While being untraceable may seem ideal, anonymity online can create a liability for businesses and consumers in everyday online transactions. Without proper processes and requirements in place, financial institutions can inadvertently facilitate undetected fraud and enable money laundering and other criminal activities.
In response, governments worldwide have instituted regulations called KYC, or Know Your Customer, to protect consumers and businesses from the risks of fraud and other criminal activities. In this article, we’ll discuss the basics of what KYC is, how laws are applied, why KYC is important in banking and financial services, Know Your Customer requirements, and what technology exists to help affected businesses stay compliant.
What is Know Your Customer (KYC)?
Know Your Customer (or Know Your Client) is a set of regulations financial institutions must follow to verify the identity of their customers. KYC affects businesses with account creation or a customer login process online.
These regulations require banks, credit unions, and other financial institutions to verify the identity of customers at the time of opening accounts. They also need to retain this identity information so that they can trace these transactions back to their point of origin if legally necessary.
KYC measures exist to prevent criminal activities in banks, such as money laundering, fraudulent trading, and the financing of terror organizations. As a consumer, you can think of KYC as a business’ requirement to perform a “due diligence” check on each new and existing customer to verify their identity thoroughly.
How is KYC Regulated? The Bank Secrecy Act of 1970 and 2001 Patriot Act
Know Your Customer laws and requirements differ by country; we’ll use the U.S. version as our example. In the United States, the Bank Secrecy Act of 1970 put some of the first money laundering laws in place. Later, the 2001 Patriot Act was introduced with the aim of curbing the financing of terrorist organizations; it includes a section that amends the Bank Secrecy Act (BSA).
Amendments to the BSA include the CIP (Customer Identification Program) and the CDD Rule (Customer Due Diligence), and require financial institutions to keep accurate records of the individuals they do business with and take measures to carefully verify identities. As technology in financial services advanced over the last two decades, regulations continued to increase and now include EDD (Enhanced Due Diligence).
International KYC regulations
In addition to adhering to rigorous provisions for ID verification within America, U.S. financial organizations must also ensure that overseas KYC provisions are followed before handling international clients. The IRS, for instance, has a list of 73 countries and territories with their own KYC rules and guidelines. These approved countries can receive information from the IRS in the case of an investigation through a qualified intermediary (QI) agreement.
Common types of KYC fraud in banks and financial services
Know Your Customer laws and requirements exist to prevent illegal activity before it happens. Properly implemented KYC verification can prevent identity theft, financial fraud, and money laundering. Let’s dive into these three use cases below.
Identity Theft
KYC requires more rigorous procedures for identity verification, preventing criminals from setting up false identities to use in the commission of further crimes. Security research firm Javelin estimates that $24 billion was stolen from 15 million consumers in 2021 via identity theft.
Identity theft is one of the leading causes of fraud across the world. TD details what a few signs of attempted identity theft could look like, including online activity with personal information you don't recognize and notice of a credit report inquiry you did not authorize.
Businesses must adopt additional authentication methods upon new and unknown logins to better prevent identity theft with KYC processes. These extended authentication methods include 2FA (two-factor authentication) or MFA (multifactor authentication), forced logouts, or CAPTCHAs. There are also additional verification methods, such as device identification, that don't disrupt or add extra steps to the login experience, which we discuss further below.
Financial Fraud
Once a consumer's valid payment details are stolen and in the hands of online fraudsters, a world of opportunity for financial fraud opens up. For example, the 2022 IBM Global Financial Fraud Impact Report found that fraudulent card transactions and digital payments amounted to an average of $265 per year for each U.S. citizen, with 39% of Americans being the victim of some form of a financial security breach.
Financial fraud can occur at each step, including:
- New Account Fraud: A fraudster can use stolen identities to create accounts on behalf of a user without their knowledge.
- Account Login Fraud: If a fraudster has valid login credentials for a user, they can log in and obtain even more information about that user. They can even take over the account entirely, which is called account takeover (ATO).
- Payment Fraud: A fraudster can also make purchases using a compromised account or a stolen credit card.
To prevent financial fraud, financial institutions must verify customers at signup, login, and transaction times. The methods for preventing this type of fraud are similar to those for preventing identity theft. A few additional techniques to prevent financial fraud include:
- Instituting usage rules, such as failed login and transaction attempt limits.
- Not allowing saved payment information.
- Regular credential rotation.
- Enforcing password requirements.
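The failed-attempt limit listed above, combined with the extra authentication on new and unknown logins described under Identity Theft, shown as an added example that is not code from the original article. The class name, the thresholds and the device IDs are assumptions; the device ID stands in for whatever a device identification service returns.

```python
from collections import defaultdict, deque

class LoginPolicy:
    """Failed-attempt limit per account plus step-up on unrecognized devices."""

    def __init__(self, max_failed=5, window=900):  # assumed values, tune per risk policy
        self.max_failed, self.window = max_failed, window
        self.failures = defaultdict(deque)   # account -> times of failed logins
        self.trusted = defaultdict(set)      # account -> device IDs that passed MFA

    def evaluate(self, account, device_id, password_ok, now):
        """Return 'lock', 'deny', 'step_up' or 'allow' for one login attempt."""
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failed:
            return "lock"                    # limit hit: refuse even a correct password
        if not password_ok:
            recent.append(now)
            return "deny"
        if device_id not in self.trusted[account]:
            return "step_up"                 # new or unknown device: require 2FA/MFA
        recent.clear()
        return "allow"

    def confirm_step_up(self, account, device_id):
        """Call after the user completes 2FA/MFA on this device."""
        self.trusted[account].add(device_id)
        self.failures[account].clear()

def replay(events, policy=None):
    """Run (time, account, device, password_ok, mfa_ok) tuples; return decisions."""
    policy = policy or LoginPolicy()
    out = []
    for now, account, device, password_ok, mfa_ok in events:
        decision = policy.evaluate(account, device, password_ok, now)
        if decision == "step_up" and mfa_ok:
            policy.confirm_step_up(account, device)
        out.append(decision)
    return out

# Constructed sample: a first login, a return visit, then guessing from another device.
SAMPLE = (
    [(0, "alice", "dev-A", True, True), (10, "alice", "dev-A", True, False)]
    + [(100 + i, "alice", "dev-X", False, False) for i in range(5)]
    + [(105, "alice", "dev-X", True, False), (1006, "alice", "dev-X", True, False)]
)

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The lock applies to the account as a whole, so a trusted device is also refused until the window has passed; a correct password from the unknown device after the window still only reaches the step-up stage.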
Money Laundering
Money laundering is a type of financial fraud using stolen identities. For example, criminals set up dummy accounts to disguise the origins of money obtained through drug and people trafficking, smuggling, racketeering, and other activities.
As a recent U.S. Treasury Report puts it, “Criminals and professional money launderers continue to use a wide variety of methods and techniques, including traditional ones, to place, move, and attempt to conceal illicit proceeds.” Again, verifying the identity of account holders every step of the way is essential to preventing acts like money laundering.
How do KYC regulations relate to Anti-Money Laundering (AML) laws?
Know Your Customer is part of a successful AML (anti-money laundering) compliance strategy for banks and financial institutions. Whereas KYC is responsible for verifying a customer is who they say they are, AML processes also include monitoring transactions for money laundering.
What do companies need to know about implementing KYC procedures?
Organizations must adhere to specific data security and identification procedures to counter these significant threats, which affect the lives of millions and amount to billions of dollars of stolen money annually. These procedures include:
- Customer Identification Processes (CIP) require individuals to present a driver’s license, passport, or other acceptable photo ID.
- Corporate ID requirements are certified articles of incorporation, partnership agreements, trust instruments, and business licenses.
- Further Financial Documentation, which includes additional materials for individuals and companies, may be required, including credit agency references, financial statements, and other forms of secondary assurance.
- Due Diligence is when companies are required to conduct risk assessments on their customers, analyzing transactions to look for any suspicious patterns of behavior that may require monitoring. Organizations may categorize their clients as requiring simplified or enhanced due diligence checks based on an assessment of risk factors.
- Continuous monitoring by companies is required to catch risk-related activities on customer accounts at any time. Automated processes are used to monitor transactions and flag unusual activity. Where such patterns are of concern, KYC regulations require the company to submit a Suspicious Activity Report (SAR) to law enforcement agencies, including the Financial Crimes Enforcement Network (FinCEN).
What are the accepted identification forms of KYC?
At the highest level, KYC processes require businesses to verify consumers at account creation with at least two forms of verified identification:
- Proof of government-issued ID with photograph (usually driver’s license or passport)
- Proof of address (usually bank statements or bills)
However, not everyone has a passport or a driver’s license. In these cases, they may substitute other documentary evidence. There is no KYC-specific list of approved ID documentation, but the full list of approved documents for photo ID from the U.S. State Department includes:
- U.S. passport book or card
- Valid driver's license with photo
- Certificate of naturalization
- Certificate of citizenship
- Government employee ID
- US military or military-dependent ID
- Current (valid) foreign passport
- Trusted Traveler IDs (including valid Global Entry, FAST, SENTRI, and NEXUS cards)
- Enhanced Tribal Cards and Native American tribal photo IDs
- Learner driver’s permit with photo
- Non-driver ID with photo
- Temporary driver’s license with photo
Officially accepted documents are updated and may change as new forms of ID are issued and approved and others retired. Therefore, we recommend using the above list as ONLY a reference of document types, not a source of truth, and checking with appropriate government departments for updates. In addition, every business is permitted to draw up a list of approved documentation as long as it remains assured of its ability to identify each customer correctly.
How can you streamline KYC implementation?
Fortunately, ID verification, account monitoring, flagging, fraud detection, and automated report generation technologies make KYC provisions less time-consuming and prone to errors. Risks can be scored and prioritized without hiring analyst teams to manually scan vast volumes of data. Such innovations have helped mitigate the increasing cost of KYC implementation, which Thomson Reuters estimated can cost major financial institutions up to $500 million annually to implement correctly.
For example, adding a device identification solution helps accurately identify users even with repeated visits. Fingerprint Pro is one of those solutions, and as the world's leading device identifier, it can detect repeat visits of potential bad actors and prevent fraudulent login attempts or transactions from happening in the first place.
Key takeaways
Know Your Customer, or KYC, exists to protect businesses that lend and store money for their customers. Banks and financial institutions have a requirement to not only protect their investments, but also to verify and protect their customers’ assets. With KYC laws and regulations in place, this is not an optional security measure. Financial institutions should look to different technology solutions to help detect and prevent fraud, and protect their customers.