA), passed in 1977 and regularly amended since then. The law requires that all financial institutions verify a customer’s name, date of birth, address, and nationality. 

When verification is completed remotely, the institution must collect a certified copy of the customer’s official identification document (such as a passport or driver’s license) and confirmation of residential address. 

Swiss KYC is regulated by the Swiss Financial Market Supervisory Authority (FINMA).

United Kingdom

The Money Laundering Regulations of 2007 and subsequent amendments outline KYC requirements in the United Kingdom. The law requires financial institutions to verify a customer’s name, residential address, and date of birth — ideally from a government-issued document that contains the customer’s photo, name, address, and date of birth. A passport, driver’s license, and other forms of ID may be used. 

The law is regulated primarily by the Financial Conduct Authority (FCA), as well as the HM Revenue & Customs (HMRC) and the Gambling Commission. 

North America

Canada

Canada defines its KYC regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), which was passed in 2000 and amended in subsequent years. It requires all financial institutions to verify a customer’s name, date of birth, address, occupation, and intended use of the account. The law specifically cites a birth certificate, driver’s license, passport, permanent resident card, and other documentation as acceptable for verification.

The Financial Transactions Reports Analysis Centre of Canada (FINTRAC) enforces and regulates the KYC requirements established by the law, alongside other governmental agencies.

Mexico

Mexico established the Financial Intelligence Unit (FIU) in 2004 to combat money laundering and other financial crimes. A number of laws establish its KYC requirements — most importantly the Federal Law for the Prevention and Identification of Transactions with Funds from Illicit Sources, which was recently amended in 2019. 

Under the law, financial institutions must collect and verify the following information for all customers:

  • Name
  • Gender
  • Date of birth
  • Country of birth
  • Nationality
  • Employment information
  • Address
  • Telephone number
  • Email address
  • Code of Taxpayer Registration (RFC)
  • Advanced Electronic Signature

United States

In the United States, the primary laws responsible for establishing KYC and AML regulations are the Bank Secrecy Act (BSA) and the USA PATRIOT Act, passed in 1970 and 2001, respectively. At a minimum, the laws require that financial institutions implement a risk-based approach to verify a customer’s name, date of birth, residential address, and identification number (typically a Taxpayer Identification Number such as an SSN or EIN). 

These laws are primarily enforced by the Financial Crimes Enforcement Network (FinCEN), as well as other regulators such as the US Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), US Commodities Futures Trading Commission  (CFTC), and others.

South America

Argentina

Argentina’s anti-money laundering law (Law 25.246) was passed in 2000 and outlines key KYC requirements. The law is primarily regulated by the Unidad de Información Financiera (UIF) and the Banco Central de la Republica Argentina (BCRA).

Under Argentinian law, customers are to be classified as either “permanent” or “not frequent,” and that classification will determine the types of documentation required to verify the identity of the customer. For permanent residents, name and address must be verified. For “not frequent” customers, this expands to include their date of birth, place of birth, and citizenship.

Brazil

In Brazil, KYC requirements are outlined in Law 9,613, enacted in 1998 and amended in 2012. Under the law, financial institutions must verify a customer’s name, nationality, date of birth, place of birth, address, and an official ID document. The Central Bank of Brazil has created an authenticated digital identity portal to streamline account opening.

The law is primarily enforced by the Conselho de Controle de Atividades Financeiras (COAF), alongside other regulators such as the Banco Central do Brasil (BCB).

Chile

Chile’s KYC requirements originate in Law 19.366 and subsequent amendments. It requires financial institutions to collect and verify a customer’s name, National Identification Number (Rol Único Tributario), occupation, address, email, and phone number.

Chile’s Financial Analysis Unit (UAF) is the primary regulator for AML and KYC concerns.

Best practices for international KYC compliance

While specific KYC requirements may vary by jurisdiction, as a general rule of thumb, KYC programs typically include the following three components:

Customer identification program (CIP)

Your business’s customer identification program is exactly that: A program designed to verify the identity of each of your customers. Virtually all KYC laws and regulations around the world will require some form of identity verification, though the specifics of what information must be collected and what forms of verification are acceptable will vary. 

Some forms of identity verification you may choose to implement include:

Customer due diligence (CDD)

Customer due diligence refers to the processes that your business uses to assess customer risk related to money laundering and other financial crimes. In the United States, it’s enforced by FinCEN, which requires businesses to:

  • Verify the identity of all customers
  • Identify and verify all beneficial owners
  • Understand the nature and purpose of your customer relationships and develop customer risk profiles based on that understanding
  • Continuously monitor customer activity to identify and report suspicious activity

In cases deemed to have a greater risk of money laundering, many KYC laws require more stringent due diligence (often called enhanced due diligence). 

Ongoing monitoring 

Finally, most KYC laws require financial institutions to continuously monitor customer activity in order to identify and report suspicious activity. At its most basic level, this includes transaction monitoring, but it can also include screening customers for:

Global KYC and your business

Whether your business operates in multiple countries or just one, getting your KYC program right isn’t a nice-to-have: It’s a necessity. Failure to comply with KYC laws and regulations can result in significant harm to your business and to your customers. 

Here at Persona, we understand that KYC isn’t something that can be copied and pasted from business to business. That’s why we’ve designed our Verifications solution to be highly customizable. Verify your customers the way that makes most sense for your business and the various global KYC requirements that it is subject to. Leverage Dynamic Flow and Workflows to establish KYC requirements on a country-by-country basis. 

Interested in learning more? Start for free or get a demo today.

Disclaimer: It is your responsibility to make a final determination regarding KYC risk and specific country requirements. This post is provided for informational purposes only and is not intended as legal advice. We recommend you consult with an attorney regarding your KYC obligations in your particular jurisdiction.

Frequently asked questions

What are the components of a KYC program?

While KYC requirements vary by jurisdiction, most KYC programs include three main components:

  • Customer Identification Program (CIP): Your customer identification program establishes the processes your business will follow to verify a customer’s identity and ensure they are not lying about who they are. 
  • Customer Due Diligence (CDD): Customer due diligence refers to specific processes used to assess customer risk of money laundering and financial crime.
  • Continuous Monitoring: Financial institutions must continuously monitor the activity of their customers in order to identify and report suspicious activity that may be indicative of financial crime.

How many AML directives have been passed by the European Union since 2016?

The European Union (EU) has passed three AML directives since 2016. These include:

  • The Fourth Money Laundering Directive (4AMLD): Implemented in June 2017, 4AMLD was broadly focused on aligning EU policy with the AML guidelines established by the FATF.
  • The Fifth Money Laundering Directive (5AMLD): Implemented in January 2020, 5AMLD was designed to strengthen and expand upon existing AML regulations. It specifically includes new provisions for cryptocurrencies, prepaid cards, high-value goods, and more. 
  • The Sixth Money Laundering Directive (6AMLD): Implemented in June 2021, 6AMLD primarily focused on clarifying provisions set forth in 5AMLD

What countries have KYC rules on the books?

Many countries have implemented KYC laws and rules. The Internal Revenue Service (IRS) maintains a list of countries with approved Know Your Customer rules here.

Continue reading

Continue reading

How match requirements allow you to fine-tune your IDV processes
Industry

How match requirements allow you to fine-tune your IDV processes

Setting name match requirements is an important part of the identity verification process. Learn more about why it’s important to get them right.

Student identity verification: How educational institutions can improve their IDV
Industry

Student identity verification: How educational institutions can improve their IDV

In an increasingly digitized education space, student identity verification is becoming essential. Learn how it works.

Mobile KYC: How will it transform compliance?
Industry

Mobile KYC: How will it transform compliance?

Improve your verification processes with mobile KYC.

Ready to get started?

Get in touch or start exploring Persona today.