What is KYC Compliance?

What does it mean to Know Your Customer (KYC)?

Banks and other financial institutions have a responsibility to identify and evaluate the individuals and legal entities with whom they do business. They do this by gathering various levels of identifying information about the potential client during onboarding and throughout the client relationship. Certain information identifies customers as higher risk, which triggers additional questions and deeper ‘due diligence’ on the part of the company. 

Why is KYC Important?

Understanding one’s clientele is more than just appeasing risk management principles for simple compliance; it is sound business practice. Proper KYC allows the bank, as a business, to fulfill several important functions. Among them:

Risk Management and Compliance

  1. Legal/Regulatory Risk: KYC is required by law and regulation. Inadequate adherence to sound procedures creates a risk of prosecution or other enforcement actions.
  2. Reputational Risk: Negative news degrades the company’s reputation and trustworthiness.
  3. Credit Risk: Customers might overstate their financial status or asset values and cause losses, interruptions to service, or other problems.
  4. Operational Risk: Enforcement actions may lead to excessive costs to remedy problems that could have been prevented with adequate front-line procedures.

Customer Service

  1. Financial institutions are businesses, and knowing your clientele is a prerequisite to serving their needs effectively.
  2. Data gathered during KYC can be used to offer the right products and services to make a customer feel taken care of and valued.

Business Relationship Growth

  1. Growth is the natural result of effectively serving the customer’s financial needs. 
  2. KYC data helps segment the customer for marketing and business intelligence analysis.

What are the requirements of a KYC/CDD program?

In the US, FinCEN’s website spells out its 2016 CDD Rule:

“The CDD Rule has four core requirements. It requires covered financial institutions to establish and maintain written policies and procedures that are reasonably designed to:

  1. identify and verify the identity of customers
  2. identify and verify the identity of the beneficial owners of companies opening accounts
  3. understand the nature and purpose of customer relationships to develop customer risk profiles
  4. conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

With respect to the requirement to obtain beneficial ownership information, financial institutions will have to identify and verify the identity of any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity.”

Interpreting the Core Requirements in Practice

Regulations require frequent updating and are currently under review. Additionally, regulators may interpret requirements differently at institutions based on size and risk profile. These core requirements are subsequently interpreted by financial institution employees who write policies and procedures to implement the guidance. In practice, the four requirements below are fulfilled through various functions carried out by financial crimes teams at these institutions.

Identify and verify the identity of customers

Check a valid form of identification. Make sure that the person opening the account is who they claim to be, or an authorized representative. Check articles of incorporation and registration or licenses for commercial accounts. 

Identify and verify the identity of the beneficial owners of companies opening accounts 

Who actually owns the company? Owners must be identified at the 25% level, and that threshold applies to ownership in aggregate. For example, if a person owns 10% of a business, and 75% of two other companies that own part of the first business, the math can quickly become complex. Even bankers who seek to be accurate may find it challenging to navigate towards the right answer.
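The aggregation described above, worked through as an added example (not part of the original page, and not a regulator's prescribed method): a person's effective stake is the sum, over every ownership chain leading to the entity, of the product of the stakes along that chain. The 10% and 75% figures are the page's; the entity names and the remaining stakes are assumptions. It covers only the 25% ownership test, not the separate control test.

```python
from fractions import Fraction

THRESHOLD = Fraction(25, 100)  # 25 percent ownership level quoted from the CDD Rule

def pct(n):
    return Fraction(n, 100)

# Constructed sample data: owner -> {entity owned: direct stake}.
# 10% and 75% come from the page; every name and the 30%/20%/40%/25%
# stakes are assumptions made so the example is complete.
HOLDINGS = {
    "Person X": {"TargetCo": pct(10), "HoldCo A": pct(75), "HoldCo B": pct(75)},
    "Person Y": {"TargetCo": pct(40)},
    "Person Z": {"HoldCo A": pct(25), "HoldCo B": pct(25)},
    "HoldCo A": {"TargetCo": pct(30)},
    "HoldCo B": {"TargetCo": pct(20)},
}
PERSONS = ["Person X", "Person Y", "Person Z"]

def effective_share(owner, target, holdings, _path=()):
    """Sum over all chains owner -> ... -> target of the product of stakes."""
    if owner in _path:
        # Cross-holdings need manual review; refuse to guess a number.
        raise ValueError(f"circular ownership through {owner!r}")
    total = Fraction(0)
    for entity, stake in holdings.get(owner, {}).items():
        if entity == target:
            total += stake  # direct holding
        else:
            # indirect holding: scale the intermediary's stake by ours in it
            total += stake * effective_share(entity, target, holdings, _path + (owner,))
    return total

def beneficial_owners(target, holdings, persons, threshold=THRESHOLD):
    """Return {person: effective stake} for everyone at or above the threshold."""
    shares = {p: effective_share(p, target, holdings) for p in persons}
    return {p: s for p, s in shares.items() if s >= threshold}

if __name__ == "__main__":
    for person in PERSONS:
        share = effective_share(person, "TargetCo", HOLDINGS)
        flag = "beneficial owner" if share >= THRESHOLD else "below threshold"
        print(f"{person}: {float(share):.1%} ({flag})")
```

Person X's direct 10% looks well under the threshold, but the two indirect chains lift the aggregate to 47.5%; Person Z, who appears only behind the holding companies, totals 12.5%.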

Understand the nature and purpose of customer relationships to develop customer risk profiles

Various factors impact the level of risk to which a customer relationship exposes the bank. Some products, like international wires or remote-deposit capture for checks, are inherently risky for money laundering and fraud. Doing business with certain geographical jurisdictions is riskier than with others. Certain professions, industries, jobs and interpersonal connections introduce additional risks. Each of these factors must be assessed for each customer and relationship. Higher risk customers require ‘enhanced’ due diligence, usually in the form of documentation and additional detailed questions.

Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

Accounts and relationships must be continuously reviewed for unusual activity. Certain information, depending on customer risk level, must be refreshed at certain time intervals. Additionally, using a risk-based approach, anomalies in transaction activity must be identified, reviewed, and explained. Financial institutions usually reach out to the customer to ask these questions, often at great expense in time and resources.

What are the steps of the KYC process?

Customer Identification Program (CIP)

Verifying identity using a legitimate form of documentation. The purpose is to validate that the person opening the account is who they claim to be, or is authorized to act on the person’s or company’s behalf.

Customer Due Diligence (CDD)

Collecting basic information such as name, address, phone, and tax ID number as well as occupation and income level to create a customer profile record. This information is also used, in part, to generate a customer risk rating.

Customer Risk Rating (CRR)

This process adds questions to CDD information to determine the level of various types of risk that the customer poses to the institution. Questions involve identifying certain high risk categories of person or business, as well as determining if they live in or do business with higher risk geographical regions. Risk rating also takes into account the number and type of financial products to be used. These attributes are directly tied to financial crime/AML concerns. Customer segmentation by a variety of factors allows for precision transaction monitoring. Customers are then stratified according to the institution’s risk model and are subject to different monitoring for low, medium, and high risk clients. 

Enhanced Due Diligence (EDD)

Higher risk customers will, depending on the risk tolerance of the financial institution, fill out additional information. Often this involves detailed questions about specific risks in that industry. It will include requests for documents and licenses, and descriptions of suppliers and customers. Customers will also need to estimate the value and volume of their use of certain transaction types such as cash deposits and wire transfers. This information is all used to segment the customer population and set thresholds for transaction monitoring and AML compliance. This process may include site visits to a corporate client’s location.

What is eKYC?

eKYC is the electronic gathering of KYC-related information: carrying out various KYC process steps online, such as uploading copies of documents or taking selfies with an app. It is used in fintech, apps, and online banking.