The relationship between anti-money laundering (AML) and Know Your Customer (KYC) is a lot like the relationship between a car and its wheels. Just like a car isn’t a car without its engine, an AML program is nothing without KYC. And just like you wouldn’t buy a Ferrari if you lived in the mountains, a KYC program should be appropriate to the risks of its industry and the expectations of its regulators.
AML and KYC are inextricably linked to one another, but it’s important to understand how they differ so you can craft the best strategy for your organization.
Below, we present the basics of KYC and AML to inform your business’ AML and KYC policies.
What is anti-money laundering (AML)?
Anti-money laundering (AML) is an umbrella term that applies broadly to the policies, processes, and programs that a financial institution must implement in order to prevent criminals from using its products, services, or platforms to launder money.
What is Know Your Customer (KYC)?
Know Your Customer (KYC) refers to the steps a business takes to collect and verify information about a customer’s identity, typically during the account opening process and then ongoing for the lifespan of that customer relationship. Financial institutions are required by law to implement KYC as part of their AML program.
How do AML and KYC differ?
To better understand the differences between AML and KYC, let’s take a closer look at their purpose, criteria, industry, and legal requirements.
What is the purpose of AML and KYC programs?
The purpose of an AML program is to prevent bad actors from using financial services to launder money and engage in other financial crimes like terrorist financing and tax evasion.
A KYC program has more specific outcomes: To verify a customer’s identity; determine what risk, if any, a customer poses to the business; and decide whether to work with that customer.
What criteria must an AML program meet?
Per U.S. law, an AML program must meet five key requirements, also known as the five pillars of AML compliance:
- Designation of a compliance officer
- Development of internal policies
- Creation of a training program for employees
- Independent testing and auditing
- Deployment of an in-depth risk assessment
With this in mind, the typical AML program will include a customer risk assessment, AML screenings, transaction monitoring, record keeping, the reporting of suspicious activity, and a KYC program that verifies a customer’s identity and assesses their risk.
This KYC program must consist of three key parts:
- A customer identification program (CIP), wherein a customer’s identity is verified
- Customer due diligence (CDD), wherein a customer’s risk is assessed
- Continuous monitoring, wherein the customer’s identity and activity are regularly monitored to ensure their risk profile has not changed
By law, financial institutions must collect and verify four pieces of information: the customer’s name, date of birth, address, and identification number, e.g., Social Security number (SSN), taxpayer identification number (TIN), or passport number. While financial institutions are largely free to decide which verification methods they use in their program, it will typically include some combination of government ID verification, document verification, database verification, and other strategies.
Industries subject to AML requirements
AML regulations in the U.S. pertain to financial institutions under the Bank Secrecy Act (BSA). Importantly, the BSA’s list includes some businesses with a high degree of money laundering risk that would not normally be considered financial institutions.
Businesses subject to U.S. AML requirements include:
- Banks
- Credit unions
- Thrift institutions
- Broker/dealers
- Investment firms
- Currency exchanges
- Cryptocurrency exchanges
- Credit card companies
- Online payment portals
- Lenders
- Pawnbrokers
- Precious metal/gemstone dealers
- Travel agencies
- Insurers
- Telegraph companies
- Vehicle dealerships
- Art dealers
- Real estate agents/agencies
- Casinos and iGaming platforms
- Virtual assets service providers (VASPs)
These financial institutions are subject to KYC requirements as a subset of AML laws. Businesses in other industries may also implement KYC for reasons completely unrelated to AML — either to comply with regulations or to proactively protect their platform, community, and users.
Industries outside the financial sector where KYC can be found include:
- E-commerce
- Online marketplaces
- Online auction sites
- Social media platforms
- Online dating services
- E-learning platforms
- Digital health providers
Legal requirements
In the U.S., the most important AML laws are the BSA and the laws that have expanded it, including:
- Money Laundering Control Act (1986)
- Anti-Drug Abuse Act (1988)
- Annunzio-Wylie Anti-Money Laundering Act (1992)
- Money Laundering Suppression Act (1994)
- Money Laundering and Financial Crimes Strategy Act (1998)
- USA PATRIOT Act (2001)
- Anti-Money Laundering Act (2020)
These laws also establish KYC requirements for financial institutions, and are enforced by the Financial Crimes Enforcement Network (FinCEN).
As noted above, businesses operating in a number of other industries may also be subject to laws establishing KYC requirements. Some of the most important federal and state laws in the U.S. include:
- The INFORM Consumers Act, which requires online marketplaces to collect and verify key pieces of information for sellers who reach a certain threshold of sales or revenue
- Health Insurance Portability & Accountability Act (HIPAA), which requires a digital health provider to verify a patient’s identity before sharing protected health information (PHI) with them
- Arkansas’ Social Media Safety Act and Utah’s Social Media Regulation Act, which require age verification before a user is allowed to open an account
Global AML and KYC regulatory requirements
AML and KYC requirements elsewhere in the world vary greatly depending on local regulators and respective risks. Although many countries adhere to the standards established by the Financial Action Task Force (FATF), only 39 countries currently are members who must follow the recommendations. Thus, most jurisdictions globally have the authority to create their own respective AML regulations, making it nearly impossible for financial institutions and multinational companies to take a blanket approach to AML.
Customer identity verification for account creation
Identifying customers is a process featured in virtually all non-U.S. KYC regulations as part of customer onboarding and account creation, although the identification documents and level of verification may vary depending on the country and local privacy laws. Like in the U.S., at a minimum, banks and financial institutions outside the U.S. require a customer to provide proof of their legal name, date of birth, and residential address using some form of government ID that includes a photo. Some countries require additional information, including proof of occupation, evidence of country of origin, and biometric information.
PEP screenings, watchlists, and sanction monitoring
As part of the AML process, all individuals associated with a client must be cross-checked via AML screenings during onboarding and recurring reviews. This includes screening for the presence of politically exposed persons (PEPs) in the relationship and any inclusion on government watchlists, negative news reports, and sanctions lists that would indicate further risk for possible financial crimes.
Enhanced due diligence (EDD) assessments
When a customer profile indicates elevated likelihood of financial crimes, such as the presence of a PEP, negative news, or industry risk, EDD is required. An additional level of verification, EDD is determined by each financial institution or their money laundering reporting officer (MLRO) based on their interpretation of local regulations, and thus can differ greatly depending on the risk appetite of the financial institution. EDD requirements can range from requesting an additional form of identification or a signature to an additional form or even a documented site visit, which is a time-consuming and often costly process.
Eliminate false-positives through automation
EDD can be a complicated step in an already complex onboarding process with financial institutions. Even the process to avoid EDD can be rocky due to the imperfect nature of manual data gathering, data entry, and screening. If a client named “Michael Jones” is screened, it could take exponentially longer for an analyst to manually weed through the many criminals with the same name vs. adding his middle name from the onset as it appears on his ID and quickly determining that he is the only “Michael Xavier Jones.” With more complete information added at the front end, the frequency of false positives in the screening process can be greatly reduced and the distance between onboarding and going live is that much faster.
How Persona can help you get AML and KYC right
Identity verification (IDV) is a central component of any AML or KYC program. Designing an IDV process that suits your business needs should take into account:
- The local laws and regulations affecting your business and industry
- Your company’s unique risk profile
- The expectations of your customers or users
Here at Persona, we understand the importance of having a flexible identity infrastructure. That’s why our Verifications solution is fully customizable. Pick and choose from a variety of verification strategies — including government ID verification, database verification, document verification, selfie verification, and even video verification — to build the verification flow that’s right for you. Incorporate supplemental checks where it makes sense to gain a deeper understanding of who your customers are and what risks they pose.
Want to tailor your verification flow to each individual customer? With risk-based segmentation, you can do just that — without tapping product or engineering resources or overburdening your team. Serve the right level of friction to each customer based on the risk signals you detect in real time.
Streamline and scale your efforts with automated workflows where it makes sense, while reserving manual review capabilities for edge cases.
Interested in learning more? Start for free or get a demo today.