Setting Up an AML Compliance Program Part II: Know Your Customer
May 05, 2021
We started this series by providing a framework for assessing the risks of money laundering that your financial institution faces. We recommend reading through that framework if you haven’t already.
Once you have assessed your unique risks, you’ll want to work through each of the five pillars of a strong AML program:
- Assess Risk
- Know-Your-Customer (KYC)
This post focuses on the second: the Know Your Customer practice area. Thanks to its very literal name, it shouldn’t be a surprise that this practice area is all about understanding who your customers are and how they will typically interact with your institution.
Let’s go over the basics of the second core AML compliance area and how it may apply to your company.
What’s the Point of KYC?
When you are in the money business, it’s a good idea to know who you’re dealing with. Companies in the financial industry need to know who their customers are – who they are processing transactions for, lending money to, or providing savings accounts to. This is what the Know Your Customer (KYC) practice area is all about: the data and procedures used to identify your customers.
So why not just ask your customers who they are? This is certainly a good starting point, but you can’t trust criminals to give an honest answer. An “ask but verify” approach is a better way to operate.
KYC touches on one of the deepest, most fascinating concepts of the modern world (in our opinion): identity. How do you know someone is who they say they are? How do you verify identity, keeping in mind that you have to do it in different settings. How do you know someone signing up for your service online is the person they claim to be?
Identity verification is a fascinating problem, particularly on the web. You won’t need to solve the problem for the entire Internet, but you will need to have a compliant KYC program if you want to operate a financial institution. Luckily there are data sources and identity verification techniques that can help you put together a KYC program.
Know Your KYC Data
Getting the KYC process right from the get-go will save many headaches later on. The first step is to determine the information you need to know from new customers and ensure that your onboarding process collects it.
Common KYC information for individuals include name, address, date of birth, and some sort of ID number. Corporate KYC, sometimes called “Know Your Business” or KYB, requirements include company vitals and ownership structures, as well as individual-level data.
The full set of appropriate customer KYC data fields and the verification processes will vary significantly between companies. As an example, banks are subject to something called the “Customer Identification Program” or “CIP” which carries a specific set of requirements where Money Services Businesses have a bit more flexibility. To figure out what other information to collect, the appropriate speed of verification, and the risk level of your specific institution, consider:
- Methods of opening accounts
- Types of identifying information available
- Size of your company
- Customer base
- Geographic customer subgroups
- Product/Service use customer subgroups
These considerations can help you figure out what you need to know about your customers – it depends on the unique risks faced by your service. When setting up your KYC program, we also recommend talking to an expert.
The KYC compliance program should then check the customer-provided data against public records, vendor databases, and your company’s own research. The intent of this process is to know whether your customer has any warning signs or risk signals you should be aware of before providing them with your financial services.
KYC and Onboarding Customers
The KYC practice area has a direct impact on how customers sign up for your financial services. The customer onboarding process is generally where KYC information is collected, and it’s helpful to think KYC information coming from two primary channels:
- Information that the customer provides directly to you (e.g. name, email, etc.)
- Information that you can obtain about the customer from other sources
KYC data sources commonly look at public records, court records, employment history, education, residence history, and other information about people. This information can be licensed from KYC vendors, and does not need to be collected directly from your customers.
In the digital setting, financial service providers view onboarding flows as a competitive differentiator: the easier your sign up flow, the less drop off you will have when people try to join your service. Peer-to-peer payment apps like Venmo, Square Cash, Paypal, and others have spent years optimizing these onboarding flows, and are constantly refining their KYC procedures to reduce the amount of information that users have to provide directly.
That process of optimization is beyond the scope of this article, but the key to remember is KYC information can be obtained through both of the channels mentioned previously: directly from the customer or in the background through KYC data providers.
An optimal program would leverage RegTech KYC solutions that integrate well with technology for other practice areas, such as investigations and suspicious activity report filing. A common issue we see in KYC is licensing the data, but failing to integrate it into compliance workflows. With the KYC data well integrated with case management and workflows, compliance teams are forced to switch between systems and look through fairly raw data sources in order to complete investigations – it’s a lot of time spent on tedious work.
This is one of our core focus areas at Hummingbird: integrating KYC directly into the case management and investigation flows. With the information pre-integrated, investigators spend a lot less time hunting around for things.
While knowing your customer marks an initial step in setting up a compliance program, it is only the first pillar. To help, Hummingbird will be releasing in-depth investigations into the other three practice areas: monitoring, investigations, and reporting.
Look for Part III and answers to the question, “Should you buy, or build, an AML transaction monitoring system?”
Read Part I: Start Here
Read Part III: Transaction Monitoring
Read Part IV: AML Case Investigations
Read Part V: Filing SARS