In response to growing concerns about the consequences of poor compliance with KYC/AML regulations, many regulators and legal entities around the world are revisiting the basics of the subject.
With strict KYC/AML compliance at the core of our company's values, we have an unnatural advantage in the compliance business, so here is our guide on what it means to Know Your Customer.
A KYC check is a mandatory process of identifying customers and having knowledge of their background.
KYC requires customers to prove their authenticity by providing a Proof of Identity, Proof of Address in some cases and other relevant documents.
The major difference between KYC and AML is that the KYC process is just one part of a broader AML program. By definition, an AML program refers to a set of policies, requirements and measures aimed at combating money laundering. All legal entities, including banks and ICO companies, are mandated by law to have an AML program in compliance with their local AML requirements.
KYC protects company stakeholders from potential fraud by shady customers and it’s also in the best interest of the company’s management and investors, especially if there is a lot of money involved.
When a legal entity complies with Know Your Customer requirements, it automatically reduces the financial risks of its business partnerships with various customers.
ICOs are required to conduct KYC checks to avoid trouble with the SEC and also be able to open bank accounts for withdrawing and keeping funds. KYC checks are also mandatory for STOs because these tokens are considered marketable securities.
If an ICO or STO fails to comply with regulations, fines and possible termination will follow. An example is the case of the Blockvest ICO, which was shut down by the SEC because backers falsely claimed the token was approved.
KYC checks are mandatory for FinTech companies because they offer financial services and even have partnership agreements with banks. Failure to strictly follow KYC requirements will likely result in heavy fines and termination. For example, Blue Global LLC was fined a sum of $104 million by the FTC and was shut down later on. Another example is UK-based Eclipse Finance, shut down by the FCA over false claims.
The sole purpose of KYC in the banking sector is to prevent the use of banks for money laundering. The bank’s KYC process must be in compliance with AML requirements, or the bank risks incurring hefty fines and damaging its reputation.
A peculiar case was that of the Commonwealth Bank in Australia, which was fined a sum of $700 million by AUSTRAC for compromising local AML requirements, which resulted in millions of dollars flowing through to drug importers.
Another case is Danske Bank in Estonia, where over $227 billion originating from Russia may have been laundered through its accounts.
A risk-based approach streamlines your company’s AML program by taking into account specific risk factors that indicate a high probability of money laundering activity.
Generally, a company’s AML policy places customers in different classes according to their risks. Hence the depth of due diligence required for any particular customer depends on their class of risk.
A regulator like the Financial Action Task Force (FATF) consists of only 37 countries. These countries, however, have their own KYC requirements regardless of their membership status. Although it is assumed that their requirements should be guided by the FATF recommendations, it is not compulsory because the FATF recommendations are non-binding. There are other regulators like the European Commission (EC), whose directives are obligatory for its members. But the EC’s KYC/AML requirements are in line with the general regulations.
Another regulator is FINMA, which is formally recognized as a regulator only in Switzerland and Liechtenstein, but its recommendations are also used in many other jurisdictions because of the Swiss banking system.
KYC requirements and regulations are essentially the same all over the world, regardless of the different regulators out there. Hence the term ‘reasonable assurance’ or ‘reasonable steps’.
For a better understanding of e-KYC, we have grouped some countries by method of verification below:
In countries like Malaysia, Liechtenstein and the Cayman Islands, KYC requirements either permit selfie-based identification or do not strictly forbid the use of this technology.
For reference, here’s an excerpt from the Malaysian law:
“To verify a customer’s identity through selfies or face ID, the system is expected to enable the reporting institution (RI) concerned to effectively perform customer verification, such as by being able to support facial recognition through video, video call or photo taken through ‘selfie’, and subsequently perform facial matching against the photo on the customer’s ID”.
In Austria, Germany, Luxembourg, Portugal, Spain and Israel, legal entities are permitted to use “video-based identification” in the e-KYC process.
For reference purposes, here’s a fragment of the Online Identification Regulation issued by Austria’s Financial Market Authority:
“The obliged entity shall make screenshots of potential customers and of their official photo identification documents. The potential customer shall be required to tilt their official photo identification document in front of the camera in such a way both horizontally and vertically, to allow the holographic security features to be checked by specially trained employees”.
Recommendations contained in Technical Guideline TR-02102 of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) must be complied with.
“Video identification must be performed in real-time and without interruption. In order to ensure the integrity and confidentiality of audiovisual communication between the employee and the potential customer, only end-to-end encrypted video chats are permitted”.
So what does this regulation actually mean? It technically gives jurisdictions the right to use software applications with real-time encryption features like Skype for video identification.
Another organization performing e-identification via Skype is Majestic Financial, a licensed Payment Institution operating under the supervision of the Bank of Lithuania.
In some cases, the use of online KYC customer identification methods like ‘sign-on Internet procedures’ and ‘electronic identification’ is neither prohibited by law nor stated as a necessity. The regulations just state that organizations should take additional security measures during enhanced due diligence.
In this case, if the organization needs to collect proof of identity, correctly assess the risks posed and perform ongoing monitoring, it can utilize any e-KYC process and be compliant simultaneously.
Providing customers with a KYC form or template is often the first step in verifying their identity. Each legal entity should have its own KYC template suited to the nature of its business.
To be compliant with the recommendations of regulators like FATF and FINMA, KYC Customer Due Diligence is sufficient in most cases. However, Enhanced Due Diligence (EDD) and ongoing monitoring procedures are compulsory for high-risk customers, particularly in FinTechs.
For more information, here is a thorough guide to Customer Due Diligence, its importance and detailed steps.
Enhanced Due Diligence, or EDD, is also a KYC process, necessary only for high-risk customers. Here’s a KYC-compliant approach to EDD:
Follow the link for more details on these Enhanced Due Diligence steps.
Seeing that we have divulged loads of information, we created this checklist to help you catch up and remember the crucial points in this article.
Always retain customer data in compliance with GDPR and other local privacy laws.
Here at Sum&Substance, our automated KYC/AML compliance solutions are approved by both international and local regulators. By seamlessly verifying your customers, we lift the burden on your company and increase your customer retention rate. To get in touch with us, leave a request.
KYC is mandatory by law and is the most accurate and powerful way to expose and prevent money laundering and fraud.
The first step of the KYC procedure is to collect personal data from the client.
Businesses can, and must, learn about the KYC requirements from a regulator in their jurisdiction. Read our blog for more insights on KYC/AML and compliance.