Many types of businesses — from financial institutions to online marketplaces — are subject to Know Your Customer (KYC) regulations. Though these regulations may vary slightly from industry to industry, they’re a critical piece of preventing money laundering, fraud, and other crimes. Even when it’s not required, KYC can offer businesses a number of benefits.
A lot of the focus tends to fall on the initial identity verification that forms KYC’s backbone. But while the customer onboarding process is an important part of KYC, the process doesn’t end there: It’s just the beginning. A number of equally important KYC processes can only take place after onboarding has occurred.
KYC remediation is one such process.
Below, we define KYC remediation and take a look at how it fits into the greater KYC life cycle. We also outline the key steps of the KYC remediation process so you’ll be better equipped to design the process that best works for your business.
Refresh my memory: What is KYC?
Know Your Customer, or KYC, refers to the processes a business uses to understand whether or not their user is who they say they are. It consists of three main components: Customer identity verification, customer due diligence, and ongoing monitoring.
Businesses operating within certain industries are required to have KYC programs that comply with relevant regulations. Financial institutions, for example, must comply with the KYC requirements established in anti-money laundering (AML) legislation, while online marketplaces must comply with the KYC requirements established by the INFORM Consumers Act (and related laws).
Many other businesses also embrace KYC, despite not currently being required to do so by law.
What is KYC remediation?
Before businesses can verify users, they must collect key pieces of information.
In the financial space, this includes a minimum of the individual’s name, date of birth, address, and identification number. Other information can also be collected, however, such as additional contact information and passive or device signals like a browser or device fingerprint. Other industries may also require a business to collect additional — or different — information.
Over time, however, this information may become less accurate. People may move, rendering their address on file out of date. Names can change — for example, when someone gets married or divorced.
Likewise, the laws and regulations governing KYC can change over time, rendering a business’s profile of its customers incomplete. A law can be expanded, for example, requiring businesses to collect new customer data that they did not previously need to collect.
KYC remediation is the process of periodically reviewing the customer information you have on file to understand if it is a) still accurate, and b) still comprehensive enough to meet the requirements of whatever laws and regulations your business is subject to. When necessary, KYC remediation includes the updating, deleting, or “cleaning” of this information.
The same concept can be applied to related concepts such as Know Your Business (KYB) and Know Your Patient (KYP).
Why is KYC remediation important?
KYC remediation is all about managing different types of risk.
As mentioned above, the regulations governing KYC are not static. They periodically change, adapt, and grow as governments pass new laws. If these requirements change or expand the types of customer data you are required to collect as a part of the KYC process, you will need to update the information of any customers who do not meet these requirements.
Failure to do so can result in fines, lawsuits, government sanctions against your business, and even jail time for individuals deemed responsible.
Beyond this, however, it’s important to note that a customer’s risk profile can also change over time. When customer data becomes out of date, it makes your job of evaluating that customer’s risk of money laundering or fraud that much more difficult. To make an accurate judgment on the level of risk an individual poses, you need up-to-date and accurate information.
Data remediation helps you address both of these risks.
KYC remediation process
The data remediation process falls within the greater KYC life cycle. To better understand how KYC remediation works, we discuss it within the greater context of the entire life cycle below.
The KYC life cycle begins with the initial collection of customer data, which is used to verify the customer’s identity. This typically occurs during customer onboarding or account creation. Depending on your processes, additional information may be periodically collected after this moment. Transaction monitoring and various KYC screenings, for example, occur in an ongoing manner.
Before remediation can occur, there must be a precipitating event that makes remediation necessary. As discussed above, this precipitating event can take many different forms, including:
- Changing regulations that render your data insufficient or obsolete
- Discrepancies in data — for example, if a customer opens a second account with information that is different from the information used to open their original account
- Out-of-date data — for example, an expired ID, change of address, etc.
Recently, for example, online marketplaces experienced a precipitating event in the passage of the INFORM Consumers Act. This law requires operators of online marketplaces to collect and verify the contact information, bank account details, and tax identification number of all third-party sellers making at least 200 sales or earning at least $5,000 in gross revenues per year (among other requirements). While some marketplaces may have already been conducting this verification prior to the law’s passage, most were likely not. For those businesses, passage of the act became a precipitating event making KYC remediation necessary.
Optional: Process adjustments
Once the precipitating event has occurred, it’s important to understand whether it requires you to change or adjust your internal KYC processes. Changing regulations, for example, will likely require you to update your processes to ensure you remain compliant moving forward. One-off discrepancies in data, on the other hand, may not require significant process adjustments.
This process adjustment is not technically a part of KYC remediation. Instead, when necessary, it happens in parallel with KYC remediation.
Returning to the example of online marketplaces impacted by the INFORM Act, a marketplace would likely adjust its customer onboarding process for seller accounts moving forward to comply with the tenets of the law. However, it’d likely leave the onboarding process for buyer accounts as-is, since those accounts are not impacted by the law.
Identification of impacted data
Once the precipitating event has occurred, the KYC remediation process officially begins with the identification of impacted data or accounts. In most cases, this identification can be automated by querying your database of customers — looking specifically for those that exhibit traits indicating they must be updated.
The marketplace discussed above, for example, might query their database for all accounts meeting the following criteria:
- Is a seller account / vendor account
- Makes more than 200 transactions per year
- Earns at least $5,000 in gross revenues per year
Once the impacted accounts have been identified, they must be brought up to compliance — whether that means bringing existing data fields up to date, collecting new data from customers, or collecting new required supporting documents (IDs, tax forms, etc.) for updated verification requirements.
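An added example, not from the original article or from Persona: one way to automate the identification step for the marketplace case above, using Python's built-in sqlite3 module. The accounts and transactions schema, the column names, the trailing 12-month window and the inclusive thresholds are assumptions made for illustration; confirm the exact thresholds and how they combine against the statute text.

```python
import sqlite3

# Thresholds from the page's marketplace criteria, treated as inclusive (assumption).
MIN_SALES, MIN_GROSS_CENTS = 200, 5_000 * 100
FIELDS = ("tax_id", "bank_account", "contact_info")

# Returns presence flags only, so the remediation worklist never carries the PII itself.
QUERY = """
SELECT a.id, a.tax_id IS NULL, a.bank_verified_at IS NULL, a.contact_verified_at IS NULL
FROM accounts a JOIN transactions t ON t.seller_id = a.id
WHERE a.account_type = 'seller'
  AND t.occurred_on BETWEEN date(:as_of, '-12 months') AND :as_of
  AND (a.tax_id IS NULL OR a.bank_verified_at IS NULL OR a.contact_verified_at IS NULL)
GROUP BY a.id
HAVING COUNT(*) >= :min_sales AND SUM(t.gross_cents) >= :min_gross
ORDER BY a.id
"""

def find_accounts_to_remediate(conn, as_of):
    """Map each impacted seller account id to the list of KYC fields it lacks."""
    params = {"as_of": as_of, "min_sales": MIN_SALES, "min_gross": MIN_GROSS_CENTS}
    return {acct_id: [name for name, missing in zip(FIELDS, flags) if missing]
            for acct_id, *flags in conn.execute(QUERY, params)}

def build_sample_db():
    """Constructed sample data: five accounts with sales of $25.00 each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, account_type TEXT, tax_id TEXT,
                               bank_verified_at TEXT, contact_verified_at TEXT);
        CREATE TABLE transactions (seller_id INTEGER, occurred_on TEXT, gross_cents INTEGER);
    """)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        (1, "seller", None, None, "2023-01-05"),               # high volume, incomplete
        (2, "seller", "on-file", "2023-02-01", "2023-02-01"),  # high volume, complete
        (3, "seller", None, None, None),                       # below both thresholds
        (4, "buyer", None, None, None),                        # not a seller
        (5, "seller", None, "2021-09-01", "2021-09-01"),       # sales outside the window
    ])
    sales = {1: (250, "2024-03-01"), 2: (300, "2024-03-01"),
             3: (20, "2024-03-01"), 5: (400, "2022-03-01")}
    for seller_id, (count, day) in sales.items():
        conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                         [(seller_id, day, 2500)] * count)
    return conn

if __name__ == "__main__":
    print(find_accounts_to_remediate(build_sample_db(), "2024-06-30"))
```

The per-account list of missing fields can drive the customer notification, so each seller is asked only for what is actually absent.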
Naturally, if you need to collect more data, you’ll need to notify the affected users. Whether done through emails or in-app notifications, these communications should clearly spell out what the user must do to retain their account, as well as consequences (account suspension/deletion, shop closure, etc.) for failing to supply the new/updated information within the given timeframe.
In some instances, data remediation might uncover data that simply isn’t needed anymore. This can happen when the remediation process uncovers long-dormant accounts, accounts that have been closed by a customer, accounts held by deceased individuals, etc. In these instances, it’s important to have procedures in place that dictate when data is deleted — compliant with any record-keeping laws your business is subject to.
Why not just keep the data, you ask? On one hand, keeping unnecessary data on file increases risk to your business. The more data you retain, the more individuals can be impacted if you experience a data incursion — and the greater your potential liabilities. Deleting customer data you no longer need is a way of limiting this damage.
On the other hand, you might be required by law to delete customer data when certain criteria are met. GDPR, for example, establishes a consumer’s “right to be forgotten,” in which their data should be deleted when it is no longer necessary. The CPRA also gives customers a path to request their data be deleted. Failure to comply with these requirements can lead to regulatory action.
What is Persona’s role in KYC remediation?
Persona’s end-to-end identity suite was built to support you throughout the entire KYC life cycle — from customer onboarding and monitoring all the way through the remediation process. Our flexible identity infrastructure allows you to craft the processes best suited to your unique business needs.
Use our Verifications solution to build and iterate on the onboarding KYC flow that works best for your business. Choose what data to collect, and which forms of verification to use. Options include government ID verification, document verification, database verification, selfie verification, and more.
Use Reports to augment your understanding of your clients, on both an initial and ongoing basis. Scan customers against sanctions lists, politically exposed persons (PEP) databases, criminal watchlists, phone and email risk reports, adverse media reports, and more to build a truly comprehensive risk profile of each customer.
Spot something suspicious in your customer data? Leverage Graph, our link analysis and fraud detection tool, to understand how different accounts are connected — and quickly take action when necessary.