Financial institutions and other regulated industries are fraught with high-risk compliance challenges. Identity theft, money laundering, fraud and terrorism are concerns of these businesses and organizations. Compliance audits such as anti-money laundering (AML) are in place to ensure suspicious activities or customers can be identified quickly. Knowing your customer and verifying their identity is one way to lessen this risk.
KYC: Know Your Customer
Knowing your customer goes beyond knowing their name. Knowing your customer means verifying and understanding who they are and what transactions they will be conducting within your organization. KYC is an acronym for a policy that is used in the banking industry to manage risk. The policy typically includes:
- How they will validate the identity of the customer
- Monitoring of the customer activity
- Assessment of risk and risk management
A Customer Identification Program (CIP) is a process set up to collect and verify the identity of the customer. Verifying their identity ensures that the corresponding data - name, address, social security number and so on - is legitimate and correct. The documentation is typically run against a third-party database to validate its authenticity. Fraud and identity theft can be prevented with this first step.
Creating an expectation of customer activity is another way to mitigate risk. When a customer is accepted, they will already have a profile of expected activity from previous financial institutions. Their transaction activity will be monitored against their expected behavior and recorded profile. If any activity seems suspicious or outside the norm, a trigger will alert someone of potential risk with the associated customer.
Another part of the Customer Identification Program is to determine the customer's risk with regard to money laundering, terrorist activity or identity theft. Organizations use OFAC and other databases to manage the customer risk. OFAC, or the Office of Foreign Assets Control, checks to see if a customer is knowingly or unknowingly contributing to terrorist, fraud or human trafficking activity.
Doing due diligence on every customer is required by the USA Patriot Act of 2001. Every new customer will undergo a basic form of ID verification and risk assessment. Enhanced Due Diligence (EDD) is required for larger customers and transactions.
Enhanced Due Diligence is a process similar to KYC but tiered and more involved, including:
- Verification and validation of the customer's identity
- Establishment of the customer's profile
- Identification of relevant adverse information and risk
- Assessment of the potential for money laundering and/or financing of terrorist activity
The success of these customer identification processes is crucially dependent on the documentation of the process and the data obtained. Just as with any other process that is susceptible to non-compliance, documentation should be available if audited. The organization should also keep all records of approved or not approved customers so that a clear, concise trail of decision making is available.
Obtaining data from third-party databases can be burdensome as some searches, such as OFAC, only allow 5 searches at a time. Many banking institutions choose to work with vendors who have a portal or direct connection (API) to connect to databases with ease and security. Alleviating the manual process of entering one customer at a time can save both time and money.