In today’s digital world, it’s more important than ever to know who your customers really are. And not just so you can figure out the best way to interact with them, but also because verifying who’s behind the screen can protect both your business and customers — and depending on your industry, it may be required.
KYC and AML are regulations that require businesses to verify their customers’ identities. Here’s what you need to know.
What is Know Your Customer (KYC)?
KYC stands for Know Your Customer, but it’s also known as customer due diligence, know your client, or simply identity verification.
At its heart, KYC involves verifying current or prospective customers’ identities so you understand who you’re interacting with. You can think of it as doing a mini background check before doing business with a customer. Note: a customer can be an individual or a business, though KYC for businesses is often called corporate KYC or Know Your Business (KYB).
Why should I care about KYC?
Having a KYC program isn’t just important if you want to avoid fines (though that is one of the reasons we’ll cover below). As mentioned earlier, KYC can benefit your business and customers alike:
It can protect your customers and help you build trust.
While identity verification can add some friction to your onboarding process, customers may appreciate that you’re taking steps to secure their account, vet your marketplace, protect them from account takeovers and other types of identity theft, and more.
It can help reduce fraud and financial crimes.
While KYC processes won’t eliminate fraud completely, knowing who your customers are can help you weed out bad actors and ultimately limit crimes that can spawn from fraud, such as money laundering and terrorism funding.
It’s often required.
In some industries, you need a KYC program to meet compliance requirements. If you don’t comply with KYC/AML laws, you could be fined or even imprisoned. In fact, companies were fined almost $1 billion for non-compliance in the first half of 2021 alone.
Who needs to comply with KYC regulations?
In the US, the Financial Crimes Enforcement Network (FinCEN) specifically requires financial institutions to follow KYC requirements. Regulations can vary from country to country, but regulated entities often include:
- Banks (including nontraditional/neobanks)
- Credit unions
- Payment companies
- Insurance agencies
- Regulated industries, such as gambling facilities
- Cryptocurrency exchanges
- Digital wallet providers
- Asset management firms
- Real estate agencies
- Trust formation services
- Dealers of high-value goods
While not all industries are obligated to carry out KYC operations, any business can adopt these processes to improve its overall security. In fact, most businesses that deal directly with consumers do implement some sort of identity verification program, as it protects both the business and its customers. And as the world becomes increasingly digital, more and more industries will likely be required to follow KYC regulations in the future.
What does a KYC verification program look like?
The short answer: it depends.
As mentioned above, KYC regulations can vary by geography. For example, companies in Europe have to follow GDPR, 6AMLD, and eIDAS while companies in the US need to follow the Bank Secrecy Act (BSA) and the USA Patriot Act — not to mention additional local regulations, such as the California Consumer Privacy Act (CCPA).
Programs also vary because regulations tend to be deliberately non-prescriptive, which discourages companies from implementing only the minimum processes needed to stay compliant.
In general, though, KYC usually involves three main risk-based approaches to counteracting identity theft, money laundering, and financial fraud:
Customer identification program (CIP)
A customer identification program, or CIP, is exactly what it sounds like — a program for verifying identities and ensuring a customer is who they say they are.
How you actually go about obtaining and verifying personal information, though, can vary. At a minimum, you usually need to collect and verify four pieces of identifying information: the individual’s name, date of birth, address, and identification number. You can also add layers of verification for individuals or situations you deem higher risk: requesting a selfie, running PII through authoritative databases, or assessing other signals such as IP address, for example.
However, there aren’t hard rules. This means you’re relatively free to customize your program based on your use cases, risk tolerance, customers, and other factors. For example, you can tailor:
- How you do KYC, e.g. in-person or remote (also known as eKYC, which is often faster and more convenient, as 99% of the population already has an electronic identity) and what information you collect to verify identities. For example, do you want customers to submit driver’s licenses, passports, SSN cards, or utility bills? Do you want to add a biometric selfie to ensure the same person is submitting the government ID? Do you want to layer additional signals on top of the submitted information, such as watchlists and sanctions checks or email risk reports?
- When you do KYC, e.g. how often you want to run sanctions and adverse media lists and what actions merit KYC (creating an account, withdrawing money, changing account details, etc).
Customer due diligence (CDD)
Customer due diligence (CDD) involves assessing customer risk. It’s enforced by FinCEN and requires financial institutions to meet four requirements:
- Identify and verify customer identities
- Identify and verify identities of beneficial owners (anyone who owns 25% or more) of companies that want to open an account
- Understand customer relationships and develop risk profiles
- Continuously monitor customers and transactions
Depending on the risk level each customer and situation presents, you can employ different levels of CDD:
- Simplified due diligence is for situations where there’s a low risk of fraud, money laundering, or terrorism — for example, if someone wants to withdraw $50.
- Basic due diligence is for baseline customers and situations and involves collecting and verifying basic information to decrease risk.
- Enhanced due diligence is when you collect additional information for higher-risk individuals (such as high-net-worth individuals or anyone who’s a politically exposed person) and situations. For example, you may want to verify the source of their funds, continually monitor their transactions, and investigate their line of work and relationship with other known individuals.
Having different levels of due diligence is helpful because it means you don’t have to automatically turn away risky customers. Instead, you can use progressive risk segmentation to modify the user’s experience based on signals you receive during the verification process. If your system deems a user higher risk, you can simply add checks.
Continuous monitoring
Continuous monitoring is exactly what it sounds like — monitoring individuals and their transactions over time and reporting anything suspicious by submitting a Suspicious Activity Report (SAR) to FinCEN and other relevant law enforcement agencies.
Some red flags you may want to watch out for include:
- Unexplainable activity spikes
- Activity in areas known for money laundering and other financial crimes
- New inclusions on PEP, sanctions, and/or adverse media lists
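The tiering logic described under CDD (simplified, basic and enhanced due diligence chosen per customer and action) and the three red flags listed above can be expressed as a small decision engine. The following is an added example written for this article, not Persona's code or any regulator's rule set: the thresholds, the placeholder jurisdiction codes, the check names and the customer records are constructed for illustration, while the four CIP fields, the 25% beneficial-owner rule and the red flags follow the text.

```python
"""Risk-tiered due diligence and continuous-monitoring checks.

Added example, not Persona's code: thresholds, jurisdiction codes and
customer records are constructed. The four CIP fields, the 25% beneficial-
owner rule, the SDD/CDD/EDD tiers and the three red flags follow the article.
"""
from dataclasses import dataclass, field
from statistics import mean

LOW_VALUE_LIMIT = 100.0                  # constructed: a withdrawal below this may get SDD
SPIKE_MULTIPLIER = 3.0                   # constructed: recent volume > 3x baseline is a spike
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # placeholder country codes, constructed


@dataclass
class Customer:
    customer_id: str
    name: str
    date_of_birth: str
    address: str
    id_number: str
    country: str
    is_pep: bool = False
    on_sanctions_list: bool = False
    adverse_media: bool = False
    beneficial_owners: dict[str, float] = field(default_factory=dict)  # owner -> share (0..1)


def cip_complete(c: Customer) -> bool:
    """CIP minimum: name, date of birth, address and identification number all present."""
    return all(bool(v) for v in (c.name, c.date_of_birth, c.address, c.id_number))


def reportable_beneficial_owners(c: Customer) -> list[str]:
    """Beneficial owners at or above 25% must themselves be identified and verified."""
    return sorted(owner for owner, share in c.beneficial_owners.items() if share >= 0.25)


def due_diligence_tier(c: Customer, action: str, amount: float = 0.0) -> str:
    """Progressive risk segmentation: pick SDD, CDD or EDD for one customer and action.

    A confirmed sanctions hit is not a tier: the action is held for manual review.
    """
    if c.on_sanctions_list:
        return "HOLD"
    if c.is_pep or c.adverse_media or c.country in HIGH_RISK_JURISDICTIONS:
        return "EDD"
    if action == "withdraw" and amount < LOW_VALUE_LIMIT:
        return "SDD"
    return "CDD"


def required_checks(tier: str) -> list[str]:
    """Checks layered on top of the CIP baseline as the tier rises (constructed mapping)."""
    checks = {
        "SDD": [],
        "CDD": ["government_id", "database_check"],
        "EDD": ["government_id", "database_check", "selfie",
                "source_of_funds", "transaction_monitoring"],
        "HOLD": ["manual_review"],
    }
    return checks[tier]


def monitor(c: Customer, baseline: list[float], recent: list[float],
            recent_countries: list[str], previous_lists: set[str],
            current_lists: set[str]) -> list[str]:
    """Continuous monitoring: return the red flags raised by one review window.

    baseline/recent are per-period transaction volumes; previous_lists/current_lists
    are the screening lists the customer appeared on at the last and current run.
    """
    flags = []
    if baseline and recent and mean(recent) > SPIKE_MULTIPLIER * mean(baseline):
        flags.append("activity_spike")
    risky = sorted(set(recent_countries) & HIGH_RISK_JURISDICTIONS)
    if risky:
        flags.append("high_risk_jurisdiction:" + ",".join(risky))
    for new_list in sorted(current_lists - previous_lists):
        flags.append("new_list_inclusion:" + new_list)
    return flags


def review_decision(flags: list[str]) -> str:
    """Any flag escalates to an analyst, who decides whether a SAR is filed."""
    return "escalate_for_sar_review" if flags else "no_action"


# Constructed sample records
ALICE = Customer("c1", "Alice Example", "1990-01-01", "1 Main St", "ID-0001", "US")
ACME = Customer("c2", "Acme Corp", "2001-05-05", "2 High St", "ID-0002", "US",
                beneficial_owners={"Bob": 0.40, "Carol": 0.25, "Dan": 0.10})
PEP = Customer("c3", "Pat Official", "1970-02-02", "3 Hill Rd", "ID-0003", "US", is_pep=True)

if __name__ == "__main__":
    print(due_diligence_tier(ALICE, "withdraw", 50.0), required_checks("SDD"))
    print(due_diligence_tier(PEP, "withdraw", 50.0), required_checks("EDD"))
    print(reportable_beneficial_owners(ACME))
    flags = monitor(ALICE, [100.0, 120.0, 110.0], [900.0, 1000.0],
                    ["US", "XX"], set(), {"adverse_media"})
    print(flags, review_decision(flags))
```

The point of the tier function is that risk signals raise the required checks rather than rejecting the customer outright, and a sanctions hit is treated separately from the tiers because it needs a human decision. The monitor function diffs list membership between runs, which is the check that catches a customer added to a PEP, sanctions or adverse media list after onboarding.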
What is Anti-Money Laundering (AML)?
AML stands for Anti-Money Laundering. AML regulations are frameworks created by governments and international regulatory bodies that are designed to prevent both money laundering by criminal organizations and the funding of terrorism.
While the specifics are up to you, AML programs are built on five main pillars:
- Designate a compliance officer
- Develop an internal policy
- Train employees
- Test and audit your program
- Implement risk-based procedures for conducting ongoing customer due diligence
To comply with AML regulations (particularly the fifth pillar), it’s important to continuously run watchlist and sanctions reports on an individual to ensure they’re not associated with any lists of people that you should not be serving — and that they aren’t added to a list after they’ve already onboarded with your platform.
What’s the difference between KYC and AML?
KYC and AML are closely related, and you’ll often see them grouped together, as both involve verifying customers’ identities. To put it simply, AML includes but isn’t limited to KYC.
In other words, KYC falls under the umbrella of AML regulations. They’re often grouped together because verifying and continuously monitoring individuals as part of your KYC process can help filter out individuals linked with money laundering and terrorism.
Why is it important to abide by KYC and AML regulations?
It’s important to abide by KYC and AML regulations to protect your business and customers. These regulations are meant to ensure that the individuals and businesses you’re working with are actually who they say they are. As a result, it can also protect your end-user from being a victim of identity fraud.
Additionally, not abiding by these regulations can result in major fines from the government for compliance violations and can tarnish your business reputation.
How can Persona help with your KYC/AML compliance?
Since KYC and AML can add friction to your user experience — no one wants to hand over PII — it’s important to ensure your process is as streamlined and secure as possible. With Persona, most identity verification decisions take just 5 seconds, so users can get verified quickly and be on their way. You can also customize everything from the theme to the copy so every flow is native to your brand, and reach users in more than 200 countries and territories in over 20 different languages.
Perhaps more importantly, Persona can also help your business meet constantly evolving KYC/AML compliance standards and regulation changes, as we’ve done for companies such as Coursera, BlockFi, and Square.
Our full suite of tools gives you everything you need to build a custom eKYC program and tailor your identity experience for each use case and customer. For example, you can put customers through a more rigorous process if they want to withdraw money versus just open an account, and you can allow individuals who don’t have an SSN to verify their identity another way or add extra verification steps if the individual’s PII was leaked in a data breach.
Choose from one of the industry’s widest ranges of verification components — from government IDs and selfies to database and document verification — to verify users upon signup, and continuously monitor them throughout the customer lifecycle with recurring reports, such as watchlists, adverse media, email and phone risk, and more.