Seven best practices for managing KYC

Know Your Customer processes are carried out to verify a customer's identity before they are given access to a financial product that could be used for money laundering. But what are the seven best practices for performing KYC and managing risk? Let's take a look.

Know Your Customer, otherwise known as KYC, is a financial services industry standard that requires regulated financial institutions (FIs) to gather an array of information about a new or existing customer before they are given access to a product or service.

A KYC due diligence process is executed on applications for financial products with the intention of ascertaining whether or not a person or a business is legitimate and can therefore be trusted as a client. It is also something that happens on an ongoing basis to ensure clients are not using accounts for criminal purposes.

The act of KYC can cover a lot of ground, and the data collected can vary hugely depending on an FI's customer base, the jurisdictions it operates in and its appetite for risk. KYC might include anything from checking identities and addresses to making enquiries into an ownership structure or the financial position of a customer/business. Each due diligence process, however, is about building a picture of risk and helping the FI establish trust in the person or business they will be transacting with.

These KYC protocols are necessary for FIs to be compliant with anti-money laundering (AML) regulation. They also protect banks, investment advisors, wealth managers, payment providers etc., from onboarding financial criminals - those involved in fraud and money laundering. But KYC processes more broadly protect customers too as they ensure the health of the whole financial ecosystem.

KYC in a digital economy

There is a vast array of financial services now available across the physical and digital economies. Many financial products today are only available online, and the pandemic and increased globalisation have created a real upswing in demand for digital-first or digital-only services.

However, the shift towards a digital economy changes the risk factors FIs need to consider when it comes to KYC. Before giving access to financial services, the FI may need to think about AML compliance across different jurisdictions and how easy or hard it is to check names and registries in different countries. Compliance structures can become complicated quickly, and access to data can be patchy in different areas of the world.

With customers able to apply for a full spectrum of digital financial services such as banking, borrowing, savings, investment, insurance, and digital payments – all of which can be done remotely without the FI ever having seen or met their client – FIs need a comprehensive but flexible approach to assessing risk and access to reliable data sources.

Why does KYC happen at the start of an application?

Know Your Customer processes are in fact carried out throughout a customer's lifecycle. But they are present at the beginning of the application process specifically to verify a customer's identity before they are given access to a financial product that could be used for money laundering. AML regulations exist to ensure FIs don’t facilitate financial crime – directly or indirectly. Regulations and best practices around KYC are about preventing money laundering and the offences associated with money laundering, such as people trafficking and terrorist financing.

The way FIs choose to comply with AML regulations can vary depending on the institution’s appetite for risk. And that’s fine: as long as they are compliant with AML laws, don’t facilitate crime and report on suspicious activity, the regulation doesn't dictate anything specific. How an FI interprets and performs KYC is really down to them, but they must be prepared to face the consequences of non-compliance, which include large fines and even jail terms.

To achieve compliance, financial institutions should take an approach to KYC that works for the business, its customers, products and so on. This means creating and applying a suitable risk policy, sourcing reliable data to verify new customers, assessing risk on an ongoing basis and reporting suspicious activity.

Essential steps in KYC

The three aims of KYC are to:

1. Verify the identity (and any other credentials) of an individual or corporate customer before they are given access to financial services

2. Manage risk and avoid becoming embroiled in financial crime and crimes related to money laundering

3. Monitor customers on an ongoing basis to report suspicious activity and ensure ongoing compliance with AML regulation

What KYC process will a customer go through?

The staples of KYC are common across FIs - decide the criteria for a low, medium or high risk customer profile; gather data to build a picture of risk for each client; once the risk profile is understood, decide what to do i.e., onboard the customer, carry out further reviews, or deny service/off-board.

Most FIs use Regulatory Technology (RegTech) to help automate the process of risk-profiling customers. RegTech improves the efficiency of compliance checks, helps control the cost of managing compliance activity and supports better customer experiences.

The best RegTech solutions enable an FI to interpret its risk policy into a digital KYC workflow for customers to journey through automatically. The FI will begin by mapping the process of tasks and outcomes, then use data checks to verify essential information which populates the risk profile. Based on the risk profile, next steps can be implemented; for example, low risk customers who satisfy all checks may be onboarded automatically. This is known as straight through processing (STP).

However, medium and high risk customers may require additional information to progress their applications, which can be flagged in a RegTech solution. It's common for FIs to request additional documentation from clients for enhanced due diligence, and this can be automated via forms sent to the customer. Or, there might be a requirement for manual review which involves a process of enhanced due diligence carried out by a KYC analyst or compliance manager.

It's worth noting that because of the complicated nature of KYC, and in particular corporate due diligence, there will rarely be an instance where 100% STP is ideal. The nuance of compliance is such that FIs will nearly always need people available to complete reviews and make marginal decisions, so as not to inadvertently exclude people from financial services while still keeping bad actors out of the business.

RegTech solutions can automate checks, gather data and help answer questions, and this can be used by the KYC analyst or compliance officer to make a final judgement call.

Seven best practices for managing KYC

Each institution will have its own KYC process and customer journey. The best ones are tailored around customers, jurisdictions, and the products being offered. Typically, though, FIs with the best KYC processes have these seven attributes. They:

1. Use RegTech to automate KYC processes before providing access to financial services

2. Build an onboarding journey that delivers compliance efficiency and great customer experiences

3. Create a risk policy that’s right for the business, its products, customers and the jurisdictions it operates in

4. Define a risk model i.e., what low, medium and high risk customer profiles look like

5. Automate data checks to create a profile of risk for each customer, using trusted and reliable data sources

6. Set team responsibilities for progressing tasks, deciding outcomes, and escalating cases for review

7. Test the KYC policy and refine it on an ongoing basis to maintain compliance and excellent customer experiences

Get in touch

If you are designing an approach to KYC or want to update your AML compliance processes, PassFort can help. We offer flexible KYC solutions designed around your risk policy and the customers you serve. Automate the workflow of tasks and data checks needed to onboard a new customer – whether they are an individual or business client – having made risk-based decisions.

PassFort also understands that compliance is an ongoing process, so rerun checks at time for perpetual KYC, and also adapt your workflows and data provider network when the need arises.

Get in touch with the PassFort team to discuss KYC any time - we would love to hear from you.