Know Your Customer (KYC) methods and processes are critical to assess and monitor customer risk. They are also a legal obligation to comply with regulations and Anti-Money Laundering (AML) laws set by each country.
Here in Part 1 we tell you a bit more about KYC, and in Part 2 we tell you how we can help!
KYC is simply the steps taken by a financial institution or business to:
- Establish customer identity
- Assess fraud risks (legitimacy of funds etc.)
- Assess money laundering risks associated
Know Your Customer
The minimum requirements, generally speaking, are:
Institutions such as banks may require an identification number also.
During account opening, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (comparing the information provided by the customer with consumer reporting agencies, public databases, or new real-time methods) or a combination of both.
Levels of risk
KYC policies for banks depend on each institution and the levels of risk involved, but may consider:
- The types of accounts offered
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base
- The types of services the customer base use in their geographic location
Customer Due Diligence
Customer Due Diligence (CDD) is a critical element of effectively managing your risks and protecting yourself against criminals, terrorists, and Politically Exposed Persons (PEPs) who might present a risk.
There are three levels of due diligence:
- Simplified Due Diligence (“SDD”) are situations where the risk for money laundering or terrorist funding is low and a full CDD is not necessary. For example, low-value accounts.
- Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks.
Some practical steps to include in your customer due diligence program include:
- Ascertain the identity and location of the potential customer, and gain a good understanding of their business activities. This can be as simple as verifying the name and address of your customer from a national identity document.
- When authenticating or verifying a potential customer, classify their risk category and define what type of customer they are.
- Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as existing customers have the potential to transition into higher risk categories over time; in that context, conducting periodic due diligence assessments on existing customers can be beneficial. Factors one must consider to determine whether EDD is required, include, but are not limited to, the following:
- Location of the person
- Occupation of the person
- Type of transactions
- Expected pattern of activity in terms of transaction types
- Keeping records of all the CDD and EDD performed on each customer, or potential customer, is necessary in case of a regulatory audit.
It’s not enough to just check your customer once, you need to have a program to monitor your customer on an ongoing basis. The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Depending on the customer and your risk mitigation strategy, some other factors to monitor may include:
- Spikes in activities
- Out of area or unusual cross-border activities
- Inclusion of people on sanction lists
- Adverse media mentions
There may be a requirement to file a Suspicious Activity Report (SAR) if the account activity is deemed unusual.
Periodical reviews of the account and the associated risk are also considered to be best practice:
- Is the account record up-to-date?
- Do the type and amount of transactions match the stated purpose of the account?
- Is the risk-level appropriate for the type and amount of transactions?
In general, the level of transaction monitoring relies on a risk-based assessment.
How we can help