This article was reviewed by Emily Sachs, CAMS
The relationship between anti-money laundering (AML) and Know Your Customer (KYC) is a lot like the relationship between a car and its wheels. Just like a car isn’t a car without its wheels, you can’t have an AML program without a KYC process. And just as you would want to ensure that a car has the optimal tires and air pressure for its specific environment, a KYC program should be appropriate to the risks of its industry and the expectations of its regulators.
While AML and KYC are inextricably linked to one another, it is important to understand how they differ so you can craft the best strategy for your organization.
Below, we present the basics of KYC and AML to inform your business’s AML and KYC policies.
What is anti-money laundering (AML)?
Anti-money laundering (AML) is an umbrella term that applies broadly to the policies, processes, and programs that a financial institution must implement in order to prevent criminals from using its products, services, or platforms to launder money.
What is Know Your Customer (KYC)?
Know Your Customer (KYC) refers to the steps a business takes to collect and verify information about a customer’s identity, typically during the account opening process and then on an ongoing basis for the lifespan of that customer relationship. Financial institutions are required by law to implement KYC as a part of their AML program.
How do AML and KYC differ?
To better understand the differences between AML and KYC, let’s take a closer look at how they differ by purpose, structure, industries, and legal requirements.
The purpose of an AML program is to prevent bad actors from using financial services to launder money and engage in other financial crimes like terrorist financing and tax evasion.
A KYC program, on the other hand, has a much more specific purpose: to verify a customer’s identity; determine what risk, if any, a customer poses to the business; and decide whether to work with that customer.
By law, an AML program must meet five key requirements, also known as the five pillars of AML:
- Designation of a compliance officer
- Development of internal policies
- Creation of a training program for employees
- Independent testing and auditing
- Deployment of an in-depth risk assessment
With this in mind, the typical AML program will include a customer risk assessment, AML screenings, transaction monitoring, recordkeeping, the reporting of suspicious activity, and a KYC program that verifies a customer’s identity and assesses their risk.
This KYC program must consist of three key parts:
- A customer identification program (CIP), wherein a customer’s identity is verified
- Customer due diligence (CDD), wherein a customer’s risk is assessed
- Continuous monitoring, wherein the customer’s identity and their activity are regularly monitored to ensure their risk profile has not changed
By law, financial institutions must collect and verify four pieces of information: the customer’s name, date of birth, address, and identification number (SSN, TIN, or passport number). While financial institutions are largely free to decide which verification methods they use, a KYC program will typically include some combination of government ID verification, document verification, database verification, and other strategies.
Anti-money laundering regulations in the United States pertain to financial institutions under the Bank Secrecy Act (BSA). Importantly, the BSA’s list includes some businesses with a high degree of money laundering risk that would not normally be considered financial institutions.
Businesses subject to U.S. AML requirements include:
- Credit unions
- Thrift institutions
- Investment firms
- Currency exchanges
- Cryptocurrency exchanges
- Credit card companies
- Online payment portals
- Precious metals/gemstone dealers
- Travel agencies
- Telegraph companies
- Vehicle dealerships
- Art dealers
- Real estate agents/agencies
- Casinos and iGaming platforms
- Virtual Assets Service Providers (VASPs)
These financial institutions are subject to KYC requirements, as a subset of AML laws. Businesses in other industries may also implement KYC for reasons completely unrelated to AML — either to comply with regulations, or to proactively protect their platform, community, and users.
Industries outside the financial sector where KYC can be found include:
- Online marketplaces
- Online auction sites
- Social media platforms
- Online dating services
- E-learning platforms
- Digital health providers
In the US, the most important AML laws are the BSA and the laws that have expanded it, including:
- Money Laundering Control Act (1986)
- Anti-Drug Abuse Act of 1988
- Annunzio-Wylie Anti-Money Laundering Act (1992)
- Money Laundering Suppression Act (1994)
- Money Laundering and Financial Crimes Strategy Act (1998)
- USA PATRIOT Act (2001)
- Anti-Money Laundering Act (AMLA) of 2020
These laws also establish KYC requirements for financial institutions, and are enforced by the Financial Crimes Enforcement Network (FinCEN).
As noted above, businesses operating in a number of other industries may also be subject to laws establishing KYC requirements. Some of the most important federal and state laws in the US include:
- The INFORM Consumers Act, which requires online marketplaces to collect and verify key pieces of information for sellers who reach a certain threshold of sales or revenue
- The Health Insurance Portability & Accountability Act (HIPAA), which requires a digital health provider to verify a patient’s identity before sharing protected health information (PHI) with them
- Arkansas’ Social Media Safety Act and Utah’s Social Media Regulation Acts, which require age verification before a user is allowed to open an account
How Persona can help you get AML and KYC right
Identity verification (IDV) is a central component of any AML or KYC program. Designing an IDV process that suits your business needs should take into account:
- The laws and regulations affecting your business and industry
- Your company’s unique risk profile
- The expectations of your customers or users
Here at Persona, we understand the importance of having a flexible identity infrastructure. That’s why our Verifications solution is fully customizable. Pick and choose from a variety of verification strategies — including government ID verification, database verification, document verification, selfie verification, and even video verification — to build the verification flow that’s right for you. Incorporate supplemental checks where it makes sense to gain a deeper understanding of who your customers are and what risks they pose.
Want to tailor your verification flow to each individual customer? With risk-based segmentation, you can do just that — without tapping product or engineering resources or overburdening your team. Serve the right level of friction to each customer based on the risk signals you detect in real time.