KYC is at the core of financial services’ fight against financial crime. Whilst Know Your Customer processes are a regulatory obligation, KYC is also important for establishing trust with the people and organisations you are doing business with and, if performed well, can also enhance customer relationships by making them more seamless and efficient.
What is Know Your Customer (KYC)?
Know Your Customer obligations focus on establishing that your customers are who they say they are and that the information they give you about themselves as individuals or businesses is accurate and corresponds to the truth. This then allows you to accurately assess the risk of that customer to your business, in line with your firm’s policies. These obligations apply not just at onboarding but endure as long as that customer has a relationship with your firm.
Financial services businesses must have robust KYC frameworks in place as part of their compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. Other industries - such as accountants, real estate, gaming and gambling - are also subject to similar requirements but financial services is one of the highest risk industries in terms of AML. There are other good reasons for KYC processes too, such as ensuring the advice you give to customers about products and services is suitable for their investment objectives and risk appetite.
KYC can be thought of as three sets of activities.
- Client identification and verification – validating the identity of individuals and businesses to establish that they are who they say they are
- Customer due diligence (CDD) – obtaining and verifying all the data about a customer that your firm needs to perform the necessary level of due diligence
- Customer risk assessment – determining the level of financial crime risk that the customer poses to the firm
Ultimately, the requirements for financial services firms to perform KYC checks stem from the global recommendations set by the Financial Action Task Force. Recommendation 5 sets out FATF’s expectations for CDD and states that ‘the principle that financial institutions should conduct CDD should be set out in law. Each country may determine how it imposes specific CDD obligations, either through law or enforceable means’.
KYC obligations then become enshrined in national law. In the UK, there is a combination of four main legislative acts, the last of which includes the requirements under the EU’s Fifth Anti-Money Laundering Directive. In the US, a new AML act was passed in 2020, strengthening the US’s legal defences against money laundering and complementing the existing legislation.
Why are KYC regulations needed for banks and financial services companies?
Just as the legitimate economy needs access to capital and funds and a place to deposit earnings and revenue, criminals have exactly the same requirements. The problem is, they have to make their illicit gains appear legitimate – which is essentially what money laundering is. Criminals are highly sophisticated and have perfected the art of exploiting loopholes and weaknesses in the global financial system to render their illegally gained money clean. It is estimated that between 2% and 5% of global output per year can be attributed to the proceeds of crime. Based on 2019 global output figures, that indicates somewhere between $1.7 and $4.3 trillion is illicitly obtained in any given year.
KYC regulations are therefore needed to prevent criminals from using the financial system for nefarious purposes by preventing them from gaining access in the first place.
How do I carry out KYC checks?
Firms have KYC policies that set out the types of KYC checks that are required based on certain characteristics of the business and the client – such as type of customer (retail vs corporate), products, geographic location of the customer etc. These characteristics all feed into the financial risk profile of the customer and will determine the level of due diligence that is required.
As mentioned above, KYC can be split into three separate activities.
- Customer Identification
Potential customers must provide information that allows financial firms to check and verify their identity. At a minimum for individuals, this will be name, address, date of birth and proof of identity such as a driving licence, national identity card (if applicable) or passport.
For corporate customers, the minimum data required is the full name of the company, registered number, registered office in the country of incorporation and principal business address (if different from the registered office).
Financial firms will then verify this information with trusted independent sources to exclude the possibility of identity theft and to make sure the customer is not a politically exposed person or on a sanctions list.
For digital channels, where seamless and quick onboarding is expected by customers, new methods of identity verification have developed using live video verification, biometrics and optical character recognition.
- Customer Due Diligence
Further levels of due diligence are required, particularly when onboarding corporates. Financial firms have an obligation to identify the ultimate beneficial owner of a company – those who stand to gain financially from the business. This information is often available from Corporate Registries such as Companies House in the UK, but this does vary from country to country.
Identification and validation of the source of funds or source of wealth may also be necessary.
Extra levels of due diligence, known as Enhanced Due Diligence (EDD), are required when customers are deemed to be high-risk or in other circumstances which also pose a high risk. These could be transactions or customers in high-risk countries, customers who have been identified as Politically Exposed Persons, customers where false identifying information has been provided or where there are other suspicious factors.
- Customer Risk Assessment
This occurs in parallel with some of the customer identification and due diligence activities. All the data collected about a customer is used to determine the level of AML / CTF risk that a customer poses to the firm. The level of risk will then determine the level of scrutiny required during the lifetime of that customer in terms of monitoring transactional activity and in reviewing the customer’s information over time.
When do I need to conduct KYC checks?
KYC regulations stipulate that KYC checks must be performed before any business relationship is entered into between a potential customer and the financial firm. This is known as the onboarding process and is a key control to prevent bad actors from gaining access to the financial system.
However, the regulations also require that customers are monitored on an ongoing basis. There are two elements of ongoing monitoring – monitoring the customer’s transactional activity (known as transaction monitoring) and ensuring that the documents and information gathered about a customer for the purposes of applying customer due diligence remain up to date. The latter is also part of KYC activities and has traditionally been performed on a periodic basis, depending on the risk of the customer. High-risk customers are usually reviewed annually to ensure all their information is up to date and that nothing that impacts the risk assessment has changed. Medium and low-risk customers tend to be assessed every three and five years respectively.
Recently, the inefficiency and high cost associated with periodic reviews have motivated firms to move to a different way of doing things. Firms are now looking at perpetual or trigger-based KYC, where a change in information about a customer prompts a review. This process is often automated, using data and technology to create alerts which are then reviewed by the KYC team.
What is the risk if KYC isn’t done properly?
Clearly, if KYC checks are not completed properly or robustly enough, the risk is that financial criminals will gain access to the financial system and use it to launder illicit funds gained from a variety of crimes that cause enormous human harm and suffering. These so-called ‘predicate’ crimes include human trafficking, drug smuggling, gun-running and endangered animal smuggling, often performed by dangerous organised crime gangs.
There are other impacts though, including falling foul of regulators. Global fines for anti-money laundering failures amounted to a total of $3.2 bn in 2020, with CDD failures forming the largest number of cases in the AML fines issued. Along with the financial impact of these fines comes the reputational damage - AML fines attract widespread media coverage and, along with issues like the FinCEN leaks, call into question the trustworthiness of these institutions in handling customers’ money with care and diligence.
Such significant financial sanctions and reputational impacts are clearly an important incentive for firms to get their KYC processes right, but we should also always remember the real reason that sits behind these regulations – and that is protecting the global financial system from exploitation by bad actors.
 Proceeds of Crime Act 2002, The Terrorism Act 2000, Terrorism Act 2000 and Proceeds of Crime Act 2002 (Amendment) Regulations 2007, Money Laundering Regulations 2017 and Money Laundering Regulations 2019.
 Bank Secrecy Act (BSA) 1970 and The Patriot Act 2001
 The United Nations Office on Drugs and Crime (UNODC) study to determine the magnitude of illicit funds generated by drug trafficking and organised crimes estimated that in 2009, criminal proceeds amounted to 3.6% of global GDP, with 2.7% (or USD 1.6 trillion) being laundered. In 1998, the IMF stated that the aggregate size of money laundering in the world could be somewhere between two and five percent of the world’s gross domestic product.