This guide is based on our learnings as Regtech leaders over the last 5 years. It provides a high level summary of the fundamental aspects of KYC compliance that you need to know both when onboarding new customers, and when looking into the existing customers. These tips will help your company meet regulatory guidelines, stay out of trouble and avoid fines.
1. There Are No Tricks
to KYC Compliance
KYC or Know Your Customer is the process of a business verifying the identities of its prospective customers to detect and avoid fraud, money laundering and terrorist activities. CDD (Customer Due Diligence) is a more formal name for capturing and evaluating that base level of information during the lifetime of the customer. Customers who appear to pose a higher level of risk are required to go through an EDD (Enhanced Due Diligence) process. Generally EDD is conducted on high risk individuals at account origination, and can (should) also be conducted periodically throughout the relationship to catch changes in risk.
There are no “tricks” or ways around KYC compliance. If you want to stay compliant, you should avoid shortcuts. This means that you need to evaluate all of the prospects who are applying for your service, and you must perform periodic assessments on your existing customers to see if anything has changed. Don’t look for the easy way out. Those that do will eventually be hit with hefty fines.
Transparency is central to KYC regulations. It is about preventing criminals from misusing companies to disguise their illegal activities and the proceeds from those activities. Transparency must be instilled in the company culture from top to bottom, especially when dealing with regulators. If it looks fuzzy or odd, it probably is. If there is not enough documentation, it might raise a red flag. And chances are it won’t stand-up under regulatory scrutiny.
3. Establish a Strong Relationship with Regulators
Developing a strong relationship with regulators will go a long way toward building trust and good faith. A strong relationship will include:
- Two-way communication – updating the regulators on a regular basis and providing prompt responses are essential
- Clear communications – ensuring that the same messaging comes out from all parts of the company using language that regulators understand
- Proactivity – communicating proactively when you find issues, instead of regulators s searching and finding them
- Collegiality – demonstrate a consistent professional manner in your dealings with regulators.
These areas form the basis of a strong relationship between a company and its regulators.
4. Regulators Must View
Your Company as
Trust is built over time. It is a continuous process that requires effort from the start. If you work on the areas outlined in section 3, you are well on your way yo establishing trust between your company and the regulators.
5. Work with Compliance Professionals to Build Compliance Capabilities
There are many industry bodies and working groups whose aim is to support companies in learning about and building compliance capabilities. Join them and help foster dialogue. Being antagonistic or playing against the industry will get you nowhere.
There are many companies that can help you build your KYC compliance program. (We know a bunch – Feel free to reach out to us if you are looking for a resource to frame up your KYC program.)
6. 23 CRR-NY 200.15 (h) of the New York BitLicense outlines a good framework for KYC
“ Each licensee shall also maintain, as part of its anti-money laundering program, a customer identification program.
(1) Identification and verification of account holders. When opening an account for, or establishing a service relationship with, a customer, each licensee must, at a minimum, verify the customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the Office of Foreign Asset Control (“OFAC”), a part of the U.S. Treasury Department. Enhanced due diligence may be required based on additional factors, such as for high risk customers, high-volume accounts, or accounts on which a suspicious activity report has been led.
(2) Enhanced due diligence for accounts involving foreign entities. licensees that maintain accounts for non-U.S. persons and non-U.S. licensees must establish enhanced due diligence policies, procedures, and controls to detect money laundering, including assessing the risk presented by such accounts based on the nature of the foreign business, the type and purpose of the activity, and the anti-money laundering and supervisory regime of the foreign jurisdiction.
(3) Prohibition on accounts with foreign shell entities. licensees are prohibited from maintaining relationships of any type in connection with their virtual currency business activity with entities that do not have a physical presence in any country.
(4) Identification required for large transactions. Each licensee must require verification of the identity of any account holder initiating a transaction with a value greater than $3,000.”
7. KYC is Indispensable for Your Company’s Reputation
Although developing and maintaining a rigorous KYC compliance process might seem like a hassle, it can actually increase revenue due to the perception it creates about your company. A better reputation leads to more customers.
Trust has always been a vital part of online businesses. And, while some new models such as shared economies, marketplaces and exchanges are more reliant on trust than the typical online retailer, it’s still vital to all. If your business is a place where customers aren’t sure that they will be attacked by fraudulent actors and schemes, then they won’t do business with you at all. Good KYC practices not only weed out the bad actors that pose a risk to your company, they also weed out the bad actors that pose a risk to your other customers. Ultimately, clients are more willing to do business with you if they feel safe and secure.
8. KYC Compliance Saves You
Just as a good KYC policy can help your reputation, it can also save you money by avoiding fines and revenue lost to competitors. An automated KYC process also saves your analysts time, which boosts company efficiency and lowers costs.
9. You Must Own
You must keep records and audit trails of every transaction, as well as the documents or data you’ve used in user verification. Failing to do so can cause you losing your money transmitter license.
10. When Performing Sanctions Screening
Sanctions Screening is a regulatory requirement enforced by regulatory bodies across countries to protect the financial system from being used by bad actors to either fund illegal activities or clean up the gains from it. Sanctions screening, specifically is where you compare the applicant names in front of you against sanction screening lists.
However, besides checking for a match, be diligent about finding false positives. Be sure to check IDs, search the web for negative news and evaluate additional documents that your clients can provide.
11. Conduct Enhanced Due Diligence Where Needed
In case of suspicious activity or a sanctions match, you’ll need to run another round of due diligence, called enhanced due diligence (EDD). Get additional information to better understand the risk that that prospective customer poses.
Send the user a questionnaire, research them, and, keep them in the loop.Ask customers to provide name, location, job, salary, and source of funds. Keep a record of the responses you receive. Follow up with regular research. Check their names for scandals, places they travel, and anything that could explain their behavior. Provide your customer with a transactional behavior form, allowing them to explain their transactions. Keep a record! Use a case management solution.
Use your records to see if the explanations provided account for the behavior, both historical and in the present.
Keep watching. Be vigilant!
12. When in Doubt,
File a Report
It’s always safer to file a report. Update your records at least once a year for users you’ve identified on the PEP (Politically Exposed Persons) list, resend questionnaires and keep your information updated.
While your company may be under one jurisdiction, depending on (the location of) your customers, you may have to comply with a variety of different regulations your clients may be subject to, including but not limited to: US PATRIOT ACT and BSA requirements, OFAC Lists, SDN Lists, and Lists Made By Other Governments. It’s better to screen against all of these lists from the start. We live in a borderless world.
14. Money Transmitting
Has Moved from 2D to 3D
Technology provides a variety of methods to transmit, and you must keep track of all of them. Instead of just tracking sender and receiver (2D), your filter must include all these elements: sender, receiver, and method (3D); so your compliance team is able to look at alerts and identify anomalies to determine true hits or false positives.
15. Document Your
Whether or not you are blocking a transaction or stopping a client, regulators are looking for insight into the reasons for your actions. You need to have documented reasoning for every action you take.
Regtech systems are more readily able to capture the high volumes of compliance information that online businesses generate, including process and decision information. They store it for later reporting or further analysis. This puts you and your company in better standing with regulators.
16. If You Do
You May Get Fined
OFAC is not a very forgiving group. Don’t leave it to chance, don’t pick a manual process and manual system. You’ll never keep up. Don’t cut corners, you’ll make a mistake. If you do, getting fined is a matter of time.
17. CTR is Required
in Excess of $10,000.00
This means filings are not required until the transaction amount is $10,000.01 or greater.
However, if it is an unusual amount, or unusual behavior from the customer, you need to keep a record and potentially file a Suspicious Activity Report (SAR). All of these discussions need to be reported up to executives, so that they’re fully aware of what’s going on.
18. Once You Identify
a Suspicious User,
You Must Speak With Them
This way you can find out whether or not their behavior is normal. Out-of-band (OOB) mechanisms are important.
19. Out of Band Mechanisms
Should Be Built /into
the User Experience
Out of band (OOB) mechanisms help verify the identity of individuals. This might by a code that is delivered to an authorized device, that must then be entered on your website, or it might be a biometric verification like voiceprint. In either case, OOB mechanisms are most effective when they are a natural part of the KYC process and user experience. If implemented well, your users won’t feel added friction in the validation process.
Responding to OOB questions is a good sign. Even if the answer they give isn’t correct, or if the data doesn’t match. There is a very positive correlation to trying to respond versus ignoring it. If the response of the OOB is not satisfactory, follow up with a live conversation if possible — don’t take it for granted either.