Before implementing an internal Know Your Customer (KYC) program for your institution, you need to understand the basics. For many in non-traditional finance, the concept of KYC can be confusing and overwhelming.
Generally, KYC procedures are designed to answer the following questions:
- Who Are You?
- Are You Risky?
- Are Your Behaviors Risky?
Who Are You? (Identity Verification)
When entering a traditional financial institution such as a bank, a customer presents themselves along with their identity documents. An employee of the institution verifies the identity documents (passport, driver’s license, etc.) and confirms that the individual presenting themselves is the same person shown on the document.
This process works sufficiently for face-to-face interactions, but it proves ineffective in digital finance, where there are no face-to-face interactions between customer and institution. Where the customer cannot present themselves, new technologies must be adopted to verify their identity.
This begins with an image of the identity document (passport, driver’s license, etc.) being scanned and verified to ensure formatting, structure, and security measures are in place. Where possible, these documents will be checked against local, regional, and national ID databases. Once the ID document has been verified, the document must then be matched to the individual presenting it. This can be done using a photo taken via a mobile phone or webcam (a selfie), or through more complex liveness detection using video.
Are You Risky? (Anti-Money Laundering)
Financial institutions, both traditional (fiat) and emerging (blockchain, DLT, etc.), are required to conduct AML (Anti-Money Laundering) checks on all their customers. These checks are designed to ensure that individuals and entities using the financial system are not sanctioned or otherwise involved with financial crimes or terrorism.
AML checks are usually divided into the following segments:
- Sanctions Screening. Depending on the jurisdiction of the customer and the business, different sanction bodies must be screened. Globally, there are fewer than 20,000 unique individuals and entities sanctioned. These are considered extremely high risk, and in most cases, businesses are prohibited from transacting with these individuals or entities.
- Politically Exposed Persons (PEP) Screening. PEPs describe anyone who holds a significant public office, ranging from local leaders (mayors) to national and international government leaders, as well as their immediate relatives and close associates. PEP risk differs considerably from the other areas of risk listed here. Depending on the business and the product, it may be completely acceptable to transact with some or all PEPs. That being said, PEPs must be monitored more closely than other customers due to the risk of corruption and bribery.
- Law Enforcement and Regulatory Enforcement Screening. In addition to the high-risk individuals and entities listed within sanction bodies, numerous law enforcement and regulatory enforcement agencies publish lists of high-risk individuals and entities involved with crimes that may be relevant to AML screening. Care should be taken to ensure the types of crimes being reported by these agencies match the risk types being monitored for AML. As an example, information provided by the SEC would be valuable for AML screening purposes, whereas information provided by the USDA is less likely to be relevant.
- Adverse Media Screening. Individuals and entities covered by sanctions, law enforcement, and regulatory enforcement screening only include those who have been identified and investigated by government agencies. There are many situations, such as high-value or high-risk transactions, where institutions must be considerably more risk-averse, and therefore must look at multiple independent investigative news sources to research their customers and other third-party relationships.
For high-value deals and relationships, additional due diligence beyond traditional screening methods may be necessary. Enhanced due diligence reports are provided by third-party investigative services. These reports are generated on request and provide a far deeper level of risk evaluation than traditional screening.
Are Your Behaviors Risky? (Transaction Monitoring)
In traditional finance, an individual’s behaviors, both within an institution and among institutions, are closely monitored for patterns that may indicate potential criminal or other high-risk activities. These procedures look for transactions that are out of the ordinary for either the account holder or the type of account.
Additional patterns may look at the sources and destinations of transactions, high levels of cash transactions, and groups of transactions that may look suspicious when considered as a whole. Based on this monitoring, a financial institution may cancel transactions, close the account, and/or report the transactions to financial regulators and law enforcement.
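The two kinds of pattern described above (a transaction that is out of the ordinary for the account holder, and a group of cash transactions that only looks suspicious when considered as a whole) are shown here as an added example that is not part of the original article. The thresholds, rule names, and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed tuning values for illustration only; not taken from the article.
BASELINE_MULTIPLE = 5        # flag amounts above 5x the account's median
MIN_HISTORY = 3              # prior transactions needed before baselining
CASH_WINDOW = timedelta(days=3)
CASH_WINDOW_LIMIT = 9000     # aggregate cash allowed inside one window

# Constructed sample data: (account, ISO timestamp, amount, channel)
SAMPLE = [
    ("acct-A", "2024-03-01T09:00", 120, "card"),
    ("acct-A", "2024-03-02T09:00", 95, "card"),
    ("acct-A", "2024-03-03T09:00", 130, "card"),
    ("acct-A", "2024-03-04T09:00", 4800, "wire"),
    ("acct-B", "2024-03-01T10:00", 3000, "cash"),
    ("acct-B", "2024-03-02T10:00", 3200, "cash"),
    ("acct-B", "2024-03-03T09:00", 3100, "cash"),
    ("acct-B", "2024-03-10T10:00", 2500, "cash"),
]

def monitor(transactions):
    """Return a list of (account, timestamp, rule) alerts."""
    history = defaultdict(list)   # account -> prior amounts
    cash = defaultdict(list)      # account -> [(time, amount)], cash only
    alerts = []
    for account, ts, amount, channel in sorted(transactions, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        prior = history[account]
        # Rule 1: out of the ordinary for this account holder.
        if len(prior) >= MIN_HISTORY and amount > BASELINE_MULTIPLE * median(prior):
            alerts.append((account, ts, "unusual_for_account"))
        prior.append(amount)
        # Rule 2: cash transactions that only look suspicious as a group.
        if channel == "cash":
            window = [(t, a) for t, a in cash[account] if when - t <= CASH_WINDOW]
            window.append((when, amount))
            cash[account] = window
            if len(window) > 1 and sum(a for _, a in window) > CASH_WINDOW_LIMIT:
                alerts.append((account, ts, "aggregate_cash"))
    return alerts
```

On the constructed data, no single cash transaction on acct-B exceeds the window limit, yet the third one inside three days raises an alert; the later transaction a week on does not, because the earlier ones have aged out of the window.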
Within the blockchain space, transaction monitoring takes on a completely new form. For blockchains with a public ledger (such as Bitcoin, Ethereum, Dash, etc.), the entire transaction history of everyone within the network can be evaluated and risk profiled. When combined with detailed investigations on wallets tied to criminal activities, the power of transaction monitoring within the blockchain significantly increases.
The ease of identifying exchanges, DarkNet markets, mixing services, and terrorist groups, along with their financial connections to other wallets, makes for a much richer, deeper investigative tool to identify risk and ensure this risk is being reported to the proper authorities.