Know Your Customer (KYC)
What Is KYC?
KYC (Know Your Customer) is a process of customer identity verification performed on a regular basis to eliminate bribery, corruption, and other illegal financial activities. It’s also a requirement of international AML (Anti-Money Laundering) regulations.
Who Is Impacted?
KYC requirements apply to most finance-related institutions like banks, investment management firms, insurance companies, etc. Regulatory authorities want businesses to introduce strong “due diligence” policies, procedures and systems to assess, monitor and manage risks posed by customers and to prevent financial crime.
KYC Risk Rating
KYC risk rating is formed based on the customer data gathered by financial institutions. The company evaluates each client for possible participation in financial crimes and assigns a certain rating to it. There are 3 standard types of KYC risk ratings:
Low Risk (SDD — Standard Due Diligence)
Standard due diligence is the lowest level of verification. Companies use it when there is little chance or risk that customers engage in money laundering or terrorist financing.
Medium Risk (CDD — Customer Due Diligence)
Customer due diligence is a basic analysis of the client. The company verifies a customer’s identity to a sufficient level of confidence.
High Risk (EDD — Enhanced Due Diligence)
Enhanced due diligence means increased control over customers who are more likely to participate in financial crimes due to their nature of business or operations.
KYC risk rating ensures compliance with global regulations such as AML, KYC and CTF/CFT standards. Each client passes several levels of verification and may be required to submit additional documents such as a source of income, confirmation of registration address etc. If the risk rating is high, the company will constantly and carefully track the customer’s transactions. If the risk rating is low, the company will still control the client but not as intensely.
Customer Due Diligence (CDD)
Customer Due Diligence, or CDD, is the process whereby relevant information about the customer is collected and evaluated for any potential risk to the organization or of money laundering/terrorist financing activities.
CDD is essential for KYC, and although these processes differ around the globe, they have a single aim—to identify customers, their operating activities and their risk profile. The customer’s risk profile is assessed and followed by basic Customer Due Diligence, Enhanced Due Diligence (EDD) or Simplified Due Diligence (SDD).
The standard CDD flow normally includes the following steps:
Step 1: Asking for essential user data
Every customer due diligence begins by obtaining basic information about the client.
- Full name;
- Residential address;
- Contact number and an email address;
- Place and date of birth;
- Marital status;
- Government-issued identification and tax number;
- Specimen signature.
This list is not necessarily the same across all jurisdictions. Once these basic data are submitted, a business can analyse them and figure out which way to go next.
Step 2: Data screening
Data screening is the next stage of performing CDD. Here, it is all about risk evaluation. Customer data is checked via name-screening databases to evaluate the risk category. In other words, here we decide whether customer due diligence checks should remain standard, be eased to simplified due diligence, or be reinforced to enhanced due diligence.
If the country of residence of a person is considered a high-risk region or if the individual’s data is already registered and constantly monitored in the public domain, the scenario may require special treatment.
Step 3: Following the right due diligence track (SDD, CDD, EDD)
There are different levels of CDD to evaluate and check different users. For example, a politically exposed company executive might require EDD, while CDD will be enough for an account-holder with low transaction values.
1. What if customer due diligence is enough?
The most standard and frequently practiced user verification and onboarding flow is CDD. It covers any onboarding flow where neither simplified nor enhanced due diligence was found to be needed.
This is a basic KYC process with customer background checks to measure the risk they pose, before dealing with them.
Note: CDD is the requirement in many jurisdictions and applies to financial institutions as well as to crypto businesses.
2. What if you need simplified due diligence?
Financial regulators don’t necessarily require each user to go through CDD; a simplified flow might be fine for low-risk customers. SDD is a minimum check that can be carried out on a user.
Usually, if the client is a well-known public authority, is listed on a regulated market, or their transaction is below a certain amount, they are exempt from tougher CDD checks to remove unnecessary friction.
Unlike in standard or enhanced due diligence, SDD doesn’t require the verification of your customer’s identity.
Note: Each jurisdiction will set its own rules and thresholds as to when SDD is enough to check a client.
3. What if you need enhanced due diligence?
Looking the other way, there are plenty of suspicious cases that require careful examination across data sources. Users with a higher risk of money laundering (ML) or terrorist financing (TF) must be put through EDD.
Factors that trigger enhanced due diligence are beneficial ownership, politically exposed person (PEP) identifier, connections with high-risk countries, high transaction amounts, or involvement in high-induced activities.
The additional checks within EDD can be anything from requests for more information, to the verification of identity or source of income. As a part of the EDD, the business relationship with a risky customer starts only once there is an approval from the senior management.
Note: Check in with the regulatory rules and thresholds in your jurisdiction to be certain of when a client will have to go through EDD.
EDD and SDD are not only something that certain legislation can demand; they are also adequate measures that companies implement to benefit their platform. You can spare your low-risk clients extra questions or implement extra checks to keep your platform safe from criminal actors and any money laundering related activity.
Step 4 (ongoing): Customer monitoring
The story doesn’t end once you have onboarded a client and established business relationships. Due diligence keeps going as there is always a chance of your client’s profile changing — getting into a PEP list, involving itself in high-risk transactions, or committing fraud.
Again, keeping an eye on the client’s transactions and the risk rating of their profiles guarantees that a business can promptly react to any crisis, or rather, prevent it and stay compliant with the regulator they are registered with.
Staying manual vs. going automated
It is safe to say that automation would be a better choice in every considerable aspect.
Automated checks are:
- Quick to verify and onboard customers (0.30-2 min) and good at increasing conversion;
- Cost-efficient and don’t require hiring many people to control the process;
- Extensive in coverage, as clients can be precisely checked and screened across dozens of databases within seconds.
Manual checks are:
- Inaccurate and slow (~10 min), as people are more error-prone and need more time to review data manually. It also won’t be possible to reach many of the available data sources;
- Expensive, as they need a big team of compliance professionals to do the job.
While manual checks can potentially work for small local businesses, for big corporations it is virtually impossible to onboard thousands of users manually. Nowadays, when businesses are looking for better, faster, more efficient solutions, modern KYC/AML software is the answer to all of the most burning ML and TF risk-related needs.