In brief:
- Know Your Customer (KYC) is a financial institution’s regulatory and legal obligation to combat fraud and financial crime by verifying the identity of its customers
- Banks, fintechs, and other financial institutions can use both “documentary” (government ID, etc.) and “non-documentary” (credit reports, public databases, etc.) evidence to verify a customer’s identity
- Combined with Know Your Business (KYB), KYC ensures that a fintech, bank, or other financial institution does not assist in money laundering, fraud, or other financial crimes
Fintechs, banks, and other financial institutions are required to ensure that the customers they are doing business with are not involved in crimes such as money laundering, financing terrorism, sanctions evasion, or committing fraud,
To do this, entities operating in any financial industry are legally required to verify their customers’ identities with a due diligence requirement known as Know Your Customer (KYC).
In this guide to KYC, we’ll cover all the essentials, including:
- What is KYC verification?
- What kind of information and documents are used in KYC verification checks?
- What a proper KYC process looks like
- What happens if a customer doesn't pass KYC verification?
- How to automate the KYC process
Let’s start with the basics about KYC verification:
KYC verification or “Know Your Customer” verification is the process of verifying the identity information of customers you are onboarding onto a financial platform, and is primarily required of businesses operating in banking, lending, fintech, and other financial industries.
Why are KYC procedures required?
In short, KYC is required due to United States’ Anti-Money Laundering (AML) laws. These were first codified in the Bank Secrecy Act (BSA) of 1970, then were further refined in the USA PATRIOT Act of 2001.
The BSA was mainly concerned with money laundering and scrutinizing foreign transactions. The USA PATRIOT Act added complexity to customer identity verification by requiring that banks and other financial institutions implement a Customer Identification Program (CIP). The overall process of verifying customer identities is now commonly known as KYC.
{{related-content-block="/blog/know-your-customer-rule"}}
What is the difference between KYC and Know Your Business (KYB)?
In 2016, the US government issued an expanded set of identity verification guidelines for business accounts known as Know Your Business (KYB). These are essentially the same requirements as KYC, applying the same mentality to the need for businesses to check the identities of who they are doing business with, including who owns a company and that the business is legitimate.
The actual process of KYC and KYB is similar, as both involve verifying identity information. The main difference between these two regulatory requirements are the specific entities being verified. With KYC, individuals are being verified. With KYB, business entities and people associated with those businesses are being verified.
Who is required to do KYC verification?
Any bank, fintech, or financial institution who handles money is generally required to implement KYC checks. If that business also has other businesses as customers, then they’re also required to implement KYB checks. While it's most commonly done during onboarding, it's important that you do adequate KYB checks throughout your customers’ lifetime.
Combined, KYC and KYB due diligence programs ensure a company isn’t aiding bad actors and abetting financial crimes.
A KYC program can operate using two types of information - documentary and non-documentary. This is what each looks like:
Non-documentary KYC customer identification
In many cases, a KYC check can be performed with non-documentary evidence (also known as “keyed-in verification.”) For example, a customer provides their social security number and the bank or other financial institution verifies that information against a public (or private) database.
This customer-provided info is sufficient for some institutions to verify a customer’s identity. Non-documentary evidence may include:
- Comparing customer provided information to public databases
- Pulling a customer’s credit report
- Checking references with other financial institutions
- Obtaining the customer’s financial statements
But what if this check fails?
Documentary KYC customer identification
If the first KYC check fails that doesn’t necessarily mean that the customer is committing fraud or should otherwise be denied an account. There are many reasons why a KYC check might fail or require more verification, including:
- The customer is young, with limited credit history
- The customer recently changed their name
- The customer is a recent immigrant to a new country
If non-documentary evidence isn’t sufficient to verify customer identity, an entity can fall back on documentary evidence.
This might mean asking the customer for documents such as:
- A copy of their driver’s license
- Passport
- Social Security Card
- Other identifying documents
Some KYC programs even require the potential customer to submit a selfie or video of themselves holding their identification.
As a downside, asking for documentary evidence creates more friction in the onboarding process, which might cause customers to drop out or seek out a competitor.
CIP rules also impose recordkeeping requirements on any entity subject to these regulations. Businesses who perform KYC checks must keep a record of the information they used to make a KYC decision. In general, they must keep this documentation for at least five years after the customer has closed their account.
In effect, documentary and non-documentary sources can be used in conjunction to verify that a customer really is who they say they are.
Banks, fintechs, and other financial institutions are required by law to implement a KYC identity verification process, but the regulations aren’t specific as to which exact measures each business must take.
On the bright side, this means that these institutions are able to incorporate best practices and their own risk tolerance when implementing AML/KYC programs. For instance, a small credit union that only serves a local area sees lower risk activity than an international bank with money moving across twenty countries. In this case, the small credit union's KYC requirements may be less stringent.
But every entity must still ensure that they have a written KYC procedure and that it encompasses the FDIC’s rules for a Customer Identification Program (CIP). Here’s how to build yours in a 6-step checklist:
- Appoint or hire a designated KYC Compliance Officer - This person would be responsible for building out, iterating, and enforcing your KYC program, company-wide
- Establish company-specific KYC policies & training - Determine who is responsible for what aspects of KYC, what information you’ll check, how you’ll collect it, and make sure all team members receive the necessary training
- Take a risk-based approach company-specific KYC policies - Find the risk level and threshold that works for your company, finding the balance between not allowing fraud to occur in your platform, while not creating too much friction for your customers
- Verify KYC information across multiple sources - Choose your authoritative and alternative data pipelines to check the customer-submitted information and verify it is accurate
- Set up ongoing monitoring - Once a customer gets on the platform, you still need to make sure you have measures in place to detect if their status changes, or they start doing suspicious things that might indicate they are committing fraud now, even if their identity initially passed KYC screening
- Automate KYC checks using software - At scale, you can’t manually review every customer, so automate the parts of the process you can (like verifying identity information against sources) using KYC software
According to FDIC rules, banks, fintechs, and other financial institutions must also implement policies on what to do if a KYC verification takes longer than usual. In this case, a bank may allow an unverified customer to use their account on a limited basis.
Of course, verification can also fail. In that case, the institution is obligated to deny the customer’s account. But no fintech or other financial institution wants to lose out on a customer due to faulty KYC processes. And that’s where automated KYC comes in.
Automating KYC is key when scaling your business, because manual reviews will take up too much of your time, and often they won’t be necessary for most customers you are trying to onboard.
Our top tips for automating the KYC verification process are:
- Integrate rule-based decisioning - Establish rules that will flag any customers that don’t meet your requirements, and customize these based on your business
- Expand your access to data - The more data you can evaluate and verify identities against, the greater your accuracy will be when it comes to KYC
- Make use of AI - AI-powered tools can automatically perform parts of the KYC process, especially when it comes to data collection
Check out our full guide on automating this process below:
{{related-content-block="/blog/kyb-automation"}}
Enable your KYC process from end-to-end with Middesk
We partner with Socure, the leading platform for digital identity confirmation. Together, we offer both Know Your Business (KYB) and Know Your Customer (KYC) services to both Middesk and Socure customers. Even better still, our clients can automate the Customer Due Diligence (CDD) process to save time and resources onboarding new businesses.
Schedule a demo with the experts at Middesk to learn how you can start verifying business and customer identities, speed up onboarding, reduce risk, and lower client acquisition costs. If you want to see how we can help your KYB or KYC processes right now, check out our on-demand product demo of Middesk Verify to see how it works in action:
{{gated-content-block="/events/productdemo-verify-june-2025"}}
