In the past decade, the world has seen a proliferation of fintech companies emerging to disrupt (or sometimes complement) traditional financial institutions.
According to data compiled by the Milan Fintech Summit, by February 2021 there were more than 10,600 fintech companies in North America — nearly double the number from just two years prior. Globally, there are an estimated 26,000 fintech companies in various stages of development, from early startups to established brands.
Each of these companies offers different services to its users, from banking and savings to lending, payments, money transfers, investing, insurance, cryptocurrency, and more.
Despite these myriad differences, however, there is one similarity tying all fintech companies together: the need to comply with KYC (Know Your Customer) rules and regulations.
Below, we define KYC, review the key components of a KYC program, and discuss why KYC is so important for fintech companies. We also review the challenges of implementing KYC and offer advice that you can use to put a program in place for your business.
What is KYC?
KYC — or Know Your Customer — is a term used to refer to a set of policies and regulations that are a part of anti-money laundering (AML) laws such as the Bank Secrecy Act. It’s also known as identity verification, customer due diligence (CDD), know your client, and a handful of other terms.
In short, Know Your Customer regulations require financial institutions to have a clear picture of who their customers and clients are by verifying their identity: quite literally, to know their customers. This makes it easier to spot instances of suspected money laundering, terrorist financing, and other financial crimes, and empowers federal agencies such as FinCEN to “follow the money” when a crime has been committed.
KYC identity verification is typically completed when a customer opens an account, and then in an ongoing manner (this ongoing process is appropriately called perpetual KYC).
What goes into a KYC program?
Identity verification can take a number of different forms depending on the industry and jurisdiction that a company operates within — along with the business’s risk tolerance and even its specific customers. That being said, the goal is to ensure that the user is not lying about who they are.
At its most basic, KYC typically involves the collection of certain information, such as the customer’s legal name, address, date of birth, and Social Security number. This information may then be cross-checked against verified sources, such as the customer’s government-issued ID and/or various authoritative and issuing databases.
Of course, in some situations additional steps are needed to verify the user's identity, particularly in cases where there is increased risk.
You might, for example, analyze the user’s actions as they fill out the form in order to identify patterns of behavior which may indicate potential fraud. Does the user hesitate or seem distracted at odd moments? Do they use developer tools, copy and paste, or autofill to complete forms? Are their keystrokes and mouse clicks human-like? If any behavior seems suspicious, you may want to consider adding further verification methods, such as asking them to submit a selfie.
Additionally, you may decide to pull signals directly from the user’s device — such as their IP address, location data, device fingerprint, etc. — and cross-check this against the information they provide directly to you.
Why does KYC matter for fintech companies?
The Bank Secrecy Act requires all financial institutions to comply with certain anti-money laundering regulations, including those related to KYC.
Originally, the law carried a fairly narrow definition of what was considered a “financial institution.” Banks, credit unions, insurance companies, and brokers were all covered under the original interpretation of the law.
Over time, however, this definition has grown to accommodate a greater variety of businesses, including those which are not considered traditional financial institutions — like fintech companies and cryptocurrency exchanges.
Simply put, any company that offers financial services must meet KYC requirements. The penalties for failing to do so can be severe, ranging from million- or even billion-dollar fines to criminal prosecution.
Challenges of implementing KYC for fintech
Although it’s clear that fintech companies, like all financial institutions, must adhere to KYC and AML regulations, it’s also important to recognize the fact that doing so comes with a number of challenges.
In order to increase customer conversions and prevent dropoffs, most websites and applications try to manage and limit friction as much as possible. The less friction, the easier it is for a customer to open an account, and the more a business is able to grow.
Unfortunately, KYC protocols by necessity must introduce a certain level of friction into the sign-up process. It’s this friction that helps businesses identify potential instances of fraud, identity theft, and other financial crimes. With this in mind, one of the greatest challenges for fintech companies is walking the line between adequate friction and conversion optimization.
The good news is that there are steps that you can take to provide a pleasant user experience without sacrificing thorough identity verification.
Shorter, multi-step forms
When faced with a long and intimidating form, some users may reconsider whether or not they want to go through the trouble of creating an account. This is especially true when the user is completing the form on a mobile device, which may make entering information more difficult.
Instead of requiring users to complete a single form submission, consider breaking that form into a number of smaller parts. Because the user is likely to see these multi-part forms as less intimidating, doing so decreases the likelihood that they will drop off. It also lets you collect the most important or valuable information first (such as their name and contact information), so that you can reach out and nurture them in the event that they do drop off.
Session transfer between devices
Sometimes, a user may begin the account creation process on one device and then realize that they should have done so on a different device. For example, if your identity verification process requires a user to submit a selfie, but they have begun the process on a desktop device with no camera (or a low resolution camera), they may be frustrated to discover that they need to restart the process from the beginning on their mobile device.
Depending on the capabilities of your KYC solution, it may be possible to allow the user to transfer their session between devices — for example, from a PC to a mobile device, or vice versa — by scanning a QR code or sending themselves a link without having to start over. This can go far in reducing customer frustration and increasing conversions.
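A handoff link or QR code acts as a bearer credential for a half-finished verification session, so it should be signed, short-lived, and single-use. The sketch below is an added example, not Persona's implementation; the token layout, the 5-minute lifetime, the function names, and the in-memory replay set are all assumptions.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# All names and values below are assumptions made for this example.
SECRET = secrets.token_bytes(32)  # signing key; load from a secret store in practice
TTL_SECONDS = 300                 # lifetime of a handoff link
_redeemed: set[str] = set()       # stand-in for a shared store of used token ids


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(body: str) -> bytes:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest()).encode()


def issue_handoff_token(session_id: str, now: float | None = None) -> str:
    """Build the value carried by the QR code or the emailed link."""
    issued = time.time() if now is None else now
    payload = {"sid": session_id, "jti": secrets.token_hex(16),
               "exp": int(issued) + TTL_SECONDS}
    body = _b64(json.dumps(payload).encode())
    return f"{body}.{_sign(body).decode()}"


def redeem_handoff_token(token: str, now: float | None = None) -> str | None:
    """Return the session id to resume, or None if the token must be refused."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        return None  # forged or altered
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (time.time() if now is None else now) >= payload["exp"]:
        return None  # expired
    if payload["jti"] in _redeemed:
        return None  # already used on another device
    _redeemed.add(payload["jti"])
    return payload["sid"]
```

In a multi-server deployment the replay set has to live in shared storage with an atomic insert, otherwise two devices can redeem the same link concurrently.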
Progressive risk segmentation
One of the biggest mistakes that some businesses make in establishing KYC protocols is treating each signup as though it carries the same potential for risk. This often means the business is forced to apply the maximum amount of friction at all times, often to the detriment of user experience.
But the truth is, not every signup carries the same potential for risk. Some carry more potential, some carry less.
With progressive risk segmentation, you can dynamically tailor the signup process to include more or less friction based on the user’s perceived risk.
For example, if a signup is deemed to be lower risk, you might only require the user to upload a photo of their government-issued ID as a part of the verification process. But if a signup is deemed to be higher risk, you might also require them to send you a series of selfies that verify they are, in fact, a living person.
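One way to express this tiering in code, combining the behavioral and device signals described earlier into a score that selects the verification steps. This is an added example, not Persona's product logic; the signal names, weights, thresholds, and the manual-review tier are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Weights and thresholds are assumptions for illustration; tune them against
# your own fraud data and risk tolerance.
WEIGHTS = {
    "used_devtools": 30,
    "pasted_identity_fields": 15,
    "non_human_input_timing": 35,
    "ip_country_mismatch": 25,
    "device_shared_with_other_accounts": 40,
}
STEP_UP_AT = 30  # at or above: add a selfie liveness check
REVIEW_AT = 70   # at or above: also send to manual review (assumed third tier)


@dataclass
class SignupSignals:
    claimed_country: str
    ip_country: str | None = None  # None: geolocation unavailable
    used_devtools: bool = False
    pasted_identity_fields: bool = False
    non_human_input_timing: bool = False
    device_account_count: int = 0  # other accounts seen on this device fingerprint


def risk_score(s: SignupSignals) -> tuple[int, list[str]]:
    """Return (score, reasons) so each step-up decision can be audited."""
    fired = {
        "used_devtools": s.used_devtools,
        "pasted_identity_fields": s.pasted_identity_fields,
        "non_human_input_timing": s.non_human_input_timing,
        # Missing geolocation counts as a mismatch: hiding a signal never lowers friction.
        "ip_country_mismatch": s.ip_country != s.claimed_country,
        "device_shared_with_other_accounts": s.device_account_count > 0,
    }
    reasons = [name for name, hit in fired.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons


def required_checks(s: SignupSignals) -> dict:
    score, reasons = risk_score(s)
    checks = ["government_id"]
    if score >= STEP_UP_AT:
        checks.append("selfie_liveness")
    if score >= REVIEW_AT:
        checks.append("manual_review")
    return {"score": score, "reasons": reasons, "checks": checks}
```

Returning the reasons alongside the score keeps each step-up explainable when a decision is later reviewed.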
Persona's KYC solution for fintech companies
Here at Persona, we serve some of the top fintech companies, including Square, Brex, and BlockFi, and understand the unique challenges they face as they seek to comply with KYC requirements while managing risk. That's why we’ve designed all of our solutions with these challenges in mind. Identity verification does not need to come at the expense of a pleasant user experience; likewise, a pleasant user experience does not need to come at the expense of robust and thorough compliance.