What You Need To Know About “KYC – Know Your Customer”
Businesses interact with people daily. Products are sold, services are rendered, and monetary transactions take place. This happens faster in this digital world, and millions of dollars can be transacted within seconds, but not all transactions are legal. Not all transactions are intended for the purpose they claim to be for. Some are stolen funds or for illegal activities, e.g., terrorism. In some situations, the people behind some transactions are not who they say they are. There are cases of identity theft, fraud, terrorism financing, bribery, etc. These concerns gave birth to policies that regulate businesses with a focus on making financial transactions safer. KYC is a result of such policies and regulations.
What is KYC?
KYC is an acronym for “Know Your Customer”. This regulation firmly instructs businesses to collect information about their customers to confirm if these customers are who they say they are. KYC is the process of validating the identity of your customers. This can be done before they’re enrolled as customers or while doing business with you. KYC is not just knowing your customer based on face value. It can go as detailed as knowing their financial record/activities and attached risks. This can be termed “Effective KYC”.
KYC is of utmost importance to financial sectors and institutions compared to other industries. It is so important that you could be fined, sanctioned or experience reputation damage for not verifying your customers’ identity claims and information. This could be severe if your company’s lack of due diligence leads to money laundering, terrorism financing, corruption or other illegal activities.
One of the intentions that brought about the implementation of KYC globally is the attempt by the government to curb financial crimes. Beyond the government’s intentions that brought about the regulation, KYC is also a fundamental practice that protects your organization from fraud and losses that can come from illegal funds and transactions.
It also protects your organization and your other customers in the long run.
Components of KYC
1. Customer Identification Program (CIP):
CIP is one of the components of KYC imposed under the USA Patriot Act in 2001. According to the “Customer Identification Program – CIP”, financial institutions are to collect four pieces of identifying information:
- Name
- Date of birth
- Address
- Identification Number
This list doesn’t mean that different financial establishments cannot choose to collect additional information like a selfie, email addresses, phone numbers, and even go the extra mile of running Personally Identifiable Information (PII) through authoritative databases. This can extend to collecting other information like IP addresses, especially if a customer is seen as a high-risk customer. Basically, the data collected varies from company to company, but the four pieces of data listed above are the basic expectations.
2. Customer Due Diligence (CDD)
CDD is the component that deals with the process in which all the customer’s details or credentials are collected and verified. This process helps evaluate the customer’s risk profile for suspicious account activities.
This process is enforced by the Financial Crimes Enforcement Network (FinCEN). The goal is to improve transparency within the financial sector and to prevent criminals from using companies to carry out fraudulent or harmful activities. Below are the four core requirements provided by FinCEN:
- Identify and verify the identity of customers
- Identify and verify the identities of the owners of companies opening accounts (i.e. anyone who owns 25% shares or more)
- Understand the nature and purpose of customer relationships to develop customer risk profiles
- Conduct ongoing monitoring to identify and report suspicious transactions
CDD deals with both the collection and verification of users’ data. This means more diligence or carefulness has to be employed, knowing that some customers can submit fake or forged credentials (this is one of the weaknesses of the traditional procedure of KYC). Considering this weakness that can bring about forged credentials, FinCEN introduced different levels of CDD as this gives more information about the customer and helps to better understand the risk a customer poses.
The level of CDD that applies to each customer is a result of the customer’s risk score. This risk score is known or calculated when onboarding the customer, simultaneously as the customer’s due diligence process is going on. Below are the different levels of CDD:
- Simplified Due Diligence (SDD): This is the lowest form of due diligence to be carried out on a customer. With SDD, there is no requirement to verify the customer’s identity; the business relationship should just be monitored, which could then trigger the need for basic or enhanced due diligence later.
- Basic Due Diligence (BDD): While SDD doesn’t verify the collected data about the customer, Basic Due Diligence (BDD) is simply about collecting customers’ data and verifying it at the time of onboarding the customer.
- Enhanced Due Diligence (EDD): EDD is basically some extra check on your customers to certify the legitimacy of their funds. It involves collecting additional information for higher-risk customers with possible traces or continuous triggers about unusual transaction activities. This could include politically exposed persons, high-net-worth individuals, owners of companies with an unclear ownership structure, etc. One of the key steps in EDD is continuous monitoring of customer activities; this is done after gathering additional information about the client’s activities with other individuals.
3. Continuous Monitoring (CM)
CM is the other component of customer due diligence that monitors users’ transactions and activities over time. If any suspicious activity is noticed, a Suspicious Activities Report (SAR) is to be made to FinCEN and other relevant law enforcement agencies. The SAR is expected to be filed within 30 calendar days after the initial day of detecting the facts that made up the basis for the report. The SAR is to be filed with the details of the suspect. If no suspect was identified during the initial detection, the financial institution could wait for an additional 30 days to monitor and detect the concerned customer or user. But in no scenario must the filing of the SAR be more than 60 calendar days after the initial detection.
This 2013 webinar was held by FinCEN to educate institutions on how to file Suspicious Activities Reports using the new E-Filing System.
In simpler terms, here is a summary of the basic information KYC seeks to establish:
- Establish the customer’s identity.
- Prove that the customer’s source of funds is legitimate.
- Assess money laundering or terrorism financing risk associated with that customer for close monitoring of the customer’s activities in accordance with the anti-money laundering (AML) requirements.
Benefits of KYC For Companies
Some of the benefits of KYC to a company are that it helps you to understand:
- Who your customers are in this fast-paced digital world.
- How to interact with them and serve them.
- How to protect them and the organization as a whole.
By knowing each and every one of your customers, you provide a layer of protection to your organization as a whole.
What is eKYC?
eKYC, also known as Remote KYC, is a digital alternative to the usual in-person KYC procedure that has been around for decades. eKYC is the acronym used to describe digital KYC processes, although many use eKYC and KYC interchangeably. It stands for “Electronic Know Your Customer”, and it is an online process that minimizes the costs and traditional bureaucracy of in-person KYC processes because it is done remotely.
With eKYC, the customer submits the same documentation electronically, providing their typical identifying documentation through a computer or mobile phone user interface. This process is faster, cheaper and more secure. Additionally, these electronic systems typically have robust fraud detection algorithms that analyze the identifying documentation and its special security features, something that humans often miss.
eKYC systems are typically used when interacting with institutions like banks, cryptocurrency exchanges, and online wagering sites. More recent systems leverage eKYC systems to create digital or even decentralized identities.
Benefits of eKYC versus KYC
1. Speed
According to an independent survey by Thomson Reuters about KYC procedures, it took 30% of respondents over two months to onboard a new client and 10% over four months to do the same. This is too long a time and will definitely affect the client-business relationship. It will also negatively impact the brand, reducing the generated revenue because some customers abandon the entire process. eKYC, being a faster process, will help many sectors to cut down on all unneeded redundancies in their KYC procedures.
2. Customer Experience
eKYC is a quicker process for the customers and, at the same time, easy to use. The entire process is primarily mobile or internet-based, and because most customers are internet literate, the experience is smooth and convenient.
3. Cost
To some, eKYC systems could be expensive, but considering the speed, improved accuracy, the sleek experience it gives to the customer and better scalability, it is actually worth the cost.
4. Accuracy
Any mistake in the process of collecting data through the traditional process means it has to be repeated, which is more time, additional cost, and more stress on the customer, but eKYC eliminates this as it can automatically check for errors and quickly fix them.
5. Adaptability
Because regulations change constantly, a compliance system must be flexible enough to change easily. The traditional process of KYC finds it hard to cope with the constant changes, but with eKYC, workflows can be changed in no time.
Other benefits of eKYC include its efficiency, ease of integration, tracking & reporting of data etc.
Who Needs To Be KYC Compliant
- Banking Sector and other financial institutions, including payment companies, fintech, credit unions etc.
- Insurance Establishments/Organizations.
- Regulated Industries, such as gambling facilities.
- Digital Wallet Providers.
- Real Estate Agencies.
- Asset Management Firms.
- Dealers Of High-Value Goods
- Trust Formation Services
- Cryptocurrency Exchanges.
The Cryptocurrency Industry and KYC
The KYC regulation previously did not apply to crypto exchanges or cryptocurrency generally, but in 2019, SEC, FinCEN, and CFTC made a collective statement that classified crypto exchanges as money service businesses (MSBs). This subjects crypto exchanges to KYC and AML policies and requirements under the Bank Secrecy Act of 1970.
Why Does The Crypto Industry Dislike KYC?
The intention for KYC was said to be positive because it seeks to protect the citizens, companies and prevent illegal activities like terrorism funding, money laundering, etc. Why then does the crypto industry generally dislike KYC? This can be answered in two words: privacy and decentralization.
Privacy is one of the key selling points of cryptocurrency. The transparent nature of the blockchain coupled with the anonymous nature of cryptocurrency wallets made “following the money” simple, yet it was from one anonymous wallet to another. The anonymous nature of crypto, much like the anonymous nature of the early Internet, was seen as a change to the status quo, allowing untold numbers of people the ability to transact without government oversight, a key selling feature of cryptocurrency. KYC processes, therefore, were often viewed as the opposite of the crypto ethos.
Decentralization, another key selling point of cryptocurrency, ensures that there’s no one entity that can monitor, block or deplatform a user. On the other hand, KYC typically means that a single centralized entity will hold numerous identities in its database. These databases of PII are often referred to as honeypots, as they lure hackers to them much like a pot of honey lures bears, bees and more. These centralized honeypots are also the antithesis of the cryptocurrency industry.
The existence of KYC in cryptocurrency transactions isn’t the only reason for the dislike. It is that KYC actually serves as a symbol of more regulations in the future. Many users bought into cryptocurrency because it is believed not to be government controlled or regulated, but presently, they see different regulations sneaking in through the back doors. For example, a bill called the “Digital Financial Assets Bill” was recently rejected by the Governor of California, in September 2022. The bill aimed to create more oversight over crypto companies in California. It proposed that crypto businesses and exchanges acquire a special license from the California Department of Financial Protection and Innovation before operating within California.
This rejected law is similar to the law in New York, which asks crypto companies to acquire a “BitLicense” for virtual asset services. These are just a few different regulations against the crypto community, not to mention the proposed bill by the Treasury Department in December 2020. This proposed regulation would have required users of centralized exchanges who want to transfer cryptocurrency worth $3,000 and above to a personal wallet to provide the personal information of the wallet’s owner. Not just that, but if the transaction amount is more than $10,000 within a day, exchanges must obtain personal data and send information about the transaction to FinCEN. The request from the government for KYC led the way for most of these other regulations. This, apart from other valid reasons, is why there is a dislike for KYC in the crypto community: KYC serves as a symbol that many regulations are on the way.
KYC indirectly aims to strip cryptocurrency of its unique anonymity of transactions. Beyond the fact that crypto will lose one of its unique features with the existence of KYC policies, it also means that users are exposed to possible attacks if their data is stolen from the centralized data server. There are many recurring incidents of hackers stealing user records from centralized data sources, which have led to cybercrime committed under another person’s identity, i.e. identity theft.
The fear or dislike in the cryptocurrency industry for KYC can be justified if viewed from the user’s perspective. This is where decentralized identity comes in, as it is private, secure, and decentralized.
Decentralized Identity is an open-standards-based identity framework that uses digital identifiers and verifiable credentials that are self-owned and independent, and it enables trusted data exchange.
In simpler terms, decentralized identity is a growing technological solution that empowers users to control their online identity through the use of an identity wallet. Decentralized Identity also gives users complete control over the amount of information they choose to share with the requesting service. This way, the user can better manage their identity’s privacy online. For example, a user can prove to be a graduate of a UK University to a 3rd party service provider without disclosing his graduating grade (first class, second class, upper division (2.1) or second class, lower division (2.2) etc.). Another decentralized identity user can prove to a 3rd party service app or website that he is 30 years old without revealing his actual date of birth.
Identity.com
This decentralized identity solution is one of the leading issues Identity.com has been working to solve. As members of the W3C and the DIF, Identity.com is building toward a secure, permissionless, and pseudonymous ecosystem. We give developers the toolkits they need to provide users with easy-to-verify, reusable and contextual digital identification that remains in their control.