While being untraceable may seem ideal, anonymity online can create a liability for businesses and consumers in everyday online transactions. As a result, financial institutions inadvertently facilitate undetected fraud without proper processes and requirements and enable money laundering and other criminal activities. As a result, governments worldwide have instituted regulations called KYC or Know Your Customer, to protect consumers and businesses from the risks of fraud and other criminal activities.
In this article, we’ll discuss the basics of what KYC is, how laws are applied, why KYC is important, what are some of the core requirements of Know Your Customer, and what technology exists to help affected businesses stay compliant.
What is KYC?
Know Your Customer (or Know your Client) is a set of regulations financial institutions must follow to verify the identity of their customers. KYC affects businesses with account creation or a customer login process online.
These regulations require banks, credit unions, and other financial institutions to verify the identity of customers at the time of opening accounts. Then, they need to retain this identity information so that, should it be legally necessary, financial institutions can trace these transactions back to their point of origin.
KYC measures exist to prevent criminal activities such as money laundering, the financing of terror organizations, and fraudulent trading. As a consumer, you can think of KYC as a business’ requirement to perform a “due diligence” check on each new and existing customer to verify their identity thoroughly.
What are the KYC laws and regulations?
Know Your Customer laws and requirements differ by country; we’ll use the US version as our example. In the United States, the legislation goes back decades to the Bank Secrecy Act of 1970, which put some of the first money laundering laws in place. More recently, the 2001 Patriot Act aimed to curb the financing of terrorist plots, including a section that amended the Bank Secrecy Act. The act now requires financial institutions to keep accurate records of the individuals they do business with and take measures to verify identity carefully called the CIP (Customer Identification Program) and CDD (Customer Due Diligence). Regulations increased as technology in financial services advanced over the last two decades.
As well as adhering to rigorous provisions for ID verification within America, US financial organizations must ensure that overseas KYC provisions are followed before handling foreign clients. The IRS, for instance, has a list of 73 countries and territories with their own KYC rules and guidelines. These approved countries can receive information from the IRS in the case of an investigation through a qualified intermediary (QI) agreement.
What is KYC Intended to Prevent?
Know Your Customer laws and requirements exist to prevent illegal activity before it happens. In particular, properly implemented KYC verification can prevent identity theft, financial fraud, and money laundering. Let’s dive into these three use cases below.
KYC requires more rigorous procedures for identity verification, preventing criminals from setting up false identities to use in the commission of further crimes. Security research firm Javelin estimates that $24 billion was fraudulently obtained in 2021 through identity theft, affecting 15 million consumers.
Identity theft is one of the leading causes of fraud across the world. TD details what a few signs of attempted identity theft could look like including online activity with personal information you do not recognize and notice of a credit report inquiry you did not authorize.
Businesses must adopt additional authentication methods upon new and unknown logins to better prevent identity theft with KYC processes. These extended authentication methods include 2FA (two-factor authentication) or MFA (multi-factor authentication), forced logouts, or CAPTCHAs. In addition, additional verification methods exist that do not disrupt or add to a login experience, such as device identification, which we discuss further below.
Once valid payment details of a consumer are stolen, and in the hands of online fraudsters, this unlocks a world of opportunity for financial fraud to occur. For example, the recent 2022 IBM Global Financial Fraud Impact Report found that fraudulent card transactions and digital payments amounted to an average of $265 per year for each US citizen, with 39% of Americans being the victim of some form of a financial security breach.
Financial institutions must verify customers at signup, login, and transaction to prevent financial fraud. However, fraud can occur at each step:
- Account Creation Signup: A fraudster can use stolen identities to create accounts on behalf of a user without their knowledge.
- Account Login: If a fraudster has valid login credentials for a user, they can log in and obtain even more information about a user and even take actions to take over that account entirely.
- Checkout/Transactions: A fraudster can also make purchases using a compromised account or a stolen credit card, causing cause further damage.
Preventing this is similar to methods of identity theft prevention. A few additional techniques for financial fraud can include:
- Instituting usage rules, such as failed login and transaction attempt limits.
- Not allowing saved payment information.
- Regular credential rotation.
- Enforcing password requirements.
Money laundering is a result of financial fraud with stolen identities. For example, criminals set up dummy accounts to disguise the origins of money obtained through drug and people trafficking, smuggling, racketeering, and other activities. As a recent US Treasury Report puts it, “criminals and professional money launderers continue to use a wide variety of methods and techniques, including traditional ones, to place, move, and attempt to conceal illicit proceeds.”
Again, verifying the identity of account holders every step of the way is essential to preventing acts like money laundering.
How does KYC Legislation relate to Anti-Money Laundering (AML) Laws?
Know Your Customer is part of a successful AML (anti-money laundering) compliance strategy for banks and financial institutions. Whereas KYC is responsible for verifying a customer is who they say they are, AML processes track past just identification verification and include the complete cycle of monitoring transactions for money laundering.
What KYC Provisions are Companies Expected to Make?
Organizations must adhere to specific data security and identification procedures to counter these significant threats, which affect the lives of millions and amount to billions of dollars of stolen money annually. These procedures include:
Customer Identification Processes (CIP) require individuals to present a driver’s license, passport, or other acceptable photo ID.
Corporate ID requirements are certified articles of incorporation, partnership agreements, trust instruments, and business licenses.
Further Financial Documentation, which includes additional materials for individuals and companies, may be required, including credit agency references, financial statements, and other forms of secondary assurance.
Due Diligence is when companies are required to conduct risk assessments on their customers, analyzing transactions to look for any suspicious patterns of behavior which may require monitoring.
- Organizations may categorize their clients as requiring simplified or enhanced due diligence checks based on an assessment of risk factors.
Continuous monitoring by companies is required to catch risk-related activities on customer accounts at any time. Automated processes are used to monitor transactions and flag unusual activity. Where such patterns are of concern, KYC regulations require the company to submit a Suspicious Activity Report (SAR) to law enforcement agencies, including the Financial Crimes Enforcement Network (FinCEN).
What KYC ID Requirements are Mandatory?
At the highest level, KYC processes require businesses to verify consumers at account creation with at least two forms of verified identification:
- Proof of government-issued ID with photograph (usually driver’s license or passport)
- Proof of address (usually bank statements or bills)
However, some of these individuals may have neither a passport nor a driver’s license and may substitute other documentary evidence. There is no KYC-specific list of approved ID documentation, but the full list of approved documents for photo ID from the US State Department includes:
- US Passport book or card
- Valid Driver’s License with Photo
- Certificate of Naturalization
- Certificate of Citizenship
- Government employee ID
- US military or military-dependent ID
- Current (valid) foreign passport
- Trusted Traveller IDs (including valid Global Entry, FAST, SENTRI, and NEXUS cards)
- Enhanced Tribal Cards and Native American tribal photo IDs
- Learner driver’s permit with photo
- Non-driver ID with photo
- Temporary driver’s license with photo
Officially accepted documents are updated and may change as new forms of ID are issued and approved and others retired. Therefore, we recommend using the above list as ONLY a reference of document types, not a source of truth, and checking with appropriate governmental departments. In addition, each organization is permitted to draw up its list of approved documentation so long as it remains assured of its ability to identify each customer correctly.
What Solutions Exist to Make KYC Easier to Implement?
Fortunately, ID verification, account monitoring, flagging, fraud detection, and automated report generation technologies make KYC provisions less time-consuming and prone to errors. Risks can be scored and prioritized without hiring analysts’ teams to manually scan vast volumes of data. Such innovations have helped mitigate the increasing cost of KYC implementation, which Thomson Reuters estimated can cost major financial institutions up to $500 million annually to implement correctly.
For example, adding a device identification solution helps accurately identify users even with repeated visits. Fingerprint Pro is one of those solutions, and with a 99.5% accuracy rate, it can detect repeat visits of potential bad actors and prevent fraudulent login attempts or transactions from happening in the first place.
Know Your Customer, or KYC exists to protect businesses that lend and store money for their customers. Banks and financial institutions alike have a requirement to not only protect their investments but also to verify and protect their customers’ assets. With KYC laws and regulations in place, this happens on a regulated level and is not an optional security measure.