Fintech and KYC regulations
Know Your Customer, or KYC, is a business practice that organizations use to protect themselves and their customers from fraud. In many countries around the world, a company may face big fines, reputational damage and other legal issues if it does business with a criminal who uses the provided service for money laundering or other illegal transactions. To stay protected, companies have incorporated KYC standards to better know who they are dealing with.
For fintech companies in the digital era, it is especially important to protect their customer base from such manipulation of the system. They need to take steps to prove customer identity, analyze activity to make sure the source of the customer's funds is legitimate, and measure the risks associated with the customer.
What should a Fintech company pay more attention to?
In the 21st century, identity theft is quite a common occurrence, with around 17 million people affected yearly in the US alone, accounting for almost $17 billion in damages. Because of this, the first priority is to check the identity of the customer. This can be done using the Customer Identification Program (CIP).
As different institutions around the world have their own standards for this, we will mention two major contributors: the United States Government recommendations and the Financial Action Task Force (FATF), a non-government organization with the mission to fight money laundering. Both have come up with their own set of rules for correctly identifying the customer.
Fortunately, not everyone needs to develop their own internal KYC methods, as the work can be outsourced to one of the trusted KYC providers for the financial industry, which offer a reliable service to keep companies safe from sketchy customers. What do these providers do, and how do you, a fintech company, keep yourself safe?
To start with, the recommended requirements are four types of information: name, date of birth, address and identification number. Just gathering this information is not enough, though. The data should be verified in a short amount of time, which can be done by cross-checking it against public databases and consumer reporting agencies. Policies may vary depending on the institution and the service requested. Some services require matching the customer's face against the ID, which can be done by a locally owned AI that verifies identity through picture scanning, or by outsourcing this to a company that does it for a living (Veriff comes to mind).
The second step is to verify if the customer can be trusted or not. Customer Due Diligence (CDD) recommendations serve exactly this purpose. It’s important to keep in mind that dealing with criminals, terrorists or even potentially exposed persons (PEPs) can create numerous legal issues for the company.
To classify such incidents there are three main levels of due diligence:
Simplified Due Diligence (SDD) – Low-risk situations, for example very low-value accounts.
Basic Customer Due Diligence (CDD) – The most common situation where a company verifies customer identity and assesses the risks associated with said individual.
Enhanced Due Diligence (EDD) – High-level situations where a company requests additional information to gain a deep understanding of the risks associated with said customer.
Further steps within CDD determine which level of due diligence a specific customer requires. These may include gathering information about the location and nature of business activities, classifying the risk category to define which CDD level to use, and continuously researching the customer's information to keep the risk assessment up to date in real time, since someone may not be a risk at the time of registration but may become one in the future. For this, a company may acquire additional information including, but not limited to, location, occupation, types of transactions and expected methods of payment.
The third, equally integral, part is to keep track of your customers in real time, which means ongoing monitoring of the database. Paying attention to every transaction requires some kind of artificial intelligence to help with the workload. It should oversee transactions and accounts and should detect out-of-area or unusual activity, activity spikes, and customers who end up on sanction lists because of their other illegal activities. If the activity on an account is deemed unnatural, a Suspicious Activity Report (SAR) can be filled out.
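The three monitoring signals named above (out-of-area activity, activity spikes and sanctions-list hits) can be expressed as simple rules that feed an analyst review queue. This is an added example, not code from any KYC provider; the customers, transactions, list entry, thresholds and exact-name matching are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data; every name, country and amount is illustrative.
SANCTIONS = {"ivan petrov"}  # stand-in for a real sanctions-list feed
HOME_COUNTRY = {"c1": "EE", "c2": "EE", "c3": "EE"}
CUSTOMER_NAME = {"c1": "Mari Tamm", "c2": "Ivan  PETROV", "c3": "Jaan Kask"}
# (customer_id, day, country, amount)
TRANSACTIONS = [
    ("c1", 1, "EE", 40.0), ("c1", 2, "EE", 55.0), ("c1", 3, "EE", 50.0),
    ("c1", 4, "EE", 45.0), ("c1", 5, "EE", 900.0),
    ("c2", 1, "EE", 20.0),
    ("c3", 1, "EE", 30.0), ("c3", 2, "BR", 35.0),
]
SPIKE_FACTOR = 5.0  # assumed threshold: amount above 5x the customer's prior median
MIN_HISTORY = 3     # assumed: at least 3 prior transactions before judging a spike


def normalize(name):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(name.lower().split())


def review_queue(transactions, home, names, sanctions):
    """Return {customer_id: sorted reasons} for accounts an analyst should review."""
    alerts = defaultdict(set)
    history = defaultdict(list)
    # Rule 1: customer name appears on the sanctions list (exact match after
    # normalization; real screening also needs fuzzy matching and identifiers).
    for cid, name in names.items():
        if normalize(name) in sanctions:
            alerts[cid].add("sanctions_match")
    for cid, day, country, amount in sorted(transactions, key=lambda t: (t[0], t[1])):
        # Rule 2: transaction originates outside the customer's home country.
        if country != home.get(cid):
            alerts[cid].add("out_of_area")
        # Rule 3: amount is far above this customer's own prior median.
        prior = history[cid]
        if len(prior) >= MIN_HISTORY and amount > SPIKE_FACTOR * median(prior):
            alerts[cid].add("activity_spike")
        prior.append(amount)
    return {cid: sorted(reasons) for cid, reasons in alerts.items()}


if __name__ == "__main__":
    queue = review_queue(TRANSACTIONS, HOME_COUNTRY, CUSTOMER_NAME, SANCTIONS)
    for cid, reasons in sorted(queue.items()):
        print(cid, reasons)
```

Each flagged account carries the reasons that triggered it, which is the information an analyst needs when deciding whether a SAR is warranted.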
Know Your Business (KYB)
Not only individual customers but also corporate accounts need to be verified. This is done by taking more or less the same precautions as with individual customers: retrieving company information such as address, registration number, status and key management personnel, analyzing the ownership structure and percentages, identifying ultimate beneficial owners (UBOs), and performing KYC checks on the individuals involved. This process keeps raising the price of the service, a cost that a lot of companies do not wish to take on, which makes outsourcing these tasks to a separate company even more attractive.
Electronic KYC Verification (eKYC) as the way of the future?
Electronic Know Your Customer verification is becoming more and more popular in the age of technology because it provides certain benefits over normal KYC checks. The first is speed: normal KYC checks may take up to a couple of months to finish, which has a very negative impact on customer experience, whereas eKYC optimizes this process. Apart from speed there is accuracy, as an eKYC service can very quickly and automatically check for mistakes and resolve them. Workflows for electronic KYC can be adapted to a new ruleset very quickly, and this requires no extra training or meetings on the company's part. Data can be easily analyzed because the information is already present in digital form, which makes audits and reporting much easier. All of this taken together makes the process far more cost-efficient.
In modern times, more and more companies rely on mobile devices to prove a person's ownership or identity. In Estonia, for example, programs such as Smart ID are used to identify users via their phones by banks like Swedbank and SEB bank, government organizations, micro-financing companies and others.
If anything, this gives customers and companies an extra, very convenient verification method to use.