The Sumsuber

KYC Checks: Policy and Risk-based Approach to Know Your Customer

In response to growing concerns about the consequences of poor compliance with KYC/AML regulations, many regulators and legal entities around the world are revisiting the basics of the subject.

With strict KYC/AML compliance among our company’s core values, we have a natural advantage in the compliance business, so here is our guide on what it means to Know Your Customer.

What is KYC?

A KYC check is a mandatory process of identifying customers and having knowledge of their background.

KYC requires customers to prove their identity by providing Proof of Identity, Proof of Address in some cases, and other relevant documents.


The major difference between KYC and AML is that the KYC process is just one part of a broader AML program. By definition, an AML program is a set of policies, requirements and measures aimed at combating money laundering. All legal entities, including banks and ICO companies, are mandated by law to have an AML program that complies with their local AML requirements.

Why KYC is Important

KYC protects company stakeholders from potential fraud by shady customers, and it is also in the best interest of the company’s management and investors, especially when a lot of money is involved.

When a legal entity complies with Know Your Customer requirements, it automatically reduces the financial risk of its business partnerships with various customers.

KYC and Blockchain: ICOs and STOs

ICOs are required to conduct KYC checks to avoid trouble with the SEC and also be able to open bank accounts for withdrawing and keeping funds. KYC checks are also mandatory for STOs because these tokens are considered marketable securities.

If an ICO or STO fails to comply with regulations, fines and possible termination will follow suit. An example is the case of the Blockvest ICO which was shut down by the SEC because backers falsely claimed the token was approved.

KYC in FinTech

KYC checks are mandatory for FinTech companies because they offer financial services and even have partnership agreements with banks. Failure to strictly follow KYC requirements will likely result in heavy fines and termination. For example, Blue Global LLC was fined a sum of $104 million by the FTC and was shut down later on. Another example is UK-based Eclipse Finance, shut down by the FCA over false claims.

KYC in Banking

The sole purpose of KYC in the banking sector is to prevent banks from being used for money laundering. A bank’s KYC process must comply with AML requirements; otherwise the bank risks hefty fines and damage to its reputation.

A notable case was the Commonwealth Bank in Australia, which was fined a sum of $700 million by AUSTRAC for breaching local AML requirements, a failure that resulted in millions of dollars flowing through to drug importers.

Another case is Danske Bank in Estonia, where over $227 billion originating from Russia may have been laundered through its accounts.

KYC/AML Risk-based Approach

A risk-based approach streamlines your company’s AML program by taking into account specific risk factors that indicate a high probability of money laundering activity.

Generally, a company’s AML policy places customers in different classes according to their risk. The depth of due diligence required for any particular customer therefore depends on their risk class.

KYC Regulators

Regulators like the Financial Action Task Force (FATF) consist of only 37 member countries. Countries, however, have their own KYC requirements regardless of their membership status. Although it is assumed that their requirements should be guided by the FATF recommendations, this is not compulsory because the FATF recommendations are non-binding. There are other regulators like the European Commission (EC), whose directives are obligatory for its members, but the EC’s KYC/AML requirements are in line with the general regulations.

Another regulator is FINMA, formally recognized as a regulator only in Switzerland and Liechtenstein, but its recommendations are also used in many other jurisdictions because of the influence of the Swiss banking system.

KYC requirements and regulations are essentially the same all over the world, despite the many different regulators out there. Hence the terms ‘reasonable assurance’ and ‘reasonable steps’.

KYC Laws: e-KYC and online ID Verification

For a better understanding of e-KYC, we have grouped some countries by their permitted method of verification below:

Selfie-based ID Verification

In countries like Malaysia, Liechtenstein and the Cayman Islands, KYC requirements either permit selfie-based identification or do not strictly forbid the use of this technology.

For reference, here’s an excerpt from the Malaysian law:

“To verify a customer’s identity through selfies or face ID, the system is expected to enable the reporting institution (RI) concerned to effectively perform customer verification, such as by being able to support facial recognition through video, video call or photo taken through ‘selfie’, and subsequently perform facial matching against the photo on the customer’s ID”.

Video-based ID Verification

In Austria, Germany, Luxembourg, Portugal, Spain and Israel, legal entities are permitted to use “video-based identification” in the e-KYC process.

For reference purposes, here’s a fragment of the Online Identification Regulation issued by Austria’s Financial Market Authority:

“The obliged entity shall make screenshots of potential customers and of their official photo identification documents. The potential customer shall be required to tilt their official photo identification document in front of the camera in such a way both horizontally and vertically, to allow the holographic security features to be checked by specially trained employees”.

Recommendations contained in Technical Guideline TR-02102 of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) must be complied with.

“Video identification must be performed in real-time and without interruption. In order to ensure the integrity and confidentiality of audiovisual communication between the employee and the potential customer, only end-to-end encrypted video chats are permitted”.

So what does this regulation actually mean? In practice, it allows entities in these jurisdictions to use software applications with real-time encryption features, such as Skype, for video identification.

Another organization performing e-identification via Skype is Majestic Financial, a licensed Payment Institution operating under the supervision of the Bank of Lithuania.

If the law is unclear on e-KYC

In some cases the use of online KYC customer identification methods like ‘sign-on Internet procedures’ and ‘electronic identification’ is neither prohibited by law nor stated as a requirement. The regulations simply state that organizations should take additional security measures during enhanced due diligence.

In this case, if the organization needs to collect proof of identity, correctly assess the risks posed and perform ongoing monitoring, it can utilize any e-KYC process and be compliant simultaneously.

Common KYC Policy and Procedures

Providing customers with a KYC form or template is often the first step in verifying their identity. Each legal entity should have its own KYC template suited to the nature of its business.

To be compliant with the recommendations of regulators like FATF and FINMA, KYC Customer Due Diligence (CDD) is sufficient in most cases. However, Enhanced Due Diligence (EDD) and ongoing monitoring procedures are compulsory for high-risk customers, particularly in FinTechs.

Common KYC template: Customer Due Diligence

  1. Collect data on potential customers;
  2. Independently verify the data collected;
  3. Run database name checks to detect relevant Adverse Media, PEPs and sanctioned individuals;
  4. Determine whether conducting Enhanced Due Diligence (EDD) is necessary.

For more information, here is a thorough guide to Customer Due Diligence, its importance and detailed steps.

Enhanced Due Diligence (EDD)

Enhanced Due Diligence (EDD) is a KYC process required only for high-risk customers. Here’s a KYC-compliant approach to EDD:

For Individuals:

  1. Obtain additional identifying information;
  2. Conduct media and Internet database checks to understand the veracity of Adverse Media involving customers;
  3. Make the decision to do business with them.

KYC EDD For Legal Entities:

  1. Conduct an on-site visit;
  2. Analyze the customer’s source of funds and check for UBOs;
  3. Periodically monitor high-risk accounts for unusual or unexpected activity;
  4. Make the decision to do business with them.

Follow the link for more details on these Enhanced Due Diligence steps.

  • Ongoing Monitoring: Ongoing monitoring is a part of Enhanced Due Diligence, but is usually conducted separately. Transactions and accounts should be regularly analyzed for money laundering or terrorist financing risks and to ensure that they are in line with the expected level of activity. This is important because a customer’s risk profile may change over time.
  • Keeping Records: Retaining all records in accordance with the company’s retention policy is a key aspect of a sound AML program regardless of which KYC process was conducted. The records can be stored on a secure server in compliance with local data laws such as GDPR, and made available to regulators when necessary.
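The risk-based approach, the CDD/EDD steps above and the ongoing-monitoring rule can be expressed as one small decision flow. The following is an added illustration, not Sum&Substance’s product code; the risk-tier thresholds, the `Customer` fields and the 3× deviation ratio are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Due diligence steps as listed in the CDD and EDD templates above.
CDD_STEPS = ["collect identifying data", "independently verify data",
             "screen names against adverse media, PEP and sanctions lists",
             "decide whether EDD is necessary"]
EDD_STEPS = {
    "individual": ["obtain additional identifying information",
                   "run media and internet database checks",
                   "decide whether to do business"],
    "legal_entity": ["conduct on-site visit",
                     "analyse source of funds and identify UBOs",
                     "monitor account periodically",
                     "decide whether to do business"],
}

@dataclass
class Customer:                      # hypothetical onboarding record
    kind: str                        # "individual" or "legal_entity"
    identity_verified: bool          # Proof of Identity checked independently
    address_verified: bool           # Proof of Address checked (where required)
    pep: bool = False                # hit on a PEP list
    sanctioned: bool = False         # hit on a sanctions list
    adverse_media: bool = False      # relevant adverse media found
    expected_monthly_volume: float = 0.0   # baseline agreed at onboarding

def risk_tier(c: Customer) -> str:
    """Place the customer in a risk class (assumed ordering for the example)."""
    if c.sanctioned:
        return "blocked"             # sanctions hit: no business relationship
    if c.pep or c.adverse_media or not c.identity_verified:
        return "high"
    if not c.address_verified:
        return "medium"
    return "low"

def due_diligence_plan(c: Customer) -> list[str]:
    """CDD for everyone; EDD steps appended only for the high-risk class."""
    tier = risk_tier(c)
    if tier == "blocked":
        return ["reject: sanctions hit"]
    return list(CDD_STEPS) + (EDD_STEPS[c.kind] if tier == "high" else [])

def unusual_months(c: Customer, monthly_volumes: list[float], ratio: float = 3.0) -> list[int]:
    """Indexes of months whose volume exceeds ratio x the expected activity level."""
    return [i for i, v in enumerate(monthly_volumes) if v > ratio * c.expected_monthly_volume]

def reassess(c: Customer, monthly_volumes: list[float]) -> str:
    """Ongoing monitoring: unexpected activity moves the customer to the high-risk class."""
    tier = risk_tier(c)
    return "high" if tier != "blocked" and unusual_months(c, monthly_volumes) else tier
```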


Since this article covers a lot of ground, we have put together this checklist to help you remember its crucial points.

  • Employing a risk-based approach is recommended to reduce compliance costs;
  • Using online ID Verification or e-KYC services is just as effective and is also compliant with regulations;
  • Conduct KYC CDD. To do this you need to collect the potential customer’s Proof of Identity and Proof of Address in some cases;
  • Conduct KYC EDD if necessary. For this you need additional identifying details such as proof of wealth. Also perform media checks and on-site visits;
  • Ongoing Monitoring. Periodically monitor high-risk accounts for unexpected or unusual activities.

Always retain customer data in compliance with GDPR and other local privacy laws.

Need help with your KYC process?

Here at Sum&Substance, our automated KYC/AML compliance solutions are approved by both international and local regulators. By seamlessly verifying your customers, we lift the burden on your company and increase your customer retention rate. To get in touch with us, leave a request.

Frequently Asked Questions about KYC

Why is KYC mandatory?

KYC is mandatory by law and is the most accurate and powerful way to expose and prevent money laundering and fraud.

What is the first step of the KYC procedure?

The first step of the KYC procedure is to collect personal data from the client.

Where can I learn more about the KYC checks?

Businesses can, and must, learn about the KYC requirements from a regulator in their jurisdiction. Read our blog for more insights on KYC/AML and compliance.