
Understanding KYC law and how to meet compliance regulations

December 2, 2022
Blog Post

KYC stands for know your customer. In essence, KYC is a due diligence process that financial companies must follow in order to verify the identities of their customers and assess risk. 

KYC laws aim to reduce fraud, money laundering, and terrorist financing. But, what are the main KYC requirements and how can companies ensure they comply with KYC laws? Let’s take a look.

Who legally needs to have a KYC process?

KYC laws used to target only financial institutions. Today, however, KYC is an obligatory requirement for a range of financial and non-financial entities.

The complete list of regulated entities that are impacted by KYC requirements varies from one country to another, because different countries are governed by different AML and KYC rules. For example, in the US, firms must comply with the Bank Secrecy Act and the USA PATRIOT Act. Meanwhile, in the EU, KYC and AML obligations are set out in the Anti-Money Laundering Directives (AMLD), which each member state transposes into its national law.

However, generally speaking, the list of regulated entities includes:

  • Financial institutions
  • Banks
  • Fintech companies
  • Credit unions
  • Gambling entities and casinos
  • Wallet providers and cryptocurrency exchanges
  • Wealth management firms and broker-dealers
  • Private lenders and lending platforms

That said, KYC regulations are becoming increasingly critical for any institution that interacts with money. This is because, while banks are required to comply with KYC to limit fraud, they also pass down those requirements to all organizations they do business with.

KYC processes greatly reduce the risk of fraud. Plus, KYC is essential for preventing money laundering and the financing of terrorism. For this reason, KYC procedures should be at the heart of any company’s AML efforts.

Understand the legal components of KYC compliance

The KYC process contains three legal components, which are often referred to as pillars. These are:

Customer identification program

In the US, a customer identification program (CIP) is required under the USA PATRIOT Act of 2001. This legislation obliges every bank to maintain a written CIP appropriate to its size and customer base, and to incorporate that CIP into its wider AML program.

As part of a CIP, a company must gather basic pieces of information from the customer, including their:

  • Name
  • Date of birth
  • Address
  • Identification number

As well as gathering this information during the account opening process, the institution must also verify the identity of the account holder within a reasonable time after the account is opened. Verification can be documentary (checking the customer’s official identity documents) or non-documentary (comparing the information provided with data from consumer reporting agencies and public databases), and most institutions combine both.

The exact CIP processes a financial institution must put in place depend on:

  • The type of services or accounts they offer
  • Their method of opening accounts
  • The types of identifying information available
  • The company’s size, location, and customer base

To meet legal requirements, these procedures must also be documented in writing and formally approved as part of the institution’s AML program.

Customer due diligence

The second pillar of KYC compliance is customer due diligence (CDD). When conducting CDD, a business must verify the customer’s identity and evaluate the level of risk they pose.

There are three levels of due diligence:

  • Simplified Due Diligence (SDD): SDD can be used in situations where the risk for money laundering or terrorist financing is low and full CDD is not required
  • Customer Due Diligence (CDD): CDD is the most commonly used form of customer due diligence. The customer’s identity is verified and their level of risk is measured
  • Enhanced Due Diligence (EDD): EDD is reserved for high-risk customers such as politically exposed persons (PEPs). It’s the most onerous form of due diligence, as extra information must be collected from the customer. This is then used to create a deeper understanding of the customer’s potential activities. This way, the institution can mitigate associated risks.

As part of your customer due diligence program, you should:

  • Ascertain the identity and the location of each potential customer
  • Gain an understanding of their business activities and the nature of the business relationship you’re entering 
  • Classify the customer’s risk category and define what type of customer they are
  • Store all relevant documentation digitally
  • Ascertain whether EDD is necessary
  • Keep records of all the due diligence actions carried out on each customer/potential customer in case of a regulatory audit

Ongoing monitoring

Checking a customer once and then never reviewing their activities and transactions again isn’t sufficient to ensure security and regulatory compliance. For this reason, ongoing monitoring is the third pillar of KYC.

Financial institutions must understand each customer’s typical account activity. With that baseline in place, the institution can catch irregularities and address risks as they arise. If a customer’s risk profile changes, or their transaction volumes and amounts start to shift dramatically, this could be a sign of fraudulent activity. Your business has an obligation to spot this and, where the activity is suspicious, to report it to the relevant authority (in the US, by filing a suspicious activity report with FinCEN).

Documentation requirements for KYC law compliance

There are two main types of KYC document: proof of identity documents and proof of address documents. 

During the KYC process, customers must provide an updated, unexpired government-issued identification document that proves their nationality or residence. This document must include a photograph or a similar safeguard. The company can then use the information in this document to decide whether the user should be able to open an account.

Generally speaking, customers are asked to provide one of the following forms of ID:

  • ID cards
  • Driving licenses
  • Passports

On top of this, in some instances, individuals may be asked to provide further verifying information, such as:

  • Financial references
  • Information from a consumer reporting agency or public database
  • A financial statement

Once the business has received the required documentation, it checks that the information is valid and credible. It does this by verifying the authenticity of the document itself (security features, layout, machine-readable zone) and by running digital identity verification checks against the data it contains.

Once the authenticity of the document has been established and the business has ascertained that the information is credible, the individual is asked to provide a selfie. This is first checked for authenticity and liveness, i.e. that it was captured from a live person rather than a printed photo, a screen or a mask. If the image passes these checks, biometric face comparison is used to confirm that the person in the selfie is also the person pictured on the identity document.

What causes re-verification requests?

Once a customer’s identity has been verified and they’ve passed due diligence checks, they can be onboarded. However, this does not mark the end of the KYC process. On occasion, you may need to re-verify customers and pass them through an updated KYC process.

The triggers for KYC re-verification vary from business to business. However, common triggers include:

  • Unusual transaction activity (such as unusually high transaction amounts or volumes)
  • New information becomes available about the customer
  • The customer’s occupation changes
  • The nature of the customer’s business changes
  • The customer wishes to add a new party to their account
  • The customer starts to make overseas transactions
  • The customer starts to conduct transactions with high-risk individuals or in high-risk countries

For example, a bank may onboard a customer who they believe poses a minimal level of money laundering risk. However, six months into the relationship, they may notice that the customer has suddenly started to complete frequent wire transfers and international transfers. 

As a result, this account now poses a much higher level of money laundering risk and needs to be monitored more closely. As part of the re-verification process, the customer may be asked to explain the activity and the source and purpose of the funds. Other KYC-related information may also need to be updated to reflect the change in circumstances.
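The ongoing-monitoring step and the re-verification triggers above can be expressed as a simple baseline-versus-recent comparison over a customer’s transaction history. The following is an added example written for this page; it is not Veriff’s code or product logic. The thresholds, the home country, the two-letter country codes and the high-risk list are all assumptions chosen for illustration, and the transaction history is constructed to reproduce the scenario described above: six months of modest domestic activity followed by a burst of international wires.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumptions for the example (not from the post): the customer's home jurisdiction
# and a high-risk country list. A real deployment would source the latter from its
# own risk policy or a sanctions / FATF feed. "XX" and "YY" are placeholder codes.
HOME_COUNTRY = "US"
HIGH_RISK_COUNTRIES = {"XX", "YY"}


@dataclass(frozen=True)
class Txn:
    when: date
    amount: float
    kind: str                  # e.g. "card", "ach", "wire"
    counterparty_country: str  # two-letter country code


def review_triggers(history, review_date, lookback_days=30,
                    amount_factor=5.0, volume_factor=3.0):
    """Compare the last `lookback_days` of activity with everything before it and
    return the re-verification triggers that fired, in a fixed order.
    Thresholds (amount_factor, volume_factor) are illustrative assumptions."""
    cutoff = review_date - timedelta(days=lookback_days)
    baseline = [t for t in history if t.when < cutoff]
    recent = [t for t in history if cutoff <= t.when <= review_date]
    triggers = []
    if not baseline or not recent:
        return triggers  # nothing to compare yet

    # 1. A single transaction far larger than anything in the customer's own history
    baseline_max = max(t.amount for t in baseline)
    if any(t.amount > amount_factor * baseline_max for t in recent):
        triggers.append("amount_spike")

    # 2. Unusual volume: scale the baseline count to the same window length
    baseline_days = max((cutoff - min(t.when for t in baseline)).days, 1)
    expected = len(baseline) * lookback_days / baseline_days
    if len(recent) > volume_factor * max(expected, 1):
        triggers.append("volume_spike")

    # 3. A transaction type the customer never used before (e.g. first wire transfers)
    new_kinds = {t.kind for t in recent} - {t.kind for t in baseline}
    for kind in sorted(new_kinds):
        triggers.append(f"new_kind:{kind}")

    # 4. First overseas activity
    baseline_overseas = any(t.counterparty_country != HOME_COUNTRY for t in baseline)
    recent_overseas = any(t.counterparty_country != HOME_COUNTRY for t in recent)
    if recent_overseas and not baseline_overseas:
        triggers.append("new_overseas")

    # 5. Any dealing with a high-risk jurisdiction
    for country in sorted({t.counterparty_country for t in recent} & HIGH_RISK_COUNTRIES):
        triggers.append(f"high_risk_country:{country}")
    return triggers


START = date(2022, 5, 1)
QUIET_REVIEW = START + timedelta(days=150)    # 2022-09-28: still the normal pattern
FLAGGED_REVIEW = START + timedelta(days=205)  # 2022-11-22: after the wire burst


def sample_history():
    """Constructed sample data: ~6 months of small domestic card and ACH activity,
    then daily international wires in the final month."""
    txns = []
    for day in range(0, 180, 4):  # card payments every four days, under $500
        txns.append(Txn(START + timedelta(days=day), 40.0 + (day % 7) * 10, "card", "US"))
    for month in range(6):        # one domestic ACH payment a month
        txns.append(Txn(START + timedelta(days=30 * month + 15), 450.0, "ach", "US"))
    for i in range(29):           # final month: daily wires, some abroad, some high-risk
        country = ["US", "DE", "XX"][i % 3]
        txns.append(Txn(START + timedelta(days=176 + i), 3000.0 + 200 * i, "wire", country))
    return txns


if __name__ == "__main__":
    print("quiet review:  ", review_triggers(sample_history(), QUIET_REVIEW))
    print("flagged review:", review_triggers(sample_history(), FLAGGED_REVIEW))
```

Run at the quiet review date the function returns no triggers; run after the wire burst it reports the amount and volume spikes, the new transaction type, the first overseas activity and the high-risk counterparty, which is the point at which the post says re-verification and closer monitoring should begin. Each trigger is a separate, named reason so that the review case (and any later audit) records why the customer was re-screened.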

The cost of legal KYC compliance for businesses

Of course, implementing KYC processes is costly for businesses. Estimates suggest that, in 2021, financial institutions spent more than $37 billion on AML and KYC-related tools and operations. 

On top of this, the cost of KYC compliance extends far beyond tools and pieces of software. This is because the creation of KYC processes also requires an increased time investment. Plus, if the processes are too burdensome, they’ll lead to an increase in customer churn and a decrease in conversions.

That said, although implementing KYC can be both challenging and costly, it’s a legal necessity. On top of this, the cost of not complying with KYC requirements can be astronomical. This is because fines for non-compliance are continually increasing.

In 2013 and 2014, $4.3 billion in fines was levied against financial institutions. For context, this was quadruple the amount that was issued in the previous nine years combined.

Since then, monitoring has increased further and requirements for financial firms have also become even stricter. In the first half of 2021 alone, 80 banks were fined almost $3 billion for AML and KYC-related violations.  

Plus, although the financial penalties for non-compliance are high, financial institutions that fail to meet their KYC obligations also face other consequences, including a loss of trust from customers and lasting reputational damage. As a result, although it can be costly to implement KYC processes, this cost should be viewed as non-negotiable.

How Veriff can support your business with KYC law and compliance

If your business needs to comply with KYC requirements, we can help. Here at Veriff, we’ve developed an AML and KYC screening solution that can help you satisfy regulators. As an added bonus, it can also help you increase customer conversions.

Deployed alongside politically exposed person (PEP) and sanctions checks, adverse media screening and ongoing monitoring, our online identity verification service reduces risk for your business at every turn.

By increasing accuracy and simplifying the onboarding process, it can also increase conversions by up to 30% and reduce false positives by up to 70% (when compared with legacy technology).

See how Veriff’s KYC compliance solutions can help you - Book a demo

Interested in learning more about how our AML and KYC screening solution can help your business meet its regulatory requirements? Book a personalized demo with our experienced team today. We can show you exactly how our software can help you achieve compliance.