KYC (Know Your Customer) Checklist: Simplified

Sep 12, 2024
Adam Preis, Director, Product & Solution Marketing, Ping Identity

Know Your Customer (KYC) programs are a way for financial institutions to verify the identity of their clients. Not only does it help ensure compliance with government regulations, but KYC is also an important step in preventing fraud and other illegal financial activities. Without it, businesses in the financial sector could be subject to government penalties and a loss of customer trust. In this article, we’ll take a deeper look at KYC best practices and run through an easy-to-understand compliance checklist.

Understanding KYC: A Quick Overview

Banks, transaction services, and other financial institutions are at risk of various types of fraud, including money laundering. KYC is part of global anti-money laundering (AML) regulations that all financial institutions and financial service companies must comply with. Compliance is monitored and enforced by various agencies, such as the Financial Action Task Force (FATF) and the Financial Crimes Enforcement Network, or FinCEN. 


KYC can be broken down into three components: client verification, customer due diligence, and ongoing monitoring. At its simplest, a KYC program verifies the identity of the customers whose money the institution or service is going to be working with. This helps ensure the customer is who they say they are and can build greater client trust.


But, beyond that, KYC programs also protect the financial institution or service from inadvertently doing business with financial criminals, whether they’re fraudsters, drug traffickers, or terrorists. Importantly, however, KYC is an ongoing process. It should not stop after onboarding but continue to monitor, review, and update customer information.

The Role of Identity Verification and Identity Proofing in KYC

Identity verification is part of the onboarding process for all new customers and clients, and it’s also the first step in any KYC program. Financial institutions need to take the necessary steps to ensure that new customers are who they say they are. Equally important is verifying that the customer’s finances are, indeed, coming from a legitimate source. Otherwise, criminals could easily use the institution’s services to launder money. In the United States, identity verification is required by law under the Patriot Act (Section 326).


Ideally, a financial institution will use more than one type of identification. They may incorporate biometrics, such as fingerprint or facial recognition, to further increase security. Businesses can also use third-party identity verification tools and services to help streamline the KYC process.


Comparing KYC to KYB (Know Your Business)

Financial institutions that offer B2B services or deal with other businesses in some capacity must also comply with “Know Your Business” (KYB) regulations. A strong KYB program can help protect financial institutions and services from getting into bed with criminals. 


KYB was first introduced to the United States in 2016 by FinCEN to address what was perceived as a blind spot in existing AML regulations. The European Union followed suit by establishing KYB in the Fifth Anti-Money Laundering Directive. Similar to KYC, KYB involves verifying the legitimacy of a business’s ownership and its activities.


Requirements include company address, registration and licensing documents, and identity verification for company directors and owners. KYB focuses in particular on ultimate beneficial ownership, or UBO. This determines who is benefiting from the activities of a business and could reveal the criminal nature of suspect organizations, such as shell companies. KYB also requires financial institutions to determine if the employees of a business have been involved in criminal activity, political corruption, or sanctions.

The Ultimate KYC Compliance Checklist

KYC compliance involves three steps: customer identification, customer due diligence, and enhanced due diligence. Each one is essential for compliance and thorough protection. In the following sections, we’ll break down each step’s requirements and provide some best practices for financial institutions.


1. Customer Identification Program (CIP)

As detailed above, identity verification ensures that a new customer has a legitimate identity and source of funds. Under the Patriot Act and the Bank Secrecy Act, institutions operating in the United States are required to obtain and verify four pieces of identifying information: the customer’s legal name, date of birth, address, and some form of identification number. It is best to draw these from trusted sources, such as:


  • Photo ID

  • Voter ID

  • Passport

  • Driver’s license

  • Employee ID

  • Professional certification (e.g., Board of Education) card

  • Official/notarized correspondence


CIP Best Practices Checklist:


  • Obtain government-issued identification

  • Verify customer address with a recent utility bill or bank statement

  • Cross-check provided customer information against reliable databases (e.g., credit bureaus, government agency watchlists)


2. Customer Due Diligence (CDD)

The next step, customer due diligence, requires financial institutions to do some digging into the history of a new customer. The CDD rule was established to both clarify and strengthen KYC compliance for U.S. banks, mutual funds, securities brokers/dealers, futures commission merchants, and commodities brokers. Under the CDD rule, these institutions must identify and verify any “natural person,” or beneficial owner, who controls a legal entity or who owns 25% or more of it.


Beyond verifying the identity of a customer, CDD involves establishing a clear understanding of the nature and purpose of the new business relationship. Financial institutions must also establish ongoing monitoring of the customer to watch for any suspicious activities that could indicate money laundering or other financial crimes.


CDD is best tackled using a risk-based approach. Certain types of customers present a greater risk to the financial institution than others, including:


  • High-profile individuals, who are more likely to be (or to have been) exposed to blackmail, bribery, and corruption

  • Nonresidents

  • Cash-intensive businesses

  • Money service businesses


It’s important to note that the scope of CDD may vary from customer to customer based on risk. Higher-risk customers should be subject to closer scrutiny (also known as Enhanced Due Diligence – see below). Once a profile has been created based on the customer’s activity, it should be regularly reviewed and updated based on the latest data.


CDD Best Practices Checklist:


  • Perform an exhaustive background check on new customers, looking for a criminal history or a history of suspicious behavior

  • Gather and document the customer’s business activities and transaction patterns

  • Implement ongoing monitoring systems to look out for unusual transactions


3. Enhanced Due Diligence (EDD)


Enhanced Due Diligence is a CDD method that should be implemented for high-risk customers. It involves a higher degree of scrutiny, possibly involving extra identity verification and deep background checks. This increased level of scrutiny should continue into ongoing monitoring policies as well.


EDD Best Practices Checklist:


  • Use risk assessment criteria (detailed above) to identify high-risk customers requiring EDD

  • Collect detailed and granular information on their business operations, ownership (UBO), and broad financial background

  • Implement multi-factor authentication (MFA) methods and biometrics for increased security
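As an added example (not code from the article or from Ping Identity), the Python below turns the risk-based CDD approach and the EDD escalation criteria into a tiering routine, and applies the CDD rule’s 25% beneficial-ownership threshold across chains of intermediate entities so that indirect stakes are counted. The Customer fields and the ownership-map format are assumptions made for illustration.

```python
# Added example, not from the article or Ping Identity. Customer fields and the
# ownership-map format are assumptions made for illustration.
from dataclasses import dataclass

UBO_THRESHOLD = 0.25  # CDD rule: natural persons owning 25% or more of an entity


@dataclass
class Customer:
    name: str
    is_high_profile: bool = False        # e.g. a politically exposed person
    is_nonresident: bool = False
    is_cash_intensive: bool = False
    is_money_service_business: bool = False


def risk_factors(c: Customer) -> list[str]:
    """Return the article's higher-risk indicators that apply to this customer."""
    checks = [
        ("high-profile individual", c.is_high_profile),
        ("nonresident", c.is_nonresident),
        ("cash-intensive business", c.is_cash_intensive),
        ("money service business", c.is_money_service_business),
    ]
    return [label for label, hit in checks if hit]


def due_diligence_tier(c: Customer) -> str:
    """Any listed risk factor escalates the customer from standard CDD to EDD."""
    return "EDD" if risk_factors(c) else "CDD"


def beneficial_owners(entity: str, ownership: dict[str, dict[str, float]],
                      threshold: float = UBO_THRESHOLD) -> dict[str, float]:
    """Resolve effective ownership of `entity` down to natural persons.

    `ownership` maps a legal entity to {owner: fraction}; owners absent from the
    map are natural persons. Indirect stakes are multiplied along the chain and
    summed per person; cross-holdings are cut off when an entity recurs on a path.
    """
    totals: dict[str, float] = {}

    def walk(node: str, share: float, path: tuple[str, ...]) -> None:
        for owner, frac in ownership.get(node, {}).items():
            if owner in ownership:                  # intermediate legal entity
                if owner not in path:               # guard against ownership cycles
                    walk(owner, share * frac, path + (owner,))
            else:                                   # natural person: accumulate
                totals[owner] = totals.get(owner, 0.0) + share * frac

    walk(entity, 1.0, (entity,))
    return {p: round(s, 4) for p, s in totals.items() if s >= threshold}
```

A person holding 24% directly plus 2% through a subsidiary is reported as a 26% beneficial owner, which a direct-holdings-only check would miss.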


4. Best Practices for Ongoing Monitoring


Verifying the identity and history of a new customer should not be where KYC ends. Financial criminals can find ways to hide their activity during onboarding before using their new account to launder money. The final step in a KYC program, ongoing monitoring, is a “forever” step that looks for this kind of evasive behavior. Financial institutions should create a living profile for the new customer and update it regularly with new information. Continue watching their transactions for unusual activity – implementing automated monitoring systems can help with this. Periodically, financial institutions should conduct reviews and audits of their customers to make sure nothing has been missed.

Tips for Corporate KYC

Beyond the KYC program itself, financial institutions can take additional steps to ensure their compliance with anti-money laundering regulations. Most important is establishing clear KYC policies and documented procedures that can be replicated throughout the organization. Employees should be trained using these procedures and kept abreast of compliance requirements so that they are fully informed.


Automated systems and third-party tools can help reduce the friction involved in KYC. They are particularly useful during the ongoing monitoring stage of KYC, when the attention required of a company may exceed its bandwidth. Technology-based KYC solutions also provide a trove of data that can be referenced and even shared with partners.

Tips for Tech-Based KYC

Technology-based KYC adds a layer of digital security to help verify and protect the identity and activity of financial customers. This can include methods like multi-factor authentication, biometric-based authentication, and document authentication. Digital verification also allows financial institutions to scale their KYC programs as required and adapt to regional regulatory requirements. When implemented company-wide, it can help ensure data privacy and protection compliance as well as AML compliance.

Steps to Integrate KYC into Your Onboarding Process

An effective KYC program does not need to be a point of friction for new customers. Instead, it can be seamlessly integrated into the onboarding process and may even streamline the experience. Here’s how:


  • Seamless Customer Onboarding:

    • Automate the verification steps to speed along the process without sacrificing reliability

    • Ensure smooth integration with onboarding processes by sharing data with departments and partners


  • Training and Awareness:

    • Educate all staff on KYC requirements

    • Implement regular training programs to inform new hires and refresh seasoned employees on what is required


  • Tech Implementation:

    • Adopt Identity and Access Management (IAM) solutions to maintain security for customers and employees across multiple platforms and locations

    • Use advanced verification tools, such as biometrics, authentication tokens, machine learning, or physical security tokens


  • Recordkeeping:

    • Maintain accurate records for audit trails and smoother ongoing monitoring

    • Implement secure data access management and storage solutions to protect sensitive customer data


  • Regular Review and Updates:

    • Periodically review KYC processes and best practices to identify ways the program can be updated or improved

    • Monitor regulatory changes to ensure the KYC program remains in compliance


  • Cross-Department Communication:

    • Foster interdepartmental collaboration to more easily share data and findings

    • Ensure consistent application of KYC policies throughout the organization to avoid weak spots

How KYC Differs Across Regions

It’s vital for financial institutions and businesses to stay informed on the KYC requirements of every region they operate within. This can be complicated, however. Not all KYC compliance requirements look the same. Regulatory policies can differ based on geographical location and jurisdiction. Globally, all KYC requirements are built on the same foundational steps that we’ve looked at in this article: customer identification and verification, customer due diligence, ongoing monitoring, and the requirement to report suspicious activity to regional authorities.


In the United States, requirements are established under the Patriot Act and the Bank Secrecy Act. The European Union lays out comprehensive KYC requirements in the Fifth and Sixth Anti-Money Laundering Directives. The United Kingdom follows suit, but also has its own regulations that include the Proceeds of Crime Act and the Money Laundering Regulations. In all three regions, KYC is legally mandated for businesses.


Compliance requirements grow more diverse as you expand your scope to Asia, Oceania, and South America. Some are more strict, others are more nuanced, and the specific type of verification required varies from country to country. Tech-based KYC solutions can help financial businesses keep track of the differences and adapt their programs based on local regulations.

How KYC Differs Across Industries

Companies also need to tailor their KYC program based on the specific industry they occupy. Banking and financial industries, as we’ve covered, have the most rigorous requirements – understandably, given the nature of their business. 


Other industries, such as telecommunications, real estate, and e-commerce, have similar requirements. However, the focus and best practices can differ. For instance, e-commerce companies must verify both customer identity and merchant identity throughout their supply chain, involving KYB as well as KYC. Telecom, meanwhile, is a relative newcomer to KYC and has a greater focus on real-time verification. In both cases, the approach is shifting more and more towards verification methods that can be done on a smartphone or similar device using an app. And, in all industries, companies must balance their KYC methods with the customer experience.

Leveraging Ping Identity for KYC Compliance

Failing to meet KYC compliance can hurt a business’s reputation and finances. Indeed, since the year 2000, financial institutions around the world have been hit with more than $21 billion in fines for failing to meet regional AML regulations. Ping Identity can help financial institutions and other businesses achieve KYC compliance by integrating multiple IAM solutions into one seamless AI-based platform. From identity verification and MFA to threat protection, data governance, and more, find out how Ping can help you deliver secure customer and employee experiences in an ever-changing digital world.
