KYC, meaning Know Your Customer or Know Your Client, refers to the processes conducted to verify the identity of a customer and assess the risk of the business relationship with them.
KYC is a crucial regulatory requirement for fintech companies and other institutions with financial responsibilities (like banks, credit institutions and insurance providers). Laws and regulations oblige those actors to validate the identity documents their clients provide. That’s equally true if the clients in question are legal entities instead of persons. KYC also requires companies to evaluate the clients’ financial status and monitor their monetary accounts for suspicious transactions.
The goal: Adhere to Anti-Money Laundering (AML) and Countering the Financing of Terrorism regulations, prevent fraud and restrict access for users who don’t meet certain standards of credibility.
But Know Your Customer policies are not just boundaries. They also act as competitive factors. KYC yields insightful data on one’s own services and customers.
It thus helps establish a reputation as a secure and trustworthy company as well. And trust is likely the most valuable asset for any financial business today.
So it’s time for a deeper look into the meaning and definition of KYC, its opportunities and its challenges.
This Know Your Customer Introduction for Fintechs Contains:
- A definition of KYC
- A discussion of key KYC-related concepts such as AML or EDD
- An overview of legacy KYC procedures and their modern counterparts
- A list of typical challenges fintech companies face with KYC
Now, shall we?
KYC in Fintech and Finance: A Definition
Know Your Customer is a series of data-driven processes adhering to specific standards and regulations.
Those measures form a line of defence against financial crimes, tax evasion and terrorist financing being just two of the more notorious. Companies or even governments that don’t enforce the requirements of KYC law have to prepare for legal consequences.
By executing KYC processes, fintech companies ensure that their clients:
- …are who they claim to be
- …fulfil the requirements to use certain financial services
- …do not misuse the product or platform to commit a crime
- …maintain a trustworthy, low-risk business relationship with them
Whenever a financial business accepts a new customer, it has to carry out a thorough identity check. As part of this, users may be asked to supply documents proving key personal data:
Proof of Identity
- Driver’s License
- Other types of Photo ID
Proof of Address
- Bank account statement
- Utility bills
- House purchase documents
- Employer’s proof of residence
- Other valid documents containing residency status
With the initial onboarding completed, KYC is far from concluded, however. In fact, it is a continuous process: A fintech company is required to regularly reassess their clients’ risk and fraud levels, closely monitoring the client’s business relationship with them. Thus risk management, customer due diligence and continuous transaction analysis are also crucial aspects of Know-Your-Customer in almost any case.
If unusual activities turn up, a new KYC evaluation process begins. The same applies when business- or finance-related attributes change over the client’s lifecycle. This includes changes such as:
- The client’s occupation changes
- The client’s business changes
- The client wants to give other parties permission to use the account
International and Local KYC Regulations
KYC law is an increasingly complex ruleset, not only for fintech companies. Banks and monetary service providers have to adhere to an international security standard for the verification of identities and to anti-money laundering regulations. At the same time, local standards are in place in almost every country in the world.
For example, the European Banking Authority (EBA) has published a series of Anti Money Laundering Directives. They form the basis for the EU’s legislation and overrule national practices. In the US, it’s the Patriot Act of 2001, which tightened the KYC requirements first laid down in the Bank Secrecy Act.
Depending on the nature of the client (single person, corporation, etc.) and the business model of the financial service provider itself, KYC procedures may differ a lot. In reaction to the Panama Papers, for example, the 4th EU Directive demands increased transparency regarding beneficial ownership in business relations. This actually takes KYC for fintech to the next level, making it important to Know Your Customer’s Customer (KYCC) as well. However, clients engaging in small transactions can expect looser KYC requirements.
PSD2 and KYC in Europe
PSD2 is the abbreviation for Payment Service Directive 2. It’s a regulatory directive, put into force by the European Commission in 2015. Mainly affecting banks and payment service providers, PSD2 marked an important step in open banking, as it loosened the banks’ exclusive access to a customer’s account data. In the EU, customers can now instruct their banks to share their account data with third-party providers of financial services.
At the same time, third-party companies have to register as Payment Initiation or Account Information Service Providers (PISPs and AISPs). The same is true for internet giants edging into the market with their own payment applications.
All these single aspects of Know Your Customer contribute to the regulatory challenge financial companies are facing daily. It’s certainly nothing to take lightly: Financial institutions are held accountable for misuse of their service in defiance of anti-money laundering rules. And what’s required from banks is also required from their fintech counterparts.
AML and CFT
For fintech challengers, KYC can be a puzzling field to navigate. To fully grasp it, we should start with the two most basic terms of the trade.
Anti-money laundering or AML is the regulatory field of which KYC is part. Its purpose is to stop the generation of financial income through illegal means. In this role, AML has been a factor in international banking law since about 1989, when the Financial Action Task Force was founded. The FATF established international regulations for fighting money laundering and related crimes.
AML legislation saw a series of big overhauls in the past. Two of the more recent were increased attention on terrorist financing after 9/11 and expanding regulations after the 2008 financial crisis. With the rise of digital banking and payment, new problem areas began to manifest. In their G20 report from July 2018, the FATF identifies a new pressing issue: AML standards for cryptocurrency and crypto-asset transactions.
CFT or Combating the Financing of Terrorism – you might also read Counter Financing Terrorism – is a subset of AML. As the name suggests, it refers to measures preventing the funding of terrorism, whether domestic or across borders.
As a requirement for fintech, finserv companies and financial institutions of all kinds, CFT is a fairly recent addition. Only after the attacks of 9/11 and the subsequent push by the Financial Action Task Force did countering terrorist financing become a compliance requirement. Before that, responsibility for such proceedings did not lie with financial anti-crime and compliance authorities.
Today, more and more countries follow CFT rulesets. This is also due to a practice known as “naming and shaming”, where the FATF officially calls out countries that don’t actively prevent terrorist financing. And no country with international economic ambitions wants to be a member of that club.
The 4 Levels of KYC for Fintechs: CIP, CDD, SDD and EDD
We can break KYC measures down into four successive levels of thoroughness: CIP, CDD, SDD and EDD. All of them are followed by continuous monitoring and documentation of the customer’s transaction behaviour, especially where a customer has been rated high-risk.
Customer Identification Programs or CIP form the baseline of these KYC levels. CIP refers to measures taken by a financial company or an external agency to verify the identity of a new customer.
To do so, the program in question collects basic data, like name, address and so on. This information is then cross-checked against databases of identification data and criminal records. Additional information could be required, too: Individual customers may have to state their profession and reveal the purpose of their business, as well as their financial flows. Corporate bodies have to provide even more specific information such as:
- … the type of organization they belong to and its business model.
- … the industrial sector or market they belong to, including industry code.
- … the ownership, size and structure of their organization.
- … their financial ratios.
CDD is short for Customer Due Diligence. The name says it all: Financial companies must be diligent when it comes to accepting customers — and they are held accountable for customers who use said company’s system for criminal activity.
To be compliant with anti-money laundering legislation, a detailed analysis of the new client’s identity follows the initial CIP. The focus here lies on risk assessment and projecting the customer’s transaction habits.
CDD is the standard due diligence procedure for KYC in the fintech sphere. That’s because many customers fit neatly into the medium-risk category. However, it is also possible that a fintech company identifies a customer as low-risk, allowing it to proceed with SDD. On the other hand, if the CDD screening results in a high-risk evaluation, KYC is taken to the EDD level.
SDD stands for Simplified Due Diligence. It is a faster due diligence process, aimed at low-risk clients. The description “low-risk” might fit a customer if, for instance, they only use well-established, fraud-resistant, low-value products and/or have no connections to high-risk jurisdictions.
It’s a big if: Regulators have ensured that SDD is not used as a shortcut by firms that just want to grant customers a better experience. Before customers even come into question for SDD procedures, they must have gone through a detailed assessment of their risk profile. This task is elaborate and falls on the company conducting the KYC – a reason why few fintech firms pursue SDD.
EDD, written out as Enhanced Due Diligence, is only necessary if the customer’s business is potentially risky. This is the case with so-called Politically Exposed Persons (PEP), for example. The term describes people in positions of power, who thus have greater exposure to (and higher opportunity for) bribery, corruption and money laundering.
Dealing responsibly with such high-risk customers requires additional data on the customer’s identity and business activities, to counter potential infractions. The screening broadens to include detailed press coverage of the client as well as data about their wealth sources. This results in the assessment of how likely the customer is to commit money laundering, identity theft or terrorist fundraising.
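To make the tiering concrete, here is an added illustration (not code from the original article or from any KYC vendor) that routes a CIP-verified customer to SDD, CDD or EDD along the lines described above, and reopens KYC on the lifecycle changes listed earlier (occupation, business, new authorised parties) or on unusual activity. The high-risk jurisdiction list, the SDD value limit and the "three times the declared volume" monitoring rule are assumptions chosen for the example, not regulatory figures.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Tier(Enum):
    SDD = "simplified due diligence"
    CDD = "customer due diligence"
    EDD = "enhanced due diligence"


# Constructed placeholder; a real programme takes this from FATF and national lists.
HIGH_RISK_JURISDICTIONS = {"XX"}
# Assumed threshold for this example: only low-value product use qualifies for SDD.
SDD_MONTHLY_LIMIT_EUR = 1_000


@dataclass(frozen=True)
class Customer:
    name: str
    occupation: str
    business: str
    jurisdictions: frozenset
    is_pep: bool
    low_value_products_only: bool
    expected_monthly_eur: int          # declared at onboarding
    authorised_parties: frozenset = frozenset()


def assign_tier(c: Customer) -> Tier:
    """Route a customer who has passed CIP to the due-diligence level."""
    if c.is_pep or c.jurisdictions & HIGH_RISK_JURISDICTIONS:
        return Tier.EDD                # high risk: broaden the screening
    if c.low_value_products_only and c.expected_monthly_eur <= SDD_MONTHLY_LIMIT_EUR:
        return Tier.SDD                # low risk, only after the full assessment above
    return Tier.CDD                    # the default, medium-risk case


def lifecycle_changes(before: Customer, after: Customer) -> list:
    """Lifecycle events that reopen the KYC evaluation."""
    events = []
    if before.occupation != after.occupation:
        events.append("occupation changed")
    if before.business != after.business:
        events.append("business changed")
    if after.authorised_parties - before.authorised_parties:
        events.append("new authorised parties on the account")
    return events


def unusual_activity(c: Customer, monthly_totals_eur: list) -> bool:
    """Assumed monitoring rule: any month above three times the declared expectation."""
    return any(total > 3 * c.expected_monthly_eur for total in monthly_totals_eur)


def needs_rescreen(before: Customer, after: Customer, monthly_totals_eur: list) -> bool:
    return bool(lifecycle_changes(before, after)) or unusual_activity(after, monthly_totals_eur)


# Constructed sample customers (fictional).
ALICE = Customer("Alice", "nurse", "none", frozenset({"DE"}), False, True, 800)
ALICE_LATER = replace(ALICE, occupation="consultant", authorised_parties=frozenset({"Dan"}))
BOB = Customer("Bob", "minister", "none", frozenset({"DE"}), True, True, 500)
CAROL = Customer("Carol", "importer", "trading", frozenset({"DE", "FR"}), False, False, 20_000)
```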
KYC Legacy Systems and the Digital Age
It’s not a surprise that banks and their fintech counterparts go to great lengths to ensure compliance. Customers are adopting online payments and electronic wallets at an increasingly rapid rate. Financial transactions can occur anywhere, potentially across borders and in an instant. This technological shift enables new types of finance-related cybercrime, like hacking and online credit card fraud, and it also extends the channels for illegal transactions.
The COVID-19-induced lockdowns of 2020 and 2021 brought this problem back into focus. The number of new customers to onboard rose sharply within a relatively short time frame, which forced many financial service providers to transform large parts of their former Know Your Customer procedures.
If we ask regulators, it was about time: A KYC Market Report by CEB stated in 2016 that the systems by which banks identified their customers were depressingly outdated. Some traditional KYC systems even derived from a time when financial services were mostly stationary; the client had to be physically present in a banking branch to access them. Identity verification was a simple matter of seeing the client and collating the ID and other paper documents they brought with official records.
New Know Your Customer Technologies
Now, modern information technologies have largely taken over. Not only did this make onboarding possible from the comfort of customers’ homes, but it also helps reduce the human factor as a source of errors, allowing for focused data processing and analytics. While the occasional legacy system is still in place here and there, KYC and AML software has become a highly innovative field, informed by modern technologies like…
- Video Calls: Voice and face identification via remote video chat
- Biometrics: Identification through biometrical features
- Social Biometrics: CDD and EDD by evaluation of social media activity
- Artificial Intelligence: Verification of documents via self-learning algorithms
- Semantic Analytics: Context-sensitive analysis of finance-related texts
- Blockchain: Sharing of KYC related data without intermediaries
Regulatory technology (or RegTech) like this has the potential to make KYC processes a lot faster, more accurate and transparent.
The Challenges of KYC Compliance for Fintechs
Given the inventiveness of organized cybercrime, financial service providers can use all the RegTech novelty they can get. Legislation and KYC technology providers are in an ongoing race with money launderers and fraudsters.
Yet, there is more to compliance than just making sure your fintech company adheres to KYC regulation. In many regards, it’s also about the “How”, as you have to reconcile Know Your Customer requirements with cost-effective operations and a satisfying customer experience.
Compliance can be a costly affair, not only for fintech startups. A global report by Thomson Reuters puts the annual KYC compliance costs for financial institutions in 2016 at around $60 million. Some financial firms are even spending more than $500 million a year. And two years later, two-thirds of financial service firms stated they would increase their total compliance budget in the coming years.
There is a crucial problem with regard to budget, though: What’s bearable for large banking institutions can seriously impair the budget of your fintech startup or SME. That’s especially true if you just entered a new market or are going through a fundraising phase. However, chances are you don’t offer an array of services as wide as that old banking goliath. Focused services mean fewer AML rules apply to them.
Modern RegTech solutions present opportunities to reduce compliance costs. If the KYC software you use is efficient, you save on the “operations” end of the calculation, at least in the long run. In preventing criminal acts, your company builds up consumer trust and thus generates growth and revenue.
Customer and Business Onboarding
Registration screens and KYC data queries often form the initial contact customers make with a fintech or banking service. Thus, providing frictionless identity verification is of the utmost importance for fintech companies and banks.
It’s an aspect of customer relations ripe for improvement. According to Thomson Reuters (2016), 89 per cent of clients report bad KYC experiences. At least 13 per cent even changed to another service provider as a result. A study from the following year also found out that the KYC process during the onboarding, despite being mostly digital, is quite time-consuming: Banks take an average of 24 days to complete the onboarding of a customer. For corporate customers that number climbs even higher, to up to 120 days for a single all-in-all onboarding process.
Faster Know Your Customer solutions, like identity check via video chat, promise more satisfied customers. Also, concepts like Continuous Client Due Diligence see increasing adoption: Here the customer’s risk rating is not initially determined by one long KYC onboarding process and subsequent reviews. Instead, a data-driven approach is chosen, in which the customer’s activities are used to form a real-time risk profile, without the need for periodic reassessments.
Trust and Data Protection
Aside from UX, customer relations have a second dimension as well: Trust. On the input side, a company must trust that the data passed on by customers is both truthful and relevant until it can be examined.
In turn, the companies have to act responsibly when handling the data entered by customers – and when they dig for new data in their transaction histories. Consequently, data protection has evolved into its very own regulatory field, which is a crucial aspect of KYC as well. In Europe, it got a big update with the General Data Protection Regulation (GDPR) – a ruleset fintech companies might find easy to comply with by nature, as some commentators suggest.
In fact, the notion is not far-fetched: Exemplary, secure management of data can present a major competitive advantage, as it shows your company’s trustworthiness. Compliance, supported by top-notch technology, lets your company appear more reliable in the eyes of potential business partners or investors.
KYC And Expanding Into Other Markets
“Contactless payment” and “borderless finance” are written all over the banking and fintech industry nowadays. But if your fintech company intends to expand into new, national markets, you will notice that KYC might become a lot more complicated. Different regions of the world feature different AML, CTF and KYC regulations – with international guidelines on top.
In addition, other laws might exist which greatly impact your KYC measures: For example, Russia requires service providers to store all data of Russian customers within Russian borders – of course, that applies to KYC-related data sets as well.
Excursus: Cryptocurrency and KYC
In the field of blockchain and cryptocurrency, regulation comes with its own set of challenges. KYC is hard to accomplish in decentralized crypto environments. Yet, there is a high demand for Know Your Customer procedures for financial services based on cryptocurrencies.
And initiatives with a focus on crypto KYC are continuously rolled out. For instance, in 2017, the European Parliament and the European Central Bank laid the foundations for KYC and AML for the crypto sphere with a new ruleset. For KYC, it is already in force. The regulation targets crypto exchanges, which have tightened their process of verifying accounts. Before the regulation took effect, unverified users could conduct transactions up to a certain limit. Now, they have to undergo a basic KYC screening before they can use a crypto exchange platform at all.
In our current time of digital disruption, KYC and AML are in a constant state of change. That puts fintech companies and challenger banks in a position of opportunity and risk at the same time. As high-tech industries, they might be in the perfect position to integrate KYC procedures into their already data-driven software infrastructures.
On the other hand, budget limits and requirements regarding international expansion – as part of an app featuring payment orchestration, for example – can put fintechs in tight spots. External KYC and AML service providers can ease the pressure, combined with a flexible, API-based software framework for one’s own platform.
After all, KYC is about knowing your business as much as it is about knowing your customers.