Know Your Customer (KYC) is a set of processes surrounding verifying identity that many different types of businesses need to follow – by law – so it’s important that you get them right! Here we provide a little background information about KYC and why it is important, along with five best practices to get you started with understanding and applying KYC within your business.
What is KYC?
KYC is the acronym for Know Your Customer, which is a way for businesses to verify the identity of customers or business entities. For instance, the fact that someone writes a name, address, and phone number into a form on a website doesn’t mean that these are their real details.
KYC is a process that financial companies use to perform due diligence in ensuring the customer is who they say they are. KYC is also used in other specific industries and services, including government departments and utility companies, among others.
Why KYC is Important
Having an airtight KYC process in place guarantees that your business not only safeguards itself but also puts potential customers’ minds at ease. Identifying users’ legitimacy also confirms that a company is following trustworthy and legal practices, thus solidifying reputability.
The KYC stage is not only necessary but indispensable to one’s business. This is particularly true for certain sectors where the possibility of money laundering practices may be more prevalent: financial services, payments, real estate and even online gambling, whether sports betting or no deposit casino providers, to mention but a few. Within these specific industries and areas, KYC is required under law, and failure to comply with KYC obligations can result in steep fines and sanctions. For other businesses, KYC may not be required. For instance, hairdressers wouldn’t need to verify their clients’ identities, because it makes no difference whether the client is using a fake name or not.
KYC often goes hand in hand with AML practices, that is, Anti-Money Laundering activities within the business, which will also be required by law. This involves risk assessments, employee due diligence, and systems and controls to prevent money laundering activities.
KYC and Minimum Identity Verification
To verify a person’s identity, the minimum requirements are typically their name, and address or date of birth. To verify these details, primary forms of identification will include a passport, driver’s license, residency card, or other government-issued identification with a photo. Other primary identification without a photograph includes other government-issued IDs such as birth certificates and health cards. Secondary identification comprises documents such as utility bills showing a name and address or a bank statement: these are documents that have already had customer verification completed under strict KYC practices. Usually, in digital KYC, at least two forms of identification are needed. In person, there may only be the requirement for one form of identification; for instance, providing your license to check you are of age when buying alcohol.
KYC and Data Handling
Due to the sensitive nature of the data involved in KYC processes – Personally Identifiable Information (PII) – data must be collected, transported, and stored using secure processes. This may involve end-to-end encryption as well as encryption at rest. Beyond security, there must be robust controls in place for when identities are not verified correctly, suspected fraud is encountered, risky individuals are encountered, or politically exposed persons are identified through the processes.
KYC and Verification Timeframes
Different business types have different requirements within the law for when they must complete verification. Verification must always be completed before the business allows the customer to access and use their services. Under no circumstances must a customer be able to use a KYC-restricted service without prior verification.
KYC and Handling Mismatches
Businesses that encounter customers who have a mismatch in their identification must have rules and procedures in place to either request more information or deny them as a customer. In cases where customers might be at risk, for instance a homeless person who is trying to sign up for a government-supported service, there must be procedures to help verify identity without typical forms of ID. This might include things like personal references. Other services, such as an alcohol delivery service, will simply deny a customer who cannot produce a typical form of ID.
Many businesses also must comply with KYC reporting practices, detailing the customers they have verified, which customers were denied and why, and which customers needed different forms of identification than usual. In reporting these to the authorities, there must be documentation such as times and dates and even the place of access. These auditable records must also be kept under strict security guidelines to prevent the chance of any PII being leaked.