Know your customer (KYC) requirements continue to grow in volume and complexity. The challenge is managing, storing and employing data to satisfy regulators while maintaining healthy and profitable business relationships. In this white paper, we explain the core components of an effective KYC procedure, from understanding the base regulations to the key considerations required at each stage of the process.
What is KYC?
KYC is a legal requirement to verify the identity of your customers and to assess and monitor the risk of doing business with them. It is an important part of the due diligence process required to comply with anti-money laundering (AML) and combating the financing of terrorism (CFT) legislation.
Why is KYC needed?
Organised crimes, such as money laundering, are universal and affect all of society. With advances in technology, these crimes are becoming more and more sophisticated and organisations need to work even harder to identify potentially fraudulent activity. An efficient KYC process will manage risk, achieve regulatory compliance and provide the best protection possible for your organisation and its counterparties from financial crime.
Aside from regulatory compliance, establishing a solid set of internal policies and procedures for confirming the identity of business counterparties, assessing the risk of doing business with them and monitoring this status over time can only be positive for the organisation in the long term.
What are the regulations and how have they evolved?
KYC guidelines are part of the international standard for anti-money laundering measures and combating the financing of terrorism and terrorist acts, which are set by the Financial Action Task Force (FATF). The FATF is an intergovernmental organisation, founded in 1989 on the initiative of the G7, to develop protective policies that can flow into national legislation and regulatory reforms. To date, FATF has issued 40 recommendations on money laundering and nine on terrorism financing. Each country must interpret and comply with these recommendations so there are nuances in the way they are enacted across jurisdictions, creating an extra layer of complexity for organisations trading multi-nationally.
AML regulations were first established to fight organised crime and drug trafficking, but subsequent events, such as the September 11th terrorist attacks in New York in 2001 and the global financial crisis of 2008, as well as a series of high-profile fraud, money laundering and tax evasion cases, highlighted the many risks inherent in business relationships and the holes in the regulatory framework designed to mitigate them. This brought a new era of regulatory scrutiny and resulted in the implementation of increasingly complex regulations, for the financial industry in particular.
In 2020 alone, two further AML directives (AMLD5 and AMLD6) were added by the European Union, each expanding the scope of the previous directive. Amendments reflect the changing technological landscape, extending the coverage to include certain crypto-asset activities, for example, and adding cyber-crime as a predicate offence.
Penalties have also become more severe. Those found to be ‘aiding and abetting’ money laundering activities are now subject to the same penalties as those directly involved, for example, while the minimum imprisonment term for money laundering offences has been increased from one to four years.
A risk-based approach to KYC
Taking a risk-based approach is central to an effective KYC process. This means focusing attention where it is most needed – using a structured method for data gathering so that it is clear when further details are required. Policies and procedures will vary depending on the nature of the risks involved, based on the type of products being transacted, the industry, and country in which trading is taking place.
To ensure that the KYC procedures are fit-for-purpose, companies must continually review and revise, remaining proactive in seeking out information about money-laundering trends and threats as well as relying on the expertise and experience of their KYC or customer due diligence (CDD) analysts. Part of this means tracking FATF guidance, which is issued at sector and country level.
Which industries are subject to the regulations?
KYC regulations initially applied only to the financial industry but this has now been expanded to cover more and more industries deemed at higher risk from money laundering for various reasons, from being targets for financial crime through to enabling identification fraud. Sector-specific guidance from the FATF includes the following:
- Trust and company service providers
- Accountancy firms
- Real estate agents
- Precious metals and stones dealers
- Legal professionals
- Fintechs such as mobile and online payment services
- Virtual currencies
See here for more information: FATF industry guidance
Regardless of whether or not your organisation is legally obliged to comply with current rules, it is certainly wise to consider the potential risks and to adopt KYC procedures and broader anti-money laundering processes.
All regulations follow the FATF Recommendations as the international standard, so the core compliance requirements are the same. However, because each country will have different legal, administrative and operational frameworks, there are some nuances in what is required.
While it is impossible to provide an exhaustive list of all the requirements for each jurisdiction, the risk-based approach dictates that organisations conducting business multi-nationally require an extra layer of due diligence. The FATF identifies jurisdictions with strategic AML/CFT deficiencies in two public documents that are issued three times a year:
- FATF Public Statement (call for action)
- Improving Global AML/CFT Compliance: On-going Process (other monitored jurisdictions)
Four stages of KYC compliance
There are four broad stages that typify the KYC process at all organisations:
1) Customer Identification Procedure (CIP): the starting point for any KYC process. It involves the physical collection of identification documents, either in scan format via email, by traditional post or, preferably, through a centralised repository or register.
This process gathers mostly self-reported government-issued documents, proving the identity of the company and key personnel, including:
- Proof of identity (POI) document with photo, such as a passport or driving licence
- Proof of address (POA) document, such as a utility bill or bank account statement, which must be dated within the past three months
- Certificate of Incorporation (for companies, LLPs, trusts)
Organisations using centralised repositories gain from end-to-end encryption and electronic authentication at this stage. The latter, used alongside an electronic signature, establishes greater confidence in a customer’s identity by proving that the data received has not been altered after being signed by its original sender.
2) Verify identity information: once the identity data is collected, the accuracy and validity of this data needs to be independently verified and cross-checked. This stage involves checking for inconsistencies or causes for concern, typically using third parties or external sources such as:
- Registries (for example in the UK, Companies House or the FCA register)
- Company websites
- Politically-exposed persons (PEP) screening
- Sanctions checking
- Adverse media screening sites or service providers (to be sure that the customer is not on any of these lists).
3) Risk assessment: the next stage is to understand the purpose and intended nature of the business relationship, building up a detailed customer profile based on factors such as the company’s business activities, partnerships, office locations, business entities, ownership structure and the sources of its assets and income.
Combining this with the data gathered and verified in stages one and two should be sufficient to make an accurate assessment of the risk associated with the business relationship and a risk score can be assigned. Counterparties that are low risk will then be subject to basic due diligence procedures while higher risk relationships are subject to enhanced due diligence (see explanations below).
4) Ongoing monitoring and review: stage four requires companies to monitor transactions to ensure that they are consistent with what the firm knows about the customer (based on the onboarding process of stages 1-3) and review this information regularly to ensure it is kept up to date.
The process can be automatic, manual or a combination of both, and includes screening for any new mentions in the media or the inclusion on sanction lists, as well as any changes to organisational structure or ownership. Customer due diligence measures must be re-confirmed where there are any doubts about the adequacy of this data.
Accurate, complete and up-to-date KYC information is vital for the company to be able to determine the correct risk level and continue to assess the viability of the business relationship, questioning activity where necessary. Best practices for financial institutions include establishing automated transaction monitoring systems with periodic refreshing of due diligence information every six to 12 months, based on the risk score of the customer.
What happens if suspicious activity is detected?
Maintaining these detailed records of customer data means that reports can be submitted to the relevant authority if customers engage in certain transactions or financial activities. Firms must have procedures in place to identify suspicious transactions – such as activity in unexpected locations or of an abnormal size – quickly and accurately. It is important to establish risk scenarios so that any divergence from the customer behaviour patterns or thresholds determined during the risk assessment process raises an alert, highlighting transactions or accounts that warrant further investigation or analysis.
Firms must have a nominated officer who has a legal obligation to report any knowledge or suspicions of money laundering to the relevant authority via a Suspicious Activity Report (SAR). Staff must report any concerns to the firm’s nominated officer, who must then consider whether a report is necessary.
Suspicious activity reports are triggered by any activity that goes against expected behaviours established in the risk profile, for example when transactions breach specified monetary thresholds. There are strict rules governing the process of submitting these reports, and it is particularly important to avoid alerting a potential offender to an investigation, known as ‘tipping off’, as this carries serious penalties.
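As an added illustration (not code from the original paper or from CoorpID), the following Python model ties together stages three and four and the alerting rule described in this section: an additive risk score from the EDD triggers listed below decides the due-diligence level and the refresh interval, the proof-of-address date window is checked, and each transaction is compared with the profile established at onboarding. The scoring weights, the EDD cut-off, the placeholder high-risk country code and the sample customers and transactions are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed high-risk country list; "ZZ" is a user-assigned ISO code used as a placeholder.
HIGH_RISK_COUNTRIES = {"ZZ"}
EDD_CUTOFF = 3  # assumed score at or above which enhanced due diligence applies


@dataclass(frozen=True)
class CustomerProfile:
    name: str
    country: str
    pep_involved: bool
    opaque_ownership: bool
    expected_countries: frozenset  # where the customer normally transacts (from onboarding)
    typical_amount: float          # usual transaction size established at onboarding
    monetary_threshold: float      # threshold fixed during the risk assessment


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months (negative allowed); day clamped to 28 for safety."""
    years, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_index + 1, min(d.day, 28))


def poa_is_current(doc_date: date, today: date) -> bool:
    """Proof-of-address documents must be dated within the past three months."""
    return add_months(today, -3) <= doc_date <= today


def risk_score(p: CustomerProfile) -> int:
    """Additive score from the EDD triggers: high-risk country, opaque ownership, PEP."""
    score = 0
    if p.country in HIGH_RISK_COUNTRIES:
        score += 2
    if p.opaque_ownership:
        score += 2
    if p.pep_involved:
        score += 3
    return score


def due_diligence_level(score: int) -> str:
    return "EDD" if score >= EDD_CUTOFF else "basic CDD"


def next_review_date(last_review: date, score: int) -> date:
    """Refresh CDD information every 6 months for higher risk, every 12 for low risk."""
    return add_months(last_review, 6 if score >= EDD_CUTOFF else 12)


def screen_transaction(p: CustomerProfile, tx: dict) -> list:
    """Return the reasons a transaction diverges from the customer's expected profile."""
    reasons = []
    if tx["country"] not in p.expected_countries:
        reasons.append("unexpected location")
    if tx["amount"] > p.monetary_threshold:
        reasons.append("threshold breached")
    if tx["amount"] > 3 * p.typical_amount:  # assumed rule: abnormal size = 3x usual activity
        reasons.append("abnormal size")
    return reasons


# Constructed sample customers for the example.
LOW_RISK = CustomerProfile("Alpha BV", "NL", False, False, frozenset({"NL", "DE"}), 5000.0, 50000.0)
HIGH_RISK = CustomerProfile("Beta Ltd", "ZZ", True, False, frozenset({"ZZ"}), 5000.0, 20000.0)
```

An empty list from `screen_transaction` means the transaction matches what the firm knows about the customer; any non-empty list is an alert for an analyst to review.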
Customer due diligence (CDD)
As mentioned above, while the regulations stipulate that companies must have policies and procedures in place in relation to customer due diligence and monitoring, they do not prescribe in detail how this must be done; only that the measures taken must be commensurate with the risk level.
There are two different levels of CDD based on the potential risks involved in the business relationship:
1) Basic (or simplified) due diligence applies in situations where the risk is perceived as low. As a result, the information needed to verify a customer’s background is less thorough.
Documents required for basic due diligence will typically include:
- Company trading name
- Company number
- Tax number
- Details of directors, partners, owners (mobile numbers, emails, home address, tax number)
- Company bank details (name of bank, branch address, account number, IBAN/SWIFT code)
2) Enhanced due diligence (EDD) applies in situations deemed higher risk including where:
- Customers are linked to higher-risk countries or industry sectors
- Customers have unnecessarily complex or opaque beneficial ownership structures
- Unusual, complex or large transactions have occurred
- Politically-exposed persons are involved
With EDD, there is a higher level of scrutiny with detailed background checks on any entity or individual.
Staff who approve new or ongoing business relationships must satisfy themselves that the firm has obtained adequate and comprehensive CDD – or EDD if relevant – information before doing so.
Maintaining audit trails
It is an organisation’s responsibility to prove its KYC compliance to the relevant authority. This means documenting and retaining relevant records on all clients. Failure to do so brings significant risk in terms of financial cost, reputational damage and potential judicial consequences.
For how long must records be kept?
All records must be kept for five years after the business relationship ends in case they need to be presented for a regulatory audit. These requirements supersede any right to erasure requests under data protection laws such as GDPR.
Harnessing the power of technology
From using biometric data to artificial intelligence and machine learning, technological advancements continue to drive progress in the KYC space. Embracing this new technology will enable better ways to identify customers, run due diligence checks and perform ongoing monitoring and reporting.
Most companies choose to automate their KYC on some level, with tools designed to complement the expertise of their employees. Onboarding and initial risk assessment are prime areas for automation for all companies, while bigger companies will require a full monitoring system. Using these smart technology tools streamlines the onboarding process by standardising the types of information required to carry out customer due diligence. Efficient KYC tools offer a single, secure digital vault that enables KYC or CDD analysts to collect, organise and track all the relevant documents so that data is readily accessible when they need it.
Achieving the right level of automation for your organisation improves the accuracy and efficiency of the process, enabling regulatory compliance while also reducing friction for customers.
The importance of keeping informed
Ensuring best practice in KYC and broader AML relies on staying informed at all levels – from the continuous monitoring of customers to staying abreast of relevant regulatory reform and the technology that can support compliance.
- Build a responsible business culture where all employees understand the importance of KYC and the broader AML protocol and accept responsibility for its successful implementation.
- Create a framework to deliver ongoing training to employees on how to fulfil compliance obligations according to internal policies and changing external regulations, as well as to understand the consequences of non-compliance.
- Critically review current processes against the standards and the direction of travel through a risk-based lens and ensure in-built flexibility to adapt to future changes.
Choosing CoorpID as your strategic partner
CoorpID solves the problem of turning complex regulations into company policies – it offers an intuitive solution that provides a real-time overview and a central location to store and manage all KYC-required data. This centralised hub is designed to maximise the quality of the KYC process for both regulated companies and their customers by streamlining collaboration, driving efficiency and providing the highest levels of security.
Key features include:
- Secured centralised vault for encrypted data storage
- Transparent status overview
- Consented access
- Audit and activity tracker
- Visual entity builder
- Progress dashboard with real-time guidance on requirements
- In-tool communication
To learn more, and book a demo, visit: CoorpID Demo
ACRONYMS AND ABBREVIATIONS
AML – anti-money laundering (refers to laws, regulations, and procedures designed to stop criminals from disguising illegally obtained funds as legitimate income).
CDD – customer due diligence
CFT – combating the financing of terrorism (preventing funding of activities intended to achieve religious or ideological goals through violence).
CRS – the common reporting standard. This was developed by the Organisation for Economic Co-operation and Development and is an information standard for the automatic exchange of information regarding financial accounts on a global level, between tax authorities. Its purpose is to combat tax evasion.
CTF – counter-terrorist financing
KYC – know your customer/client
PEP – politically-exposed persons
PII – personally identifiable information (e.g. name, date of birth)
POA – proof of address
POI – proof of identity
PSD2 – EU regulation to protect online payments
Regtech – a technology that facilitates regulatory processes. The main functions of regtech include regulatory monitoring, reporting and compliance.
STR – suspicious transaction report
UBO – ultimate beneficial ownership
There are a multitude of authorities responsible for enforcing anti-money laundering rules and a raft of related regulations. These include:
FATF: Headquartered in Paris, the Financial Action Task Force is an intergovernmental organization that designs and promotes policies and standards to combat financial crime. Most developed countries are members/supporters of the task force. A large number of international organizations participate as observers including Interpol, the International Monetary Fund (IMF), the Organization for Economic Cooperation and Development (OECD), and the World Bank.
Australia – the AML/CTF Act and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) are overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC)
Belgium – the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash is overseen by the National Bank of Belgium
Canada – the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) 2000 is overseen by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s financial intelligence unit
France – the Anti-Money Laundering Act (AMLA) is overseen by the Autorité des Marchés Financiers (AMF)
Germany – the Money Laundering Act (2002) is overseen by BaFin
Hong Kong – the Hong Kong Monetary Authority (HKMA) sets out the relevant anti-money laundering and counter-financing of terrorism (AML/CFT) regulations
India – the Prevention of Money-Laundering Act (PMLA), 2002 is overseen by the Reserve Bank of India
Italy – the Legislative Decree 231/2007 is overseen by the Italian Financial Intelligence Unit, part of the Bank of Italy
Japan – Act on identification of customers by financial institutions 2003
Luxembourg – the Anti-Money Laundering (AML) laws and regulations, 1993
Mexico – Federal law for the Prevention and Identification of Operations with Resources from Illicit origin, 2013
The Netherlands – Money Laundering and Terrorist Financing (Prevention) Act (Wwft). The Dutch National Bank and the Central Financial Intelligence Unit are the main authorities
Singapore – AML/CFT requirements are largely overseen by the Monetary Authority of Singapore
South Africa – The Financial Intelligence Centre Act 38 (FICA) of 2001
South Korea – Act on Reporting and Use of Certain Financial Transaction Information
Switzerland – Swiss Financial Market Supervisory Authority (FINMA) 2007
UK – The Money Laundering Act, 2017 (MLA) is overseen by the Financial Conduct Authority (FCA).
US – The Financial Crimes Enforcement Network (FinCEN) is the primary AML/CFT regulator and operates under the authority of the United States Treasury Department. The Financial Industry Regulatory Authority (FINRA) sets out Rule 2090 (Know Your Customer). The Bank Secrecy Act (BSA) of 1970 and the USA PATRIOT Act (2001) are the key regulations.
FATF recommendations: FATF Recommendations 2012.pdf (fatf-gafi.org)
Guidance from the UK’s FCA: Financial crime: a guide for firms – part 1 (fca.org.uk)
The Joint Money Laundering Steering Group (guidance for UK financial institutions): https://jmlsg.org.uk/
Global anti-money laundering forum for lawyers: IBA Anti-Money Laundering Forum – IBA Anti-Money Laundering Forum (anti-moneylaundering.org)
PWC’s quick reference guide provides regulations for each territory: pwc-anti-money-laundering-2016.pdf