Jul 23, 2025

Master the Know Your Client Process: Process, Rules, & Tools

Gabrielle Bier
Marketing

In brief: 

  • Know Your Client, or KYC, is the process of financial institutions verifying their clients’ identities and other details to ensure they are who they claim to be, and present a low enough risk of being (or becoming) involved in financial crime.
  • Know Your Client involves collecting client identity information and other details, matching them against credible sources, judging how risky a client is based on them, and planning for ongoing risk assessments if the client checks out.
  • The legal guidelines for Know Your Client are the five pillars of the 1970 Bank Secrecy Act (BSA) and the six requirements for customer identification programs (CIPs) created by the 2001 USA PATRIOT Act.

Companies usually have some familiarity with their clients, but what do they really know about their customers? Do they understand their clients’ business intentions? How can they be sure clients aren’t abusing their services for fraud or other crime, and aren’t likely to in the future?

In the financial industry, institutions are required to know these things by law. They have to follow a series of legal and regulatory guidelines for verifying clients’ identities, as well as being reasonably sure clients aren’t (or won’t be) involved in crimes like money laundering or terrorist financing. Collectively, these guidelines are sometimes called Know Your Client.

This article will offer a thorough overview of what Know Your Client is, including how to perform it, what laws and regulations it has to follow, and tools you can use to make it easier.

We’ll start with the basics of Know Your Client, including what it is and who needs to conduct it.

The fundamental components of Know Your Client

So what is Know Your Client? What kinds of businesses need to follow its rules? And why does it exist in the first place? This introduction to KYC will answer those questions.

What is Know Your Client and why does it matter?

KYC, or Know Your Client, is the process of a business checking a (potential) client’s identity credentials to determine if they’re valid and unique to that person. It also involves analyzing other information about the person to gauge their risk of intending to commit financial crime.


Did you know?

Know Your Client is sometimes also referred to as Know Your Customer (KYC) or Know Your Business (KYB). You will often see all of these terms used interchangeably by financial institutions and regulators.

Know Your Client compliance is about making sure your clients are who they say they are, and are making transactions for the reasons they claim to be doing so. Discrepancies in identity details or unusual account activity can indicate a client is attempting to commit fraud, money laundering, terrorist financing, or some other manner of illegal financial dealings.

Who needs to conduct Know Your Client procedures?

Generally, U.S. law requires any business the Bank Secrecy Act (BSA) classifies as a financial institution to conduct Know Your Client checks on its customers. These include traditional banks, fintechs, lending institutions, securities brokers/dealers, currency exchanges, payment service providers – basically any company that deals in products or services related to managing or moving money.

Know Your Client laws also apply to certain types of businesses that frequently process high-value transactions. Criminals can use these businesses to launder large amounts of money at once by purchasing expensive goods or services with illicit funds, then selling or cashing them out later to get legitimate money back. Such businesses include: 

  • Insurance companies
  • Real estate brokerages
  • Casinos & other gambling services
  • Travel agencies
  • Vehicle dealerships (including aircraft and watercraft)
  • Pawn shops

Though necessary, KYC obligations can put a real strain on these types of businesses – especially when they’re just starting out. To help out, Middesk has created a framework for balancing compliance with growth at every stage of a business – whether you’re screening individual people or even other businesses.


How the Know Your Client process works

The Know Your Client process can be broken down into five major steps.

1. Collect applicable client information

If you’re onboarding a new client, you need to ask for certain identifying information about them in the application process. At a minimum, this should include the client’s full name, home address, birth date, and the number on a piece of government-issued identification. You may ask for other kinds of information depending on your company’s current risk appetite.

As a requirement for your Customer Identification Program (CIP), you need to inform clients ahead of time what kinds of information you need them to disclose, and what kinds of supporting documentation they need to provide (if applicable). You should also explain the reason behind collecting each of these things. Another part of your CIP should be to require clients to promptly notify you if their information changes so you can make sure your data on file is up to date. 

2. Verify a client’s information is valid and uniquely theirs

Whether you’re collecting a client’s identity information for the first time or reviewing changed information for an existing client, you need to determine two things about it. The first is if the information is valid when cross-checked against multiple trusted sources. It may be immediately apparent that some pieces of information are problematic, in that they’re missing or don’t follow the proper formatting. For example, if you had to verify Employer Identification Numbers (EINs) – a type of business tax ID number – they would have to be 9 digits long, use the syntax “XX-XXXXXXX”, and have certain valid 2-digit prefixes from the IRS.

The second thing you need to verify is that the identity information actually belongs to that client. A criminal may use someone else’s identity – whether that person knows it or not – as a cover to defraud you while making you think that the other person is the one exhibiting suspicious behavior.

A criminal may even create a synthetic identity out of modified, stitched-together, or even completely made-up ID information. Stopping synthetic identity fraud is even more difficult than stopping regular identity theft because the fraud can’t be traced back to a single real entity and reversed. Instead, you’re chasing an entity that only exists on paper.
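An added example (not from the original article or from Middesk's product) of the two step-2 checks applied to EINs at intake: whether the number is well-formed, and whether the same number appears under more than one applicant. The prefix allowlist, field names, flag names and sample applications are constructed for illustration; a real check would load the current IRS prefix list and still cross-check against external sources.

```python
import re
from collections import defaultdict

# Constructed, deliberately partial allowlist for illustration only.
# A real check must load the current list of valid prefixes from the IRS.
SAMPLE_PREFIXES = frozenset({"10", "12", "20", "26", "27"})

# [0-9] rather than \d so that non-ASCII Unicode digits are rejected.
_EIN_RE = re.compile(r"([0-9]{2})-?([0-9]{7})")


def check_ein(raw, valid_prefixes=SAMPLE_PREFIXES):
    """Return (normalized EIN or None, list of problem flags).

    Accepts "XX-XXXXXXX" or the same 9 digits without the dash and
    normalizes to the dashed form so later comparisons are reliable.
    """
    if raw is None or not raw.strip():
        return None, ["missing"]
    match = _EIN_RE.fullmatch(raw.strip())
    if match is None:
        return None, ["bad_format"]
    prefix, serial = match.groups()
    problems = [] if prefix in valid_prefixes else ["unknown_prefix"]
    return f"{prefix}-{serial}", problems


def screen_applications(applications, valid_prefixes=SAMPLE_PREFIXES):
    """Flag each application for format problems and for EINs that are
    shared by more than one applicant in the same batch.

    A shared EIN does not prove fraud; it is a signal that the number
    may not belong exclusively to the client who submitted it.
    """
    flags = {}
    owners = defaultdict(set)
    for app in applications:
        ein, problems = check_ein(app.get("ein"), valid_prefixes)
        flags[app["applicant_id"]] = list(problems)
        if ein is not None:
            owners[ein].add(app["applicant_id"])
    for applicant_ids in owners.values():
        if len(applicant_ids) > 1:
            for applicant_id in applicant_ids:
                flags[applicant_id].append("shared_ein")
    return {applicant_id: sorted(f) for applicant_id, f in flags.items()}


# Constructed sample intake batch (not real EINs or real applicants).
SAMPLE_APPLICATIONS = [
    {"applicant_id": "A-1", "ein": "12-3456789"},
    {"applicant_id": "A-2", "ein": "123456789"},   # same EIN, no dash
    {"applicant_id": "A-3", "ein": "00-1234567"},  # prefix not in allowlist
    {"applicant_id": "A-4", "ein": "12-34567"},    # too short
    {"applicant_id": "A-5", "ein": ""},            # omitted
    {"applicant_id": "A-6", "ein": "20-7654321"},  # passes both checks
]

if __name__ == "__main__":
    for applicant_id, found in screen_applications(SAMPLE_APPLICATIONS).items():
        print(applicant_id, found or "ok")
```

Normalizing before comparing is what lets the duplicate check catch A-1 and A-2, which a plain string comparison would treat as different numbers.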

3. Assess the client’s potential risks

The next part of Know Your Client is due diligence: determining how likely a client is to target or use your company for fraud or other financial crimes. Obviously, if there are omissions or discrepancies in their ID information, that’s an early warning sign they may not have honest intentions.

However, you need to look at information about the client beyond just their ID credentials, including asking:

  • Where are they from?
  • How wealthy are they?
  • Do they occupy a prominent political or social administrative position?
  • How have they banked and done business in the past?
  • Are they on a sanctions list or other financial watchlist?
  • Have they been involved in crime before?
  • Is the news reporting they allegedly did something bad?

While that’s not an exhaustive list, it should give you a starting point regarding questions you need to ask to judge how much risk a client presents to your company.

4. Dive deeper into the client’s risk factors if necessary

If you decide a client is on the cusp of the amount of risk your company is willing to accept, you should apply enhanced due diligence (EDD) to more accurately assess their risk. That means looking at factors such as:

  • Who the client has close relationships with, and whether those people are high-risk
  • Whether the value of the client’s physical assets matches up with their level of income
  • Who the client has done business with, how, why, and what was exchanged
  • What’s being said about the client in news, press releases, reports, and social media
  • If the client can be visited at their actual address

5. If the client checks out, plan for ongoing due diligence

At this point, you may decide a client is too risky for your company and reject their application – or, if you’re reviewing an existing client, start the process of offboarding them. But even if you decide to onboard or retain them because they present an acceptable level of risk to your company, you still need to keep an eye on them. Their situation could change in a way that increases their risk profile, such as if they become a politically exposed person (PEP). Or they may start exhibiting suspicious transaction behavior.

You need to have a plan for monitoring a client’s financial activity for irregularities, as well as any changes to their identity details that may alter their risk profile. Ideally, you’ll be able to set up real-time compliance monitoring that focuses on aspects of the client that present the most risk to your company. This lets you take action faster if something changes for the worse.


The key Know Your Client regulations you must follow

The two main Know Your Client regulations you need to know about are the Bank Secrecy Act, which includes 5 pillars, and the USA PATRIOT Act, which has 6 CIP requirements. 

The Bank Secrecy Act (BSA)

First passed in 1970, the Bank Secrecy Act established U.S. rules for keeping financial transaction records, including reporting any transactions valued over a certain amount. Its goal was to stop the laundering and concealment of money earned through fraud and other criminal acts.

The BSA outlines 5 key pillars that financial institutions need to implement to have an effective anti-money laundering (AML) program:

1. Choose a compliance officer

An institution needs to either elect or appoint an employee to be the head of its AML compliance efforts. This person is in charge of making sure the institution is following the other four pillars and is adapting to regulations as they change. 

2. Create and execute internal AML policies

This is where the institution has to outline how it will meet its AML commitments. This should include policies on verifying customer identities, monitoring transactions, reporting suspicious activity, and periodically conducting internal audits.

3. Develop guidelines for customer due diligence (CDD)

An institution must also set policies on how it will measure the risk that clients could become (or already are) involved in money laundering or other financial crime. These can include signals such as country of origin, political status, wealth, news coverage, previous involvement in crime, and presence on sanctions or watch lists. The institution must also explain how it will modify its AML processes to deal with clients of varying risk levels.

4. Train employees on AML

An institution should have a plan for familiarizing employees with how to fulfill their AML obligations, as well as how the institution’s internal AML/CDD processes work. This should be applied whenever a new employee is onboarded, and every few months as a refresher on what the protocols are. Training should also be regularly updated to address both common signs of financial crime and current financial crime trends.

5. Schedule external audits

It’s also important for the institution to have its AML program regularly tested by an accredited outside firm. This lets an independent party confirm whether or not the institution is AML compliant. It can also reveal aspects of the institution’s AML program that could be improved.

The USA PATRIOT Act (Patriot Act)

The 2001 USA PATRIOT Act, mostly known for its anti-terrorism provisions, was also a foundational piece of Know Your Client legislation. It amended the BSA to mandate that financial institutions develop customer identification programs (CIPs) to prevent terrorists and other criminals from using their services.

CIPs obligate financial institutions to collect identity information from their clients and determine if it’s both valid and unique to each client, as well as whether it appears on any US sanctions lists. They also require financial institutions, in the interest of privacy laws, to give clients advance notice of this information collection and explain what its purpose is. 

Furthermore, they demand that financial institutions keep client information on file until it is no longer needed for compliance (e.g. updating, auditing, and reporting). Finally, each financial institution must have a written version of its CIP.

In creating CIPs, the PATRIOT Act stipulated that financial institutions must at least meet (or outline how they will meet) each of these 6 CIP requirements: 

1. Document the CIP and its methodology

A financial institution (FI)’s CIP has to be written down in full somewhere, either physically or digitally. It should not only include descriptions of the other 5 processes, but should also outline the main risk factors considered in developing these processes. Such risk factors can include the FI’s location, client volume, average client risk level, service offerings, account opening procedures, and ID information justifiably needed for identity verification.

2. Let clients know ahead of time what ID information is needed, and why

For the sake of privacy and consent, an FI has to give adequate notice that it will be collecting its clients’ ID information and any other relevant supporting documentation. It should also explain why it’s collecting this information and what the benefit is to clients: the FI can keep legitimate customers safe by weeding out criminals who want to use fake or stolen IDs to abuse the FI’s services. This, in turn, should instill clients with greater confidence in the FI.

3. Collect ID information required to verify clients

To sufficiently verify client identities, an FI needs to at least collect from clients their full name, home address, birth date, and a number from a government-issued ID document. The FI may collect other Know Your Client information from clients (phone numbers, email addresses, etc.), but it should be able to justify why collecting this information is necessary in the context of the FI’s risk appetite.

4. Verify client identities using their provided ID information

After collecting its clients’ ID information, an FI needs to check that each set of information is both valid and uniquely tied to the client who submitted it. This can involve cross-checking ID details against a client’s other government-issued ID documents, government databases, and other private companies that require client ID information (credit bureaus, telecom companies, other FIs, and so on).

An FI needs to collect and verify enough information to be reasonably sure, in light of the FI’s risk appetite, that a client is who they say they are. However, it doesn’t want to do this for more information than is justifiable, as this adds unnecessary friction to the verification process. 

5. Screen clients against sanctions lists and other risk indicators

Once an FI has filtered out fake clients or applicants, it needs to assess risk for the real ones. At a minimum, it should check databases from government and intergovernmental agencies to find out if a client (or the country they’re from) is sanctioned or under greater financial supervision. This can indicate a client is illegal to deal with. 

For example, U.S. FIs should know how to run an OFAC check to see if a client is on a sanctions list from the Office of Foreign Assets Control, usually indicating it’s forbidden to deal with that client by U.S. law.

6. Store customer information securely until it’s no longer needed for compliance

The FI needs to keep all copies of ID documents and other identifying information on a client throughout the course of that client’s lifecycle, plus five years beyond its end. This allows the FI to track changes to a client’s identity information over time, helping them spot potentially suspicious patterns in KYC reviews. It also helps the FI prove to auditors that it’s maintaining compliance, as well as cooperate with regulators and law enforcement officials investigating financial crime.

In the next section, we’ll look in greater detail at what both of these laws require in terms of Know Your Client checks.

3 Know Your Client templates that you can use for your process

So how do you collect (and potentially analyze) the information you need for KYC from clients? What kind of Know Your Client questions do you need to ask to properly assess a client’s risk level? 

For some ideas on where to start, check out these three Know Your Client form templates that all work a bit differently, and see what we think the pros and cons of each one are.

1. ACCA Client Risk Assessment Tool and Know Your Client Form

Sample of ACCA Know Your Client form and risk assessment tool

Available formats: Excel

Cost: Free

A template meant to be used as a starting point for conducting a KYC screening. It includes space for some essential information to collect about a client, as well as some basic due diligence questions. It also includes tabs for follow-up reviews as part of ongoing monitoring, as well as a matrix of questions that helps you assign clients a risk value.

These are all good things, but the template might not include due diligence questions relevant to your particular company’s specific use case (or to current regulations – it was last updated in mid-2021). It’s also tedious to do this recording and analysis work manually in a spreadsheet, especially if you have a large client volume; you should use specialized software instead.

2. Jotform KYC Form

Sample of Jotform’s KYC Form template

Available formats: PDF, software

Cost: Free, but requires signing up for a free account.

This sample Know Your Client form focuses on basic client identity and address details, requiring clients to provide documentary proof of both. It even includes a function for uploading photos and document scans as visual proof. It also has a space for the client to sign the form to declare they’ve given accurate information. It’s a fillable digital document, so it can be sent, received, and filled out by anyone virtually anywhere online.  

The form covers the basic ID information needed for KYC – full name, home address, date of birth, and government-issued proof of identity. However, it doesn’t go very far beyond that into other information that could be useful for risk assessment and enhanced due diligence; you have to add those sections yourself through Jotform’s Form Builder. 

3. Educators Financial Group Know Your Client Form

Excerpt from Educators Financial Group’s KYC sample form

Available formats: PDF

Cost: Free

What’s great about this Know Your Client template is that it covers a number of client details a financial institution might want to know for the sake of due diligence. These include a client’s income, assets, liabilities, net worth, and level of investment knowledge. It also includes their intentions in opening an account (type, objectives, risk appetite, and timeline) and their potential status as a politically exposed person. A handy appendix at the end provides explanations for different terms and options.

Where this template falls short is that, though it can be reset, it can’t be modified after it’s saved. As a PDF, it also can’t be edited to include spaces for other information that might be relevant to your company’s specific circumstances.

A Know Your Client checklist to ensure you’ve done it all

Know Your Client process checklist

Conducting KYC screening involves several steps that each require you to perform several tasks. So use this handy Know Your Client checklist to make sure you’ve covered everything you need to for the sake of compliance.

  1. Notify clients you need their ID information: CIP requirements (and privacy laws) obligate you to let clients know what ID information you may need from them for KYC, and why. Being transparent here can help win client trust.
  2. Collect client ID information: At minimum, you need a client’s full name, home address, birth date, and a number from one of their government-issued ID documents to properly conduct KYC. You can collect more information in line with your risk appetite, but not more than you’ve already told clients you need from them.
  3. Verify client ID information: Check client identity details against multiple credible sources to make sure they’re both valid and belong exclusively to that client.
  4. Conduct due diligence: Use ID information gathered from the client, along with other public information about them, to assess how a client may present risks to your company and what their overall risk level is.
  5. If necessary, investigate the client’s risks further: If the client is near your cutoff for an unacceptable risk level, you should examine their risk factors in detail (with their consent, of course): relationships, income vs. assets, transactions, public sentiment, etc. This will help you make a final decision.
  6. If onboarding or retaining, plan for monitoring & reviews: Remember to still keep an eye on clients for suspicious activity, and review their profiles occasionally to reassess their risks in light of what your company is willing to handle over time.

Manually performing these steps for each of your clients can be a real drain on your time, human resources, and profitability if you have hundreds or even thousands of clients. Fortunately, there are software programs that can automate – and even enhance – many of these tasks for you. We’ll introduce you to some of them in the next section.

Top 3 Know Your Client software & tools

It’s much easier to efficiently put your Know Your Client policy into action when you have the right tools behind you. Here are three of our top recommendations.

1. Middesk

A sample client profile put through Middesk’s Socure integration for a KYC check

Middesk is usually used for verifying identity information in business-to-business relationships. However, this requires finding out who owns a business and checking their identities. So through its integration with Socure, it can also do Know Your Client.

The benefit is you get the most complete data on the market of U.S. business owners and other corporate officials. Plus, you get it directly from Secretary of State offices, other U.S. government agencies, and other official sources. 

The data contains plenty of signals that help you assess risk, including negative media coverage, presence on U.S. or global sanctions lists or financial watchlists, presence on PEP/RCA lists, and even their online presence. 

How pricing works: Contact us for a demo and pricing information.

Best for: KYC when clients are U.S. business owners, or are other notable people associated with U.S. businesses.

See how Middesk’s business verification software lets you conduct Know Your Client and Know Your Business checks together on a single platform.

2. Persona

Sample of an ID verification workflow in Persona

Persona has several different ways to collect and verify client IDs including document processing, facial recognition through selfies or liveness detection, near field communication data transfer, and more. It can also check client devices for passive risk signals, such as which devices are being used and where they’re logging in from. Persona can even do link analysis to see if your client has ties to anyone else who may have a high risk level. 

How pricing works: Tiered subscription plan – lowest one starts at $250/month for a year; the other two you need to contact Persona to inquire about.

Best for: ID verification system with multiple verification methods and risk signals that can be customized to meet your specific KYC needs.

3. Alloy

Sample of how Alloy KYC workflow is set up

Alloy specializes in a part of Know Your Client that’s sometimes overlooked: ongoing monitoring. After all, KYC at onboarding or in review is just a snapshot of a client’s identity and risk profile; their situation could change rapidly, and you need to be ready to react.

Alloy helps by consulting over 200 credible sources to verify the information in custom ID and risk profiles you create for your clients. If a piece of information changes or you decide it’s no longer relevant to your KYC, Alloy will adjust their ID and risk level accordingly.

How pricing works: Request a demo for more information.

Best for: Using data collaboratively to monitor client risks in real time.

To evaluate a full list of additional options, check out our article on the best Know Your Client software.

Automate Know Your Client verification with Middesk

You don’t have time to sit around confirming clients’ identities and assessing their risk factors by hand. You have too many clients, your business moves too fast, and there’s too little room for error. So rely on Middesk’s team-up with Socure to check client identities and risk factors quickly and efficiently while your compliance team focuses on the big cases or other company-growing tasks.

See how easy and thorough we can make your Know Your Client work by reaching out to us for a demo today.
