Like the transaction monitoring space, Know-Your-Customer (KYC) is a highly competitive and complex space where different types of customers need different types of solutions.
KYC is one of the primary steps in the journey to a productive and profitable mutual relationship between a bank or financial services provider and its customer. The principle is simple – you should know to whom you’re providing services to ensure they’re not a criminal, financing terrorism, or engaging in nefarious acts that could cause harm.
But how do you conduct KYC repeatably and at scale without adversely impacting customer experience in a competitive marketplace?
There’s no one answer – the building blocks are outlined by regulation, but how you choose to slot them together to satisfy your business needs, risk-based approach, and budget is up to you.
“OK,” you think, “but tell me, Lucinity, I thought your service is AML – I know who my customer is by the time you’re in the mix?!”
Well, allow us to quote someone who has been there and done it before – from building societies to the fastest-growing fintech in the land:
“The amount of times I’ve said, it’s a complete continuous thing, it’s all interconnected, every single bit of it from the minute you gather that info and data right the way through to when you eventually exit or they are dormant.”
- Ben Tallick, Amazon Payments UK
Thus, in order for us to fully grasp AML, it's important to understand the processes connected to it, including KYC.
So, let’s outline the Pillars of KYC and what they mean:
Defining a risk/compliance policy is where it all begins. A lot of work goes into a risk/compliance policy, which is why a strong leader is a must, as they write the policy and ensure it is followed. Leaders must consider a wide range of factors. For example:
- What sort of customers are you going after?
- Where do they live?
- What kind of products are you selling to them?
- How will you deal with them if they are suspicious?
- How will you take a risk-based approach?
The risk-based approach will inform how you undertake KYC and everything about your customers from a compliance perspective. In short, a risk-based approach asks, “How do I align with regulatory requirements, and how do I deal with my customers if something goes wrong?”
A good policy should also outline how you think about the riskiness of your customers and what are the markers of financial crime risk. Nothing in life is free of risk – what the regulators ask is that you consider every customer interaction and consider how much risk you are willing to tolerate.
Next, the relevant stakeholders should agree on defining what is most important. These depend on several factors – are you a young start-up whose primary concern is winning new customers, and thus, your risk appetite is pretty high? Or are you a player who has been around for a while, has a solid client base, and needs to innovate, launch new products, or open new markets?
Maybe a simple KYC process is for you...
Maybe you're an established provider that is very complex and has many products, or you’re internationally established and have many different regulatory obligations to navigate.
If that is the case, every data point available to you and every customer touchpoint should be like manna from heaven as a mitigating factor or disqualification criterion. Maybe you’ll need lots of experience, judgment, and best practices to interpret the data and guide the decision on whether or not to admit that customer to your hallowed halls.
Maybe enhanced due diligence (EDD) is par for the course...
Now you have a policy – how do you follow it? That, in short, should determine your processes.
Different risk profiles require different mitigation strategies. For example, you’re an electric money institution (EMI), and your primary product is a digital wallet for UK individuals with an average load balance of £100. You may choose to run a Simplified Due Diligence (SDD) process in the interests of customer experience. In this case, a risk assessment that considers customers, products, channels, and transactions may allow you to set up an SDD patch for low-risk customers with cost savings on staff, processes, and systems. Knowing your customer starts with knowing your risk – consider where your customers live, the relative value of your product offering, and how your customers will likely interact with your products. In this example, given the high-quality nature of UK Credit data, relative lack of sanctions risk (though you cannot take this for granted – run a check!), and the low product risk (basically, not large sums of money), you can implement straight-through processing (STP), which is a customer onboarding journey that is untouched by human hands.
However, let’s say part of your product’s capabilities is P2P remittances, and your customer chooses to send funds to a higher-risk jurisdiction designated by the Financial Conduct Authority (FCA). Well, your process should be robust enough to ensure that if that customer is going to send money to that country, you have the foresight of that and can ensure that those funds are not proceeds of crime or likely to be used for criminal ends. This might be where you choose to have enhanced measures where your team is involved. In this case, your staff should be appropriately trained and experienced to look at the customer in more detail to determine the likelihood of money laundering.
You may also require an understanding of where the customer got this money. Source of Funds (SoF) or Source of Wealth (SoW) is commonly required to ensure your business isn’t putting dirty money into the global banking system. There are many ways to validate the SoF, but fundamentally, it comes down to asking, "where did you get this money?”
You may have a host of products offered, and all of them should have defined and documented processes outlining how you manage risk and undertake KYC. Your processes should outline who looks at the case, when, and which checks you run on them, with increasing levels of seniority, right up to the point where your MLRO or regulated staff must approve the onboard personally. Ultimately, they are responsible for balancing business appetite for risk with compliance!
The lifeblood of 21st-century KYC is data. It sounds a little obvious, but to make any informed decision, you need data. There are three primary checks that comprise basic KYC (for individuals or ‘natural persons’):
- Electronic ID (eID): Confirming that a person exists through data-only sources provided by a credit bureau, scraping electoral rolls, telco data, mortality registers, etc.
- Politically Exposed Persons (PEPs)/Sanctions: Databases that continuously monitor the names of sanctioned individuals from significant lists which you can screen your customers against (Office of Foreign Assets Control (OFAC), EU, UK, etc.)
- Identity Verification (iDV): A check which will biometrically confirm that a person’s face matches their passport, driver’s license, or national identity card and can be used to verify that they are who they say they are
- Adverse Media (also known as negative media): A check of public records and news sources to identify any negative or potentially damaging information that imply potential risks associated with a customer
Some combination of the above checks will comprise a rudimentary KYC check. Once upon a time, it was necessary to undertake these checks in person (remember the days when you’d have to come into your bank with paper forms and your passport?) Now, with data, the KYC process is faster and more convenient.
There are thousands of data providers and different data-powered checks to enable you to make better decisions with varying degrees of efficiency. Often, data is driven into your core systems by API to enable the previously mentioned STP.
Different checks can be used strategically based on customer risk and your budget. Returning to the earlier example of our UK digital wallet provider and their desire for a smooth, quick customer onboarding journey – they may decide that just an eID check with a PEP/Sanctions screen is enough for them to be comfortable to onboard their UK customers.
However, what if their customer indicates they will be remitted to a higher-risk jurisdiction? Well, they may choose to add in an ID check to verify more thoroughly that not only does that person exist but to prove that they are the one applying.
These three checks are the building blocks of automated or auto/manual hybrid KYC. Still, there are a vast plethora of further ones – from anti-fraud solutions that can check whether a specific device has been tagged in an instance of fraud or IP address check to confirm the person is where they say they are. In some circumstances, even video ID providers can get your customer on a video chat with an expert to confirm that the person is alive, well, and not under duress.
The other means of collecting data is asking the customer, so when you’re designing your application flow, think about the trade-off in how much data you want the customer to provide (often just name, address, and DoB is enough to run checks) versus how much you ask them to fill out forms, which can be tedious. The negative impact of filling out laborious forms can impact your customer attrition rate. Customer data collection should almost correlate directly with the value of your services – more risk, more questions!
RegTech, as it is known, is an ever-evolving marketplace for small, venture capital (VC) backed solution providers right through to private equity (PE) backed companies and even a public company or two, all vying to help you satisfy your regulatory requirements.
Regarding KYC, we’ve already touched on some solutions-providers offering different types of checks underpinned by data. The question is, how do you stitch it all together?
Client Lifecycle Management (CLM) is a category that has really come to light in the last several years and is often positioned as “Customer Relationship Management (CRM) for Compliance.”
Usually, CLM will offer the ability to pre-define your risk policies, build your various workflows, and, often, automate the risk-scoring and required checks with pre-built API integrations to data providers. SaaS-based case management platforms support the processes needed for manual escalations and review processes.
There’s always a question of build vs. buy when assembling your technology stack – how do you manage the cost of designing and building an automated onboarding solution while ensuring it is fit-for-purpose, scalable, iterative, and provides a great customer experience?
There is no shortage of brilliant technology providers in the marketplace – choosing the one that is right for you can be a challenging but incredibly valuable process.
Tying it all together
Bringing it all together, KYC is about managing your risk while maintaining a positive customer experience.
Always happy to have a chat!