With increasing global regulations and supervisory scrutiny, businesses all over the world are facing mounting pressure to implement robust Know Your Customer, or KYC, processes.
As a term, KYC refers to the set of procedures that businesses and financial institutions are required to implement to verify the identity and assess the risk associated with their customers. KYC involves gathering information and documentation from customers to ensure they are who they claim to be and to evaluate their suitability for engaging in a business relationship.
KYC in and beyond financial services
In general terms, the purpose of KYC is to prevent fraud, money laundering, terrorist financing, and other financial crimes by establishing the identity, background, and financial activities of customers.
For this reason, it’s easy to imagine why KYC requirements originated, and for a long time only applied to the financial services industry. KYC regulations were established to combat the most pressing money laundering and financial crime risks by mandating financial institutions to verify the identities of their customers, understand their financial activities, and assess their risk profiles before agreeing to “move money” for them, especially across national borders.
Over the last few decades, KYC has become a crucial component of regulatory compliance well beyond financial services, starting to cover sectors as diverse as real estate, the art market, the legal sector and precious stone and metal merchants, among others.
The key components of a robust KYC process
A robust KYC (Know Your Customer) process typically includes several key components to ensure comprehensive customer due diligence. These include Customer Identification, Identity or business verification, Assessment of the customer’s risk profile, On-going monitoring, and Reporting and Record-Keeping.
Let’s look at each one of them in detail.
- Customer Identification
In its essence, identification means collecting a defined set of data about the customer. For individuals, the customer’s full name, nationality and date of birth are the central data points across most jurisdictions. But local regulations often prescribe additional mandatory information, such as the customer’s address, ID number or employment status. For corporate entities, the core data points are the company’s name and type, registration number, and incorporation or creation date. Additionally, information about controlling persons and beneficial owners must be collected, and most jurisdictions require similar data on those as they prescribe for individuals.
- Identity or business verification
For individuals, the identification performed in phase 1 is supported by a verification step to ensure that the identity data submitted by the customer is correct and complete. Traditionally, verification is done by comparing the submitted data to extracted data from documents. For example, comparing the customer-supplied name and date of birth to the name and date of birth details on a photo ID (which is often done electronically and through AI-based systems as well). When the individual’s address is requested, in many jurisdictions it is traditionally verified through a comparison with an address on a utility bill or, in a digital process, geo-locationing via GPS. In jurisdictions with e-KYC regulations such as the UK, simpler processes can be sufficient, such as comparing the submitted data to information found in independent reliable databases.For business clients, the verification phase requires the review of collected company documents to ascertain the information about beneficial owners and controlling persons or entities. Many jurisdictions provide official company registry filings that identify directors and shareholders of company entities in separate documents. Other jurisdictions collate all company information in a comprehensive document called a registry extract. In other countries, though, little or no data or documents are available from official sources. In these jurisdictions, financial institutions have to rely on documents from the onboarded customer. Often third parties confirming the documents as “certified true copies” are used to mitigate the risk of fraud in these circumstances. Where available, the verification process can be sensibly shortened if the onboarding institution retrieves the documents directly from a government source, like a digitised company registry.
- Assessment of the customer’s risk profile
The Financial Action Taskforce (FATF), aka the global rule-setter for anti-money laundering, recommends local regulators to promote the so-called risk-based approach. Simply put, this means that higher-risk customers should undergo more extensive due diligence. Risks are usually assessed on the basis of several factors, such as a specific customer’s industry, geographical location, transaction patterns, politically exposed person (PEP) status or adverse media flags to determine the level of due diligence required. These factors are then combined into a risk category: Low, Medium or High-risk case. For each risk category, the financial institution then defines different levels of due diligence requirements, which can usually be distinguished between simplified due diligence (SDD) and enhanced due diligence (EDD) processes. During the onboarding phase, this translates into requiring a more or less comprehensive set of documents from the customer. For corporate customers, it might also impact whether regulated organisations fully verify the controlling individuals, or determine different thresholds of ownership percentage to trigger a full verification step for the beneficial owners.
- Ongoing monitoring
The risk-based approach plays a key role also during the fourth area of the KYC process, which is ongoing monitoring. Here, the risk associated with a customer determines the frequency and variety of continuous checks performed on an existing client.
Global and local watchlists are dynamic in nature. New sanctions are enacted from time to time, courts and news sources identify further cases or previously listed names are removed as new information becomes available. As a result, watchlist providers update or insert hundreds of records daily. To fulfil the ongoing due diligence requirements, financial institutions need to repeat the screening of already onboarded customers on a regular basis and review any cases with new screening results.For individual customers, a key task is the continuous monitoring against AML watch lists to ensure no new matches are found. Other tasks are periodic checks for expired proof of identity documents and regular address updates and, if necessary, documented proof of the new address. Transaction monitoring is another important component.For corporate entities, the complexities grow as their identity and structure is dynamically changing over time. The list of Directors, controlling entities or the ownership structure can change any business day. As a result, on-going monitoring in this case needs to include a continuous screening of the entity itself, including of all entities and controlling persons in the whole ownership structure up to the ultimate beneficial owners. And due to the dynamic nature, Financial institutions should also perform periodic updates of the controlling entities and ownership structure to ensure that the UBO information at their disposal is still accurate and, where relevant, verify the identity of the new directors or controlling individuals and include screening identity documents for expiry on an on-going basis.
- Reporting and Record-Keeping
Finally, a key step in any KYC process is maintaining accurate and up-to-date records of all customer information, including identification documents, risk assessments, and transaction history, as mandated by regulatory requirements. In fact, under the FATF recommendation 11, financial institutions are required to keep a record of all data and documents used during the KYC process. Record keeping thereby becomes part of the output of a well-designed customer due diligence process.For individual customers, regulated organisations should have access to the collected data and document set, showcasing the customer’s name, nationality, date of birth, proof of identity, and proof of address. For corporate customers, financial institutions need to keep all the entity data and document sets of parent companies, plus relevant data and document sets for shareholders and controlling entities. Compliance teams should also be able to show a full audit trail of all decisions and actions taken by staff and by automated systems utilised by the team.
By integrating all of these key components into a holistic KYC process, businesses can establish a robust framework for customer due diligence, mitigating risks, preventing financial crimes, and ensuring compliance with applicable regulations to protect their business reputation as well.
The rise of KYC automation and RegTech solutions
While KYC requirements have been around for the last couple of decades, it’s only in the last five to eight years that we have witnessed a decisive rise in understanding and applications of KYC automation technology.
KYC automation has the power to revolutionise the traditional KYC process, bringing efficiency, accuracy, and cost-effectiveness to customer due diligence. By leveraging regulatory technology, aka RegTech, businesses can streamline and expedite the KYC process, saving time and resources by digitising manual tasks, eliminating redundancies, and enhancing compliance.
In particular, technology can play a crucial role in every phase of the KYC process we just analysed, from identification and verification, to risk assessment, on-going monitoring and record-keeping.
For instance, advanced solutions like Know Your Customer utilise Optical Character Recognition (OCR) and Artificial Intelligence to extract information from identification and company documents, reducing manual data entry errors and reliably identifying Ultimate Beneficial Owners in a matter of seconds. Furthermore, automated workflows and rule-based engines with integrated AML screening enable systematic risk assessments, ensuring consistent and objective evaluations of customer profiles. An automated solution is also able to easily assign review dates and perform on-going monitoring independently, only alerting compliance teams in the case of AML red flags or material changes in company structures. Finally, immutable audit trails and automated KYC reporting ensures flawless record-keeping, making businesses and compliance teams audit-ready at all times.
In conclusion, since the beginning of this millennium, KYC procedures have been introduced as a requirement all over the world to prevent the proliferation of money laundering and other crimes across financial services and other high-risk sectors.
To help regulated institutions meet these new requirements – which can be summarised in the phases of Customer Identification, Identity or business verification, Assessment of the customer’s risk profile, On-going monitoring, and Reporting and Record-Keeping – in more recent years KYC automation has become more prominent in the industry. RegTech providers specialised in KYC automation help businesses improve efficiency, reduce the time required for onboarding customers, enable quicker transactions and enhance the overall customer experience. Automation also minimises errors resulting from manual processes, ensuring accurate and reliable compliance checks. Additionally, it lowers operational costs by eliminating the need for extensive manual labor, allowing businesses to allocate resources more strategically.
Partnering with an expert in KYC automation can simplify implementation and maximise the benefits. Experienced providers bring to the table years of on-the-ground learning, helping compliance teams avoid mistakes and hurdles they would not necessarily be aware of otherwise.
By choosing configurable and highly modular solutions, teams can also ensure a smooth integration with existing systems, creating seamless and secure information workflows across different departments or business functions.
To learn why customers across 11 sectors and 18 jurisdictions have already chosen to partner with us to automate their KYC processes end-to-end, explore our Clients’ page or request a live demo of our solutions today.
Last updated on September 11th, 2023 at 12:52 pm