KYC Process: The Complete Guide

In an increasingly competitive landscape, banks and financial services organizations face pressure to deliver remarkable customer experiences to attract and retain both institutional and retail customers. The KYC process begins with a customer’s first interaction during onboarding. First impressions matter, and an inefficient customer onboarding could put customers and revenue at risk. On the other hand, friction-free onboarding can result in top customer experience scores which can give banks the advantage of a 15% revenue increase, are correlated with significant other advantages for banks, including a 15% revenue increase, according to McKinsey research.

4 reasons the KYC process presents a complex challenge to banks:

1. Extensive data and document verification. Regulations require financial institutions to collect vast amounts of documentation for customer identity verification and to detect fraudulent activity.
2. Siloed systems and data: Financial institutions store data in multiple, disconnected legacy systems. Without centralized data, the customer may be asked multiple times for contact details, proof of identity, proof of address and other information for contact details, proof of identity, proof of address and other information during the onboarding process.
3. Lack of digital processes: Data is often captured via paper documents and email which requires manual data entry. Plus, many files require manual review to weed out false positives for signs of suspicious financial activity. 
   According to McKinsey, around 10% of a bank’s workforce is assigned to financial crime–related activities, with KYC reviews typically being the costliest of these.
4. Changing regulations. As financial crime evolves in the banking sector, so does regulatory compliance. Banks need to continually update their KYC processes to remain compliant.

In today’s digital world, both B2C and B2B customers are accustomed to getting fast results via digital channels. They expect the process of opening an account or starting a relationship to be quick and digital. Likewise, customers demand fast onboarding, fast and convenient financial transactions, and a high degree of transparency into the data used in the KYC process.

Financial crime often spikes during an economic downturn, leading to increased scrutiny and rising fines from regulators. At the same time, banks and financial services organizations may find themselves grappling with IT budget constraints. The solution isn’t to reduce KYC efforts, since that exposes banks to financial losses as well as to fines from anti-money laundering (AML) regulatory authorities. It's much better to implement KYC process strategies and supporting technologies that help prevent fraud and mitigate regulatory risk, while improving convenience, speed and transparency for customers.

Know Your Customer (KYC) is a legal requirement for financial institutions to know who their customers are before they work with them. Mandated by global and local regulations, the goal of KYC is to prevent financial crimes such as money laundering, fraud, terrorism financing, and identity theft.

Failure to comply with stringent KYC regulations can result in stiff penalties. In 2021, US financial institutions paid approximately $2 billion in fines for non-compliance with KYC regulatory requirements. With AML threats on the rise, scrutiny on financial institutions is expected to increase.

While KYC starts with identifying the customer before doing business with them, it doesn’t end there. Compliance is a crucial part of client lifecycle management (CLM), which tracks the customer throughout their association with the financial institution.

CLM includes onboarding, KYC/AML activities, account maintenance, product openings, tax declarations, data management, rules management, customer service, offboarding, and more.

Regulations change, businesses change, and people and their circumstances change. Therefore, effective KYC cannot rely on point-in-time information used during onboarding. To protect themselves from non-compliance and reputational damage, banks must implement a holistic and continuous KYC process.

The KYC end-to-end process, or KYC lifecycle, includes:

• KYC verification and due diligence: During onboarding, verification and due diligence confirms the customer’s identity and assesses their level of financial crime risk.
• KYC remediation: Over time, KYC remediation updates out-of-date customer data to make sure risk profiles have not changed.
• KYC monitoring: Ongoing investigation and monitoring must occur to uncover transactions or events that suggest an AML risk.

When performed manually, this complex process requires many person-hours. Additionally, the tedious nature of the work does not help with employee retention in an already difficult labor market.

This is where automation tools come into play, helping automate the KYC process and using machine learning and AI to detect risk factors. While some manual investigations will always be needed, automation streamlines the process and escalates only certain issues that require further investigation, reducing demand on employees.

Given the scope of the KYC process and its importance to both customer experience and security, a growing number of IT and line-of-business professionals are coming into contact with KYC procedures. Whether you’re learning more about the KYC process yourself or breaking it down for others, it’s important to know the key issues and how to explain them in plain terms. The KYC process includes four main components:

1. Customer identification program (CIP)
2. Customer due diligence (CDD)
3. Enhanced due diligence (EDD)
4. Ongoing monitoring

The first step in the KYC verification process, a customer identification program (CIP) kicks off when a new customer wants to open an account. Its aim is to confirm that the customer is who they say they are.

A CIP requires a customer to provide four identifying pieces of information: their name, date of birth, address, and identification number. For corporate customers, this information is required for all signers on an account. The bank verifies each customer’s identity by comparing a government-issued ID (such as a driver's license, passport, and/or social security number) to government or third-party databases to confirm that the ID is genuine and matches the customer.

After confirming who the customer is, customer due diligence (CDD) assesses the risk the customer poses to your business by screening them against government watchlists (including global PEP, SIP/SIE, RCA, and terrorist lists) and looking into their past transactions, credit history, geographic location (e.g., are they in a country with lax AML laws?), and so on.

For business customers, the bank must review additional documents such as executive bios and annual reports. Analyzing this data provides a comprehensive picture of the customer’s activity and likely future actions.

While banks need to vet all customers, certain businesses are more likely to pose an AML risk. For example, banks want to ensure that customers in maritime shipping conduct their own customer due diligence because of the increased risk of illegal trafficking by terrorist organizations.

What is a PEP?
A politically exposed person (PEP) is someone with power or influence and access to large budgets. They are therefore more at risk of being targeted for attempts at bribery, corruption, money laundering, and terrorist funding.

What is an SIP/SIE?
A special interest person or entity has been convicted of or investigated for serious financial or organized crimes such as money laundering, terrorism, and illegal trafficking. While it is not illegal to do business with an SIP/SIE, they pose an increased risk.

What is an RCA?
Also known as “PEPs by association,” relatives and close associates (RCAs) are at risk of being drawn into financial crimes. RCAs include spouses, children, siblings, legal advisors, and business associates of a PEP.

If due diligence finds a customer to be a risk for money laundering, terrorism funding, or other serious financial crimes—based on, say, their geographic location, past transactions, the nature of their business, or political exposure—further due diligence may be in order.

EDD is a rigorous process that includes:

• Collecting additional documentation and credentials from the customer and third parties. This can include information regarding a person’s title, the positions they hold in a business, and the influence they have. For a business customer, the bank may ask for the identities of board members, articles of incorporation, partnership agreements, and business certificates, for example.
• Investigating the origin of funds.
• Tracking ongoing transactions.
• Reviewing media reports.
• Conducting on-site visits.
• Reporting unusual or suspicious activity or transactions.

Your customers’ businesses evolve, forging new partnerships and associations and undertaking new business ventures. Since financial institutions are liable for criminal activity in an account, regular screening enables timely detection of suspicious activity or changes to the customer’s risk profile. Important aspects to evaluate include their suppliers, regions of operation, supply chain routes, relationships with politically exposed persons, media coverage, leadership changes, and more. You should use analytics tools that automatically flag such changes and bring them to the attention of analysts, risk managers, and senior managers for review.

Customer onboarding sets the tone for all future interactions in the end-to-end KYC process. Reducing onboarding time and complexity results in happier clients and lower application abandonment rates—not to mention reduced costs and faster time to revenue.

KYC process and data complexity make it exceedingly difficult for organizations to manage their end-to-end customer journeys. They often end up with a lot of fragmented, diverse systems, with time-consuming, error-prone, manual processes bridging the gaps.

Successful KYC processes at leading banking and financial services organizations share three characteristics:

Fast access to high-quality data is foundational to a strong KYC process. This data illuminates risks and tracks how risks may change during the customer lifecycle.

Critical data includes sanctions and watchlist screening, transaction monitoring, executive bios, company reports, and credit and lending history, for starters. Identifying, extracting, and analyzing data sets like these helps form a more comprehensive picture of a customer’s activity. However, this is where data silos and legacy technology inhibit many organizations from doing analysis in real time.

This is where a platform for process automation that has data fabric capabilities built in can change the dynamic a great deal. A data fabric approach includes a virtualized data layer that sits on top of all a bank’s systems, enabling employees to access any data source used by the organization in real time. The bank can solve the data silos problem without replacing legacy systems.

The kind of access to data a data fabric provides gives banks the insights necessary to complete an investigation and provide compliant reporting and auditable data trails—automatically. For global banking organizations, intelligent automation has become crucial to addressing complex regulatory obligations and managing risk.

A modern mix of automation technologies includes elements like intelligent document processing (IDP) to extract relevant data from documents and machine learning (ML) to better recognize patterns and eliminate false positives in fraud detection efforts.

As another example of how leading banks are accelerating the KYC process with intelligent automation, AI algorithms can help analyze AML alerts faster than compliance teams alone can. Automation can also improve visibility into your decision-making process, helping you reach informed decisions faster.

Banks that want to improve KYC process speed should prioritize workflows that can be reused many times and tweaked as regulatory demands evolve. At the KYC detection stage, companies typically use niche software designed for activities such as transaction monitoring and name screening, as well as case management software. Case management software is a prime candidate for reusing workflows because every case includes basically the same steps:

• Create a case.
• Triage the case.
• Assign the case to someone.
• Review and remediate the case.

Being able to store and reuse those elements creates a large speed advantage and improves quality because you’re using vetted, proven components at every stage of the workflow.

Successful companies build a case once and repeat it each time using the same automated processes with connected APIs. This is scaling at pace, with shared elements across the KYC lifecycle that can be leveraged at different points in time.

US government legislation to combat money laundering is not new. In 1970, Congress enacted the Bank Secrecy Act (BSA)—also known as the anti-money laundering (AML) law—to require banks and other financial institutions to help detect and prevent money laundering and terrorism financing.

In its earliest iteration, BSA/AML required banks to keep records of cash purchases, report cash transactions exceeding $10,000, and report suspicious activity that might signify money laundering, tax evasion, or other financial crimes.

While those rules still apply, newer amendments to BSA/AML imposed more stringent regulations, with hefty fines for non-compliance. BSA/AML incorporates provisions of the 2001 USA Patriot Act, which requires every bank to adopt a customer identification program.

BSA/AML policies, procedures, and controls are often referred to as the five pillars of AML:

• Compliance officer - Designate a compliance officer to oversee the entire AML process.
• Internal procedures - Develop internal processes and controls for uncovering any potential AML activities.
• Training program - Establish an employee training program to ensure ongoing adherence to BSA/AML procedures.
• Independent testing - Regularly audit your AML compliance using accredited third parties.
• Customer due diligence - Perform in-depth customer risk assessment by verifying the identity of customers and their level of risk.