KYC: The Essential Primer

What is KYC?

"Know Your Customer" or "Know Your Client" (KYC) is the obligation of banks, businesses, and other financial institutions to identify and authenticate a person's identity before doing business with them. KYC encompasses three pillars: identification, due diligence, and ongoing monitoring.

What are the origins of KYC?

The foundations for KYC date back to the Bank Secrecy Act (BSA) of 1970 (itself an amendment of the 1950 Federal Deposit Insurance Act). Charting the course for anti-money laundering protocols, the BSA mandates that banks collect and report certain financial information to regulatory authorities, such as FinCEN.

The 2001 Patriot Act is the basis of modern KYC compliance. In the wake of 9/11, the Patriot Act amended the BSA to impose stricter requirements on financial institutions to verify the customers with which they do business. Section 326 of the Patriot Act sets forth minimum compliance requirements that include:

(a) "verifying the identity of any person seeking to open an account to the extent reasonable and practicable;

(b) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information; and

(c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list."

Who must comply with KYC?

Just about any business that onboards customers and offers a financial product will need to think about KYC. The Patriot Act broadly defines 'financial institutions' to include banks, credit unions, credit card issuers or operators, brokerages, insurance companies, commodities and futures traders, loan originators, gaming establishments - even travel agencies. With such a sweeping definition (and in an age where 'every company is a fintech' or offers embedded financial services), all business leaders should consider their own KYC exposure.

How does KYC compliance work?

Institutions must establish a Customer Identification Program (CIP) appropriate to the nature of their business and its size. At a minimum, every business falling under the Patriot Act must have a CIP containing:

  • A written program
  • Four pieces of identifying information (often referred to as the 'core four') - a customer's: name, date of birth, address, and identification number.
  • Identity verification procedures
  • Recordkeeping (often overlooked!)
  • Comparison with government lists (ensuring the customer doesn't appear on any OFAC or other government sanction lists).
  • Customer notice (the financial institution must let its customers know it's requesting information to verify their identities).

The goal of a CIP is for a business to "form a reasonable belief that it knows the true identity of each customer." As this is not a fixed standard, the burden each business shoulders to truly 'know its customer' will differ. For example, a business operating in a less risky space might only need to collect the core four pieces of information, while others may require detailed financial statements during the onboarding process.

Verification can be accomplished in many ways, such as: comparing information received from the customer to consumer reporting agencies (credit bureaus) or canonical public databases, through reference checks with other financial institutions, obtaining financial statements, or by contacting the customer directly. Businesses can even use biometric tools as part of the verification process.

Often overlooked is the record-keeping obligation outlined in 326(b). Businesses must keep records of the customer information collected during the application process. Oftentimes this information contains personally identifiable information (PII), and businesses will want to ensure this information is stored securely - preferably vaulted.
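The CIP checklist above and the record-keeping point in this paragraph can be shown as one small intake routine. The following is an added example written for this primer, not Footprint's code or any regulator's reference implementation. It assumes a constructed sanctions list (invented names standing in for an official list such as OFAC's), an in-memory dictionary standing in for a real vault, and a constructed salt; the status strings and function names are the example's own.

```python
import hashlib
import re
import secrets
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a government sanctions list. Names are invented for
# this example; a real program loads and refreshes the official list.
SANCTIONED_NAMES = ["Acme Front Trading Co", "John Q. Badactor"]

# The 'core four' a CIP must collect at a minimum.
CORE_FOUR = ("name", "date_of_birth", "address", "id_number")


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse spaces, so that
    'José' / 'jose' and 'John Q. Badactor' / 'john q badactor' compare equal.
    Exact matching after normalization is deliberately simple; production
    screening also uses fuzzy matching and aliases."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", folded.lower()).split())


_SANCTIONED_NORMALIZED = {normalize_name(n) for n in SANCTIONED_NAMES}


def missing_core_four(applicant: dict) -> list:
    """Return the core-four fields that are absent or blank."""
    return [f for f in CORE_FOUR if not str(applicant.get(f, "")).strip()]


def screen_name(name: str) -> bool:
    """True if the normalized name appears on the (constructed) list."""
    return normalize_name(name) in _SANCTIONED_NORMALIZED


@dataclass
class Vault:
    """Holds raw PII apart from the working customer record, keyed by a random
    token. A dict stands in here so the example runs offline; a real vault is
    an encrypted store with its own access controls and audit log."""
    _store: dict = field(default_factory=dict)

    def put(self, pii: dict) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = dict(pii)
        return token

    def get(self, token: str) -> dict:
        return dict(self._store[token])


def id_fingerprint(id_number: str, salt: bytes) -> str:
    """Salted SHA-256 over the digits of the identification number, so a
    repeat applicant can be recognised without keeping the raw number in
    the working record. The salt is a constructed secret for the example."""
    digits = re.sub(r"\D", "", id_number)
    return hashlib.sha256(salt + digits.encode()).hexdigest()


def onboard(applicant: dict, vault: Vault, salt: bytes) -> dict:
    """Run the minimum CIP steps in order: completeness of the core four,
    comparison with the government list, then record-keeping with the PII
    vaulted. The returned working record carries only a vault token and an
    ID fingerprint, never the raw PII."""
    missing = missing_core_four(applicant)
    if missing:
        return {"status": "incomplete", "missing": missing}
    if screen_name(applicant["name"]):
        # A list hit goes to compliance review; the record is not opened.
        return {"status": "list_match", "name": applicant["name"]}
    token = vault.put({f: applicant[f] for f in CORE_FOUR})
    return {
        "status": "accepted",
        "vault_token": token,
        "id_fingerprint": id_fingerprint(applicant["id_number"], salt),
    }
```

The working record returned by `onboard` is what application code and analysts touch day to day; only code that genuinely needs the raw name, address or ID number dereferences the token through the vault, which keeps the 326(b) records intact while shrinking the surface on which PII is exposed.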

Customer Due Diligence (CDD) helps businesses determine the risk profile of a customer they onboard. The information gained in the CIP will help determine the customer's risk level. While there are no codified requirements for CDD (as opposed to CIP), many businesses adhere to as many as three levels of due diligence: simplified due diligence, standard due diligence, and enhanced due diligence.

Simplified and standard due diligence come into play when a business assigns an onboarding customer a relatively low-risk profile. An example might be a customer attempting to open a bank account with a small balance. Businesses perform enhanced due diligence on riskier customers to better understand the nature of the prospective customer's business interest. Some examples might be a customer seeking to open an account with a large sum of money, or a politician or diplomat applying for a loan.

Finally, businesses must continuously monitor for risky activity. By examining shifting patterns in customers’ financial transactions, unusual spikes in account activity, and illegal transactions, companies can ensure they are performing ongoing diligence on their customers. Financial institutions must file a Suspicious Activity Report (SAR) with FinCEN to report any suspicious, risky anomalies.
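The "unusual spikes in account activity" this paragraph mentions can be detected with a per-customer baseline. Below is an added example for this primer, not Footprint's monitoring logic or any prescribed method. The daily totals are constructed, the rolling-baseline z-score is one of many workable statistics, and the threshold values are assumptions chosen for the sample data; an alert here is a candidate for analyst review, not an automatic SAR.

```python
import statistics
from datetime import date

# Constructed daily outflow totals per customer (USD), invented for the example.
# cust_001 is flat for two weeks and then jumps; cust_002 varies mildly.
SAMPLE_DAILY_TOTALS = {
    "cust_001": [(date(2024, 3, d), 120.0) for d in range(1, 15)]
                + [(date(2024, 3, 15), 9800.0)],
    "cust_002": [(date(2024, 3, d), 2000.0 + 50 * (d % 3)) for d in range(1, 16)],
}


def spike_alerts(history, baseline_days=7, z_threshold=4.0, min_amount=1000.0):
    """Flag days whose total departs sharply from the customer's own recent
    baseline. history is a list of (date, daily_total). Each day is compared
    with the mean and standard deviation of the preceding baseline_days; a
    flat baseline gets a small floor so a first-ever large day still scores.
    min_amount keeps trivial sums from alerting. Thresholds are assumptions."""
    alerts = []
    totals = sorted(history)  # chronological order
    for i in range(baseline_days, len(totals)):
        window = [amt for _, amt in totals[i - baseline_days:i]]
        day, amt = totals[i]
        mean = statistics.fmean(window)
        stdev = statistics.pstdev(window) or max(mean * 0.1, 1.0)
        z = (amt - mean) / stdev
        if z >= z_threshold and amt >= min_amount:
            alerts.append({"day": day, "amount": amt,
                           "baseline_mean": round(mean, 2), "z": round(z, 1)})
    return alerts


def review_queue(histories, **kwargs):
    """Run spike detection for every customer and return only those with
    alerts, keyed by customer id, for an analyst to decide on SAR filing."""
    queue = {}
    for customer_id, history in histories.items():
        found = spike_alerts(history, **kwargs)
        if found:
            queue[customer_id] = found
    return queue


if __name__ == "__main__":
    for cid, found in review_queue(SAMPLE_DAILY_TOTALS).items():
        for a in found:
            print(f"{cid}: {a['day']} total {a['amount']:.2f} "
                  f"vs baseline {a['baseline_mean']:.2f} (z={a['z']})")
```

Comparing each customer against their own history rather than a global limit is what makes this "ongoing" diligence: the same 9,800 that is an anomaly for a customer who moves 120 a day is routine for one who moves 2,000, and the analyst sees the baseline alongside the amount when deciding whether the activity is reportable.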

All businesses required to perform KYC will want to ensure they stay compliant, lest they be subject to fines or business disruption. FinCEN (and other banking regulators) may audit a business to ensure it's abiding by the provisions of the Patriot Act. If a business fails to establish a CIP, runs afoul of reasonable due diligence, botches its record-keeping obligation, or otherwise fumbles its KYC obligations, the business may face fines.

Best Practices for KYC

Many businesses view KYC compliance as a necessary evil focusing on only two things - meeting the minimum standards and limiting risks. While noble, this is a missed opportunity as some of the best practices for KYC come from institutions that harness the power of KYC as a competitive advantage. Here are some easy strategies for doing so:

  • Develop a comprehensive KYC strategy that allows you to meet all obligations at once - The need to identify, verify and securely store data can require multiple stakeholders across an organization. The most time and cost-efficient solution is one that provides a single source of truth, allowing a business to know where it stands at all times regarding KYC compliance.
  • Ensure your CIP minimizes friction for your users - The more frictionless the KYC verification you employ, the more likely you are to successfully onboard users. Finding a solution that deemphasizes complexity will naturally result in a more inviting experience for onboarding customers. This will increase your conversion rates.
  • Take advantage of network effects, if possible: The essence of KYC is to help businesses better understand their customers while decreasing overall risk to the financial markets. A KYC solution that securely stores customer data can provide enhanced insights into both the legitimacy of a potential user and their propensity to be a 'good actor'. These solutions can reveal if a prospective customer has a track record as a 'good actor' with other financial institutions, providing your business with another tool for assessing business risk.

We built Footprint to satisfy teams' comprehensive needs when it comes to KYC compliance. Footprint enables teams to safely onboard users, verify them, securely vault the data they receive, and routinely perform ongoing compliance checks. Footprint truly is the last KYC form you’ll ever need. You can learn more here.

Alex Grinman

Co-founder & CTO of Footprint