KYC
What exactly is it & why so important?

Have you ever looked at a word so many times that its meaning started to blur? KYC is probably the most common acronym in fintech, and certainly the most common acronym on our own website. Before you scour the internet to find out what it all means, we’ve tried to answer all the questions you might have here, so let’s take this opportunity to review the FAQs of KYC.

KYC stands for Know Your Customer. In practice, it’s a set of legally mandated protocols meant to prevent financial crimes like money laundering and, in the process, protect banks, financial institutions and other organizations from the risk of fraud.

Regulated industries have KYC requirements. Depending on the country you’re doing business in, the strictness of these requirements can vary a great deal. There are KYC requirements on a personal level:

  • Identity verification for the person who’s opening the account: ensuring they are who they say they are
  • Customer due diligence: determining the risk of doing business with this individual
  • Ongoing monitoring of the account

And there are KYC requirements on a business-to-business level:

  • Business verification: is the company a real business entity?
  • Customer due diligence: determining the risk factor for engaging with this company
  • Continuous monitoring of the business and its accounts

Typically, organizations designate a compliance officer to oversee the implementation of KYC and Anti-Money Laundering (AML) standards. Their responsibilities include owning the system and ensuring that processes are followed, updated in line with the regulatory body’s changing requirements, and properly instilled in the team.

For regulated businesses, such as banks, lenders, and money transfer services, KYC is mandatory. Failure to comply with KYC regulations can result in huge fines for your institution. In Europe, KYC negligence has run up a $1.7 billion bill since 2009, and there were over $5 billion in fines globally in 2021.

During the centuries when people opened and operated their bank accounts in person, KYC compliance was done in person with a physical ID check. And KYC was particularly important during the bootlegging era. From the Prohibition years onward, criminals dedicated themselves to laundering their money to obscure the criminal origins of the money and stay out of jail.

For Al Capone, this was very close to literal money laundering, as his laundering technique of choice was … laundromats. As the 1930s ended, money laundering techniques grew more sophisticated.

The first American Anti-Money Laundering law to make it onto the books was the Bank Secrecy Act of 1970, or BSA. The BSA assigned oversight to banks, requiring them to report any transaction, domestic or international, worth more than $10,000. Sixteen years later, the Money Laundering Control Act finally specified money laundering as a crime in its own right.

But it wasn’t until the Patriot Act of 2001 that KYC as we know it was enshrined in law. In the aftermath of 9/11, politicians and civilians alike demanded stricter oversight to prevent the financing of any future terrorist activities. Title III: International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001 was an act of Congress in its own right as well as being a section of the greater Patriot Act, and it worked to close the loopholes of the previous two Acts.

Know Your Customer compliance after 9/11 consists of CIP and CDD: Customer Identification Programs and Customer Due Diligence. CIP requires that financial institutions verify the identities of new applicants before granting them an account, making sure that they and their business are each legitimate. CDD, on the other hand, is about maintaining vigilance: assigning new customers a risk rating, monitoring the size, distance and frequency involved in their transactions, and reporting any suspicious activities.

These American standards spread around the world, and now most nations have KYC compliance laws that financial institutions need to follow.

KYC and AML are often used together, but there are key differences between the two.

Both terms are used to describe best practices that became mandatory for businesses in the United States after the introduction of the Patriot Act. It’s impossible to be vigilant against money laundering without keeping a keen eye on who you’re doing business with. Nevertheless, the terms aren’t quite interchangeable.

AML policies require a designated compliance officer. This officer is often in charge of the KYC compliance as well, but regulatory bodies only mandate someone be personally accountable for AML. These regulatory bodies also usually require AML compliance to include training regimens, regular effectiveness reviews, external testing and ongoing reporting of suspicious transactions.

KYC compliance is a key part of AML compliance, but the two terms are not one and the same.

These are the three components of KYC:

1. Customer Identification: making sure you know who your customer is
2. Customer Due Diligence: making sure you know the risks involved with beginning a relationship with this customer. How do they make a living, what kind of activity can you expect from their account?
3. Customer Monitoring: making sure your customer behaves in the way you’d expect and hope them to

For a more in-depth answer to this question, you can check out our thorough exploration of effective KYC compliance.

KYC regulators vary by country, region and industry. If you want to explore KYC regulation by country, this PricewaterhouseCoopers guide is comprehensive.

But the situation is more nuanced than that. Depending on your company’s industry and location, you may have multiple different regulators to answer to.

There are international organizations that set standards, such as the Financial Action Task Force (FATF). Governments enact laws that act as compliance frameworks. Regulators, who are government agencies assigned to oversee sectors, then provide direction, oversight and rulings.

Certain industries are subject to greater regulation than others, and regional regulations play a large part in this. The gaming industry, for example, doesn’t have an overriding national regulatory body. But casinos are subject to regulation on the state level. There are federal banks that are subject to federal regulations, and regional banks that are under the purview of state regulatory bodies.

KYC compliance isn’t optional, but different organizations can be held to different standards based on their level of risk. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) are two common KYC processes. CDD is the basic level of scrutiny for an onboarded customer, while EDD is the level of scrutiny that your institution might bring to a PEP, a customer doing business in a country without adequate AML standards, or someone unverified by CDD alone.

PEP stands for politically exposed person. PEPs are noteworthy politicians, judicial officials, military leaders, senior executives and party members (people whose power and position expose them to bribe attempts and unsavory business offers), as well as their immediate family and associates.

PEPs are more likely to be classified as high risk, but they are not automatically classified as high risk.

While there are some prescriptive rules, the risk-based approach is more about the companies themselves taking steps to understand the risks and deal with them accordingly.

  • How much money is involved in the account?
  • How many transactions are happening per month?
  • How regular are the transactions?
  • How much money is involved in each?
  • Who are these transactions between?
  • Where in the world are these transactions occurring?

First and foremost, KYC compliance is required by law around the world. KYC compliance helps prevent fraud and other crimes by preventing flagged individuals from compromising a financial ecosystem and providing fewer avenues for criminals to launder their money. KYC compliance also helps safeguard your reputation and establish international credibility with your competitors and your customers.