Know Your Client, better known as KYC, is the process of gathering sufficient information about an individual, user, or entity to identify whether they represent any risks, including AML (anti-money laundering) and CFT (countering the financing of terrorism) flags.
A typical KYC process can be summarized in three steps:
- Compiling written documentation of policies and procedures,
- Consistently following these procedures with every business relationship, and
- Being able to prove that you did so for the lifetime of the account.
However, many business owners believe that their current KYC procedures are adequate─when, in fact, they fall far short of what is required.
Below, we explore the top 5 myths about KYC and discuss the truths that dispel these myths.
Top Five Myths of KYC
“I use a digital ID provider, so I have KYC.”
Unfortunately, the term KYC in most countries is neither regulated nor defined by legislation and regulators. This means that any company with a facial-matching tool, document authentication service, or sanctions screening API can brand their products as a “KYC” tool.
However, none of these solutions on their own will enable your team to fulfill the legal and regulatory obligations (when taking a risk-based approach). In almost every case, companies will need to do much more than simply check and authenticate an identity document to achieve true compliance.
“KYC only applies to financial services companies.”
This is categorically untrue for countries around the world. Your obligation and liability to know your clients and identify whether your business is complicit in facilitating the laundering of illicit funds does not change, regardless of the scenario or industry─whether you are running a bank, a tech company, a gambling website, a securities offering, a law firm, or a tobacco store.
Regulators focus so closely on finance because of how easily the industries of finance and digital assets can be used to launder money. This does not mean other industries – even laundromats – are exempt from ensuring their business is not used to launder money or finance terrorism.
“KYC is a useless process and should be abolished.”
It can be difficult to measure the impact of KYC, as compliance generally seems to make every process more drawn out and more expensive. Whether you are trying to raise capital, start a new project, or just go about your business operations, this friction can be incredibly frustrating.
Yet behind all the red tape, these tools save lives every day─we have seen real-world cases of asset trading platforms and tokenized securities offerings that are being used to fund terrorist attacks, enslave young children into the sex trade, and deal in the trafficking of humans.
Don’t be fooled: the work you do, despite the “red tape” of compliance, is making a real and positive impact on the world around you.
“KYC only applies to my investors.”
This is often overlooked by startups raising capital. A good KYC program will assess the quality of all your business relationships─not just the investors, but also your employees and advisors─which are critical to your project’s short- and long-term success.
We have seen countless cases where great projects have failed because they had business contracts with the wrong parties, their bank accounts frozen, or found themselves and their investors added to global watch lists─all because they failed to run proper due diligence on an overseas bank they use, the custodian they worked with, or the advisors they brought onto their project.
Especially in a quickly evolving market─where fraudsters, hackers, and identity thieves are wreaking so much havoc─it is important that your KYC policies and procedures take a holistic view of your business from beginning to exit.
“I did KYC on all my users already, so I am covered…right?”
Again, this is incorrect. KYC is not a “one-and-done” process─only a small part of KYC and AML screening is about the initial onboarding and identification of a user.
Think of KYC as the part where you hone in on who your clients are so you have enough information to ensure your AML screening processes are effective, efficient, and not outrageously expensive. Once you accept the client, user, or investor into your screening process, you will need to ensure your risk assessments, transaction monitoring, and periodic review procedures are effective enough to catch problems that could arise during the lifetime of the account.
For fintechs, especially those who leverage third-party banks, payments providers, or aggregators, your compliance obligations only begin at the point of investor onboarding.
So how can you ensure compliance in a world of acronyms such as KYC, AML, CFT, PEP, GDPR, PIPA, PSD2, MIFIDII, and more?
First, we recommend finding a professional with deep experience in AML─and do some due diligence on them! You would be surprised at how many KYC or AML experts are out there with questionable histories themselves.
Second, talk to previous clients and competitors of these professionals. The trustworthy players in the AML and KYC world have a good reputation within their industry, and talking to a few of their competitors can be quite illuminating.
Quality AML consultants are not in the industry just for the money, but rather because they truly believe in the work they are doing. They will let you know if one of the professionals on your shortlist is someone you would want to steer clear of when choosing a reputable provider.
Now that you know what these myths are, you must be asking:
“What does a good KYC and AML program look like in simple, practical terms?”
The following list of questions will help you and your team understand the key objectives and functional requirements of a strong compliance program.
Who are you?
This is the very beginning of the process and often starts with an onboarding questionnaire or web form registration. You will want to gather enough information to understand who your client is─in the real world, online, and in the world of financial oversight and regulation. Identify and gather their legal name, identity documents, physical address(es), digital fingerprints, bank accounts and digital asset wallet addresses associated with the individual or company in question.
Are you really you?
This step ensures that the user behind the screen is the same person on the legal documents being submitted. Depending on the country the investor is from, this step must be done in a very specific manner.
You can identify the required procedures for authenticating the user against their identity by checking the FIU (financial intelligence unit) requirements for the country in which the user lives. Acceptable processes vary greatly by country, including everything from credit bureau checks to liveness or live video interviews.
Are you known to be risky, and does that impact this transaction?
Many KYC systems on the market simply “ping” sanctions and watchlist databases with an API and respond back with “match” or “no-match”. The same goes for PEP screening and Adverse Media. This is rarely acceptable, as the databases often do not have sufficient data for you to properly identify if the match is actually the right person. Imagine names such as “John Smith”, “Wei Shun”, or “Sun Kim”, where you could literally have hundreds or thousands of matches but they may not actually be the person you are dealing with.
You could choose to blindly reject anyone unlucky enough to have the same name as someone who is a PEP, or has significant matches in Adverse Media, but that will negatively impact your business. A good compliance program will help you assess, process, and document the reasoning behind your decisions when you do decide to accept funds from someone who is a potential match.
Are your actions risky?
On the flip side from point #3, if your investor passes all the KYC checks but is sending you funds without an identifiable source of wealth, you could be in trouble. How deep your due diligence and screening processes go will often depend on factors such as transaction amount, source of funds, source of wealth, jurisdiction of domicile, jurisdiction of residence, occupation, and industry.
To avoid spending countless hours doing this for a minuscule investment, it is best practice to set automation parameters for different thresholds – for example, if you are onboarding users from a country with a sanction on tech companies in China, the occupation and industry of your investor could be a red flag, especially if the funds are coming from a corporate-owned bank account or digital wallet.
Has anything changed on one of the above?
As you design your compliance program, you will need to implement policies on how you categorize and assess risk, whether you accept all risk levels, and how often you review and re-verify the KYC on any client. Simple things like an investor’s passport expiring should be updated, ideally before the expiration date. More complex things, such as periodic review and transaction monitoring policies, may need to be updated after you complete the annual review of your compliance program and policies.
Using software to streamline these procedures, such as the tools offered by iComply, will not only save you time and money, it will put you ahead of most major financial institutions who spend, on average ten hours per year reviewing KYC for each client which typically costs 15-20% of their gross annual revenue. These costs are not sustainable and threaten the survival of your business. Taking a proactive approach to modernizing your compliance program can improve client satisfaction, help you access new markets, and decrease the cost of client acquisition.
