In the United Kingdom and around the world, governments require businesses that operate in certain industries to verify the identity of their customers through a process called Know Your Customer (KYC).
Because KYC requirements can vary by jurisdiction and industry, it’s critical for businesses to understand the specific requirements for each country in which they operate or serve customers.
Below, we review some of the basics before taking a deeper look at the KYC requirements that exist for different industries in the UK.
What is KYC?
Know Your Customer (KYC) refers to the process of confirming a customer’s identity. Businesses operating in certain regulated industries, such as the financial sector, are required to perform KYC before providing regulated products or services to their customers.
KYC can be performed on individuals as well as non-individual entities, such as businesses, non-profit organizations, and trusts.
In the UK, businesses operating in a number of different industries must perform KYC on their customers. This includes banks and other financial institutions, cryptocurrency exchanges, real estate businesses, gambling facilitators, and e-commerce platforms that facilitate the sale of certain regulated products.
Importance of KYC for UK banks and companies
Certain businesses operating in the UK must implement KYC measures for a number of reasons.
Perhaps most obviously, KYC is required in many industries (financial services, crypto, real estate, etc.) to combat money laundering, which is estimated to cost the UK’s economy at least £100 billion every year.
But KYC is also an effective means of preventing other types of financial crime, such as tax evasion, identity theft, and the financing of terrorist activities. And in other industries, KYC plays different roles — for example, ensuring that children can’t access age-restricted products or services through e-commerce platforms.
Even when it isn’t required by law, some businesses choose to implement KYC measures to reduce fraud on their platforms, stay ahead of forthcoming regulations, or simply improve the customer experience.
Industries required to comply with KYC regulations in the UK
KYC for financial services
UK financial services — including banks, lenders, investment firms, payment processors, insurers, currency exchanges, and fintech companies — must comply with the KYC requirements specified in the country’s AML regulations, which were updated in 2017.
When the customer is an individual, financial institutions must:
- Identify the customer
- Verify the customer’s identity
- Assess the purpose and intended nature of the business relationship or occasional transaction
When the customer is a non-individual entity, financial institutions must obtain and verify the entity’s:
- Legal name
- Company number or registration number
- Address of its registered office
- Beneficial owners
These rules are enforced by the UK Financial Conduct Authority (FCA). While the FCA doesn’t specify how verification must be carried out, it does suggest that institutions embrace the risk-based approach to AML recommended by the Financial Action Task Force (FATF). The agency also provides a five-point framework that institutions are encouraged to incorporate into their identity verification process:
- Strength: Gather evidence of the claimed identity, such as a government-issued ID or document
- Validity: Validate that the collected evidence is genuine and authentic, for example by checking an ID’s cryptographic security features or querying the issuing database
- Activity: Determine whether or not the claimed identity has existed over time, for example by collecting employment or credit records
- Identity fraud: Determine if the claimed identity is at a high risk for identity fraud, for example by checking a national fraud database
- Verification: Verify that the identity actually belongs to the person claiming it, for example, by requesting a selfie and comparing it against the photo in an ID
KYC for cryptocurrency
UK businesses operating in the cryptocurrency space are regulated by the FCA, and are therefore subject to the same KYC regulations as other financial services. Businesses seeking to offer these services must first register with the FCA.
KYC rules apply to any business, collectively known as cryptoasset businesses, that provides the following products or services:
- Cryptocurrency exchange
- Peer-to-peer cryptocurrency transfers
- Initial coin offerings (ICOs) or initial exchange offerings
- Cryptocurrency wallet providers
Briefly, KYC requirements for cryptocurrency businesses in the UK include:
- Implementing a risk-based approach to AML and KYC
- Performing customer due diligence on all customers
- Performing enhanced due diligence on higher-risk customers
- Monitoring customer transactions in an ongoing manner
KYC for real estate
In the UK, estate agents, letting agents, and other businesses dealing with the buying, selling, or financing of real estate must comply with the AML and KYC regulations enforced by Her Majesty's Revenue and Customs (HMRC). This includes verifying the buyer’s/seller’s:
- Identity
- Proof of residential address
- Source of funds
- Source of wealth
- Proof of ownership (seller only)
When the buyer or seller is an entity and not an individual, estate agents must confirm that the entity does, in fact, exist. They must also identify and verify the entity’s beneficial owners.
An enhanced due diligence process must be in place for high-risk clients, such as politically-exposed persons, or for transactions originating in countries deemed to be a high risk for money laundering and terrorist activity.
Importantly, these checks must be performed on both buyers and sellers. For residential property deals, KYC should take place upon signing of the memorandum of sale. For commercial property deals, it should take place upon signing of the heads of agreement.
KYC for gaming
In the UK, any business that facilitates gambling — including online gaming (igaming) operators, bookmaking services, and remote casinos — is regulated by the UK Gambling Commission (UKGC).
Under new rules implemented in 2019, online gaming operators are prohibited from accepting bets from any individual before their age has been verified to be at least 18 years old. This is in contrast to prior rules, which allowed up to 72 hours for age verification. These new rules were put in place following a 2018 report that found an estimated three percent of children aged 11-16 had engaged in online gambling.
Additionally, in an effort to combat money laundering, the Commission requires that for any user who deposits or withdraws €2,000 or more, online gaming operators must verify the user’s:
- Name
- Address
- Date of birth
Verification may include the collection of a government-issued ID, selfies, and other supporting documentation, such as household bills or bank statements. The Commission does not specify which documents must be collected, leaving that choice to the individual business.
These requirements also apply to any user who has joined a self-exclusion list designed to help them stop gambling and those deemed to carry a greater risk of money laundering even if they don’t breach the €2,000 threshold, such as politically-exposed persons.
KYC for e-commerce
E-commerce companies operating in the United Kingdom must comply with multiple KYC regulations.
In March 2022, the Strong Customer Authentication (SCA) rule went into effect for e-commerce transactions. This rule, implemented and enforced by the FCA, was designed to reduce theft resulting from stolen debit or credit card information. It requires banks to collect two pieces of identification prior to checkout to authenticate that the individual making the purchase is in fact the account holder. This identification can be in the form of:
- Knowledge, such as a PIN, password, or answer to a security question
- Possession, such as through a one-time passcode sent to a mobile device or email address
- Inherence, such as a fingerprint or selfie
E-commerce retailers should work with their payment processors to ensure that the required technology and workflows are added to their checkout process.
Additionally, any e-commerce business that sells age-restricted products or services must verify the age of its customers. Failure to do so may result in a fine of up to £20,000 and license forfeiture. Age verification can take place:
- During online checkout, for example by collecting and verifying the customer’s ID
- At point-of-delivery, by requesting proof of age prior to handing over the purchase
- In-store, by requiring in-store pickup which includes age verification
KYC for social media companies
As of August 2023, social media companies operating in the UK are not required to implement KYC or identity verification measures.
That said, a proposed bill, the Social Media Platforms (Identity Verification) Bill, would require social media companies to offer an IDV process to all users, as well as a means of limiting or blocking non-verified users, amongst other measures.
The bill was sponsored by MP Siobhan Baillie in 2022 and is currently in its second reading in the House of Commons.
Other petitions related to IDV for social media companies have been submitted in the past, including one which would require social media companies to collect a verified ID from anyone seeking to open an account (or the parent/guardian of users younger than 18).
Become KYC compliant in the UK with Persona
If your business operates in the UK or provides services to UK citizens, it’s crucial that you understand which KYC obligations apply to your industry. It’s also crucial to select a KYC and AML toolkit flexible enough to adapt to these varied requirements.
Here at Persona, we know that a cookie-cutter approach to KYC doesn’t work. That’s why we’ve designed our identity infrastructure with flexibility in mind so that our partners are empowered to build the verification workflow that makes the most sense to their unique situations.
With our Verifications solution, you can quickly and easily collect and analyze government IDs, other documents, and selfies — either for initial verification or for periodic reverification. Reports allows you to build out a fuller picture of your users via watchlist checks, sanctions checks, PEP scans, and other database queries. Use Cases to build out a configurable hub to act as the central dashboard for all things manual review. Do this knowing that your customers’ PII is safe and secure.
Interested in learning more? Learn how Lime leveraged Persona’s suite of identity tools to comply with KYC regulations in each jurisdiction it operates in — including the UK. Start for free or get a demo today.