Reasonable Assurance: Designing Effective Risk-Based Approaches (with KYC essence)
The essential steps on the way to reducing your company's compliance risks to a minimum

Is it possible to be entirely sure that the KYC procedures your company implements are impeccable? The work of a compliance team should not be underestimated, since it is in the best interests of businesses to protect themselves against all possible risks, both financial and legal.

In non-face-to-face business relationships specifically, these risks are more numerous than ever. Criminals engage in identity theft of all types, such as providing an ID that is false or belongs to another individual, "spoofing" (impersonating a legitimate customer via their account number or password), use of "sniffers" (devices capable of eavesdropping on telecommunications traffic, capturing passwords and data in transit), etc.

Cryptocurrencies, Gaming Industry, and Money Laundering
The cryptocurrency revolution has made money laundering easier than before; tracking electronic transactions is a complex task when the person behind them is undetectable.

Solutions like ZCash and Monero are examples of cryptocurrencies that provide unlinkable anonymity, which may be used in all sorts of illicit activities, from drug trade to contract killings.

This "anonymity veil" has by now been drawn over the entire world economy.

Even the least obvious industries, like gaming, are no longer immune to financial crime. In popular games, such as World of Warcraft, it is possible to convert money into virtual goods or cash, which can later be converted back into money, an opportunity already spotted by criminals.

So what is the optimal strategy for any financial institution in this new reality? We suggest that the best way to conduct your KYC (Know-Your-Client) policy is by the principle of reasonable assurance.

    Risk-Based Approach
    Essentially, it means that the risks related to financial crime can never be completely mitigated. Regardless of how reliable your sources are or how skilled in research your KYC team is, you can never be 100% certain that all your customers are who they claim to be and hide no criminal intentions.

    Therefore, it is vital to create a KYC policy that comes as close as possible to this ideal. We are in constant communication with local regulatory authorities worldwide and have designed a set of basic recommendations on this foundation. As a result, your precautions will not only satisfy the legislators but will also not be too complicated or burdensome for the company.

    Partly, this flexible solution is possible because legislators normally leave wide discretion for companies regarding their KYC policy details. However, this freedom of action and the absence of any precise instructions result in great overall uncertainty.

    Most companies, even banks, simply cannot fit their activities into the KYC framework. Among banks that have been fined for AML and KYC violations are all 10 of the biggest banks in Europe: HSBC, Barclays, and Lloyds from the UK, French quartet BNP Paribas, Crédit Agricole Group, Société Générale, and Groupe BPCE, Germany's Deutsche Bank, Santander of Spain and Dutch bank ING.

    Others to have been fined in recent years include the British banks RBS and Standard Chartered, Italy's Intesa Sanpaolo SpA, UBS Group and Credit Suisse of Switzerland, Spain's Banco Bilbao, Dutch institution Rabobank, and Nordea Bank of Sweden.

    In these circumstances, the wisest solution for any business would be to delegate its KYC procedures to a neutral actor that only specializes in KYC compliance and is relatively independent from the main policymakers, such as national legislators or the largest banks.

    What KYC is All About
    The notion of reasonable assurance does not suggest that companies should take a hands-off approach when it comes to preventing financial crimes. The business sector must still acknowledge the importance of AML and KYC procedures, making it a top priority to oppose the financing of terrorism and money laundering. Authorities and regulatory frameworks such as FATF, FCA, CySEC, FINMA, MAS, GDPR, PDPC Singapore, and others lay down their own specific recommendations and practical guidelines.

    However, it is up to compliance teams to navigate within these requirements by adopting the risk-based approach and designing a compatible KYC model. For instance, profiling your low-risk and high-risk clients lets you allocate a reasonable budget and a certain amount of work time to each category of customers.

    The key aspect for companies when creating their AML and KYC policies is to understand that no model can be entirely flawless, but it can be effective and unhindered.

    Basic Model Includes:
    • Data Collection
    One of the first conventional steps would be to collect such data as the customer's name, date of birth, proof of address (the documents may vary depending on a person's location; utility bills can serve as an example), and scanned copies or photos of the confirmatory documents. Best practice is to require the customer to present the ID and a selfie with it.

    • Data Checking and Storing
    It is obligatory to confirm that the received documents are authentic and belong to the particular customer. After having been collected, all the necessary data should be securely stored and regularly updated.

    • Internal AML Policy
    Each company should have a certain set of rules to standardize and mitigate the risks of money laundering, fraud, terrorism financing, and other similar crimes. Apart from standardizing, the internal AML policy should clarify the methods of dealing with the aforementioned risks.

    • Compliance Officer
    It is vital for a company to appoint a compliance officer, who is responsible for enforcing the AML and KYC policies and reporting suspicious activities all the way to the FIU, if necessary.

    Besides simply following the practical guidelines issued by the local authorities, companies should know exactly how to act in situations that are not envisaged in such guidelines, making sure they always remain well-informed about any legislative changes and adjust accordingly.

    At Sumsub we are committed to helping our customers to operate inside the law. For several Eastern European and Asian countries, we even helped to build the entire AML system.

    A Few Words On AML

    Reasonable assurance is not only about KYC. Every representative of the industry, whether it is a bank, a forex broker, or an online casino, must have a set of rules enabling it to spot and fight money-laundering schemes.

    These rules must be compatible with the local AML laws and recommendations of national and regional financial authorities. Although the latter are not strictly binding, non-compliance with them might draw unnecessary attention to your KYC policy.

    Consequently, every company should design its own risk model, based on a few major factors. Those factors include guidelines from the local authorities, the company's field of work, its consumer profile, the volume of money that its customers operate with, etc. Although you cannot fully eliminate the risks, with the right techniques you can come very close.

    What measures can help you lower the risks, based on international practice?

    KYC designs may differ depending on various factors, such as location or the company's professional field. However, there are some basics that every company must consider.
    At Sumsub we strive to offer solutions that fully conform to the requirements of the authorities and take a cautious approach.
    As a basic module, we offer a slightly wider set of practices than a regular KYC, to provide greater assurance and lower the risks.

    • Document integrity check: comprehensive analysis for signs of tampering or modification, for example, Photoshop edits.
    • Authentication check that determines the authenticity and legitimacy of documents and whether they have been forged or altered.
    • Security feature check: manual searches for possible forgeries in documents' digital images.
    • Verification of documents through third-party databases for validation and AML screening, including CDD, EDD, and KYB when necessary.
    • Face match and face liveness detection, including matching a selfie with an image of the person's face in the provided document.
    • Address check via utility bills or bank statements, depending on the location.

    What It Means In Practice

    If you need all of the verification procedures to be up to standard, we recommend that you have a look at our additional materials, which describe the specifics of customer due diligence and enhanced due diligence and give detailed information on the KYC checks.

    So what exactly is reasonable assurance? We would say it's a set of measures that helps to find a balance between institutional recommendations and a safe model that works specifically for your company.

    We understand that dealing with regulatory requirements and the need to contact authorities directly might seem overwhelming. Our company has broad experience in the area, as we've explored the specifics of KYC and AML regulation worldwide.

    We invite you to have a chat with our expert or have a look at our demo, so you can get an idea of how to make your business safer.