Globally, Know Your Customer (KYC) is a fundamental part of Anti-Money Laundering (AML) compliance, which is a legal obligation for banks, financial service providers and other regulated entities. Essentially, regulated entities are required to know who their customer is before they engage in a business relationship with them, and also maintain an accurate view of their client throughout the lifetime of their relationship.
As such, KYC processes can be understood as the tools that regulated entities use in order to achieve compliance with AML rules and regulations, supported by the Financial Action Task Force (FATF) Standards. Inside the KYC toolbox you will find customer identification, Customer Due Diligence (CDD) processes and Ongoing Monitoring frameworks.
1. Customer Identification
Customer identification is an essential part of KYC that takes place right at the beginning of a relationship, during the customer onboarding process. The aim here is to identify the client by gathering basic personal information and obtaining a government-issued identity document to then verify that they are who they claim to be.
As such, the basic customer data that is initially collected includes:
- Full name
- Address
- Date of birth
- Social security number
Additionally, the customer’s contact information is collected, such as an email address and/or mobile phone number, in order to be able to contact the client. Where corporate clients are concerned, the basic customer information collected includes:
- Company name
- Company address
- Incorporation number
To achieve the first level of verification, the basic client information provided is cross-checked against supporting documentation such as a government-issued identity document (national ID, driver’s license, passport) or company incorporation documents where business entities are concerned. Alternatively, entities can validate the data by cross-checking against corporate registries or consumer reporting agencies.
Ideally, entities should opt for a digital onboarding solution in order to collect all the data and documents in one place, minimizing the risk of creating data silos and information gaps, while also fostering continuity for the next step of the KYC process, Customer Due Diligence.
2. Customer Due Diligence
Customer Due Diligence goes beyond customer verification and encompasses processes that help the entity understand their customer’s activities and assess the risk they may pose with regard to money laundering and terrorist financing.
Once a thorough customer verification procedure has been carried out and the entity has a robust understanding of the nature and purpose of the customer relationship, it is able to develop a risk profile for the client and assign them to a due diligence tier according to that risk. This is known as a risk-based approach to AML and is strongly recommended for achieving compliance.
Institutions should implement the following differentiated due diligence procedures:
A. Simplified Due Diligence
As the name suggests, Simplified Due Diligence (SDD) refers to the due diligence process most suitable for low-risk customers with a proven track record. Customers are usually assigned to the lowest due diligence tier when the nature of their account or business relationship is such that it poses a low risk.
For example, a payment account for teenagers would likely be considered low risk and thus fall within SDD for the following reasons:
- Purpose and usage:
By nature, teenage accounts are basic payment or savings accounts with limited features and age restrictions that exclude high-risk activities, such as large transfers or complex financial instruments. These spending accounts are usually used for everyday expenses, such as school supplies, entertainment, and small personal purchases, which are easily traceable and have predictable patterns.
- Low transaction volume and value:
As these accounts reflect the everyday expenses of an adolescent, they typically involve minimal transaction activity and small transaction amounts. This makes a link with money laundering or terrorist financing highly unlikely, while any departure from the expected pattern would nevertheless raise concern, as patterns continue to be monitored.
Following the provided example, in practice SDD for a teenage payment account would include:
- Basic identity verification:
By collecting the basic information of the parent or guardian along with a government-issued identity document, the bank or FinTech would be able to verify their information, and open an account for their teenager.
- Reduced transaction monitoring:
Considering the nature and limitations of the account type, the account would be monitored less intensively compared to higher-risk accounts, while still keeping an eye on unusual patterns that may arise.
- Lower reporting requirements:
Again, considering the low-risk nature of the account type, the bank or FinTech would have fewer reporting requirements to adhere to.
B. Customer Due Diligence
Customer Due Diligence, also known as Standard Due Diligence, is the “go-to” standard for due diligence, typically associated with a moderate risk level: not low enough to qualify for SDD, but not high enough to require Enhanced Due Diligence (EDD).
For example, an SME would typically fall under CDD, considering the company has straightforward structures and transparent operations, especially if operating in a low-risk industry such as agriculture. This is because:
- Transparent operations:
The nature of the agriculture business is straightforward and involves business relationships and activities which are easily understood and followed. This means that the sources of income and types of transactions tend to be predictable and tied to the seasonal nature of agricultural activities, matching the scale and scope of their business operations.
- Layers of oversight:
Agricultural businesses often operate under specific licenses and regulations that ensure they adhere to industry standards and practices. Additionally, in many countries, the agriculture sector is subject to significant government oversight and support, adding an extra layer of transparency and accountability. These factors make an association with money laundering and/or terrorist financing unlikely.
- Straightforward ownership structures:
When it comes to corporate clients, uncovering the company ownership structure and the Ultimate Beneficial Owners (UBOs) tends to be the most complicated step, and it can add to a customer’s risk rating where matters are not transparent. In the case of agricultural SMEs, ownership structures are usually straightforward, making it easier to identify and verify the beneficial owners, thus reducing risk.
In practice, CDD measures require the regulated entity to achieve the following:
- Identity verification:
Collecting company documentation and personal identity documentation for UBOs to verify the identity of the business owners and key stakeholders, while also gathering information about the business’s operations. In the given example, this would include the types of crops grown or livestock raised, the size of the farm, and the markets served.
- Understand the nature of the business:
The CDD process must capture the purpose of the account and how it fits within the business’s operations, contributing to the broader picture of the company. For example, the business model, revenue streams and typical transaction types must be understood.
- Transaction monitoring:
The better an entity understands the nature of its client’s business, the more accurate its transaction monitoring. Implementing ongoing monitoring along with periodic review can help flag any suspicious activity and track whether transactions align with the expected activities of the agricultural SME.
C. Enhanced Due Diligence
Enhanced Due Diligence is the highest level of scrutiny and investigation applied to customers that are considered to pose a higher risk of money laundering, terrorism financing, or other illicit activities. EDD goes beyond standard due diligence measures and involves additional steps to gather more comprehensive information and assess the risks associated with the customer. For example, the data collected attempts to capture business affiliations, links to high-risk jurisdictions, transaction volumes and values, and where corporate clients are concerned, ownership structures.
An example of a customer who qualifies for EDD would be a politically exposed person (PEP) seeking to open a high-value private banking account. This is because:
- PEP status:
PEPs are individuals who hold or have held prominent public positions with significant influence, such as government officials, heads of state, senior politicians, or high-ranking military officers. Due to their positions and access to significant funds, PEPs are considered to have a higher risk of being involved in corruption, bribery, or other illicit activities, making them subject to enhanced scrutiny under AML/CFT regulations.
- High-Value Private Banking Account:
The complexity of the high-net-worth individual’s financial profile, including diverse sources of wealth, multiple sources of income and complex financial structures such as offshore accounts or investments in high-risk jurisdictions, raises concerns about the origin and legitimacy of their wealth. Furthermore, it means that they will be managing substantial assets and conducting high-volume and high-value financial transactions, which increases the risk of money laundering or other financial crimes.
Enhanced due diligence ensures that financial institutions have a deeper understanding of the customer’s background, sources of wealth, and potential connections to illicit activities, enabling them to assess and manage the associated risks effectively. Therefore, EDD measures include:
- Extensive background checks:
Conducting thorough checks on the customer, including verifying their identity, employment history, and political affiliations. This includes running PEP checks, sanctions screening against global and local watchlists, adverse media screening and checks within criminal registries.
- Source of funds:
Having and maintaining a strong understanding of the customer’s source of funds and wealth through detailed documentation and supporting evidence.
- Ongoing oversight:
For high-risk customers, it may be necessary to obtain senior management approval for the establishment of the banking relationship and subsequently monitor their account closely for any signs of unusual or suspicious behavior.
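The three tiers above can be expressed as a risk-based tiering rule. The following is an added illustration, not norbloc's or the Sancus platform's code: it scores a customer from the factors the text discusses (product type, PEP status, jurisdictions, industry, ownership depth), maps the score to SDD, CDD or EDD, and derives the review cycle and the senior-approval requirement from the tier. All weights, thresholds, product names, the jurisdiction codes and the review cycle are constructed assumptions for the example, not regulatory values.

```python
"""Risk-based due diligence tiering (added illustration, constructed values)."""
from dataclasses import dataclass, field
from typing import Optional

SDD, CDD, EDD = "SDD", "CDD", "EDD"

# Constructed placeholder codes; a real programme uses the FATF / regulator lists.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
LOW_RISK_PRODUCTS = {"teen_account"}
LOW_RISK_INDUSTRIES = {"agriculture"}
# Constructed review cycle in months, more frequent for higher-risk tiers.
REVIEW_CYCLE_MONTHS = {SDD: 36, CDD: 24, EDD: 12}


@dataclass
class Customer:
    name: str
    customer_type: str                    # "individual" or "company"
    product: str                          # e.g. "teen_account", "private_banking"
    is_pep: bool = False
    sanctions_hit: bool = False
    industry: Optional[str] = None
    jurisdictions: set = field(default_factory=set)  # countries the customer operates in
    ubo_layers: int = 0                   # ownership layers between the company and its UBOs


def risk_score(c: Customer) -> int:
    """Additive score: negative factors lower risk, positive factors raise it."""
    score = 0
    if c.product in LOW_RISK_PRODUCTS:
        score -= 2                        # limited features, small predictable spend
    if c.product == "private_banking":
        score += 2                        # high value, complex financial profile
    if c.is_pep:
        score += 3
    if c.jurisdictions & HIGH_RISK_JURISDICTIONS:
        score += 3
    if c.customer_type == "company":
        score += 1                        # UBOs must be identified and verified
        if c.industry in LOW_RISK_INDUSTRIES:
            score -= 1                    # transparent, regulated, predictable income
        score += max(0, c.ubo_layers - 1)  # each extra ownership layer adds opacity
    return score


def assign_tier(c: Customer) -> str:
    """Risk-based tier. Some factors mandate EDD regardless of the score."""
    if c.is_pep or c.sanctions_hit or (c.jurisdictions & HIGH_RISK_JURISDICTIONS):
        return EDD
    score = risk_score(c)
    if score <= -1:
        return SDD
    if score >= 4:
        return EDD
    return CDD


def needs_senior_approval(tier: str) -> bool:
    """EDD relationships are approved by senior management before onboarding."""
    return tier == EDD


def review_cycle_months(tier: str) -> int:
    return REVIEW_CYCLE_MONTHS[tier]


# Constructed customers mirroring the worked examples in the text, plus one
# company with a deep ownership chain to show the score-driven EDD path.
TEEN = Customer("teen payment account", "individual", "teen_account")
FARM = Customer("agricultural SME", "company", "business_account",
                industry="agriculture", ubo_layers=1)
PEP = Customer("PEP, private banking", "individual", "private_banking", is_pep=True)
OPAQUE = Customer("holding chain", "company", "business_account", ubo_layers=5)

if __name__ == "__main__":
    for c in (TEEN, FARM, PEP, OPAQUE):
        tier = assign_tier(c)
        print(f"{c.name:24} score={risk_score(c):3d} tier={tier} "
              f"review every {review_cycle_months(tier)} months, "
              f"senior approval={needs_senior_approval(tier)}")
```

The mandatory-EDD branch in `assign_tier` is the important design choice: PEP status, a sanctions hit or a high-risk jurisdiction are not allowed to be offset by low-risk factors elsewhere in the score, which is how a purely additive model could otherwise under-rate a customer.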
3. Ongoing Monitoring
Briefly mentioned in the previous section, the final layer of KYC is ongoing monitoring. This step involves constant monitoring of customer behaviour for unusual patterns to identify new, emerging risks. As customer behaviour is not static and, for example, the nature of a business may change with time, banks and financial institutions must keep an eye on accounts to promptly identify these changes.
Ongoing monitoring takes on various forms and helps entities maintain regulatory compliance.
A. Customer Review
Periodically, institutions carry out client account reviews in order to reassess the risk associated with the customer profile on the basis of new information, changes in behaviour or even updates in regulatory guidance. Maintaining up-to-date information on customers is therefore an important prerequisite, and requires that clients are asked to periodically review their own data.
By regularly monitoring and carrying out periodic reassessment of customer profiles, institutions can retain clarity over client business activities, sources of funds, and risk levels. The frequency of such a review coincides with the risk-categorization of the customer. For high-risk clients, or customers associated with high-risk jurisdictions, more frequent and detailed reviews are legally required. This includes detailed documentation of the findings and any actions taken in response to suspicious activities.
Thus, equipped with periodic customer reviews, compliance teams are able to quickly respond to new risks and potentially prevent the occurrence of financial crime.
B. Transaction Monitoring
Transaction monitoring often involves a mixture of sophisticated software systems and subsequent manual review. Technology helps to monitor transactions in real time, flagging unusual or suspicious activities based on predefined criteria and risk parameters that align with the institution’s risk appetite. Examples include alerts for specific high-risk activities, such as large cash deposits, international wire transfers to high-risk countries, or transactions just below reporting thresholds.
Subsequently, when a transaction is flagged for review, the compliance officer steps in to assess the context and determine if further investigation is needed. The examination of a flagged transaction happens within the broader context of the customer’s account activity and usual transaction patterns to determine whether there has been a significant deviation from the customer’s expected behavior.
If escalation is needed, institutions must ensure they have clear procedures in place for escalating alerts to senior compliance staff or management for further investigation and decision-making. For example, it may be necessary to cross-check information with external data sources and screen customers against international watchlists.
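The alert criteria and the two-step review described above can be demonstrated as a small rule engine. The following is an added illustration, not norbloc's code: each transaction is checked, in timestamp order, against the customer's own prior history by four rules (large cash deposit, wire to a high-risk country, repeated deposits just below the reporting threshold, and an amount far outside the customer's usual pattern), and each alert carries a severity that routes it either to first-line compliance review or straight to escalation. The threshold, country code, window sizes, rule names and sample transactions are constructed assumptions; real reporting thresholds are jurisdiction specific.

```python
"""Rule-based transaction monitoring with an escalation path (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

HIGH_RISK_COUNTRIES = {"XX"}            # constructed placeholder code
CASH_REPORTING_THRESHOLD = 10_000.0     # constructed value, jurisdiction specific in reality
NEAR_THRESHOLD_BAND = 0.90              # deposits at 90-100% of the threshold count as "just below"
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_COUNT = 3                   # near-threshold deposits inside the window
BASELINE_MIN_HISTORY = 5                # transactions needed before a baseline exists
DEVIATION_Z = 3.0                       # standard deviations above baseline that raise an alert

@dataclass
class Txn:
    txn_id: str
    customer: str
    ts: datetime
    amount: float
    kind: str                           # "cash_deposit", "wire_out" or "card"
    country: str = "HOME"               # counterparty country for wires

@dataclass
class Alert:
    txn_id: str
    customer: str
    rule: str
    severity: str                       # "review" (compliance officer) or "escalate"

def _near_threshold(t: Txn) -> bool:
    return (t.kind == "cash_deposit"
            and NEAR_THRESHOLD_BAND * CASH_REPORTING_THRESHOLD <= t.amount < CASH_REPORTING_THRESHOLD)

def rule_large_cash(t: Txn, history) -> Optional[Alert]:
    if t.kind == "cash_deposit" and t.amount >= CASH_REPORTING_THRESHOLD:
        return Alert(t.txn_id, t.customer, "large_cash_deposit", "review")
    return None

def rule_high_risk_wire(t: Txn, history) -> Optional[Alert]:
    if t.kind == "wire_out" and t.country in HIGH_RISK_COUNTRIES:
        return Alert(t.txn_id, t.customer, "wire_to_high_risk_country", "escalate")
    return None

def rule_structuring(t: Txn, history) -> Optional[Alert]:
    """Repeated deposits just below the reporting threshold within a short window."""
    if not _near_threshold(t):
        return None
    recent = [h for h in history if _near_threshold(h) and t.ts - h.ts <= STRUCTURING_WINDOW]
    if len(recent) + 1 >= STRUCTURING_COUNT:
        return Alert(t.txn_id, t.customer, "possible_structuring", "escalate")
    return None

def rule_baseline_deviation(t: Txn, history) -> Optional[Alert]:
    """Amount far above the customer's own baseline for this kind of transaction."""
    amounts = [h.amount for h in history if h.kind == t.kind]
    if len(amounts) < BASELINE_MIN_HISTORY:
        return None                     # not enough history to say what is "usual"
    mu, sd = mean(amounts), max(pstdev(amounts), 1.0)   # floor sd to avoid division by zero
    if (t.amount - mu) / sd > DEVIATION_Z:
        return Alert(t.txn_id, t.customer, "deviation_from_baseline", "review")
    return None

RULES = (rule_large_cash, rule_high_risk_wire, rule_structuring, rule_baseline_deviation)

def monitor(txns):
    """Run every rule over each transaction against that customer's prior history."""
    history = defaultdict(list)
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        for rule in RULES:
            alert = rule(t, history[t.customer])
            if alert:
                alerts.append(alert)
        history[t.customer].append(t)   # only earlier transactions form the baseline
    return alerts

def escalations(alerts):
    """Alerts that bypass first-line review and go to senior compliance staff."""
    return [a for a in alerts if a.severity == "escalate"]

def _d(day, hour=9):
    return datetime(2024, 3, day, hour)

# Constructed sample activity: alice's small card spend then one outlier,
# bob's three near-threshold deposits on consecutive days, carol's large
# cash deposit followed by a wire to a high-risk country.
SAMPLE_TXNS = (
    [Txn(f"a{i}", "alice", _d(i), amt, "card") for i, amt in enumerate([20, 25, 30, 22, 28, 24], 1)]
    + [Txn("a7", "alice", _d(7), 5000, "card")]
    + [Txn(f"b{i}", "bob", _d(i), amt, "cash_deposit") for i, amt in enumerate([9500, 9700, 9800], 1)]
    + [Txn("c1", "carol", _d(2), 15000, "cash_deposit"),
       Txn("c2", "carol", _d(3), 50000, "wire_out", country="XX")]
)

if __name__ == "__main__":
    for a in monitor(SAMPLE_TXNS):
        print(f"{a.severity:8} {a.customer:6} {a.txn_id:3} {a.rule}")
```

Note that `rule_structuring` alerts only on the third near-threshold deposit: the first two look like ordinary cash deposits in isolation, which is why the rule must be evaluated against the customer's history rather than transaction by transaction, and why the baseline check in `rule_baseline_deviation` deliberately refuses to judge a customer with too little history.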
C. Reporting
Regulated entities have an obligation to maintain thorough records of all monitoring activities, findings, and actions taken. As previously mentioned, the depth of documentation coincides with the risk-levels of the customer or the transaction.
Here, Suspicious Activity Reports (SARs) may come into play. Institutions need to file SARs with the appropriate regulatory authorities when suspicious activities are detected, providing detailed information about the nature of the suspicion and the transactions involved.
This means that compliance teams need to continuously stay informed of AML and KYC measures, the latest regulatory requirements, best practices, as well as any advancements regarding fraud and financial crime. Thus, awareness campaigns and staff training contribute towards an organization’s robust compliance strategy.
Automate KYC Compliance with norbloc
Having laid out the contents of the KYC checklist, it is important to highlight the silver bullet of the KYC toolbox: modular, scalable and flexible technology, such as the Sancus orchestration platform by norbloc. The complexity of AML compliance, together with the regulatory differences between industries and jurisdictions, further underlines the need for regulated entities to adopt technology that offers:
- Adaptability:
KYC solutions that have been designed to adapt to new regulations, offering functionalities for segmentation, custom risk calculators and modular and easy-to-create customer journeys, capture the reality of AML compliance and are equipped for the real world.
- Automation:
Automating sections of the KYC process, such as data collection, screening, SDD/CDD and monitoring means that clients are able to experience smooth customer journeys while compliance teams are able to allocate their time and attention where it is needed.
- Accuracy:
Another perk of automation and digital KYC is data accuracy: by pulling data directly from documents and from verified data sources to prepopulate customer workflows, organizations minimize the potential for human error and, by extension, reduce the likelihood of fines.
Disclaimer: This is for general information only. The information presented does not constitute legal advice. norbloc does not accept responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.