In today’s digital world, it’s more important than ever to know who your customers really are. Not just so you can figure out the best way to interact with them, but also because verifying who’s behind the screen can protect both your business and your customers — and depending on your industry, it may be required.
KYC and AML are regulations that require businesses to verify their customers’ identities. Here’s what you need to know.
What is Know Your Customer (KYC)?
KYC stands for Know Your Customer, but it’s also known as customer due diligence, know your client, or simply identity verification.
At its heart, KYC involves verifying current or prospective customers’ identities so you understand who you’re interacting with. You can think of it as doing a mini background check before doing business with a customer. Note: a customer can be an individual or a business, though KYC for businesses is often called corporate KYC or Know Your Business (KYB).
Why should I care about KYC?
Having a KYC program isn’t just important if you want to avoid fines (though that is one of the reasons we’ll cover below). As mentioned earlier, KYC can benefit your business and customers alike:
It can protect your customers and help you build trust.
While identity verification can add some friction to your onboarding process, customers may appreciate that you’re taking steps to secure their account, vet your marketplace, protect them from account takeovers and other types of identity theft, and more.
It can help reduce fraud and financial crimes.
While KYC processes won’t eliminate fraud completely, knowing who your customers are can help you weed out bad actors and ultimately limit crimes that can spawn from fraud, such as money laundering and terrorism funding.
It’s often required.
In some industries, you need a KYC program to meet compliance requirements. If you don’t comply with KYC/AML laws, you could be fined or even imprisoned. In fact, companies were fined almost $1 billion for non-compliance in the first half of 2021 alone.
Who needs to comply with KYC regulations?
In the US, the Financial Crimes Enforcement Network (FinCEN) specifically requires financial institutions to follow KYC requirements. Regulations can vary from country to country, but regulated entities often include:
KYC for banking
In the banking sector, KYC is all about risk management — by knowing more about their customers, banks can reduce the risk of fraudulent transactions, reduce the likelihood of their system being used to commit crimes such as money laundering, and reduce the potential for non-compliance with FinCEN and FINRA rules.
KYC obligations also extend beyond traditional retail banks to include fintech and “neobanks” that operate primarily or entirely online. Regardless of how they operate, banks must ensure that they implement KYC processes that effectively capture, confirm, and verify customer data before allowing any high-value transactions to proceed.
KYC for credit unions
KYC for credit unions is similar to that of banks, with the caveat that many credit unions still operate brick-and-mortar locations to better serve clients’ needs. As a result, credit unions may find themselves in the unique position of having in-person clients who nonetheless want to conduct some transactions digitally.
As a result, credit unions need KYC solutions capable of bridging the digital/physical divide and ensuring that no matter how clients choose to conduct their transactions, their identity is confirmed and their account details are secure.
KYC for payment companies
Payment companies facilitate the exchange of funds between two (or more) parties online. As a result, they need strong KYC processes to ensure the parties on each side of the transaction are who they say they are.
Payment companies need robust KYC solutions capable of capturing and verifying customer data in real time to both reduce total risk and bolster confidence — if customers are confident that their personal data is being handled securely and verified effectively, they’re more likely to continue doing business with the payment company.
KYC for insurance agencies
Insurance agencies collect a variety of data from customers, including personal, medical, and financial information to determine policy limits, deductibles, and premiums. As a result, insurance providers must have strong KYC processes capable of ensuring that customers are who they say they are.
As an example, imagine an insurance agency issues a policy to an individual masquerading as someone else or based on false information provided. Given the robust regulatory oversight in the insurance industry, this could lead to significant fines for failing to meet compliance standards.
KYC for regulated industries, such as gambling facilities
Gambling facilities — both online and in-person — process massive amounts of money every day. From money taken in as players spend to payouts made on big wins, the constant flow of cash shows why gambling companies need to know exactly who they’re dealing with and what type of risk they represent.
For example, gambling establishments might ask for financial data along with personal information to make sure players can cover their debts if the numbers don’t go their way.
KYC for cryptocurrency exchanges
While cryptocurrency exchanges used to be relatively unregulated, they are now required to implement Know Your Customer programs that both reduce the risk of fraud and deter potential money laundering.
Given the anonymous nature of many crypto platforms, KYC may focus more on verifying trusted ID addresses, evaluating watchlists, and ensuring that customers provide complete documentation regarding their source of funds.
KYC for digital wallet providers
As mobile-based payments become more commonplace, the number of digital wallet providers is rapidly increasing — and each provider must ensure they employ robust KYC to reduce the risk of fraudulent transactions.
Without effective KYC, fraudsters might be able to use someone else’s payment data and connect key financial sources, such as debit accounts or credit cards, to their digital wallet — and the digital wallet provider could be held responsible for the ramifications. Effective evaluation of customer data up-front reduces this risk.
KYC for asset management firms
Asset management firms often handle massive sums of money for their clients.
Here, KYC is critical to ensure that new clients looking to open an account and make substantial investments are thoroughly vetted before any transactions take place. In particular, it’s important for asset management firms to ensure potential customers aren’t listed on international watchlists or politically exposed person (PEP) lists.
KYC for real estate agencies
Real estate agencies often deal with high-value transactions ranging from hundreds of thousands to millions of dollars for a single purchase. As a result, comprehensive KYC should be a key component of the sales and purchasing process.
If agencies can ensure that potential clients are who they say they are, they can proceed with confidence when it comes to putting in offers or closing sales deals. Lacking this information, meanwhile, puts agencies at risk of non-compliance and the potential loss of licensure.
KYC for trust formation services
Trust formation services help individuals or families establish trusts, which facilitate the transfer of assets and reduce their potential tax burden.
Given the large monetary volumes often involved in trust management, there’s a growing need for robust digital KYC solutions that allow trust formation staff to quickly and easily verify the information of both trust owners and their eventual beneficiaries.
KYC for dealers of high-value goods
The advent of digital storefronts and worldwide shipping has made it possible for dealers of high-value goods to make the move online. In many cases, these goods are rare or irreplaceable, meaning they generate substantial interest from legitimate buyers and bad actors alike.
Effective KYC processes are therefore critical to verify parties on both sides of a high-value transaction and ensure regulatory compliance.
Note: While not all industries are obligated to carry out KYC operations, any business can adopt these processes to improve its overall security. In fact, most businesses that deal directly with consumers do implement some sort of identity verification program, as it protects both the business and its customers. And as the world becomes increasingly digital, more and more industries will likely be required to follow KYC regulations in the future.
What are the 3 main components of a KYC program?
KYC verification programs don’t look the same at every business.
As mentioned above, KYC regulations can vary by geography. For example, companies in Europe have to follow 6AMLD and eIDAS while companies in the US need to follow the Bank Secrecy Act (BSA) and the USA PATRIOT Act — not to mention additional local regulations, such as the California Consumer Privacy Act (CCPA).
Programs also vary because regulations tend to be vague to prevent companies from only implementing the minimum processes needed to stay compliant.
In general, though, KYC usually involves three main risk-based approaches to counteracting identity theft, money laundering, and financial fraud:
Customer identification program (CIP)
A customer identification program, or CIP, is exactly what it sounds like — a program for verifying identities and ensuring a customer is who they say they are.
How you actually go about obtaining and verifying personal information, though, can vary. At a minimum, you usually need to collect and verify four pieces of identifying information: the individual’s name, date of birth, address, and identification number. However, you can also add additional layers of verification — by requesting a selfie, running PII through authoritative databases, and assessing other signals, such as IP address, for example — if you deem an individual or situation to be higher risk.
However, there aren’t hard rules. This means you’re relatively free to customize your program based on your use cases, risk tolerance, customers, and other factors. For example, you can tailor:
- How you do KYC, e.g. in-person or remote (also known as eKYC, which is often faster and more convenient, as 99% of the population already has an electronic identity) and what information you collect to verify identities. For example, do you want customers to submit driver’s licenses, passports, SSN cards, or utility bills? Do you want to add a biometric selfie to ensure the same person is submitting the government ID? Do you want to layer additional signals on top of the submitted information, such as watchlists and sanctions checks or email risk reports?
- When you do KYC, e.g. how often you want to run sanctions and adverse media lists and what actions merit KYC (creating an account, withdrawing money, changing account details, etc).
Customer due diligence (CDD)
Customer due diligence builds on the CIP by requiring you to:
- Identify and verify customer identities
- Identify and verify identities of beneficial owners (anyone who owns 25% or more) of companies that want to open an account
- Understand customer relationships and develop risk profiles
- Continuously monitor customers and transactions
Depending on the risk level each customer and situation presents, you can employ different levels of CDD:
- Simplified due diligence is for situations where there’s a low risk of fraud, money laundering, or terrorism — for example, if someone wants to withdraw $50.
- Basic due diligence is for baseline customers and situations and involves collecting and verifying basic information to decrease risk.
- Enhanced due diligence is when you collect additional information for higher-risk individuals (such as high-net-worth individuals or anyone who’s a politically exposed person) and situations. For example, you may want to verify the source of their funds, continually monitor their transactions, and investigate their line of work and relationship with other known individuals.
Having different levels of due diligence is helpful because it means you don’t have to automatically turn away risky customers. Instead, you can use progressive risk segmentation to modify the user’s experience based on signals you receive during the verification process. If your system deems a user as a higher risk, you can simply add additional checks.
Continuous monitoring
Continuous monitoring is exactly what it sounds like — monitoring individuals and their transactions over time and reporting anything suspicious by submitting a Suspicious Activity Report (SAR) to FinCEN and other relevant law enforcement agencies.
Some red flags you may want to watch out for include:
- Unexplainable activity spikes
- Activity in areas known for money laundering and other financial crimes
- New inclusions on PEP, sanctions, and/or adverse media lists
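The progressive risk segmentation and monitoring red flags described above, as an added example that is not part of the original post or Persona’s product: the due diligence tier is picked from the signals at hand, and a small monitoring pass flags activity spikes, high-risk jurisdictions and new list inclusions. The country list, thresholds and sample values are constructed for the example, not regulatory figures.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed for this example: jurisdictions treated as higher risk (assumption).
HIGH_RISK_COUNTRIES = {"XX", "YY"}

@dataclass
class Customer:
    customer_id: str
    country: str
    is_pep: bool = False
    high_net_worth: bool = False
    watchlist_hits: set = field(default_factory=set)  # lists the customer currently appears on

def due_diligence_level(customer: Customer, action: str, amount: float = 0.0) -> str:
    """Progressive risk segmentation: return 'simplified', 'basic' or 'enhanced'.

    Higher-risk individuals (PEPs, high-net-worth, anyone on a list) or
    high-risk jurisdictions always get enhanced due diligence; a small
    withdrawal by an ordinary customer is a low-risk situation.
    """
    if customer.is_pep or customer.high_net_worth or customer.watchlist_hits:
        return "enhanced"
    if customer.country in HIGH_RISK_COUNTRIES:
        return "enhanced"
    if action == "withdraw" and amount < 100:  # constructed threshold
        return "simplified"
    return "basic"

def monitoring_flags(customer: Customer, daily_volumes: list,
                     txn_countries: list, lists_at_onboarding: set) -> list:
    """Continuous monitoring: return red-flag labels for recent activity.

    daily_volumes: per-day transaction totals, oldest first.
    txn_countries: country codes where the transactions took place.
    lists_at_onboarding: watchlist names recorded when the customer was onboarded,
    so that a later inclusion on a new list can be spotted.
    """
    flags = []
    # Unexplained activity spike: latest day far above the trailing average.
    if len(daily_volumes) >= 2:
        baseline = mean(daily_volumes[:-1])
        if baseline > 0 and daily_volumes[-1] > 3 * baseline:
            flags.append("activity_spike")
    # Activity in areas known for money laundering and other financial crimes.
    if any(c in HIGH_RISK_COUNTRIES for c in txn_countries):
        flags.append("high_risk_jurisdiction")
    # New inclusion on PEP, sanctions or adverse media lists since onboarding.
    new_lists = customer.watchlist_hits - lists_at_onboarding
    if new_lists:
        flags.append("new_list_inclusion:" + ",".join(sorted(new_lists)))
    return flags
```

A customer who trips a monitoring flag would be moved to a higher due diligence tier on their next action rather than turned away outright.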
What is corporate KYC (KYB)?
While vetting individuals is one thing, companies must also create KYC processes for businesses they want to work with — and the people behind those businesses.
- Verifying the business: First, companies should collect and verify corporate information such as the business name, address, registration number, and any relevant business registration documents.
- Identifying UBOs: Ultimate beneficial owners (UBOs) are individuals who control the company or have a 25% or greater ownership stake, and must be identified as part of KYB.
- Performing KYC on the business’s UBOs: Finally, companies must perform in-depth KYC checks on anyone determined to be a UBO.
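The UBO identification step above, as an added example that is not part of the original post or Persona’s product: it walks a constructed ownership register through intermediate companies, multiplies stakes along each chain, and reports every natural person whose effective stake meets the 25% threshold. Only the ownership-percentage prong of the UBO definition is modelled here; the “control” prong needs information a shareholder register does not carry.

```python
from collections import defaultdict

# Constructed ownership register for this example. Each legal entity maps to its
# direct owners as (owner, fraction). Names absent from the register are natural persons.
OWNERSHIP = {
    "AcmeCo": [("HoldCo", 0.60), ("alice", 0.30), ("bob", 0.10)],
    "HoldCo": [("carol", 0.50), ("ShellCo", 0.50)],
    "ShellCo": [("carol", 0.40), ("dave", 0.60)],
}
UBO_THRESHOLD = 0.25  # 25% or greater ownership stake

def effective_ownership(entity: str, register: dict, _path: tuple = ()) -> dict:
    """Return {person: fraction} of `entity` ultimately held by natural persons.

    Intermediate companies are expanded recursively and the stake along each
    chain is the product of the fractions. Circular ownership (A owns B owns A)
    is rejected rather than looped over forever.
    """
    if entity in _path:
        raise ValueError(f"circular ownership via {entity}")
    result = defaultdict(float)
    for owner, fraction in register.get(entity, []):
        if owner in register:  # intermediate legal entity: look through it
            for person, sub in effective_ownership(owner, register, _path + (entity,)).items():
                result[person] += fraction * sub
        else:  # natural person: direct stake
            result[owner] += fraction
    return dict(result)

def identify_ubos(entity: str, register: dict, threshold: float = UBO_THRESHOLD) -> list:
    """List (person, effective stake) pairs at or above the threshold, sorted by name."""
    stakes = effective_ownership(entity, register)
    return sorted((p, round(f, 4)) for p, f in stakes.items() if f >= threshold)

if __name__ == "__main__":
    # carol never appears on AcmeCo's own register, yet is its largest UBO.
    print(identify_ubos("AcmeCo", OWNERSHIP))
```

Each person returned here is the one who must then go through the full KYC checks described in the third step.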
KYC laws and regulations worldwide
Depending on where your business operates and where your customers are located, your KYC obligations and KYC processes will differ. Regulatory requirements vary depending on the region. Examples of KYC laws and regulations worldwide include:
Canada
In Canada, KYC regulations are defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and all regulated companies must report KYC data to the Financial Transactions and Reports Analysis Center (FINTRAC).
Australia
In Australia, all organizations subject to KYC reporting regulations must collect and verify customer data before providing any financial or transactional services. KYC regulations are managed by the Australian Transaction Reports and Analysis Center (AUSTRAC).
The European Union
In the EU, rules such as 4AMLD, 5AMLD, and 6AMLD require companies to collect, verify, and keep records of customers’ personally identifiable information (PII) in addition to screening customers against PEP and adverse media lists to assess overall risk.
Brazil
In Brazil, digital account opening and transaction processing are covered by KYC regulations to reduce the risk of fraudulent transactions. The Central Bank of Brazil has also created an authenticated digital identity portal to streamline account opening.
Egypt
In Egypt, companies must obtain and verify individuals’ data including name, address, and date of birth using government-issued identification cards, passports, or weapons licenses. If an individual is identified as a PEP, financial entities must take “special customer due diligence measures.”
Kenya
In Kenya, the Financial Reporting Center (FRC) is responsible for ensuring compliance with KYC regulations. To meet customer identification requirements, businesses must confirm customer data via passports, birth certificates, or driver’s licenses, obtain a verified address and source of income, and ensure they have written confirmation from the customer’s previous financial institution attesting to their identity.
KYC statistics
- ~95% of Hong Kong-based banks said that KYC/AML checks are one of their top regulatory expenses.
- ~85% of Hong Kong-based banks are in favor of a shared KYC utility that’d allow client information to be pooled and shared between banks.
- 31% of financial institutions use a centralized source of information to decide risk and collect KYC information.
- 42% of financial institutions consider collecting accurate UBO information very challenging.
- Only one-third of financial institutions said cutting KYC costs and effort is a high priority.
- Watchlist activities account for roughly 33% of AML compliance costs.
- 96% of compliance officers say their KYC processes require scrutinizing Asian language documents.
- Financial penalties rose from $1B in 2020 to $3.4B in 2021.
What is Anti-Money Laundering (AML)?
AML stands for Anti-Money Laundering. AML regulations are frameworks created by governments and international regulatory bodies that are designed to prevent both money laundering by criminal organizations and the funding of terrorism.
While the specifics are up to you, AML programs are built on five main pillars:
- Designate a compliance officer
- Develop an internal policy
- Train employees
- Test and audit your program
- Implement risk-based procedures for conducting ongoing customer due diligence
To comply with AML regulations (particularly the fifth pillar), it’s important to continuously run watchlist and sanctions reports on an individual to ensure they’re not associated with any lists of people that you should not be serving — and that they aren’t added to a list after they’ve already onboarded with your platform.
What’s the difference between KYC and AML?
KYC and AML are closely related, and you’ll often see them grouped together, as both involve verifying customers’ identities. To put it simply, AML includes but isn’t limited to KYC.
In other words, KYC falls under the umbrella of AML regulations. They’re often grouped together because verifying and continuously monitoring individuals as part of your KYC process can help filter out individuals linked with money laundering and terrorism.
Why is it important to abide by KYC and AML regulations?
It’s important to abide by KYC and AML regulations to protect your business and customers. These regulations are meant to ensure that the individuals and businesses you’re working with are actually who they say they are. As a result, it can also protect your end-user from being a victim of identity fraud.
Additionally, not abiding by these regulations can result in major fines from the government for compliance violations and can tarnish your business reputation.
Persona’s KYC solutions
Since AML and KYC procedures can add friction to your user experience — no one wants to hand over PII — it’s important to ensure your process is as streamlined and secure as possible. With Persona’s KYC solutions, most identity verification decisions take just 5 seconds, so users can get verified quickly and be on their way. You can also customize everything from the theme to the copy so every flow is native to your brand, and reach users in more than 200 countries and territories in over 20 different languages.
Perhaps more importantly, Persona’s KYC solutions can also help your business meet constantly evolving KYC/AML compliance standards and regulation changes, as we’ve done for companies such as Coursera and Square.
Our full suite of KYC tools gives you everything you need to build a custom eKYC program and tailor your identity experience for each use case and customer. For example, you can put customers through a more rigorous process if they want to withdraw money versus just open an account, and you can allow individuals who don’t have an SSN to verify their identity another way or add extra verification steps if the individual’s PII was leaked in a data breach.
Choose from one of the industry’s widest ranges of verification components — from government IDs and selfies to database and document verification — to verify users upon signup, and continuously monitor them throughout the customer lifecycle with recurring reports, such as watchlists, adverse media, email and phone risk, and more.