The Importance of KYC
As businesses increasingly interact with people in the digital world, it’s become easier to transact millions of dollars within seconds. However, not all transactions are legal or intended for their claimed purpose. Some involve stolen funds or illegal activities like terrorism, while others may be connected to identity theft, fraud, bribery, and more.
To address these concerns, governments and regulatory bodies have implemented policies to make financial transactions safer. One such policy is KYC, or Know Your Customer, which requires businesses to verify the identity of their customers before engaging in financial transactions.
What is KYC?
KYC, short for “Know Your Customer,” is a regulation that mandates businesses to gather information about their customers to authenticate their identities. The process involves verifying customers’ identities, financial records, activities, and associated risks, which is referred to as “Effective KYC.” KYC is critical in the financial sector, and non-compliance can lead to fines, sanctions, or reputational damage, especially if it leads to money laundering, terrorism financing, corruption, or other illegal activities.
KYC was implemented globally to curb financial crimes, and it is a fundamental practice that protects organizations from fraud and losses that may arise from illegal transactions. It also ensures that other customers are protected in the long run. The importance of KYC must be balanced, and it is essential to carry out the process before enrolling customers or conducting business with them.
Components of KYC
1. Customer Identification Program (CIP):
CIP is one of the components of KYC imposed under the USA Patriot Act in 2001. According to the “Customer Identification Program – CIP”, financial institutions are to collect four pieces of identifying information:
- Date of birth
- Identification Number
It’s important to note that financial establishments may collect additional information beyond the four basic pieces of data, such as a selfie, email address, phone number, and even Personally Identifiable Information (PII) through authoritative databases. They may also collect information such as IP addresses, especially if a customer is deemed high-risk. The type of data collected may vary depending on the company and its location. However, the four pieces of data listed above are typically the minimum requirements to establish a customer’s identity and comply with anti-money laundering (AML) and know-your-customer (KYC) regulations. Customers should also review the privacy policies of financial institutions to understand the data they collect and how it is used.
2. Customer Due Diligence (CDD)
CDD is the component that deals with the process in which all the customer’s details or credentials are collected and verified. This process helps evaluate the customer’s risk profile for suspicious account activities.
This process is enforced by the Financial Crimes Enforcement Network (FinCEN). The goal is to improve transparency within the financial sector and to prevent criminals from using companies to carry out fraudulent or harmful activities. Below are the four core requirements provided by FinCEN:
- Identify and verify the identity of customers.
- Identify and verify the identities of the owners of companies opening accounts (i.e. anyone who owns 25% shares or more).
- Understand the nature and purpose of customer relationships to develop customer risk profiles.
- Conduct ongoing monitoring to identify and report suspicious transactions.
CDD refers to the process of collecting and verifying user data. It requires a high level of diligence and carefulness, as some customers may submit fake or forged credentials. This is one of the weaknesses of the traditional KYC procedure. To address this issue, FinCEN introduced various levels of CDD that provide more information about the customer and help to better understand the risk they pose.
The level of CDD that applies to each customer is determined by their risk score, which is calculated during the customer’s due diligence process. The following are the different levels of CDD:
- Simplified Due Diligence (SDD): This is the lowest form of due diligence to be carried out on a customer. With SDD, there is no requirement to verify the customer’s identity; the business relationship should just be monitored, which could then trigger the need for basic or enhanced due diligence later.
- Basic Due Diligence (BDD): While SDD doesn’t verify the collected data about the customer, Basic Due Diligence (BDD) is simply about collecting customers’ data and verifying it at the time of onboarding the customer.
- Enhanced Due Diligence (EDD): EDD is a process that involves additional checks on customers to ensure the legitimacy of their funds. It requires collecting more information for higher-risk customers, such as politically exposed persons, high-net-worth individuals, and owners of companies with unclear ownership structures. EDD also involves monitoring for unusual transaction activities or continuous triggers. One of the key steps in EDD is ongoing monitoring of customer activities, which is done after gathering additional information about the client’s transactions with other parties.
3. Continuous Monitoring (CM)
Customer monitoring (CM) is another component of customer due diligence that involves monitoring users’ transactions and activities over time. If any suspicious activity is detected, a Suspicious Activity Report (SAR) must be filed with FinCEN and other relevant law enforcement agencies. The SAR must be filed within 30 calendar days of detecting any facts that make up the basis for a suspicious activity report. The report should include details of the suspect, and if no suspect is identified during the initial detection, the financial institution may wait an additional 30 days to monitor and detect the concerned customer or user. However, under no circumstances should the filing of the SAR be delayed for more than 60 calendar days after the initial detection.
In 2013, FinCEN held a webinar to educate institutions on how to file Suspicious Activity Reports using the new E-Filing System.
In simpler terms, here is a summary of the basic information KYC seeks to establish:
- Establish the customer’s identity.
- Prove that the customer’s source of funds is legitimate.
- Assess money laundering or terrorism financing risk associated with that customer for close monitoring of the customer’s activities in accordance with the anti-money laundering (AML) requirements.
Benefits of KYC For Companies
One of the benefits of KYC to a company is that it helps you to understand:
- Who your customers are in this fast-paced digital world.
- How to interact with them and serve them.
- How to protect them and the organization as a whole.
By knowing each and every one of your customers, you provide a layer of protection to your organization as a whole.
What is eKYC?
eKYC, also known as Remote KYC, is a digital alternative to the traditional in-person KYC procedure that has been used for decades. Although eKYC and KYC are often used interchangeably, eKYC refers specifically to digital KYC processes. eKYC stands for “Electronic Know Your Customer,” and it is an online process that reduces the costs and bureaucracy associated with in-person KYC processes.
With eKYC, customers submit their identifying documentation electronically through a computer or mobile phone user interface, just as they would with in-person KYC. However, eKYC is faster, cheaper, and more secure than traditional KYC processes. Additionally, electronic systems typically have robust fraud detection algorithms that analyze identifying documentation for special security features, which humans may miss.
eKYC systems are typically used when interacting with institutions such as banks, cryptocurrency exchanges, and online wagering sites. More recently, eKYC systems have been used to create digital or even decentralized identities.
Benefits of eKYC versus KYC
According to an independent survey by Thomson Reuters about KYC procedures, it took 30% of respondents over two months to onboard a new client and 10% over four months to do the same. This is too long and will definitely affect the client-business relationship. It will also negatively impact the brand and reduce revenue, because some customers abandon the entire process. Because eKYC is a faster process, it will help many sectors cut out unneeded redundancies in their KYC procedures.
2. Customer Experience
eKYC is a quicker process for customers and, at the same time, easy to use. The entire process is primarily mobile or internet-based, and because most customers are internet literate, the experience is smooth and convenient.
To some, eKYC systems could be expensive, but considering the speed, improved accuracy, the sleek experience it gives to the customer and better scalability, it is actually worth the cost.
Any mistake made while collecting data through the traditional process means the process has to be repeated, which means more time, additional cost, and more stress on the customer. eKYC eliminates this, as it can automatically check for errors and quickly fix them.
Because regulations change constantly, a compliance system must be flexible enough to change easily. The traditional KYC process finds it hard to cope with the constant changes, but with eKYC, workflows can be changed in no time.
Other benefits of eKYC include its efficiency, ease of integration, and tracking and reporting of data.
Who Needs To Be KYC Compliant
- Banking Sector and other financial institutions, including payment companies, fintech, credit unions etc.
- Insurance Establishments/Organizations.
- Regulated Industries, such as gambling facilities.
- Digital Wallet Providers.
- Real Estate Agencies.
- Asset Management Firms.
- Dealers Of High-Value Goods.
- Trust Formation Services.
- Cryptocurrency Exchanges.
The Cryptocurrency Industry and KYC
The KYC regulation previously did not apply to crypto exchanges or cryptocurrency generally, but in 2019, the SEC, FinCEN, and the CFTC made a collective statement that classified crypto exchanges as money service businesses (MSBs). This subjects crypto exchanges to KYC and AML policies and requirements under the Bank Secrecy Act of 1970.
Why Does The Crypto Industry Dislike KYC?
The intention for KYC was said to be positive because it seeks to protect citizens and companies and to prevent illegal activities like terrorism funding and money laundering. However, the crypto industry generally dislikes KYC for two main reasons: privacy and decentralization.
Privacy is one of the key selling points of cryptocurrency. The transparent nature of the blockchain coupled with the anonymous nature of cryptocurrency wallets made “following the money” simple, yet it was from one anonymous wallet to another. The anonymous nature of crypto, much like the anonymous nature of the early Internet, was seen as a change to the status quo, allowing untold numbers of people the ability to transact without government oversight, a key selling feature of cryptocurrency. KYC processes, therefore, were often viewed as the opposite of the crypto ethos.
Decentralization, another key selling point of cryptocurrency, ensures that there’s no one entity that can monitor, block or deplatform a user. On the other hand, KYC typically means that a single centralized entity will hold numerous identities in its database. These databases of PII are often referred to as honeypots, as they lure hackers to them much like a pot of honey lures bears, bees and more. These centralized honeypots are also the antithesis of the cryptocurrency industry.
The existence of KYC in cryptocurrency transactions isn’t the only reason for the dislike. It is that KYC actually serves as a symbol of more regulations in the future. Many users bought into cryptocurrency because it is believed not to be government controlled or regulated, but presently, they see different regulations sneaking in through the back doors. For example, a bill called the “Digital Financial Assets Bill” was recently rejected by the Governor of California, in September 2022. The bill aimed to create more oversight over crypto companies in California. It proposed that crypto businesses and exchanges acquire a special license from the California Department of Financial Protection and Innovation before operating within California.
This rejected law is similar to the law in New York, which asks crypto companies to acquire a “BitLicense” for virtual asset services. These are just a few of the regulations aimed at the crypto community, not to mention the bill proposed by the Treasury Department in December 2020. This proposed regulation required centralized exchange users who want to transfer cryptocurrency worth $3,000 and above to a personal wallet to provide the personal information of the wallet’s owner. Not just that, but if the transaction amount is more than $10,000 within a day, exchanges must obtain personal data and send information about the transaction to FinCEN. The request from the government for KYC led the way for most of these other regulations. This, apart from other valid reasons, is why there is a dislike for KYC in the crypto community: KYC serves as a symbol that many regulations are on the way.
KYC indirectly aims to strip cryptocurrency of its unique anonymity of transactions. Beyond the fact that crypto will lose one of its unique features with the existence of KYC policies, it also means that users are exposed to possible attacks if their data is stolen from the centralized data server. There are many recurring cases of hackers stealing user records from centralized data sources, which has led to cybercrime committed under another person’s identity, i.e. identity theft.
The fear or dislike in the cryptocurrency industry for KYC can be justified if viewed from the user’s perspective. This is where decentralized identity comes in, as it is private, secure, and decentralized.
Decentralized Identity is an open-standards-based identity framework that uses digital identifiers and verifiable credentials that are self-owned and independent, and it enables trusted data exchange.
In simpler terms, decentralized identity is a growing technological solution that empowers users to control their online identity through the use of an identity wallet. Decentralized Identity also gives users complete control over the amount of information they choose to share with the requesting service. This way, the user can better manage their identity’s privacy online. For example, a user can prove to be a graduate of a UK University to a third-party service provider without disclosing his graduating grade (first class; second class, upper division (2.1); second class, lower division (2.2); etc.). Another decentralized identity user can prove to a third-party service app or website that he is 30 years old without revealing his actual date of birth.
This decentralized identity solution is one of the leading issues Identity.com has been working to solve. As members of the W3C and the DIF, Identity.com is building toward a secure, permissionless, and pseudonymous ecosystem. We give developers the toolkits they need to provide users with easy-to-verify, reusable and contextual digital identification that remains in their control.