Unless you work in the finance industry, it’s likely you’ve never heard of anti-money laundering (AML) or know your customer (KYC). Until fairly recently I had not heard of either of these acronyms, let alone understood the complexities around them. At DEPT® we’ve been working with clients to build NFT marketplaces, often using the open source white-label NFT marketplace solution we developed for the Algorand blockchain as the foundation. I’ve needed to better understand these concepts because we’ll be adding support for KYC to the marketplace implementations for our clients, as well as integrating it into the white-label solution, though the specific KYC needs will vary based on the business.
We’ll go through AML/KYC at a high level and discuss options available to you and what to look for when choosing a SaaS provider. Heads up, there’s going to be a whole lot of acronyms in this article, and in the AML/KYC world there’s an acronym around every corner. Below is a cheat sheet of relevant acronyms to refer to.
- KYC = Know Your Customer
- AML = Anti-Money Laundering
- CIP = Customer Identification Program
- CDD = Customer Due Diligence
- EDD = Enhanced Due Diligence
- SSN = Social Security Number
- PII = Personally Identifiable Information
- PEP = Politically Exposed People
- BSA = Bank Secrecy Act
- MSB = Money Services Business
- FinCEN = United States Financial Crimes Enforcement Network
- BaFin = German Federal Financial Supervisory Authority
What is KYC and who needs it?
AML legislation is enacted with the intention of preventing financial crimes, and the relevant laws and regulations vary by country, though there are accepted international standards. Financial institutions have to abide by local laws and regulations, and a specific AML program is put in place according to the risk profile of the business and where it’s operating. KYC is an integral part of any AML program, where a customer’s identity is verified, and they are screened and assessed for their risk.
In the United States, the Financial Crimes Enforcement Network (FinCEN), a bureau within the Treasury Department, is responsible for enforcing the Bank Secrecy Act (BSA). The BSA is a set of laws and regulations that require financial institutions to assist government agencies in detecting and preventing money laundering. These laws apply to money services businesses (MSBs), which FinCEN defines to include any person doing business as a currency dealer or exchanger, a check casher, an issuer or seller/redeemer of traveler's checks, a money transmitter, or the US Postal Service. MSBs are required to implement an anti-money laundering (AML) program, as well as keep records and file reports with FinCEN.
Circle, for example, is registered as a money transmitter with the U.S. Treasury Department, requiring them to comply with BSA laws and have an AML program in place. When creating a Circle account there are KYC verification steps needed, and when using Circle’s services, businesses can enter a KYC reliance agreement which requires them to establish their own AML program according to Circle’s guidelines. In higher risk situations KYC is required to exchange funds using Circle.
Outside of the United States, there are other regulating bodies responsible for enforcing their country’s laws and regulations to prevent money laundering. An AML program should be developed according to the nature of the business as well as the relevant local legislation. KYC protocols will need to be put in place to understand the customers you’re doing business with.
What does identity verification look like?
A KYC plan can have multiple components, and starts with a customer identification program (CIP) where information is gathered from a customer and verified. Identity verification can include gathering identifying information about the customer (e.g., name, address, date of birth, SSN), biometric measures such as photos and videos, checking documents (e.g., passport, proof of residency), or even person-to-person verification where a trained representative verifies the individual’s identity. The type of verification done will depend on the AML program and the risk assessment for the business.
Let’s walk through an example verification flow for a customer on a platform where KYC is required. The CIP includes information gathering, document verification, and biometric verification. First, the customer creates an account and provides information about themselves during onboarding, including their full name and date of birth. Later, the customer wants to make a purchase on the platform and needs to verify their identity. They are prompted to confirm the details they provided during onboarding and to supply additional details such as an identification number; this customer is in the US and provides their SSN. A verification check is run, and if there is a confirmed match that clears verification, the customer can continue with the purchase. In this case, however, there is an issue with the verification (e.g., suspicion or no clear match), so the customer is asked to provide a document, and they choose their passport. After the passport uploads successfully, the customer is prompted to take a selfie, and facial recognition compares the selfie against the photo on the document. If that is a cleared match, the user is considered verified on the platform and can continue with the purchase.
The next phase of the KYC plan is customer due diligence (CDD) or enhanced due diligence (EDD), where a customer is screened and background checks are performed to assess their risk. EDD is carried out for higher risk customers and involves a more rigorous assessment. In the example, the customer’s details would be checked against government watchlists, PEP and adverse media lists, as well as sanctions lists. If there is a confirmed positive hit, you need a plan in place for how you will freeze funds and report the match to the relevant government bodies.
The final step of a KYC plan is ongoing monitoring: customers are periodically re-screened against watchlists, sanctions and PEP lists, which is important for identifying increased risk after the initial verification. Another form of ongoing monitoring, which may or may not matter for your business, is watching for changes in a customer’s details (e.g., an address or name change).
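The flow described above (escalating CIP checks, CDD screening with a plan for hits, and re-screening later) is easiest to reason about as an explicit state machine. The following is an added example written for this article, not DEPT’s code and not any provider’s API: the provider checks are constructed stubs that return fixed answers for sample inputs, the watchlists are constructed, and every name (`Customer`, `run_cip`, `apply_screening`, `rescreen`) is hypothetical. The point it shows is that each decision is recorded in an audit trail and that a screening hit moves the customer into a frozen state with a report record, rather than silently failing.

```python
# Added example, not DEPT's or any KYC provider's code. Provider checks are
# constructed stubs; names, statuses and sample values are hypothetical.
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "pending"      # waiting on more input (document or selfie)
    VERIFIED = "verified"
    REJECTED = "rejected"    # identity could not be established (assumption)
    FROZEN = "frozen"        # screening hit: funds held, report to be filed


@dataclass
class Customer:
    customer_id: str
    full_name: str
    id_number: str = ""
    status: Status = Status.PENDING
    audit: list = field(default_factory=list)  # every check result is kept


# ---- constructed stand-ins for a provider's checks -----------------------
def check_pii(c: Customer) -> str:
    # Constructed rule: id numbers ending in 1 match, ending in 2 are unclear.
    return {"1": "match", "2": "unclear"}.get(c.id_number[-1:], "no_match")


def check_document(c: Customer, doc: dict) -> str:
    ok = doc.get("type") == "passport" and doc.get("name") == c.full_name
    return "match" if ok else "no_match"


def check_biometric(selfie: bytes, doc_photo: bytes) -> str:
    # Real providers return a similarity score; the stub compares bytes.
    return "match" if selfie == doc_photo else "no_match"


# Constructed lists; in practice these come from the screening provider.
WATCHLISTS = {"sanctions": {"IVAN SANCTIONED"}, "pep": {"PAULA POLITICIAN"}}


def screen(c: Customer) -> list:
    """CDD: a name present on any list is a hit."""
    name = c.full_name.upper()
    return [kind for kind, names in WATCHLISTS.items() if name in names]


# ---- the workflow ---------------------------------------------------------
def run_cip(c, doc=None, selfie=None, doc_photo=None) -> str:
    """Escalate PII -> document -> biometric, as in the flow above."""
    pii = check_pii(c)
    c.audit.append(("pii", pii))
    if pii == "match":
        return "cleared"
    if doc is None:                      # suspicion or no clear match
        return "needs_document"
    d = check_document(c, doc)
    c.audit.append(("document", d))
    if d != "match":
        return "failed"
    if selfie is None:
        return "needs_selfie"
    b = check_biometric(selfie, doc_photo)
    c.audit.append(("biometric", b))
    return "cleared" if b == "match" else "failed"


def apply_screening(c: Customer) -> Status:
    hits = screen(c)
    c.audit.append(("screening", hits))
    if hits:
        # Hit-handling plan: hold funds and record what must be reported.
        c.status = Status.FROZEN
        c.audit.append(("report", {"customer": c.customer_id, "lists": hits}))
    return c.status


def onboard(c, **cip_inputs) -> Status:
    outcome = run_cip(c, **cip_inputs)
    if outcome == "cleared":
        c.status = Status.VERIFIED
        return apply_screening(c)
    c.status = Status.REJECTED if outcome == "failed" else Status.PENDING
    return c.status


def rescreen(c: Customer) -> Status:
    """Ongoing monitoring: lists change after onboarding, so screen again."""
    if c.status is Status.VERIFIED:
        apply_screening(c)
    return c.status


if __name__ == "__main__":
    bob = Customer("c2", "Bob Example", "222-22-2222")
    print(onboard(bob))  # PENDING: PII check unclear, a document is needed
    print(onboard(bob, doc={"type": "passport", "name": "Bob Example"},
                  selfie=b"face", doc_photo=b"face"))  # VERIFIED
```

A real integration replaces the three stubs with provider calls and persists the audit list, which is also the record you will later need for the retention requirements discussed below.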
There are numerous providers who have products which can be leveraged to implement KYC for your business, from identity verification to screening and ongoing monitoring. Many providers have similar features, and it can be difficult to know what to look for. Next we’ll go through what you may want to look out for when deciding on the provider.
How do you choose a provider?
When you’re looking for a KYC provider, there are several things to consider. We’ll discuss each in more detail.
- What detection techniques are supported?
- Is there customer screening and ongoing monitoring?
- What options are available for relevant locales?
- How does it work?
What detection techniques are supported?
Services may use different terminology for the features they provide, but these often include verification of personally identifiable information (PII) and of proof in the form of documents such as government identification. Another common verification method is biometric verification such as facial recognition using photos or videos, and some services offer person-to-person verification where customers meet with a live representative.
Depending on the provider, different detection techniques may be offered. The type of verification needed should be determined by the unique needs of the business. Be aware of local regulations that could dictate which techniques are required. For example, in Germany video detection is mandatory under AML law according to the Federal Financial Supervisory Authority (BaFin).
Is there customer screening and ongoing monitoring?
As discussed, CDD/EDD and ongoing monitoring are important components of a KYC plan, and you’ll want to confirm there’s support for all stages of your business’s plan. CDD is very important in preventing money laundering, as it is where customers are screened against watchlists, sanctions and PEP lists. Ongoing monitoring is often done in addition, screening against these lists on a regular basis. Check whether webhooks are available so you can get updates from the provider when risks are identified.
It may also be important to identify changes in a customer’s information, such as a name or address change. Determine whether you need this support and at what interval you need to get updates, and see what providers offer in this area.
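If you do rely on provider webhooks for monitoring updates, the handler needs to establish that a delivery is genuine, apply it only once, and map it back to the right customer. Below is an added example for this article, not DEPT’s code and not modelled on any particular provider’s webhook API: the event shape, the HMAC-SHA256 signature scheme, the shared secret and the event types are all assumptions. It keys records by the provider’s applicant id so that the internal customer can be found without holding extra PII, escalates a re-screening hit for review, and records detail changes separately from risk changes.

```python
# Added example, not DEPT's or any provider's code. Payload shape, signature
# scheme, secret and event types are assumptions, not a real provider's API.
import hashlib
import hmac
import json

# Constructed shared secret; a real one comes from the provider's settings.
WEBHOOK_SECRET = b"constructed-shared-secret"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class CustomerStore:
    """Records keyed by the provider's applicant id, so an event can be
    matched to the internal customer without storing more PII than needed."""

    def __init__(self):
        self.by_applicant = {}    # provider applicant id -> record
        self.seen_events = set()  # delivered event ids, for idempotency

    def link(self, customer_id: str, applicant_id: str):
        self.by_applicant[applicant_id] = {
            "customer_id": customer_id, "risk": "clear", "changes": []}


def handle_webhook(body: bytes, signature: str, store: CustomerStore) -> dict:
    """Process one delivery and return what was done (for the HTTP reply)."""
    # Constant-time comparison, on the raw bytes that were actually signed.
    if not hmac.compare_digest(sign(body), signature):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(body)
    if event["id"] in store.seen_events:
        return {"accepted": True, "reason": "duplicate"}   # retried delivery
    record = store.by_applicant.get(event["applicant_id"])
    if record is None:
        return {"accepted": False, "reason": "unknown applicant"}
    store.seen_events.add(event["id"])
    kind = event["type"]
    if kind == "screening.hit":
        # Re-screening found increased risk: escalate for review.
        record["risk"] = "review"
        record["lists"] = event["lists"]
    elif kind == "applicant.updated":
        # Name/address change: keep it on record, risk unchanged.
        record["changes"].append(event["changed"])
    else:
        return {"accepted": True, "reason": "ignored type"}
    return {"accepted": True, "customer_id": record["customer_id"], "type": kind}


# Constructed sample deliveries.
SAMPLE_HIT = json.dumps({"id": "evt_1", "type": "screening.hit",
                         "applicant_id": "app_42", "lists": ["sanctions"]}).encode()
SAMPLE_UPDATE = json.dumps({"id": "evt_2", "type": "applicant.updated",
                            "applicant_id": "app_42",
                            "changed": {"address": "new"}}).encode()

if __name__ == "__main__":
    store = CustomerStore()
    store.link("cust_7", "app_42")
    print(handle_webhook(SAMPLE_HIT, sign(SAMPLE_HIT), store))
    print(store.by_applicant["app_42"])
```

Whatever scheme your provider uses, verify it over the raw body before parsing JSON, and treat a duplicate delivery as success so the provider stops retrying.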
What options are available for relevant locales?
Find a KYC provider that offers document support for any countries where your business is operating. If you plan to use an all-in-one type solution, confirm localization is offered for languages you plan to support.
How does it work?
There’s a lot of variability in the different providers, so you’ll likely want to try out any solution and the tools provided before making a final decision. Are there relevant SDKs available? What’s the user flow going to look like with this tool? How’s the documentation? If it still seems like a good solution after an initial scope, request a sandbox account for future testing.
In addition, make sure you’re comfortable with how to find customers in your system, and know what information you need to store in order to match your customers to the records kept by your KYC SaaS provider. Depending on the AML program, you will be required to hold onto customer records for a certain length of time. For instance, FinCEN requires records be kept for at least 5 years in some cases, and you’ll be expected to provide that information if requested.
An anti-money laundering (AML) program and its know your customer (KYC) requirements will vary based on the business and the risk associated with it. The components of a KYC program can include a customer identification program (CIP), customer due diligence (CDD) and enhanced due diligence (EDD), and ongoing monitoring. Identify KYC SaaS providers that have relevant detection techniques and screening capabilities, and work with them to determine the best plan based on your business’s needs.
You’ll want to be careful about choosing a solution up front, especially if there are reporting requirements that make you responsible for keeping customer records for a length of time, since you may need to keep your subscription with that provider for as long as you’re required to hold onto those records.
I hope this information was a helpful jumping off point in the world of AML and KYC verification, and welcome any feedback. If this is a lot to absorb or you’re still feeling lost, I know a great agency you can reach out to :)