Know Your Customer (KYC) in banking: A comprehensive guide
Every day, millions of financial transactions move trillions of dollars between bank accounts and financial networks all around the world. A key part of ensuring that those transactions are legitimate and free of fraud? The Know Your Customer (KYC) processes that banks implement to identify their customers and assess risk.
But what is KYC in banking anyway?
Below, we take a closer look at what KYC is and why it’s so important for banks and other financial institutions to get it right. We also highlight the three key KYC procedures for banks and offer some best practices and advice that you can use to inform and shape your own strategy.
What is Know Your Customer (KYC) in banking?
In banking, Know Your Customer (KYC) refers to the processes that a bank undertakes to verify the identity of a prospective customer and assess the risk that customers may pose to the institution before they are allowed to open an account and do business with the bank.
In this way, KYC is an important part of the Anti-Money Laundering (AML) strategy that banks are required to implement. KYC consists of three primary components: a customer identification program (CIP), customer due diligence (CDD), and ongoing monitoring, which we discuss below.
KYC isn’t limited to the banking industry. In a number of other industries — such as e-commerce, online gaming, and even social media — businesses are also required to verify the identities of their customers or users. For the purposes of this article, we will focus on KYC as it applies to banks and other financial institutions.
KYB vs. KYC in banking
When a business or organization wants to open an account or do business with a bank, it must go through a similar vetting process. This process is called KYB, or Know Your Business.
The primary focus of KYB in banking is identifying, and verifying the identity of, the company's ultimate beneficial owners (UBOs), the individuals who ultimately own or control the company.
Keep learning: Understanding ultimate beneficial owner (UBO) checks
What is eKYC?
Electronic KYC, or eKYC, is simply the process of completing KYC digitally instead of in an in-person or face-to-face setting. It relies on many of the same identity verification methods as in-person KYC, but these methods are facilitated by digital technologies.
The camera on a mobile phone, for example, can be used to capture images for government ID verification and selfie verification. Meanwhile, device signals (like an IP address, geolocation data, device fingerprint, or browser fingerprint) can all be collected and used to gauge the customer’s risk.
If a bank or other financial institution wants to offer mobile banking, digital banking, or digital account opening, it must have an eKYC process in place to accommodate this.
What is the importance of KYC in banking?
The importance of KYC in banking is to ensure that financial institutions know who their customers are, which helps prevent illegal activity and builds trust in the financial system.
In summary, Know Your Customer in banking serves two main purposes: Fraud and crime prevention, and risk management.
Around the world, banks and other financial institutions are required to complete KYC before allowing any new customer to open an account. The goal? To make it more difficult for criminals to use the global financial system to conduct financial crimes, such as:
Money laundering
Embezzlement
Counterfeiting and forgery
Financing terrorist activities
Tax evasion
Identity theft
And more
It works like this: By establishing a person’s identity, the bank is essentially initiating a paper trail that makes it easier for regulators to “follow the money” and investigate potential crimes.
A thorough KYC process in banks also makes it possible for businesses to gauge how much risk (of money laundering and other financial crimes) an individual might pose. This in turn facilitates a risk-based approach to AML that has become the bedrock of modern anti-money laundering processes around the world.
Know Your Customer regulations for banks
In the United States, the Anti-Money Laundering (AML) law that laid the groundwork for KYC in banking was the Bank Secrecy Act (BSA) of 1970. The BSA required banks to identify customers and maintain records of financial transactions, among other KYC requirements for banks and other institutions.
Since then, a number of additional Know Your Customer regulations for banks and other businesses have built upon the framework established with the BSA, including:
The Money Laundering Control Act of 1986
Anti-Drug Abuse Act of 1988
Annunzio-Wylie Anti-Money Laundering Act of 1992
Money Laundering Suppression Act of 1994
USA PATRIOT Act of 2001
Anti-Money Laundering Act of 2020 (AMLA)
Of these laws, the USA PATRIOT Act (2001) is among the most impactful because of how it builds on the Bank Secrecy Act. In particular, it:
Strengthens the BSA's customer identification requirements (Section 326, which mandates a Customer Identification Program)
Requires due diligence programs for correspondent and private banking accounts (Section 312), a due diligence mandate that US law had not previously spelled out
Requires that enhanced due diligence procedures be carried out for accounts deemed to carry high levels of risk
Expands the definition of "financial institutions" to include a broader range of businesses
Likewise, the Anti-Money Laundering Act of 2020 (AMLA) was impactful through a number of provisions, especially in the way that it, via the Corporate Transparency Act, directed FinCEN to create a new beneficial ownership information database for US businesses.
Other countries have their own AML laws and regulations requiring KYC. Though these laws do vary from country to country, they are all informed by the Financial Action Task Force’s (FATF’s) 40 recommendations to combat money laundering. This means that while differences do exist, they are often subtle in nature instead of dramatic changes. An important set of AML/KYC laws for banks that serve European customers includes the EU’s Anti-Money Laundering Directives (AMLDs).
Banks that don’t meet the KYC requirements of the jurisdictions in which they operate risk significant fines and regulatory action, as well as damage to brand reputation and customer trust.
Keep learning: Key AML laws and regulations in the US
Key KYC procedures for banks
The KYC process in banks consists of three distinct components that work together to manage customer risk: a Customer Identification Program (CIP), Customer Due Diligence (CDD), and continuous monitoring.
1. Customer Identification Program (CIP)
What it is: A Customer Identification Program (CIP) is a set of procedures that a bank uses to identify and verify the identity of a prospective customer before they are granted access to an account or other financial product. Under the US CIP rule (31 CFR 1020.220), banks must at a minimum collect an individual's name, date of birth, address, and identification number (such as a TIN or SSN), and then verify that identity through documentary methods (such as a government-issued ID), non-documentary methods (such as database checks), or both.
The goal: To verify that a potential customer is who they say they are.
Methods used:
Government ID verification
Document verification
2. Customer Due Diligence (CDD)
What it is: Customer Due Diligence (CDD) is a set of processes that a bank performs to assess a customer’s risk of money laundering and other financial crimes. In addition to identity verification, banks are required to understand the nature and purpose of customer relationships and develop customer risk profiles.
To that end, CDD will often include various AML screenings designed to surface risk factors about the individual. When risk factors are detected, banks are required to perform enhanced due diligence before doing business with that individual.
The goal: To assess customer risk.
Methods used:
Database verification
Watchlist screening
PEP screening
Different Customer Due Diligence levels
Banks and other businesses in the financial industry don’t need to perform Customer Due Diligence in the same exact way for all customers they onboard. In fact, it’s possible to tailor the CDD experience to individual customers depending on how risky they may be. There are three generally accepted levels of due diligence:
Simplified Due Diligence: A streamlined form of due diligence for customers deemed low risk. Usually, customers are required to provide less information and evidence, and fewer checks are performed.
Customer Due Diligence: The standard level of due diligence performed for customers deemed to carry an average amount of risk.
Enhanced Due Diligence: A heightened level of due diligence performed on customers deemed to carry a higher-than-average risk of money laundering. It typically involves performing a greater number of checks and verifications that are not normally included in standard due diligence.
Leveraging these different levels of due diligence is one of the most impactful ways a financial institution can control friction without compromising security and compliance when onboarding new customers.
3. Continuous monitoring and reporting
What it is: KYC isn't a one-time event. Continuous monitoring refers to the ongoing review that banks must perform to reevaluate a customer's risk throughout the relationship. It should include activity and transaction monitoring, where the bank looks for high-risk or suspicious activity, as well as routine re-screening to ensure that an existing customer has not since been added to a sanctions list, watchlist, or PEP list.
Banks are also required to file reports with FinCEN: a Suspicious Activity Report (SAR) when suspicious activity is detected, and a Currency Transaction Report (CTR) for cash transactions of more than $10,000, which must be filed whether or not the activity looks suspicious.
The goal: To identify suspicious activity and update risk profiles.
Methods used:
Sanctions screening
Watchlist screening
Adverse media screening
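The transaction-monitoring side of continuous monitoring is easiest to see in code. The following is an added example, not code from the original article or from Persona, of a detection rule that flags cash deposits kept just under the $10,000 CTR threshold (a pattern known as structuring) alongside the single transactions that require a CTR. The transactions are constructed sample data, and the near-miss floor, the 7-day window, the minimum number of near-miss deposits, and the function names are assumptions chosen for illustration.

```python
"""Ongoing transaction monitoring: single cash transactions that require a CTR,
plus customers whose cash deposits look structured to stay under the threshold.

Added example, not the page's or Persona's code. TRANSACTIONS is constructed
sample data; the window, floor and minimum-count rules are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000     # USD: a CTR is required for cash transactions above this
NEAR_MISS_FLOOR = 9_000    # assumed: deposits in [9000, 10000) count as "just under"
WINDOW_DAYS = 7            # assumed look-back window for the structuring rule
MIN_NEAR_MISSES = 3        # assumed: 3+ near-miss cash deposits inside one window

# Constructed sample: (customer_id, date, amount_usd, channel)
TRANSACTIONS = [
    ("C1", date(2024, 3, 1), 9_500, "cash"),
    ("C1", date(2024, 3, 2), 9_800, "cash"),
    ("C1", date(2024, 3, 4), 9_900, "cash"),
    ("C1", date(2024, 3, 5), 250, "cash"),
    ("C2", date(2024, 3, 1), 12_000, "cash"),   # over the threshold: CTR, not structuring
    ("C3", date(2024, 3, 1), 9_700, "cash"),
    ("C3", date(2024, 3, 20), 9_700, "cash"),   # second deposit falls outside the window
    ("C4", date(2024, 3, 3), 9_900, "wire"),    # not cash, so the CTR rules do not apply
]


def ctr_required(txns):
    """Return every single cash transaction above the CTR threshold."""
    return [t for t in txns if t[3] == "cash" and t[2] > CTR_THRESHOLD]


def structuring_alerts(txns):
    """Map customer_id -> aggregate amount for customers with at least
    MIN_NEAR_MISSES near-threshold cash deposits inside any WINDOW_DAYS window.
    The aggregate shows what would have been reportable as one transaction."""
    by_customer = defaultdict(list)
    for cid, day, amount, channel in txns:
        if channel == "cash" and NEAR_MISS_FLOOR <= amount < CTR_THRESHOLD:
            by_customer[cid].append((day, amount))

    alerts = {}
    for cid, deposits in by_customer.items():
        deposits.sort()  # oldest first; the window is anchored at each deposit in turn
        for i, (start, _) in enumerate(deposits):
            window = [(d, a) for d, a in deposits[i:]
                      if d - start < timedelta(days=WINDOW_DAYS)]
            if len(window) >= MIN_NEAR_MISSES:
                alerts[cid] = sum(a for _, a in window)
                break  # one alert per customer is enough for review
    return alerts


if __name__ == "__main__":
    for t in ctr_required(TRANSACTIONS):
        print("CTR required:", t)
    for cid, total in structuring_alerts(TRANSACTIONS).items():
        print(f"structuring alert: {cid} deposited {total} USD in near-miss cash within {WINDOW_DAYS} days")
```

An alert from a rule like this is a signal for review, not a SAR decision by itself; the analyst still has to look at the customer's profile, which is exactly why the monitoring step feeds back into the risk profile rather than replacing it.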
Common challenges in KYC for banks
While financial institutions must meet the requirements above in order to comply with KYC regulations, they have considerable latitude in deciding exactly how they will meet them. This flexibility lets banks design programs that fit their business, but it also poses a number of challenges. Some of the most common challenges in KYC for banks include:
Balancing compliance and user experience
In order to perform KYC on new customers, banks must collect information and identity evidence (e.g., a government ID) from those customers during onboarding. Unfortunately, this introduces friction which, left unchecked, can hurt the user experience and may even jeopardize the conversion.
This leaves banks with a bit of a catch-22: A stricter KYC program is more likely to catch a greater number of money laundering attempts, but may lead to fewer legitimate customers; a more lenient KYC program is more likely to capture more new customers, but may allow a greater number of bad actors to slip through the cracks.
Keep learning: 3 tips for managing risk without sacrificing user experience
Dealing with false positives
In the context of KYC and AML, a false positive is when a legitimate customer is flagged as being high-risk or potentially fraudulent. When this happens, it can result in that customer being denied access to financial services that they’re entitled to — and which are often essential for modern life. It also means lower conversions for the business.
False positives can have a number of root causes, but are most frequently attributed to a customer having a common name (for example, John Smith) or sharing a name with a known criminal.
Navigating complex global Know Your Customer regulations for banks
Know Your Customer regulations for banks are periodically updated as lawmakers make adjustments to close loopholes, account for new technologies, or otherwise revamp their ability to stop money laundering. Unfortunately, this means that KYC is never something that can be considered “done.” It’s always evolving, and financial institutions must remain agile enough to accommodate these changes when they occur.
Financial institutions operating in multiple jurisdictions have an added challenge because each country is free to set its own KYC requirements. That means a global bank may need to have completely separate KYC programs tailored to the requirements of each jurisdiction for global compliance. It also means that it must keep its fingers on the regulatory pulse of each country it operates within instead of just one.
Operational difficulties
In order to perform each individual step of the KYC process, banks and financial institutions may need to leverage multiple different solutions. Unfortunately, this may mean a separate procurement process for each tool used, a separate contract, and multiple bills to keep track of. It can also mean that you’re duplicating complicated technical integrations and implementations across multiple solutions, each of which will take time, effort, and resources to complete.
Best practices for KYC compliance in banks and other financial institutions
Although KYC is a requirement for banks, it can also be difficult to get “right.” Below are some best practices that may be able to help you overcome the challenges commonly associated with KYC.
1. Control friction with progressive risk segmentation
AML laws and regulations understandably require that KYC takes place during the account signup process. But by adding steps in which you ask customers to submit information, you are also introducing friction at a key moment in your customer’s relationship with your business and brand. In many cases, this friction lowers conversion rates.
One potential solution? Using progressive risk segmentation to tailor your KYC processes to each individual depending on the risk signals you collect in real-time. In this way, users who carry a low risk for money laundering may be moved into a simplified verification flow with fewer requirements, while users with greater risk can be moved into a stricter process.
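To make the segmentation concrete, here is an added example (not Persona's product logic and not code from the original article) of a tiering function that maps the signals collected so far to the three due diligence levels described earlier. The signal names, weights, thresholds and per-tier check lists are assumptions chosen for illustration; a real program would calibrate them against its own risk assessment.

```python
"""Progressive risk segmentation: route an applicant into a simplified (SDD),
standard (CDD) or enhanced (EDD) due diligence flow from the signals collected so far.

Added example, not Persona's product logic. Signal names, weights, thresholds
and the per-tier check lists are assumptions chosen for illustration."""
from dataclasses import dataclass, field


@dataclass
class Signals:
    """Risk signals gathered during onboarding (assumed field names)."""
    id_country: str                     # country on the government ID
    ip_country: str                     # country derived from IP geolocation
    high_risk_country: bool = False     # on the bank's own high-risk list
    pep_hit: bool = False               # politically exposed person screen hit
    sanctions_hit: bool = False         # sanctions list screen hit
    device_reuse_count: int = 0         # other accounts already seen on this device
    expected_monthly_volume: int = 0    # self-declared, in USD


@dataclass
class Decision:
    tier: str                           # "SDD", "CDD" or "EDD"
    score: int
    reasons: list = field(default_factory=list)
    required_checks: list = field(default_factory=list)


# Additive weights (assumptions). A PEP hit alone reaches the EDD band,
# mirroring the usual requirement of enhanced due diligence for PEPs.
WEIGHTS = {
    "geo_mismatch": 20,        # IP country differs from ID country
    "high_risk_country": 30,
    "pep_hit": 50,
    "device_reuse": 15,        # 3+ accounts on one device
    "high_volume": 20,         # more than 50,000 USD/month declared
}
SDD_MAX, CDD_MAX = 10, 49      # score <= 10 -> SDD, 11..49 -> CDD, >= 50 -> EDD

# Which verifications and screenings each tier requires (assumed).
CHECKS = {
    "SDD": ["database_verification"],
    "CDD": ["government_id", "selfie_liveness", "watchlist", "pep"],
    "EDD": ["government_id", "selfie_liveness", "watchlist", "pep",
            "adverse_media", "source_of_funds", "manual_review"],
}


def segment(s: Signals) -> Decision:
    """Return the tier for an applicant. Hard stops win over the additive score."""
    if s.sanctions_hit:
        # A sanctions hit must never be averaged away by otherwise benign signals.
        return Decision("EDD", 100, ["sanctions_hit"], CHECKS["EDD"])
    score, reasons = 0, []
    triggers = [
        ("geo_mismatch", s.ip_country != s.id_country),
        ("high_risk_country", s.high_risk_country),
        ("pep_hit", s.pep_hit),
        ("device_reuse", s.device_reuse_count >= 3),
        ("high_volume", s.expected_monthly_volume > 50_000),
    ]
    for name, fired in triggers:
        if fired:
            score += WEIGHTS[name]
            reasons.append(name)
    tier = "SDD" if score <= SDD_MAX else "CDD" if score <= CDD_MAX else "EDD"
    return Decision(tier, score, reasons, CHECKS[tier])


if __name__ == "__main__":
    for sig in (Signals("US", "US"),
                Signals("US", "GB"),
                Signals("US", "GB", device_reuse_count=4, expected_monthly_volume=75_000),
                Signals("US", "US", sanctions_hit=True)):
        d = segment(sig)
        print(d.tier, d.score, d.reasons, d.required_checks)
```

The design point is the separation between hard stops (a sanctions hit always lands in the strictest flow, regardless of how clean the other signals look) and the additive score that decides how much friction a typical applicant sees. Keeping the reasons list with the decision also gives the compliance team an audit trail for why a given customer was routed to a lighter or heavier flow.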
2. Reduce false positives by tailoring name match requirements
Name match requirements are essentially the internal logic that you put in place to determine whether or not a variation in a name (such as a misspelling, alternative spelling, or even a nickname or diminutive) triggers a “match” during KYC.
You can establish strict match requirements that only trigger a match when an exact spelling is found, or you can establish “fuzzy” match requirements that trigger a match even when edits or typos are in place. The fuzzier your match requirements, the more likely you are to catch all possible mentions of your customer when you perform a check — but you’re also more likely to see more false positives. With this in mind, if you find yourself dealing with a large number of false positives, it can be a good idea to revisit your name match requirements.
3. Leverage automation to scale
In today’s increasingly digital world, customers have come to expect near-instant gratification. When they’re opening a new bank account, that means they expect to be able to sign up and log in within a few minutes. That’s a service level you’ll likely have difficulty meeting if your KYC processes rely on manual verification, risk assessment, and screenings.
The good news is that modern KYC doesn’t need to be a manual process. Banks today can automate as much or as little of their KYC processes as they see fit, depending on resources, account volumes, and more. Smart automation means faster verifications without compromising on risk, making it easier than ever to scale while maintaining KYC compliance in banks.
Keep learning: Automated KYC verification: a guide for compliance managers (and others)
4. Have a plan for generative AI
In recent years, fraudsters have aggressively begun to incorporate various generative AI tools into their arsenals. Today, fraudsters are using GenAI to create deepfakes, AI-generated selfies, forged documents, and other assets to try to skirt past banks’ KYC processes.
Combating the challenges posed by generative AI requires that you have a plan for how your bank will detect and mitigate these threats. While there is no single solution that will work in all cases, we believe a holistic approach that includes robust liveness detection capabilities offers the best path forward.
Keep learning: Embrace a holistic fraud strategy to fight GenAI fraud
5. Prioritize an integrated solution
Instead of cobbling together multiple tools or solutions to support your KYC needs, consider leveraging a single, integrated solution that can perform multiple functions.
In addition to simplifying the procurement and contracting process, this also means you only have to worry about a single integration and implementation instead of multiple. It also means that the members of your team only need to learn how to use a single tool.
Persona’s KYC solutions for banks help businesses get AML right
Here at Persona, we understand just how critically important KYC is for banks and financial institutions. We’ve used that understanding to build a flexible identity platform that you can use to design and implement the ideal KYC process for your business.
With our KYC solutions for banks, you can:
Pick and choose from a variety of different verification methods — including government ID verification, selfie verification, document verification, and database verification.
Leverage workflows and progressive risk segmentation to control friction while maintaining high compliance standards.
Assess customer risk with the reports and screenings that make the most sense to your bank, whether that be sanctions screening, watchlist screening, PEP screening, adverse media screening, or a combination thereof. And do so with the confidence that comes from knowing our platform is backed by robust liveness detection capable of detecting and mitigating GenAI fraud.
Interested in learning more about how Persona can help you get KYC in banking right? Start for free or get a demo today.