Fintechs, banks, and other financial institutions are required to ensure that the customers they are doing business with are not involved in crimes such as:
To do this, entities that handle and move money are legally required to verify their customers’ identities with a due diligence requirement known as Know Your Customer (KYC).
In short, KYC is required due to the United States’ Anti-Money Laundering (AML) laws. These were first codified in the Bank Secrecy Act (BSA) of 1970 and were further refined in the Patriot Act of 2001.
The BSA was mainly concerned with money laundering and scrutinizing foreign transactions. The Patriot Act added complexity to customer identity verification by requiring that banks and other financial institutions implement a Customer Identification Program (CIP). The overall process of verifying customer identities is now commonly known as KYC.
In 2016, the US government issued an expanded set of identity verification guidelines for business accounts. These requirements are known as Know Your Business (KYB).
Any bank, fintech or financial institution that handles money is generally required to implement KYC checks. If that business also has other businesses as customers, then it is also required to implement KYB checks. Combined, KYC and KYB due diligence programs ensure a company isn’t aiding bad actors and abetting financial crimes.
The actual process of KYC and KYB is similar. Both involve verifying identity information. The main difference between these two regulatory requirements is the specific entities being verified. With KYC, individuals are being verified. With KYB, business entities and people associated with those businesses are being verified.
Banks, fintechs and other financial institutions are required by law to implement a KYC identity verification process, but the law doesn’t spell out exactly what measures each business must take.
On the bright side, this means that these institutions are able to incorporate best practices and their own risk tolerance when implementing AML/KYC programs. For instance, a small credit union that only serves a local area sees lower risk activity than an international bank with money moving across twenty countries. In this case, the small credit union's KYC requirements may be less stringent.
But every entity must still ensure that they have a written KYC procedure and that it encompasses the FDIC’s rules for a Customer Identification Program (CIP).
What does that mean?
In many cases, a KYC check can be performed with non-documentary evidence (also known as “keyed-in verification”). For example, a customer provides their social security number and the bank or other financial institution verifies that information against a public (or private) database.
This customer-provided info is often sufficient for institutions to verify a customer’s identity.
Non-documentary evidence may include:
But what if this check fails?
If the first KYC check fails, that doesn’t necessarily mean that the customer is committing fraud or should otherwise be denied an account. There are many reasons why a KYC check might fail or require more verification, including:
If non-documentary evidence isn’t sufficient to verify customer identity, an entity can fall back on documentary evidence.
This might mean asking the customer for documents such as:
Some KYC programs even require the potential customer to submit a selfie or video of themselves holding their identification.
As a downside, asking for documentary evidence creates more friction in the onboarding process, which might cause customers to drop out or seek out a competitor.
CIP rules also impose recordkeeping requirements on any entity subject to these regulations. Businesses that perform KYC checks must keep a record of the information they used to make a KYC decision. In general, they must keep this documentation for at least five years after the customer has closed their account.
In effect, documentary and non-documentary sources can be used in conjunction to verify that a customer really is who they say they are.
According to FDIC rules, banks, fintechs and other financial institutions must also implement policies on what to do if a KYC verification takes longer than usual. In this case, a bank may allow an unverified customer to use their account on a limited basis.
Of course, verification can also fail. In that case, the institution is obligated to deny the customer’s account.
But no fintech or other financial institution wants to lose out on a customer due to faulty KYC processes. And that’s where automated KYC comes in.
We recently partnered with Socure, the leading platform for digital identity confirmation. Together, we now offer both Know Your Business (KYB) and Know Your Customer (KYC) services to both Middesk and Socure customers.
Want to learn how you can start verifying business and customer identities, speed up onboarding, reduce risk and lower client acquisition costs? Learn more about Middesk.