When people talk about conducting KYC checks, they commonly mean the process that takes place at onboarding, i.e. identifying your customer and verifying that identity.
In a best-in-class programme, KYC should be treated as an ongoing process that helps you comply with requirements and continuously feeds back into risk management and business strategy.
It is a process designed to ensure you know who your customer is, what activity you should expect from them, and the overall risk they present to your business. This enables you to monitor that risk and mitigate it.
KYC is one of many three-letter acronyms across regulations and guidelines that touch on the process you put customers through to engage with your business. As you will already know, it stands for ‘Know Your Customer’. There is also CIP, IDV, or is it CDD? Perhaps EDD? To make things more complicated, these terms can change across geographies, with some regulators preferring one set of terminology over another.
KYC can be thought of as the umbrella term, under which the other items sit. A Customer Identification Programme (CIP) is how US regulation refers to gathering basic customer information (name, address, date of birth for an individual, and an ID number) to form a ‘reasonable’ belief that the true identity of the customer is known. Identity Verification (IDV) tools can be used to verify that identity. It is increasingly common to use electronic and non-documentary means to do this. CIP would also include a check against relevant sanctions lists.
This identification step is the first phase of Customer Due Diligence (CDD), in which more information is obtained regarding the individual or entity. Things to consider could include where the individual or entity is based, whether they are a politically exposed person (PEP), the line of business they are in, or more details about their management or corporate structure. If any of this information means the customer should be considered ‘high risk’, enhanced due diligence (EDD) may be applied.
This information helps your business determine the expected activity from that client, for example, the volume, value, and frequency of payments across an account. You can set transaction monitoring scenarios accordingly. Throughout the relationship, when those thresholds are breached, you can seek information about where this unusual behavior is coming from, report it if suspicious, and realign expectations if this is to be a new normal for that customer. You can decide on an ongoing basis whether this is a relationship you wish to continue with.
Global regulations highlight KYC as fundamental to a strong AML compliance program. Without KYC, you’re not gathering the data you need to effectively structure your AML program and take a risk-based approach, comply with regulations and prevent financial crime.