London Governance & Compliance Academy

Do You Really Know Your Clients? Introducing KYC

Original article is available at Do You Really Know Your Clients? Introducing KYC – The Association of Governance, Risk and Compliance (AGRC)

What is KYC?

When you last opened an account at the bank, you will probably have been asked who you are – your identity – and also questioned about the origin of the funds that you proposed to deposit in the account. This is all about the concept of know your customer (KYC) and is the point at which many of us will have already interacted with KYC, perhaps without knowing anything about it. Know your customer/client is essentially concerned with verifying the identity of customers before and during any business undertaken with them and aims to prevent illegal activities such as money laundering or fraud. This protects both the company and the client and is an important part of the wider anti-money laundering regulations that are being enacted worldwide.

Because of the dramatic growth of money laundering worldwide, it has become increasingly necessary for businesses to ensure that their proposed clients, or anyone involved in monetary transactions with them, are compliant with anti-bribery and anti-money laundering (AML) policies. This means that relevant financial institutions now require often quite detailed due diligence information. Regulations were initially only imposed on financial institutions, but increasingly they now apply to the non-financial industry, fintech, virtual asset dealers and even non-profit organisations.

At its core, KYC is about knowing a customer’s identity, understanding what their financial activities are and being clear as to their source(s) of funds, before finally assessing or evaluating any risk that this might pose. This is clearly in the interest of a business or organisation, for their own protection from fraud and losses. But arguably of even greater significance are the potential fines, sanctions and reputational damage that could ensue if an organisation helps enable money laundering or terrorist financing through its negligence in this area.

The requirements for KYC inevitably vary in different jurisdictions and also depend on the industry concerned, and it is clearly the responsibility of the business or organisation to be fully abreast of the local and specific requirements that apply to them. In banking, for example, there is a requirement to identify customers, beneficial owners of businesses, and the nature and purpose of customer relationships. Within the investment industry, it is necessary for advisors to be aware of their client’s investment knowledge and financial profile. In some situations, Know Your Customer’s Customer (KYCC) prevents fraud operating in second-tier business relationships. Know Your Business (KYB) further extends the KYC laws to verify businesses, and particularly features the need to know the Ultimate Beneficial Owners (UBOs), among other things. This is important in identifying fake business entities and shell companies.

Who needs KYC?

Financial institutions that open and maintain accounts with customers are required to know their customers and abide by the KYC regulations. KYC is an increasingly critical issue for almost any institution that interacts with money, including banks, credit unions, fintech tech applications, lending platforms and private lenders and also wealth management firms and broker-dealers. In a short article like this, it isn’t possible to outline all of the requirements or the scope of KYC legislation for different jurisdictions and industries. In general, though, in the United States, organisations should review the anti-money laundering (AML) regulations, many of which have been in place for decades, and in particular they should understand the requirements of Title III of the Patriot Act (2001). In Europe, the sixth Anti-Money Laundering Directive – AMLD 6 – came into effect in 2021 and draws together previous standards right across the union. Other jurisdictions have similar provisions, and in fact over 190 countries have committed to recommendations from the Financial Action Task Force (FAFT).

Should we bother with KYC?

The KYC processes can perhaps primarily be seen as a global imperative of protection for the wider financial community. Viewed from this perspective, each organisation is forming part of the barrier wall against corruption and financial fraud and the huge damage that these can wreak. Of course, there are also the profound and possibly devastating effects that fines, sanctions and the loss of reputation could have on a person or their business. These two factors alone should make it clear why KYC is necessary, but there is yet another important perspective, the significant advantages of a robust KYC process.

Ensuring an effective KYC approach is in place will be cost efficient and is likely to raise conversion rates and optimise customer acquisition costs. It will also greatly decrease the likelihood of later friction or difficulties in the relationship with clients. Having a better understanding of a client identity cannot fail to improve business transactions with clients, and it is also probable that the regulatory KYC process will encourage a more effective and ordered record-keeping process, which will certainly have positive knock-on effects on the rest of the business.

How does KYC work?

This does depend to some degree on which side of the Atlantic you find yourself, and, as has already been said, different specific requirements affect different industries. That said, there are essentially three components to KYC:

Customer Identification Program (CIP)

CIP requires that a number of pieces of identity information about a client must be obtained. This would typically mean that the client’s name, date of birth, address and identification number are checked. Essentially, is the customer who they say they are? The process of verification may include both documentary and non-documentary methods, perhaps including comparing the information provided by the customer with other recorded information elsewhere. These actual procedures need to be codified and made totally clear to all personnel concerned in the process.

Customer Due Diligence (CDD)

It is necessary for all of a customer’s credentials to be collected to further verify their identity and particularly to evaluate their risk profile for suspicious account activity. CDD further reviews the beneficial owners of a company, where this is relevant. This is about assessing the trustworthiness of the potential client and is a critical element in protection against risks involving criminals, terrorism, and Politically Exposed Persons (PEPs). There are different levels of due diligence, and these are very much dependent on the level of risk that the person or business presents, especially with regard to the extent of risk of infiltration and possible connections with terrorism and money laundering. Notable features here might include the location of the person, their occupation, the type of transactions they make, patterns of activity and methods of payments.

Ongoing monitoring or Enhanced Due Diligence (EDD) of accounts

Organisations need to be aware that there is always the possibility of a client’s transition into higher categories of risk over a period of time. Conducting due diligence cannot be a one-time activity. Systems and triggers need to be established to ensure that changes in condition are picked up, promptly. This is likely to involve the ongoing monitoring of financial transactions and accounts, probably based on some form of threshold. Spikes in activities, unusual cross-border activities, changing sanctions and even adverse media coverage or reports can all be filed in a Suspicious Activity Report (SAR), where appropriate.

This introductory visit to KYC should have given you the groundwork and also, hopefully whetted your appetite for further detail in a forthcoming blog, covering the impact of KYC on cryptocurrencies, the links to AML, electronic KYC verification and also mobile KYC.