If you’ve ever been to Germany and tried to buy a prepaid sim card, you’ll have been surprised by the difficulty of this usually easy procedure.
Once you buy a sim card, you need to activate it and then complete a live video identification.
Yes, in order to top up your phone with €10 you need to pass a video identification, in which you prove the authenticity of your identification document and confirm your personal details. The security officer on the other end of the call checks the holograms, ID number, runs a sanction screening and a host of other security measures.
It’s not easy. Why is this?
The September 11 attacks reshaped the legislative landscape. Overnight, regulators across the world began drawing up laws to fight terrorism and prevent such a devastating attack from happening again.
The Patriot Act was quickly passed in the US, and it wasn’t long before the EU published the 2nd AML Directive. Both pieces of legislation significantly increased the regulatory pressures concerning Anti-Money Laundering (AML) and Anti-Terrorism Financing (ATF) on businesses.
18 years later, corporations of all sizes are compelled to perform customer due diligence (CDD) checks in order to ensure that they are not servicing individuals involved in criminal activity. A key component of CDD is “Know Your Customer” (KYC), a set of rules outlined by each country, designed to effectively identify both customers and criminals.
As you can tell from the example illustrated above, the KYC checks vary from country to country but typically involve personally identifiable information like:
- Full Name
- Email Address
- Home Address
- Phone Number
- Copy of ID
- ID Number
- ID Expiration Date
The kind of information that would be hard to fake and relatively easy to verify.
What KYC does your business need to perform?
Regardless of location, business owners must fulfill certain day-to-day customer due diligence requirements. This includes verifying your customers’ identity (KYC) and applying a risk-based scoring model to understand how your service can be exploited to aid terrorism or launder money.
We’ve put together a free AML risk assessment for you to download here, but the KYC requirements are a little trickier. They differ significantly by country and you will have to do some research to find out what information you are required to collect and verify.
Of course, the information needs to be collected and verified before a business relationship can begin. The verification process is difficult and opaque. In Germany a live video identification or personal meeting is required in order to verify an ID document. In the US and UK, simply collecting a copy of the passport or ID card is usually enough, although this may soon change.
Once the veracity of the document is established, businesses need to conduct sanction screenings to ensure that the prospective customer is not wanted by Interpol and other agencies. Building this kind of solution in-house is time and cost-intensive so dedicated compliance solutions are often used instead.
If the screening comes back positive — ie the customer is wanted by an intelligence agency — businesses are compelled to report the individual to local authorities or the FATF immediately. The business relationship should be terminated as well, in order to prevent money laundering and terrorism financing.
Finally, KYC procedures are ongoing, meaning that even once a customer successfully passes KYC, businesses need to monitor their behaviour. Suspicious activity, like regularly changing home addresses or noteworthy transactions, should be questioned and reported if no satisfactory explanation can be found.
What does KYC mean for your business?
On December 2, 2015 the San Bernardino (CA) terrorist attack left 14 dead and 22 seriously injured. The perpetrators had managed to receive a loan from a prominent US fintech platform, which was later used to finance the attack.
This example helps to illustrate how criminals seek to misuse legitimate businesses to finance terrorism and launder money. For business owners it should be a wake-up call that shows the horrific damage that can be done if KYC and AML procedures are not done properly.
Know Your Customer requirements are not a paper tiger. Harsh penalties exist and are often levied when businesses fail to comply. As a result you should endeavour to fulfill your customer due diligence duties and implement a rigorous KYC procedure.
Of course, this can have a negative impact on your customer experience. Live video identifications and lengthy onboarding flows often cause exasperation and clients can drop off during the process. To minimize the negative impact, many organizations turn to dedicated compliance solutions, which shoulder the regulatory burden while keeping customers happy.
Identifying PEPs through sanction screenings
One important aspect of the risk-based approach is that some individuals require enhanced due diligence, not because they are criminals, but because of other characteristics. This is a crucial aspect of KYC.
Politically Exposed Persons (PEPs) for example, refers to individuals who have held high positions of power in public office. PEPs should be treated with enhanced due diligence, because they typically have more opportunities than ordinary citizens to launder money and engage in criminal activity.
Businesses need to be able to identify PEPs and apply more rigorous KYC requirements. This is not an easy task, which is why many services turn to dedicated compliance solutions.
Additionally, citizens of certain countries should be treated with a higher level of caution and enhanced due diligence. Supra-national institutions like the FATF and the EU maintain sanction lists for this purpose. Citizens of states with weak protection against corruption, like North Korea for example, are more likely to successfully launder money or finance illegal activity.
We’ve provided a detailed introduction of AML Sanction Screenings for you here, and name some of the most important lists for businesses to consider.
How does KYC impact data management?
With the passing of GDPR in 2016 data protection has become a crucial aspect of day-to-day operations. Know Your Customer requirements add further complexity, as highly sensitive information needs to be collected and verified, while the customers privacy is maintained at all times.
This makes handling the data of European citizens more difficult than ever, and we’ve put together this GDPR checklist to help you stay compliant. Nevertheless, the burden is significant and will likely only increase as the US and Asia begin to draft legislation which strengthens the privacy of customers.
The key for businesses is to collect, verify and manage this data in a compliant manner and evaluate it in accordance with an AML-risk framework. This is no easy task so here are some things to keep in mind: Data…
- Should be easily auditable
- Should be accessible to customers
- Should not be readily available to staff members without good reason
- Should be deleted upon the customer’s request if the law permits it
- Should be encrypted and protected from outside attacks
Clearly KYC procedures increase the amount of data businesses need to store about their customers, and this poses challenges. Data management is an increasingly important topic and should be included in your KYC workflow.
How is KYC done properly?
Know Your Customer (KYC) is a constantly evolving discipline and any guide as to how it should be done is outdated by the time it’s published.
Additionally, the correct KYC procedure will depend on your niche and legal jurisdiction. The best course of action is to identify the appropriate regulatory body and seek their advice. In the case of the USA (Fincen), Germany (Bafin), the UK (FCA) and others clear guidance is provided.
As a rule of thumb, financial services and gambling sites, as well as merchants of high value goods should perform Know Your Customer checks before accepting a customer. Should your organization fall into any of these categories, it is wise to get in touch with the appropriate authority and seek their advice.
Most likely they will require you to collect all relevant information that may be used to identify individuals and ensure that they are not associated with illicit activity.
Conclusion — What is KYC?
In this article we not only discussed what Know Your Customer is, but also explained the importance of a risk-based approach. If you do not already have an AML risk assessment for your business, make sure to download our free example.
Most importantly, we discussed why businesses need to perform KYC checks and the potentially devastating consequences of failing to do so.
Overall, the burden of building effective KYC checks in-house is often prohibitive, which is why dedicated compliance solutions like KYC-Chain are often utilized instead.
Get in touch for a free DEMO and to see how we can help you on your path to compliance.