Why perpetual know-your-customer (pKYC) is the next evolution of compliance procedure 

Alex Buckwald is Head of EMEA Client Insights at Alloy, a company that enables global financial institutions and fintechs to balance identity risk with growth. Alex spent some time with us to chat about a very specialised subject – pKYC. This stands for perpetual Know Your Customer, an evolution of KYC that involves automatically maintaining up-to-date customer records in near-real time. 

Here’s what he told us in our recent podcast interview:

A shift from the old world of diligence

pKYC is replacing traditional periodic reviews. Until now, if you’re onboarding with a company and you’re low risk and a good actor, and your intention is to use the company as it is intended to be used, then no additional checks will need to be carried out for another three or four years. 

This is the old world. It’s a periodic approach where most of the profile is verified for a set period. pKYC, on the other hand, is much more continuous, and it gives you an overview of customer profiles throughout their lifecycle with you as a business. 

At its core, it’s about bringing to the surface the important changes that happen to that customer as soon as they happen. This allows compliance teams to review, action, and escalate them without them becoming a big problem. This is a hot topic today because fraudsters are moving so fast.  

Dynamic and proactive

Regulators don’t want to see companies simply meeting the regulation – they need them to put in a little extra work. Ultimately, companies have a desire to do that as well – they don’t want to just check the box that says they are compliant. They also want to provide their customers with an element of trust – proving that they are a safe pair of hands. Key to this is ongoing monitoring, which is a shift that makes compliance dynamic and proactive. It can also make it a USP for companies as opposed to just a tick-box exercise. 

Through the customer’s eyes

It’s vital to think about onboarding from a CX point of view. If you’re a user of a certain platform, and you’re being asked for your life history in a timescale that may or may not make sense, it’s less than ideal. If someone is fortunate, they might just be rescored, meaning that they won’t need to provide everything all over again. But if you’re less fortunate, the company might want to do a complete recheck as if they’re onboarding you afresh. Thankfully, that doesn’t happen so much now, but it’s still a risk with some of the larger financial institutions. 

If you are being asked to provide endless reams of documentation every time you want to change your email address, it’s going to start to turn people off, and they’re going to look for other platforms that don’t require as rigid of a level of diligence.

Utilising everyday tools

Today, companies need to have less intrusive ways of verifying people, such as biometric verification, which we’re all used to now. Providing a document can sometimes be a little bit onerous. You might not always have a passport or driver’s license on you. Your face, on the other hand, is always on hand. 

We’re especially seeing acceptance of biometric verification with higher value changes. This might look like updating details on your account, which might impact where money is being sent. One of the easiest things that attackers can do is to make a change to account numbers and sort codes. If that’s just secured behind a password, which is often guessable or easily stolen, it starts to become a risk area. Introducing biometrics here, sometimes alongside a document, is where we’re starting to see some movement.

The compounding effect

If someone is making a raft of changes – they’re updating their email, their phone number, their address etc – it starts to become concerning, and diligence might need to be stepped up. People are also starting to realise, given the level of cyber risk that we’re all exposed to today, that a bit more friction is not necessarily a bad thing. In fact, you could argue that it promotes the idea of trust. You’re telling people, “We as a business have these processes in place to protect you, to protect others, and to protect ourselves”. 

No one is ripping up the rule book just yet

We aren’t going to see other elements of the process disappear entirely. We’re not going to see, for example, database checks in the UK going anywhere, because they’re very valuable and they provide a lot of information, especially if you need to verify something very specific, like a bank account or confirmation of payee. We’re also still seeing a lot of interest in registry updates for businesses. 

Biometrics remains core to the process, but it’s a piece of the bigger puzzle, which is trying to ensure that you are onboarding and monitoring all your customers on an ongoing basis.

Tips for starting to make changes

Start small. Deliver impact, but do so incrementally. Don’t try to implement pKYC across everything straight off the bat. Instead, consider starting with your logins, for example, or any other changes that you deem as high risk. Then, assess the triggers on your platform for shifts in risk that you want to keep an eye on.