Industry

KYC and AML differences: What you need to know

Discover the differences between KYC and AML — and their significance in financial regulations.

An image of three people discussing financial topics.
Last updated:
10/17/2024
Read time:
Share this post
Copied
Table of contents
⚡ Key takeaways
  • AML refers to the steps a financial institution takes to prevent money laundering and other financial crimes from taking place via its platform or products.
  • KYC refers to the steps that a business undertakes to verify the identities of its customers or users.
  • Businesses that may seem to be unrelated to the financial industry may actually have KYC requirements after all; some businesses may also have additional KYC requirements that have nothing to do with fighting money laundering.

The relationship between anti-money laundering (AML) and Know Your Customer (KYC) is a lot like the relationship between a car and its wheels. Just like a car isn’t a car without its engine, an AML program is nothing without KYC. And just like you wouldn’t buy a Ferrari if you lived in the mountains, a KYC program should be appropriate to the risks of its industry and the expectations of its regulators. 

AML and KYC are inextricably linked to one another, but it’s important to understand how they differ so you can craft the best strategy for your organization. 

Below, we present the basics of KYC and AML to inform your business’ AML and KYC policies. 

What is anti-money laundering (AML)?

Anti-money laundering (AML) is an umbrella term that applies broadly to the policies, processes, and programs that a financial institution must implement in order to prevent criminals from using its products, services, or platforms to launder money. 

What is Know Your Customer (KYC)?

Know Your Customer (KYC) refers to the steps a business takes to collect and verify information about a customer’s identity, typically during the account opening process and then ongoing for the lifespan of that customer relationship. Financial institutions are required by law to implement KYC as part of their AML program. 

How do AML and KYC differ?

To better understand the differences between AML and KYC, let’s take a closer look at their purpose, criteria, industry, and legal requirements.

What is the purpose of AML and KYC programs?

The purpose of an AML program is to prevent bad actors from using financial services to launder money and engage in other financial crimes like terrorist financing and tax evasion. 

A KYC program has more specific outcomes: To verify a customer’s identity; determine what risk, if any, a customer poses to the business; and decide whether to work with that customer. 

What criteria must an AML program meet?

Per U.S. law, an AML program must meet five key requirements, also known as the five pillars of AML compliance:

  • Designation of a compliance officer
  • Development of internal policies
  • Creation of a training program for employees
  • Independent testing and auditing
  • Deployment of an in-depth risk assessment

With this in mind, the typical AML program will include a customer risk assessment, AML screenings, transaction monitoring, record keeping, the reporting of suspicious activity, and a KYC program that verifies a customer’s identity and assesses their risk.

This KYC program must consist of three key parts:

By law, financial institutions must collect and verify four pieces of information: the customer’s name, date of birth, address, and identification number, e.g., Social Security number (SSN), taxpayer identification number (TIN), or passport number. While financial institutions are largely free to decide which verification methods they use in their program, it will typically include some combination of government ID verification, document verification, database verification, and other strategies. 

Industries subject to AML requirements

AML regulations in the U.S. pertain to financial institutions under the Bank Secrecy Act (BSA). Importantly, the BSA’s list includes some businesses with a high degree of money laundering risk that would not normally be considered financial institutions. 

Businesses subject to U.S. AML requirements include:

  • Banks
  • Credit unions
  • Thrift institutions
  • Broker/dealers
  • Investment firms
  • Currency exchanges
  • Cryptocurrency exchanges
  • Credit card companies
  • Online payment portals
  • Lenders
  • Pawnbrokers
  • Precious metal/gemstone dealers
  • Travel agencies
  • Insurers
  • Telegraph companies
  • Vehicle dealerships
  • Art dealers
  • Real estate agents/agencies
  • Casinos and iGaming platforms
  • Virtual assets service providers (VASPs)

These financial institutions are subject to KYC requirements as a subset of AML laws. Businesses in other industries may also implement KYC for reasons completely unrelated to AML — either to comply with regulations or to proactively protect their platform, community, and users.

Industries outside the financial sector where KYC can be found include:

Legal requirements

In the U.S., the most important AML laws are the BSA and the laws that have expanded it, including:

  • Money Laundering Control Act (1986)
  • Anti-Drug Abuse Act (1988)
  • Annunzio-Wylie Anti-Money Laundering Act (1992)
  • Money Laundering Suppression Act (1994)
  • Money Laundering and Financial Crimes Strategy Act (1998)
  • USA PATRIOT Act (2001)
  • Anti-Money Laundering Act (2020)

These laws also establish KYC requirements for financial institutions, and are enforced by the Financial Crimes Enforcement Network (FinCEN). 

As noted above, businesses operating in a number of other industries may also be subject to laws establishing KYC requirements. Some of the most important federal and state laws in the U.S. include:

Free white paper
See how experts evaluate KYC/AML solutions

Global AML and KYC regulatory requirements

AML and KYC requirements elsewhere in the world vary greatly depending on local regulators and respective risks. Although many countries adhere to the standards established by the Financial Action Task Force (FATF), only 39 countries currently are members who must follow the recommendations. Thus, most jurisdictions globally have the authority to create their own respective AML regulations, making it nearly impossible for financial institutions and multinational companies to take a blanket approach to AML.

Customer identity verification for account creation

Identifying customers is a process featured in virtually all non-U.S. KYC regulations as part of customer onboarding and account creation, although the identification documents and level of verification may vary depending on the country and local privacy laws. Like in the U.S., at a minimum, banks and financial institutions outside the U.S. require a customer to provide proof of their legal name, date of birth, and residential address using some form of government ID that includes a photo. Some countries require additional information, including proof of occupation, evidence of country of origin, and biometric information.

PEP screenings, watchlists, and sanction monitoring

As part of the AML process, all individuals associated with a client must be cross-checked via AML screenings during onboarding and recurring reviews. This includes screening for the presence of politically exposed persons (PEPs) in the relationship and any inclusion on government watchlists, negative news reports, and sanctions lists that would indicate further risk for possible financial crimes. 

Enhanced due diligence (EDD) assessments

When a customer profile indicates elevated likelihood of financial crimes, such as the presence of a PEP, negative news, or industry risk, EDD is required. An additional level of verification, EDD is determined by each financial institution or their money laundering reporting officer (MLRO) based on their interpretation of local regulations, and thus can differ greatly depending on the risk appetite of the financial institution. EDD requirements can range from requesting an additional form of identification or a signature to an additional form or even a documented site visit, which is a time-consuming and often costly process.

Eliminate false-positives through automation

EDD can be a complicated step in an already complex onboarding process with financial institutions. Even the process to avoid EDD can be rocky due to the imperfect nature of manual data gathering, data entry, and screening. If a client named “Michael Jones” is screened, it could take exponentially longer for an analyst to manually weed through the many criminals with the same name vs. adding his middle name from the onset as it appears on his ID and quickly determining that he is the only “Michael Xavier Jones.” With more complete information added at the front end, the frequency of false positives in the screening process can be greatly reduced and the distance between onboarding and going live is that much faster.

How Persona can help you get AML and KYC right

Identity verification (IDV) is a central component of any AML or KYC program. Designing an IDV process that suits your business needs should take into account:

  • The local laws and regulations affecting your business and industry
  • Your company’s unique risk profile
  • The expectations of your customers or users

Here at Persona, we understand the importance of having a flexible identity infrastructure. That’s why our Verifications solution is fully customizable. Pick and choose from a variety of verification strategies — including government ID verification, database verification, document verification, selfie verification, and even video verification — to build the verification flow that’s right for you. Incorporate supplemental checks where it makes sense to gain a deeper understanding of who your customers are and what risks they pose. 

Want to tailor your verification flow to each individual customer? With risk-based segmentation, you can do just that — without tapping product or engineering resources or overburdening your team. Serve the right level of friction to each customer based on the risk signals you detect in real time.

Streamline and scale your efforts with automated workflows where it makes sense, while reserving manual review capabilities for edge cases. 

Interested in learning more? Start for free or get a demo today.

Published on:
7/7/2023

Frequently asked questions

How are KYC and AML related?

In the financial industry, Know Your Customer (KYC) can be thought of as a subset of broader anti-money laundering (AML) initiatives. Importantly, however, industries outside the financial space may also implement KYC processes for reasons unrelated to money laundering, such as verifying an age for accessing certain websites.

Who is responsible for KYC and AML compliance?

KYC and AML typically fall under the purview of an organization’s compliance team. Compliance will often collaborate with other departments, including legal, product, sales, customer service, and the C-suite.

What’s the difference between KYC and CDD?

Customer due diligence (CDD) refers to the processes that a business uses to assess customer risk. This is achieved by:

  • Verifying the identity of customers or users
  • Identifying and verifying the identity of the beneficial owners of any companies a business is considering engaging with 
  • Understanding the nature and purpose of customer relationships
  • Continuously monitoring customer activity and transactions for suspicious or unusual activity

Just as KYC can be thought of as one piece of AML, CDD is just one element of KYC.

How is risk assessed in KYC and AML?

Money laundering risk is generally driven by a combination of geographic and political considerations in the region; the risks inherent in the industry and the financial products being used; and any existing negative news, watchlist, or PEP screening results that arise as part of the CDD process. For example, a casino operating in a country known as a hub for financial crimes and owned by a politically connected family would be considered to be very high risk for money laundering. But a cooperatively owned quilt shop in Iowa that accepts only credit card payments, uses only locally sourced materials, and does not sell its products outside the U.S. would be among the lowest risk.

Continue reading

Continue reading

Identity proofing: what it is and why it matters
Identity proofing: what it is and why it matters
Industry

Identity proofing: what it is and why it matters

Learn what identity proofing entails and how to incorporate it into your business to prevent fraud.

Employment identity verification: what it is and why it matters
Employment identity verification: what it is and why it matters
Industry

Employment identity verification: what it is and why it matters

Find out why you need to verify prospective employees’ identities — and how to actually do it.

How to check if a company is legitimate: a step-by-step guide
How to check if a company is legitimate: a step-by-step guide
Industry

How to check if a company is legitimate: a step-by-step guide

Find out which verification methods to use — and how a KYB tool can streamline the process.

What is Know Your Customer (KYC) — and why does it matter?
Industry

What is Know Your Customer (KYC) — and why does it matter?

KYC and AML are regulations that require businesses to verify their customers’ identities. Here’s what you need to know.

What is anti-money laundering (AML), and why is it important?
Industry

What is anti-money laundering (AML), and why is it important?

Learn about the stages and harms of money laundering, key AML regulations, and how to meet constantly evolving compliance standards.

What is eKYC?
Industry

What is eKYC?

Take a look at the different signals that eKYC can take advantage of and review the benefits that eKYC offers both businesses and their customers.

Ready to get started?

Get in touch or start exploring Persona today.