Businesses all over the world face various criminal threats, including money laundering, terrorism financing, and identity theft. If businesses fall victim to these crimes, they may also face stiff penalties from regulators—compounding the financial and reputational losses already incurred. That’s why it’s critical to implement effective fraud prevention methods, which brings us to KYC.
To filter out fraudsters and prevent money laundering, businesses implement Know Your Customer (KYC) checks. This process is aimed at identifying and verifying clients before commencing a business relationship. However, to do this properly, businesses should know what information and documents to collect, as well as the particular steps of the verification process. We’ve put together this KYC guide to help you sort this all out.
KYC checks aim to collect and verify information provided by clients. The procedure is required by a variety of regulations, such as those provided by the Financial Action Task Force and the EU’s 4th and 5th AMLDs.
During the onboarding process, KYC checks usually consist of the following steps:
A full explanation of the differences between identification, verification, and authentication can be found here.
After completing the steps above, businesses should continue monitoring their clients’ profiles and transactions. If they notice suspicious activity, it must be reported to a specially designated institution. For instance, UK businesses have to report suspicious activities to the UK National Crime Agency (NCA).
Businesses also have to keep records of all collected information for a certain amount of time, as specified by the relevant jurisdiction (usually five years).
To identify a client, at minimum the following information must be collected:
Additional information should be collected depending on the requirements of a given jurisdiction. For example, in the US, businesses ask for a tax identification number for US citizens or an identification number for non-U.S. persons.
Information submitted by clients should be verified against government-issued documents—or against information obtained from an independent and reliable source—to ensure the customer has not provided false or stolen identification documents or incorrect information.
Usually, businesses must also verify the document’s digital authenticity. This means checking for:
Businesses may use either manual or automatic approaches to verifying these documents. The manual approach can slow down the process of verification, since customers can often provide a large amount of data—and processing it ‘by hand’ takes time. Moreover, the human eye may be unable to spot today’s forged documents, which are growing increasingly advanced. In comparison, the automated approach uses a combination of verification procedures which compare documents against various open data sources and check for graphic modification. This significantly increases pass rates, speeds up onboarding, and brings down associated costs by 43%.
The purpose of identification and verification is to link the customer to the identity provided and to verify that this person is indeed who they claim to be. This is done through one or a combination of the following technical means:
The means by which verification is performed depends on the jurisdiction and/or company policy. For instance, in Germany, regulated businesses are required to carry out video identification to onboard their clients remotely.
Businesses need to screen customers against sanction lists, watchlists, Politically Exposed Persons (PEPs) lists, and other relevant sources.
Ongoing monitoring is obligatory since a сustomer’s profile could change throughout the course of a business relationship. If, for instance, compromising information is unearthed about the customer during this process, additional due diligence measures should be implemented.
Customer Due Diligence (CDD) refers to the measures that businesses take to assess the money laundering and terrorism financing risks of a given customer. Like KYC, CDD involves collecting and verifying information on clients to mitigate the risks of money laundering and financing of terrorism. Accordingly, the CDD process involves:
A customer’s risk level may increase or decrease based on a variety of risk factors related to their geography and the particular products, services, transactions or delivery channels risk. Where a customer is assessed as carrying a higher risk, it will be necessary to seek additional information in respect of the customer, depending on the product sought. This procedure is called Enhanced Due Diligence.
It should be noted that not all high-risk clients are automatically involved in criminal activities; rather, they indicate higher risk factors that warrant closer attention.
Businesses need to retain the receipts and records of transactions, as well as the identity information of their clients. The retention period varies depending on the country. For example, Canada requires businesses to keep the record of their clients for five years, while in Austria the period is ten years.