Implementing KYC Standards in Financial Services and Banking

Main Thoughts

• The KYC process can vary for different businesses that deal with money.
• KYC is employed not only by banks and other financial market players, but also by credit unions, asset managers, and other businesses.
• ID Verification apps must have Document Liveness Protection and some other must-have features.
• CIP procedures vary for different customers in accordance with the level of risk they pose.

Protecting financial institutions and their clients against exorbitant amounts of ever more sophisticated fraud needs to start as early as during customer onboarding. Know Your Customer (KYC) is a comprehensive process, designed specifically to ensure this, as well as help combat money laundering, terrorist financing, and corruption. In fact, banks, various lenders and financial services companies are not the only three types of companies that use KYC. Other businesses that deal with somebody else’s funds, like credit unions, payment Fintechs, brokerage firms, cryptocurrency exchanges and asset managers employ industry-specific variations of this process too. For financial institutions, implementing KYC is mandatory in accordance with the various Anti-Money Laundering laws.

So… How does KYC work?

KYC As a Process and the Procedures, Requirements, Tools, and Best Practices It Includes

Simply put, overall the KYC process aims to achieve three goals:

1. Reliably establish and verify customer identity.
2. Provide insights into the nature of the customer’s activity with a view to making sure their funds have a legitimate origin.
3. Assess the money-laundering risks associated with the customer’s funds.

The KYC process comprises three main stages:

Customer Identification Program (CIP) – is a set of measures or procedures that allow establishing both the identity of a customer and the fact that the customer exists. Currently, no mandatory set of CIP procedures exists, and banks and other financial institutions must form a reasonable belief about what these procedures must include on their own.

A bank or financial services company first needs to collect customer data that can vary depending on the bank’s or company’s size, location, types of accounts they maintain, and the customer identification methods they choose to employ. As an absolute minimum, for private entities, the data to be collected includes the customer’s name, data of birth, place of birth, address, and Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN).

In the case of business entities, the data to be collected must include the Company Name, Business Address, Incorporation Date, Issuance documents, Ultimate Business Owner (UBO) information, Employer Identification Number (EIN) and Company Registration Number (CRN).

However, CIP isn’t limited to data collection only. One must ensure that the customer does not appear on any Government-issued sanctions lists of terrorists or terrorist organizations, financial watchlists, and Politically Exposed Persons (PEP) lists, and adverse media.

It is also necessary to perform Data Authorization by comparing the collected data with the corresponding records in public or government databases. Such databases can include issuing databases, like, for instance, AAIWA (DMV records) and TIN (IRS records), but not only. The databases, maintained by financial institutions, credit bureaus, and phone carriers can serve for the purpose of database verification too. It is also a must to keep records on any record-related requests, discrepancies that have occurred, and the ways these discrepancies have been resolved. Notably, customer data is to be stored for no less than 5 years after the account closure.

The collected customer data is juxtaposed with the customer’s valid Government-issued ID. The authenticity of the ID is determined using a specialized ID Verification app.

One’s roster of one’s CIP procedures can always be expanded with any additional verifications that make sense, for example, ones that can exist in a certain geographical context.

Customer Due Diligence (CDD) – a mission-critical part of the KYC process that begins right during customer onboarding and lasts throughout the customer lifecycle on an ongoing basis. The customer’s data is evaluated with a view to determining the risk that the customer can pose. The bank must create risk profiles for their different customers and collates the customer data they obtain against these profiles.

CDD can vary for the different risk levels identified. It falls into:

• Simplified Due Diligence, where the risks are low and the bank can only ask for a valid Government-issued ID and check this ID.
• Standard Due Diligence, where an average level of risk is assumed and the customer needs to undergo some reliable Identity Verification.
• Enhanced Due Diligence, where the risks are high and enhanced diligence measures need to be applied. The bank can inquire the customer about the source of their funds, nature of their business relationships and their corresponding obligations, and reason for a specific transaction.
• Continuous Monitoring, one must perform ongoing monitoring of all customer activities with a view to making sure no suspicious transactions occur.

Key KYC-Related Business Processes (ID and Identity Verification)

Implementing KYC is virtually impossible without the corresponding automation. Putting it simply, you need a software application or applications to support two key KYC-related business processes: ID Verification (establishing the authenticity of a Government-issued ID) and Identity Verification (verifying the identity of the presenter of this ID). Quite often, modern digital identity verification solutions provide all of this functionality in one software package.

While choosing a KYC-compliant and efficient ID Verification app, one must take into account a host of factors. First of all, to be able to seamlessly onboard customers, who hail from different geographies, your ID verification app must be able to process around 12000 various documents that serve as IDs in 247 countries of the world, including the ability to process various different document formats, alphabets, and languages. It must have a Face Image Quality evaluation capability, a Document Liveness Detection feature (or the ability to tell the original document from a copy by reading holograms or using their other properties, like, for example, the moire effect or Optically Variable Ink (OVI).

In addition to performing ID verification, the software you use for customer onboarding must also determine whether the presenter of the ID document is the true document holder. This is done using some reliable Identity Verification technology, like advanced Face Recognition.

Comprehensive digital identity verification solutions can include several more functions that allow one to ensure that the person you are onboarding as a customer really exists and that you’re dealing with this person. This can include database checks, anonymous IP detection, checks against financial watchlists, PEP lists, and Government-issued sanctions lists, adverse media checks, address checks, deep phone number validation, and more.

When it comes to Identity Verification, it should be said at once that not all the Identity Verification methods can be considered reliable enough to serve for KYC purposes. For example, the more simple and widespread Photo-based verification is too easy to trick for fraudsters.

A much more reliable Identity Verification method one can use for KYC purposes is Online Face Recognition. However, it is essential to make sure that the Face Recognition app you choose includes some advanced Live Detection capabilities to stave off the so-called presentation or spoofing attacks, including those that include using masks, photographs, and other means of fraud. Such Live Detection functionality can include passive checks (like scanning the natural movements of the user’s face like blinking), active ones (like requesting the user to tilt their head to the side or give a smile), and hybrid checks (a combination of the former and the latter). These kinds of techniques are quite efficient in dealing with presentation attacks that use 2D snaps or video replays.

Unfortunately, one must bear in mind that conventional Live Detection techniques may sometimes fall short of being able to counter attacks that involve 3D deep fakes (like, for example, 3D masks). These deep fakes are getting more and more sophisticated all the time, and have to be countered using other means. For example, it is believed that well-developed Face Recognition apps that include a 3D deep perception capability are capable of detecting 2D fakes.

Besides, one can also go for one of the multimodal security solutions that use several different means of Identity Verification, which will reduce the odds of a deep fake fraud happening even further.

In order to make subsequent customer authentication more reliable, the KYC procedure can include collecting customers’ biometric data.
Biometric Identity Verification is an extremely reliable approach of Identity Verification that is capable of countering virtually any presentation attack. Biometric Identity Verification comprises several methods, all of which focus on unique human physical traits that cannot be counterfeited.

Probably, the most robust and practicable method of biometric Identity Verification is Iris Recognition that verifies identity by scanning the iris of the human eye. Iris Recognition can be performed using a special camera or a mobile device with an iris scanner.
Another biometric Identity Verification method that boasts extremely high reliability and accuracy is Fingerprint Scanning. One can use Fingerprint Scanning in remote KYC with the help of mobile devices that include fingerprint scanners.

Voice Recognition is a less frequently employed Identity Verification method that is rapidly gaining popularity now. It can verify identity by analyzing the unique biological factors that make each human voice different. The advanced digital identity solutions that use Voice Recognition are believed to have 80-98% accuracy.

One more, less known biometric method called Vein Recognition analyzes the veins of the human palm and can now also be used in KYC due to the advent of mobile devices with palm scanners and palm-scanning apps for IOS and Android.