A Know Your Customer (KYC) program is a lot like cooking — there might be many chefs and a host of ways to prepare a recipe, but only one order of operations is going to get you a hot meal in a reasonable amount of time with a minimum of complaints, broken plates, and smoke alarms.
Companies adding anti-money laundering (AML) programs don’t have the time, money, staffing, or appetite for risk — or undercooked chicken — to take a hunt-and-peck approach to designing the optimal KYC workflow.
Below we walk you through the most efficient KYC process steps for your four-star compliance operation.
What is the KYC Process?
KYC (Know Your Customer) is the due diligence process used by banks, financial institutions and other related companies to verify the identity of their clients and assess the potential risks of money laundering and fraud. A growing number of industries are mandated by regulators to complete a KYC review at onboarding and to periodically check whether mission-critical information, such as ownership or business locations, has changed.
Challenges in the KYC Process
With so much documentation and data required to paint a full picture of a customer’s identity and potential risk, compounded by ever-changing regulatory requirements, KYC can be as complicated and messy as an episode of “The Bear.” And building out an AML program can be a pricey trial-and-error experience, especially for financial institutions reeling from regulatory enforcement actions resulting in fines, monitorships, or consent orders.
Companies expanding into new and unknown countries or growing faster than anticipated — for example, startups, online gaming, and cryptocurrency — can experience a burden of epic proportions. Challenges include expanding an insufficient or underbuilt system, developing entirely new processes and procedures, training employees across the globe, and anticipating friction such as new languages, unusual documentation, foreign privacy laws, and customers uncomfortable with new types of requests.
With so many moving parts and executives demanding sales results, it is more important than ever to ensure that the basics are covered. Just as health inspectors don’t care how good the food is if a kitchen isn’t clean, regulators and law enforcement don’t view shortcuts kindly.
Best KYC Process Workflow
The best order of operations for a KYC program is one that can quickly eliminate fraudulent, risky, or costly and time-intensive customers as early as possible. Likewise, it allows customers with complex profiles or urgent needs to exit the process before they have invested too much time or resources with potential service providers.
Step 1: Customer Identification Program (CIP)
The first step in KYC should be the broadest. CIP involves verifying the identity of a new or prospective customer to ensure they are who they claim to be. For individuals, this typically means providing a valid and current government-issued ID, which undergoes secure identity verification and is screened against sanctions and criminal watchlists. For companies undergoing what is sometimes called a Know Your Business (KYB) review, this usually requires evidence of legal formation and/or government registration as well as confirmation of ultimate beneficial ownership (UBO) to ensure that the majority owners and controllers are validated and verified.
Why is this first?
CIP is the most effective method of quickly identifying bad actors, fake companies, and questionable customers. Customers with something to hide will quickly be identified or will remove themselves from further scrutiny by exiting the onboarding process. Demonstrating a clear commitment to compliance at the very start of a relationship signals to customers that you are serious about safety and protecting yourself and your clients from financial harm.
Step 2: Customer Due Diligence (CDD)
CDD is a risk assessment process that, in many cases, can be simplified if there are no red flags resulting from CIP screenings, if the geography and industry are low risk, and/or if the intended product usage is low risk. For example, many banks and financial institutions place immense trust in the extensive oversight processes conducted by the U.S. Securities and Exchange Commission (SEC). Therefore, U.S. publicly traded companies and their majority-owned subsidiaries would require minimal due diligence once the trading and ownership status are confirmed by a bank as part of the onboarding process.
Why is this second?
An optimal onboarding is one that doesn’t require additional due diligence to achieve comfort with a customer’s risk. Asking for unnecessary documentation can be costly, not only to analyze but in lost business when customers opt not to continue the onboarding process.
Step 3: Enhanced Due Diligence (EDD)
In the event that additional and notable risk is identified during the CIP stage, EDD enters the picture. Geopolitical risk, product usage risk, politically exposed persons in the ownership or control structure, and negative news are all red flags for potential fraud or money laundering and require additional due diligence. A company might ask for further documentation, assurances that past incidents were fully mitigated, or clarification on the business purpose of a location or product in order to achieve full assurance that there is acceptable reputational risk in doing business with this company or individual.
Why is this third?
EDD can be time-consuming and intensive and even invasive if a personal visit needs to be made to a customer or private finances need to be reviewed because a source of wealth needs to be better understood. Prospective customers may not understand why certain questions are being asked and they might even balk at the delays. A company needs to be sure the juice is worth the squeeze when starting EDD.
Step 4: Ongoing Monitoring and Perpetual KYC
Ongoing monitoring includes reviewing transactions that are taking place, such as screening for countries with government sanctions as well as unusual transaction sizes and frequency. It can also include screening customer names and individuals against watchlists, negative news lists, and for PEPs.
Perpetual KYC, or periodic review, typically involves completing a re-review of due diligence documentation and verifying that ownership and control information on file, including IDs, is current. It can also include a re-confirmation of product usage and customer size and scope. Most companies complete periodic reviews of their customers on a yearly basis or as infrequently as every 3 years. Some banks have put their lowest risk clients on a review schedule of once a decade or longer due to the extremely low risk they present for money laundering or other financial crimes. In those cases, transaction monitoring is far more likely than a periodic review to flag suspicious activity.
Why is this fourth?
This is a logical final step because it takes place well after onboarding has occurred.
Optimize Your KYC Workflow with Persona
Persona takes the guesswork out of KYC workflows through customizable solutions that pick up where your onboarding leaves off. Our products help companies optimize regulatory compliance and streamline operations with our modular tools and robust library of verification options. We enable your compliance team to keep pace with changing regulations while your risk oversight team rests easy knowing that new markets are fully understood prior to expansion.