What is Know Your Customer (KYC) — and why does it matter?

Know Your Customer (KYC) is a two-pronged process of verifying the identity of individual customers to ensure they are who they claim to be and then evaluating those individuals to understand the risks they may pose to your business. KYC matters because it helps businesses build trust, assess risk, and meet regulatory requirements while safeguarding against fraud. 

In today’s digital world, it’s more important than ever to know who your customers really are. And not just so you can figure out the best way to interact with them, but also because verifying who’s behind the screen can protect both your business and customers — and depending on your industry, it may be mandatory.

Below we take a closer look at what KYC is, its main components, the types of businesses it typically applies to, and why it’s so important. We also discuss the key challenges businesses often face when implementing a KYC strategy and offer other advice to help you get it right.

The meaning of Know Your Customer (KYC)

KYC stands for Know Your Customer, but it’s also known as customer due diligence, know your client, or simply identity verification.

At its heart, KYC involves verifying current and prospective customers’ identities so you understand who you’re interacting with. You can think of it as doing a mini background check before doing business with a customer. Note: A customer can be an individual or a business, though KYC for businesses is often called corporate KYC or Know Your Business (KYB).

So, the meaning of Know Your Customer is simple: it’s about confirming who you’re doing business with, before trust becomes a risk. 

Note: A customer can be an individual or a business, though KYC for businesses is often called corporate KYC or Know Your Business (KYB).

What is corporate KYC (KYB)?

While vetting individuals is one element of compliance, companies must also create KYC processes for businesses they want to work with — and the people behind those businesses.

In practice, corporate KYC, or Know Your Business, includes:

1. Verifying the business: First, companies should collect and verify corporate information such as the business name, address, registration number, and any relevant business registration documents.

2. Identifying UBOs: Ultimate beneficial owners (UBOs) are individuals who control the company or have a certain percentage of ownership, usually 25%, and must be identified as part of KYB.

3. Performing KYC on the business’s UBOs: Finally, companies must perform in-depth KYC checks on anyone determined to be a UBO.

What’s the difference between KYC and AML?

KYC and AML are closely related, and you’ll often see them grouped together, as both involve verifying customers’ identities. To put it simply, AML includes but isn’t limited to KYC.

In other words, KYC falls under the umbrella of AML regulations. They’re often grouped together because verifying and continuously monitoring individuals as part of your KYC process can help filter out individuals linked with money laundering and terrorism.

Keep learning: What is the difference between KYC and AML?

What are the 3 main components of a KYC program?

KYC verification programs don’t look the same at every business.

As mentioned above, KYC regulations can vary by geography. For example:

• Companies in Europe have to follow 6 EU Anti-Money Laundering Directives (AMLDs) and eIDAS

• Companies in the US need to follow the Bank Secrecy Act (BSA) and the USA PATRIOT Act — not to mention additional local regulations, such as the California Consumer Privacy Act (CCPA).

KYC programs also vary because regulations tend to be non-specific to allow for maximum flexibility and applicability of the law to changing trends and technology. The more specific the regulation, the more opportunity there would be for a company to claim they are exempt and thereby opt out of adhering to the requirements.

In general, though, Know Your Customer usually involves three main risk-based approaches to counteract identity theft, money laundering, and financial fraud:

1. Customer identification program (CIP)

A customer identification program, or CIP, is exactly what it sounds like — a program for verifying identities and ensuring a customer is who they say they are.

How you actually go about obtaining and verifying personal information, though, can vary. At a minimum, you usually need to collect and verify four pieces of identifying information: 

• The individual’s name

• Date of birth

• Address

• Identification number 

However, you can also add additional layers of verification — by requesting a selfie, running identifying information through authoritative databases, and assessing other signals, such as IP address, for example — if you deem an individual or situation to be at higher risk.

You’re relatively free to customize your program based on your use cases, risk tolerance, customers, and other factors. For example, you can tailor:

• How you do KYC, e.g., in-person or remote (also known as eKYC, which is often faster and more convenient, as most of the population already has an electronic identity), and what information you collect to verify identities. For example, do you want customers to submit driver’s licenses, passports, SSN cards, or utility bills? Do you want to add a biometric selfie to ensure the same person is submitting the government ID? 

• When you do KYC, e.g., how often you want to run sanctions and adverse media lists, and what actions trigger reverification (withdrawing money, changing account details, etc.).

2. Customer due diligence (CDD)

Customer due diligence (CDD) involves assessing business customer risk. It’s enforced by FinCEN and requires financial institutions to follow four requirements according to the CDD Final Rule:

• Identify and verify customer identities

• Identify and verify the identities of beneficial owners (anyone who owns 25% or more) of companies that want to open an account

• Understand customer relationships and develop risk profiles

• Continuously monitor customers and transactions

Depending on the risk level that each customer and situation presents, you can employ different levels of CDD:

• Simplified due diligence is for situations where there’s a low risk of fraud, money laundering, or terrorism — for example, if a client is going to maintain a low balance with only domestic transactions and minimal cash needs.

• Standard due diligence is for customers and situations and involves collecting and verifying basic information to decrease risk.

• Enhanced due diligence is when you collect additional information for higher-risk individuals (such as high-net-worth individuals or anyone who’s a politically exposed person) and situations. For example, you may want to verify the source of their funds, continually monitor their transactions, and investigate their line of work and relationships with other known individuals.

Having different levels of due diligence is helpful because it means you don’t have to automatically turn away risky customers. Instead, you can use progressive risk segmentation to modify the user’s experience based on signals you receive during the verification process. If your system deems a user as a higher risk, you can simply add additional checks.

KYC vs CDD: Comparing key aspects

Here’s a visual representation of the information outlined above:

‍Dive deeper into the differences and nuances between KYC and CDD.

3. Continuous monitoring

Continuous monitoring is exactly what it sounds like — monitoring individuals and their transactions over time and reporting anything suspicious by submitting a Suspicious Activities Report (SAR) to FinCEN and other relevant law enforcement agencies.

Some red flags you may want to watch out for include:

• Unexplainable activity spikes

• Activity in geographic areas and industries known for money laundering and other financial crimes

• New inclusions on PEP, sanctions, and/or adverse media lists

Your due diligence in understanding KYC information

Depending on your industry, your customer base, and where transactions take place, due diligence requirements can vary greatly. Your business needs, comfort with risk, staff bandwidth, and budget will also dictate the design of a KYC program.

You might have a sensitive client base that expects top-tier service, and therefore, you might manage your due diligence process completely in-house using your team of specialists and technology to manage all documents and regulations. 

If your clients are more motivated by efficiency, you might hire a third party to complete all the requirements using automated systems. 

Or you might fall somewhere in the middle, for example, using a third-party to support initial onboarding of clients and document reviews, and have internal staff use third-party systems when the client situations become more complex.

Why should I care about KYC? The purpose of Know Your Customer programs

Having a KYC program isn’t just important if you want to avoid regulatory fines (though that is one of the reasons we’ll cover below). As mentioned earlier, the purpose of Know Your Customer is to benefit your business and customers alike. You should care about KYC because:

It can protect your customers and help you build trust

While identity verification can add some friction to your onboarding process, customers may appreciate that you’re taking steps to secure their account, vet your marketplace, protect them from account takeovers and other types of identity theft, and more.

It can help reduce fraud and financial crimes

While KYC processes won’t eliminate fraud completely, knowing who your customers are can help you weed out bad actors and ultimately curtail crimes that can spawn from fraud, such as money laundering and terrorism funding.

It’s often required

In some industries, you need a KYC program to meet compliance requirements. If you don’t comply with KYC/AML laws, you could be fined or even imprisoned. Your business could also face growth limitations such as asset caps or being forbidden to expand into certain markets, as has happened to other businesses in the past.

Keep learning: Understanding KYC Compliance: A Comprehensive Guide

Who needs to comply with KYC regulations?

In the US, the Financial Crimes Enforcement Network (FinCEN) specifically mandates financial institutions to follow KYC requirements. Regulations can vary from country to country, but regulated entities often include:

KYC for financial transactions

Where it was once limited to just banks, the breadth of industries with KYC obligations continues to expand in order to keep pace with technology and the criminal minds that commit financial fraud. 

Know Your Customer is like a guard at a gate, creating a barrier and knowledge check at the largest entry point before illicit funds can enter the monetary system. Today, traditional banking is just one of many targets that need protection.

KYC for banking

In the banking sector, KYC is all about risk management — by knowing more about their customers, banks can reduce the risk of fraudulent transactions, reduce the likelihood of their system being used to commit crimes such as money laundering, and reduce the potential for non-compliance with guidelines from entities including FinCEN and the Financial Industry Regulatory Authority (FINRA).

KYC requirements also extend beyond traditional retail banks to include fintech and “neobanks” that operate primarily or entirely online. Regardless of how they operate, banks must ensure that they implement KYC processes that effectively capture, confirm, and verify customer data before allowing any transactions to proceed.

Keep learning: Know Your Customer (KYC) in banking: A comprehensive guide

KYC for credit unions

KYC for credit unions is similar to that of banks, with the caveat that many credit unions still operate brick-and-mortar locations to better serve clients’ needs. Because of that, credit unions may find themselves in the unique position of having in-person clients who nonetheless want to conduct some transactions digitally.

As a result, credit unions need Know Your Customer solutions capable of bridging the digital/physical divide and ensuring that no matter how clients choose to conduct their transactions, their identity is confirmed and their account details are secure.

KYC for payment companies

Payment companies facilitate the exchange of funds between two (or more) parties online. As a result, they need strong KYC processes to ensure the parties on each side of the transaction are who they say they are.

Payment companies need robust KYC solutions capable of capturing and verifying customer data in real time to both reduce total risk and bolster confidence — if customers are confident that their personal data is being handled securely and verified effectively, they’re more likely to continue doing business with the payment company.

KYC for insurance agencies

Insurance agencies collect a variety of data from customers, including personal, medical, and financial information, to determine policy limits, deductibles, and premiums. As a result, insurance providers must have a strong KYC program capable of ensuring that customers are who they say they are.

As an example, imagine an insurance agency issues a policy to an individual masquerading as someone else or based on false information provided. Given the robust regulatory oversight in the insurance industry, this could lead to significant losses and fines for failing to meet compliance standards.

KYC for regulated industries, such as gambling facilities

Gambling facilities — both online and in-person — process massive amounts of money every day. From money taken in as players spend to payouts made on big wins, the constant flow of cash demonstrates why casinos and other gaming enterprises need to know exactly who they’re dealing with and what type of risk they represent.

For example, gambling establishments might ask for financial data along with personal information to make sure players can cover their debts if the odds don’t go their way.

Keep learning: The importance of KYC for online gambling

KYC for cryptocurrency exchanges

While cryptocurrency exchanges used to be relatively unregulated, they are now required to implement Know Your Customer programs that both reduce the risk of fraud and deter potential money laundering.

Given the anonymous nature of many crypto platforms, KYC may focus more on verifying trusted ID addresses, evaluating watchlists, and ensuring that customers provide complete documentation regarding their source of funds.

Keep learning: The importance of KYC for crypto exchanges

KYC for digital wallet providers

As mobile-based payments become more commonplace, the number of digital wallet providers is rapidly increasing — and each provider must ensure they employ robust KYC programs to reduce the risk of fraudulent transactions.

Without effective KYC, fraudsters might be able to use someone else’s payment data and connect key financial sources, such as debit accounts or credit cards, to their digital wallet — and the digital wallet provider could be held responsible for the ramifications. Effective evaluation of customer data up-front reduces this risk.

KYC for asset management firms

Asset management firms often handle massive sums of money for their clients.

Here, KYC is critical to ensure that new clients looking to open an account and make substantial investments are thoroughly vetted before any transactions take place. In particular, it’s important for asset management firms to ensure potential customers aren’t listed on international watchlists or politically exposed person (PEP) lists.

KYC for real estate agencies

Real estate agencies often deal with high-value, urgent, and cross-border transactions ranging from hundreds of thousands to millions of dollars for a single purchase. As a result, comprehensive KYC information should be a key component of the sales and purchasing process.

If agencies can ensure that potential clients are who they say they are, they can proceed with confidence when it comes to putting in offers or closing sales deals. Lacking this customer information puts agencies at risk of non-compliance and the potential loss of licensure.

Keep learning: AML for the real estate sector: Risks and best practices

KYC for trust formation services

Trust formation services help individuals or families establish legal trusts and estates, which facilitate the transfer of assets and reduce their potential tax burden.

Given the large monetary volumes often involved in trust management, there’s a growing need for robust digital KYC solutions that allow attorneys, notaries, and other staff to quickly and easily verify the information of both trustees and beneficiaries.

KYC for dealers of high-value goods

The advent of digital storefronts and worldwide shipping has made it possible for dealers of high-value goods, such as art and precious gems, to make deals online. In many cases, these goods are rare or irreplaceable, meaning they generate substantial interest from legitimate buyers and bad actors alike.

Effective KYC processes are therefore critical to verify parties on both sides of a high-value transaction and ensure regulatory compliance.

Note: While not all industries are obligated to carry out KYC operations, any business can adopt these processes to improve its overall security. In fact, most businesses that deal directly with consumers do implement some sort of identity verification program, as it protects both the business and its customers. As the world becomes increasingly digital, more and more industries will likely be required to follow KYC regulations in the future.

What are the biggest KYC challenges?

Despite offering benefits and being a necessity in many industries, KYC does not come without its challenges. Left unchecked, these can limit how effective your KYC program is and even open you up to the very risks that it was designed to mitigate. Some of the most important KYC challenges to keep in mind include:

• Difficulty accurately assessing risk: Businesses sometimes collect too little data during the KYC process, making it difficult to get a clear picture of the risks a customer poses. One solution is to collect more (and a greater variety of) data so you can build a more thorough risk profile of your customers through fraud signals.

• The need to comply with global regulations: Businesses operating in multiple jurisdictions must comply with the KYC laws and regulations in each of those locations. This can make KYC quite the complicated prospect, especially when we consider that KYC is always changing. Leveraging a flexible KYC solution ensures that you’ll be able to adapt your processes if and when changes become necessary.

• Balancing conversion and risk: KYC often gets a bad rep amongst product and marketing teams because, by its very nature, it introduces friction to the sign-up or account creation process. This friction can lead to drop-offs or lower conversions if you’re not careful. Risk-based segmentation, in which you tailor the level of friction to each user depending on how much risk is present, can help you combat this. 

• Preventing fraud at scale: If a bad actor manages to skirt your defenses once, they will likely do so many times to create as many fraudulent accounts as possible, which they’ll then use to carry out their attacks. While this can be difficult to detect via manual processes, link analysis makes it easier to identify potential fraud rings at scale. 

• Minimizing errors and false positives: Mistakes during your KYC process can either mean that fraudsters are gaining access to your platform and services when they shouldn’t be, or that legitimate users are being mistakenly flagged as fraudulent — causing them to lose access that they should have. Adjusting your name match requirements to account for these possibilities is one important step you can take to control for these issues. 

• Manual processes: When KYC is conducted manually, it opens the door for errors, friction, and slower approval times. Smart automation makes it much easier to perform KYC at scale without compromising on quality. 

KYC laws and regulations worldwide

Depending on where your business operates and where your customers are located, your KYC obligations and KYC processes will differ. Regulatory requirements vary depending on the region. Examples of KYC laws and regulations worldwide include:

Canada

In Canada, KYC regulations are defined under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and all regulated companies must report KYC data to the Financial Transactions and Reports Analysis Center (FINTRAC).

Keep learning: KYC Canada: Learn about regulations to remain compliant

Australia

In Australia, all organizations subject to KYC reporting regulations must collect and verify customer data before providing any financial or transactional services. KYC regulations are managed by the Australian Transaction Reports and Analysis Center (AUSTRAC).

See also: A comprehensive guide to KYC in Australia

The European Union

In the EU, rules such as 4AMLD, 5AMLD, and 6AMLD require companies to collect, verify, and keep records of customers’ personally identifiable information (PII) in addition to screening customers against PEP and adverse media lists to assess overall risk.

Brazil

In Brazil, digital account opening and transaction processing are covered by KYC laws to reduce the risk of fraudulent transactions. The Central Bank of Brazil has also created an authenticated digital identity portal to streamline account opening.

Egypt

In Egypt, companies must obtain and verify individuals’ data, including name, address, and date of birth, using government-issued identification cards, passports, or weapons licenses. If an individual is identified as a PEP, financial entities must take “special customer due diligence measures.”

Kenya

In Kenya, the Financial Reporting Center (FRC) is responsible for ensuring compliance with KYC regulations. To meet customer identification requirements, businesses must confirm customer data via passports, birth certificates, or driver's licenses, obtain a verified address and source of income, and ensure they have written confirmation from the customer’s previous financial institution attesting to their identity.

KYC statistics

These KYC statistics reveal just how critical Know Your Customer processes have become in today’s compliance landscape. From rising financial penalties to operational bottlenecks, organizations around the world are feeling the pressure to streamline and strengthen their KYC programs.

• ~95% of Hong Kong-based banks said that KYC/AML checks are one of their top regulatory expenses.

• ~85% of Hong Kong-based banks are in favor of a shared KYC utility that would allow client information to be pooled and shared between banks.

• 31% of financial institutions use a centralized source of information to decide risk and collect KYC information.

• 42% of financial institutions consider collecting accurate UBO information very challenging.

• Only one-third of financial institutions said cutting KYC costs and effort is a high priority.

• Watchlist activities account for roughly 33% of AML compliance costs.

• 96% of compliance officers say their KYC processes require scrutinizing Asian language documents.

• Financial penalties rose from $1B in 2020 to $3.4B in 2021.

What is KYC automation, and how does it help businesses?

Historically, many KYC processes were performed manually. Customer IDs were collected and authenticated by eye; data was cross-checked against authoritative sources by hand; transactions were routinely monitored and audited by a human auditor; etc. 

While these steps can still be performed manually, it’s difficult to do so at scale. The good news? Virtually every single KYC process can be either fully or partially automated, depending on your needs. This makes it easier for you to keep up with high volumes in today’s digital age. It also speeds up approval times and decreases the risk of human error — a win-win for both your business and your customer. 

Keep learning: Best practices for automated KYC verification.

Get to know Persona's Know Your Customer solutions

Since AML and KYC procedures can add friction to your user experience — no one wants to hand over PII — it’s important to ensure your process is as streamlined and secure as possible. 

With Persona’s Know Your Customer solutions, most identity verification decisions take just 5 seconds, so users can get verified quickly and be on their way. You can also customize everything from the theme to the copy so every flow is native to your brand, and reach users in more than 200 countries and territories in over 20 different languages.

Perhaps more importantly, Persona’s KYC solutions can also help your business meet constantly evolving KYC/AML compliance standards and regulation changes, as we’ve done for companies such as Coursera and Square.

Our full suite of KYC tools gives you everything you need to build a custom eKYC program and tailor your identity experience for each use case and customer. For example, you can put customers through a more rigorous process if they want to withdraw cash versus just opening an escrow account, and you can allow individuals who don’t have an SSN to verify their identity another way or add extra verification steps if the individual’s PII was leaked in a data breach.

Choose from one of the industry’s widest ranges of automated ID verification components — from government IDs and selfies to database and document verification — to verify users upon signup, and continuously monitor them throughout the customer lifecycle with recurring reports, such as:

• Watchlists

• Adverse media

• Email and phone risk, and more.

Ready to get started? Get in touch or register to start exploring Persona’s KYC solutions today. Or, join our community to talk directly to our product team. We’d love to chat!