Knowing who your customer is and enacting protocols to prevent financial crime are ongoing challenges for financial institutions. Significantly, financial institutions (including banks, credit unions, and Fortune 50 financial firms) must comply with a set of increasingly complex regulations for customer identity verification called KYC. In this article, we’ll cover KYC requirements in the U.S.
KYC, otherwise known as “Know Your Customer” or “Know Your Client,” is a set of procedures for verifying a customer’s identity before or while doing business with banks and other financial institutions. Compliance with KYC regulations can help keep money laundering, terrorism financing, and more run-of-the-mill fraud schemes at bay. By first verifying a customer’s identity and intentions at the time of account opening and then understanding their transaction patterns, financial institutions are able to more accurately pinpoint suspicious activities.
Financial institutions have become subject to ever higher standards when it comes to KYC laws. They must spend more money to comply with KYC—or be subject to steep fines. These regulations mean that almost any business, platform, or organization that interacts with a financial institution to open an account or engage in transactions will have to comply with these obligations.
What is KYC in banking?
KYC means Know Your Customer and is a standard due diligence process used by financial institutions and other financial services companies to assess and monitor customer risk and verify a customer’s identity. KYC ensures that a customer is who they say they are.
Under KYC, clients must provide credentials that prove their identity and address. Verification credentials can include ID card verification, face verification, biometric verification, and/or document verification. For proof of address, utility bills are an example of acceptable documentation.
KYC is a critical process for determining customer risk and whether the customer can meet the institution’s requirements to use their services. It’s also a legal requirement to comply with Anti-Money Laundering (AML) laws. Financial institutions must ensure that clients are not engaging in criminal activities by using their services.
Stay informed. Sign up for Plaid's newsletter on the latest in financial services and tech.
Why is KYC important?
By law, KYC is required for financial institutions to establish the legitimacy of a customer’s identity and identify risk factors. KYC procedures help prevent identity theft, money laundering, financial fraud, terrorism financing, and other financial crimes. Non-compliance can incur heavy penalties.
KYC requirements were introduced in the 1990s to fight money laundering. Following the 9/11 attacks, the US passed stricter laws around KYC as part of the Patriot Act. These changes had been in the works prior to 9/11, but the terrorist attacks provided the political momentum needed to enact them.
Title III of the Patriot Act requires that financial institutions deliver on two requirements to comply with the heightened KYC obligations: the Customer Identification Program (CIP) and Customer Due Diligence (CDD). Current KYC procedures embrace a risk-based approach to counteract identity theft, money laundering, and financial fraud:
Identity Theft: KYC helps financial institutions establish proof of a customer’s legal identity. This can prevent fake accounts and identity thefts from forged documents or stolen identity documents.
Money Laundering: Both organized and unorganized criminal sectors use dummy accounts in banks to store funding for narcotics, human trafficking, smuggling, racketeering, and more. By spreading the money out across a long list of accounts, these criminal sectors seek to avoid suspicion.
Financial Fraud: KYC is designed to prevent fraudulent financial activities, such as using fake or stolen IDs to apply for a loan and then receive funding with fraudulent accounts.
What’s the difference between AML and KYC?
The difference between AML (anti-money laundering) and KYC (Know Your Customer) is that AML refers to the framework of legislation and regulation that financial institutions must follow to prevent money laundering. KYC is more specific and relates to verifying a customer’s identity, which is a key part of the overall AML framework.
Financial institutions are responsible for developing their own KYC programs. However, AML legislation can vary by each jurisdiction or country, which means that financial institutions must develop KYC procedures that comply with each set of AML standards.
Who needs KYC?
KYC is required for financial institutions that deal with customers during the opening and maintaining of accounts. When a business onboards a new client, or when a current client acquires a regulated product, standard KYC procedures generally apply.
Financial institutions that need to comply with KYC protocols include:
Wealth management firms and broker-dealers
Finance tech applications (fintech apps), depending on the activities in which they engage
Private lenders and lending platforms
KYC regulations have become an increasingly critical issue for almost any institution that interacts with money (so, just about every business). While banks are required to comply with KYC to limit fraud, they also pass down that requirement to those organizations with whom they do business.
Learn how Open Banking is changing the world of finance
What triggers KYC?
Triggers for KYC can include:
Unusual transaction activity
New information or changes to the client
Change in the client’s occupation
Change in the nature of a client’s business
Adding new parties to an account
For example, as a result of initial due diligence and ongoing monitoring, a bank might flag certain risk factors like frequent wire transfers, international transactions, and interactions with off-shore financial centers. A “high-risk” account is then monitored more frequently, and the customer might be asked more often to explain his transactions or provide other information periodically.
What are the three components of KYC?
The three components of KYC include:
Customer Identification Program (CIP): The customer is who they say they are
Customer Due Diligence (CDD): Assess the customer’s level of risk, including reviewing the beneficial owners of a company
Continuous monitoring: Check client transaction patterns and report suspicious activity on an ongoing basis
Customer Identification Program (CIP)
To comply with a Customer Identification Program, a financial institution asks the customer for identifying information. Every financial institution conducts its own CIP process based on its risk profile, so a customer may be asked for different information depending on the institution.
For an individual, this information could include:
A driver’s license
For a company, this information could include:
Certified articles of incorporation
Government-issued business license
For either a business or an individual, further verifying information might include:
Information from a consumer reporting agency or public database
A financial statement
Financial institutions must verify that this information is accurate and credible, using documentation, non-documentary verification, or both.
Customer Due Diligence (CDD)
Customer due diligence requires financial institutions to conduct detailed risk assessments. Financial institutions examine the potential types of transactions a customer will make in order to then be able to detect anomalous (or suspicious) behavior. Based on this, the institution can assign the customer a risk rating that will determine how much and how often the account is monitored. Institutions must identify and verify the identity of any individual who owns 25% or more of a legal entity, and an individual who controls the legal entity.
While there’s no standard procedure for conducting due diligence, institutions can think of them in three tiers:
Simplified Due Diligence (“SDD”): For low value accounts, or when the risk of money laundering or financial terrorism is low, a full CDD may not be necessary.
Basic Customer Due Diligence (“CDD”): At this level of due diligence, financial institutions are expected to verify a customer’s identity and level of risk.
Enhanced Due Diligence (“EDD”): High-risk or high-net-worth customers may require more information gathering so that the financial institution has a deeper understanding of the customer’s financial activities and risks. For example, if a customer is a Politically Exposed Person (PEP), they may be at greater risk for money laundering.
Continuous monitoring means that financial institutions must monitor their client’s transactions on an ongoing basis for suspicious or unusual activity. This component embraces a dynamic, risk-driven approach to KYC. When suspicious or unusual activities are detected, the financial institution is obligated to submit a Suspicious Activities Report (SAR) to FinCEN and other relevant law enforcement agencies.
What are KYC requirements?
The two basic mandatory KYC documents are proof of identity with a photograph and a proof of address. These are required to establish one's identity at the time of opening an account, such as a savings account, fixed deposit, mutual fund, and insurance.
List of documents commonly accepted as standard proof of identity:
Voter’s identity card
Photo identity proof of central or state government
Ration card with photograph
Letter from a recognized public authority or public servant
Bank pass book bearing photograph
Employee identity card of a listed company or public sector company
Identity card of university or board of education like ISC, CBSE, etc.
List of common identity documents which are accepted as standard proof of address:
Voter’s identity card
Electricity bill or telephone bill (including mobile, landline, wireless, and similar types of connections), not more than six months old
Bank account statement
Consumer gas connection card or gas bill
Letter from any recognized public authority or public servant
Credit card statement
House purchase deed
Lease agreement along with last three months rent receipt
Employer’s certificate for residence proof
How much does KYC cost?
Financial institutions have reported spending $60 million annually, based on research conducted by Consult Hyperion in 2017. Some are spending up to $500 million each year on KYC, according to a 2016 Thomson Reuters survey.
Beyond the immediate cost of implementing processes, KYC has other costs associated with time and customer churn. Onboarding can take as long as one to three months, and 12% of businesses reported changing banks due to KYC issues.
Non-compliance with KYC regulations can lead to steep fines, and these fines are increasing. In 2013 and 2014, $4.3 billion in fines were levied against financial institutions, a sum that quadrupled the fines of the nine previous years combined. As an example, JP Morgan was fined more than $2 billion for a failure to report suspicious activities.
KYC regulations have far-reaching implications for consumers and financial institutions alike. Financial institutions are required to follow KYC standards when working with a new client. These standards were set up to fight financial crime, money laundering, terrorism funding, and other illegal financial activity.
Money-laundering and terrorist financing often relies on anonymously opened accounts, and the increased emphasis on KYC regulation has led to increased reporting of suspicious transactions. A risk-based approach with KYC can help eliminate the risk of fraudulent activities and ensure a better customer experience.