While KYC (know your customer) regulations grow more and more stringent, it becomes harder for banks to stay compliant and keep up with the competition in the market.
In this article, we’ll walk through the key aspects of KYC and provide 9 KYC recommendations that will help you streamline your verification processes while upholding regulatory standards. We’ve carefully supplemented it with lots of examples from recent cases of how banks and other fintech companies failed with their KYC compliance, what remediation followed (if any), and what consequences they faced. Use it as a checklist for your current or future solution.
What is AML and KYC in banking
As a general concept, KYC (Know Your Customer) is a set of standards and measures for user identification and verification. They protect businesses and individuals from fraud, money laundering, identity theft, and other illegal activities. KYC solutions are the tools that help companies comply with these standards.
In banking, KYC is often used interchangeably with AML (anti-money laundering). However, the two are not the same. Compared to KYC, AML implies a wider range of measures to prevent money laundering aside from KYC: monitoring for unusual activity spikes, using geographical locations to track activity, related reporting, and so on. Meanwhile, KYC refers specifically to identifying and verifying the client: it is one of the things that helps implement AML. But it’s not only a subset of AML measures: KYC check’s domain is broader and also covers the prevention of other fraudulent activities like identity theft for non-financial reasons.
Disclaimer: We will talk only of the eKYC, or online know your customer in banking. All recommendations are aimed at automating and digitizing as many of your business’s operations as possible.
KYC process explained
After the user creates their account, the KYC check begins. To identify their client, a bank checks their documents and confirms them in a state-issued registry. Then, it verifies that the person in the papers and the service user are the same person: biometric checks are a popular method for this. To conduct additional checks, the bank can ask for device location access and request other information.
The technical side of the know your customer process involves integrations with systems authorized to verify personal information. The bank collects user data needed for the KYC check, encrypts them, and sends them to such a system. These data get a token assigned to them. The system compares the tokens to those it has associated with the verified information. Depending on the result, the system issues a token confirming or rejecting the verification and sends it back. If the verification is successful, the user may proceed to the service.
What KYC regulations require your business to do
In short: if your business handles clients’ money, implementing KYC is a must. It includes crypto trading platforms, real estate, brokerage houses, online casinos, and other businesses from the financial sector and adjacent fields. While there still are some no-KYC crypto exchange services, their number gets smaller every month — governments strive to make such companies AML-compliant no less than other financial institutions.
The specifics heavily depend on the country your company operates in, but the general trend shows that KYC requirements will continue growing to include more money-related businesses.
Businesses analyze their clients’ behavior all through the customer lifecycle. The information banks need depends on the stage of this lifecycle and the specific characteristics of a client. General KYC requirements distinguish the following stages:
- Customer Identification Program (CIP) serves the purpose of verifying a client’s identity. Such processes take place during signup and in all transactions that require identity verification — like transferring large sums of money.
- Customer Due Diligence (CDD) is a standard set of risk management procedures for clients that don’t qualify as high-risk by default. Some institutions also conduct Simplified Due Diligence as a separate set of measures: this implies risk management for low-risk clients.
- Enhanced Due Diligence (EDD) covers the cases of risk management for high-risk clients. Such would be PEPs (politically exposed persons), non-residents, those who showed unusual business behavior patterns, etc. If your business involves anonymous transactions, it likely falls under this category.
- Ongoing monitoring against illegal activities is what banks do after they onboard the client. It takes place all through the client’s lifecycle.
The same stages apply to KYB — Know Your Business procedures that involve identifying corporate clients.
In Surf, we have developed apps for fintech companies since 2011. We’ve implemented complex KYC/KYB solutions for multiple banks in the EU and outside of it. And we’re happy to use our expertise for your project.
Make your project AML-compliant with KYC solutions integrated by Surf
Discuss my projectKYC checks: Methods
Most identification methods fall under one of the 3 categories: biometric identification, document check, or screening against watchlist.
Biometric
Unique physical characteristics allow for conducting highly precise identification. The types typically used in remote banking are:
- Facial recognition. A client uploads their selfie photo or video, and the bank’s system checks a set of parameters — usually more than 100 — and confirms the client’s identity. Most modern banks that offer remote services implement this type of checks. Face payments, which are popular in China, also function due to this type of recognition. Facial recognition also involves analyzing static pictures, but they are more vulnerable to fraud and therefore not widely used by banks.
- Voice recognition. This type of check usually takes place during a voice call, when clients have to confirm some of their transactions. Citibank and HSBC are among the banks that use this technology.
Now biometric checks usually imply the use of AI. Formally speaking, AI is not legally required for such checks, but it elevates their precision and accelerates the process.
Documents
Much like with offline identification, this check requires the documents that qualify as identity confirmation at the state level. Those typically include passports, IDs, driver’s licenses, and other types of identity documents. The bank’s app or website requests users to take a picture of such a document and provide a template for each option.
Apart from taking photos, users can also upload specific data from their documents. Some means of identification are numbers in nature — those are SSN, NIN, BSN, and other taxpayer identification. In that case, users simply type that number in.
Document check doesn’t always involve screening of the physical document. For example, IDs in most EU countries have NFC chips, which makes verification faster and simpler for clients. The same technology is used for payments by smartphone — the technology is in active use in Western countries and is expected to gain even more popularity over the next decade.
Watchlist screening
This check doesn’t require actions on the user side. After the system identifies the client as a person, it checks them against the lists that are necessary in each specific case. Sanction screening is a part of this check. Banks may also check if the client fits their inner requirements and doesn’t appear on their blacklist.
How to comply: Know Your Customer Checklist
Tip 1: Follow national legislation meticulously
Laws may and do vary across different countries. California has the CCPA that protects customer privacy. There is FATF which originated in the UK and is now used internationally. The EU operates under GDPR — plus, each EU country has its own legislation. With all this factored in, going global is no small feat.
Due to these variations, your perfectly compliant business in country A can qualify as illegal in country B. For example, Lithuania, Thailand, and multiple other countries are not on the IRS’s list of KYC-compliant countries as of May 2024. This means that financial businesses from these countries might face problems trying to enter the US market.
What happens when you don’t
Neglecting the laws of countries where your business is active can result in enormous penalties. Responsible institutions tirelessly fine banks for failing to duly monitor high-risk clients. A few recent examples are:
- Coinbase received a $50M fine from the NY Dept of Financial Services for inadequate transaction monitoring and the lack of tools to conduct it in 2023.
- Gatehouse was fined $1.77M by the U.K. Financial Conduct Authority for inadequate CDD in 2022.
- Deutsche Bank, alone in 2023, had to pay $261M in fines: $186M fine for poor AML and $75M to the Epstein accusers because the bank missed the red flags in Epstein’s account, as stated in the court’s decision.
Not to mention the total of $4.3B in fines for Binance’s failure to comply with AML. KYC is only a part of this case, and it doesn’t seem possible to calculate how much of it was exactly for the KYC issues. However, the company’s failure to implement due controls affected the court’s decision.
And it’s not just fines. Sanctions often include restrictions on operations, increased scrutiny from regulators, revocation of licenses, or even imprisonment.
How to do it better
Find relevant legislation and act according to the framework set in them. Be especially careful in the US, because states have different laws, and in the EU: though the union countries have a lot in common, there is no one-and-only legislation for KYC and AML so far. And keep up with changes and regularly update your data: for example, the EU countries have recently agreed to establish an AML Authority, which can change the legal landscape regarding KYC in Europe.
Key regulations and responsible institutions:
- Globally: FIUs worldwide; FATF as an international financial crime watchdog and its guide on AML/CFT.
- EU: eIDAS (electronic identification, authentication, and trust services); EU AML Authority — coming soon, national legislations apply.
- UK: Good Practice Guide to help you set up your KYC system; FCA as an authority.
- USA: AMLA, Bank Secrecy Act, Patriot Act; FIU and FinCEN as key authorities.
Tip 2: Train staff and establish secure work procedures
If your super-innovative solution is in incompetent hands, it won’t work properly. Moreover, your business will fall victim to data security breaches that appear due to negligence like sending sensitive info over a personal (and possibly compromised) email.
What happens when you don’t
In 2020, Westpac, the Australian bank, committed millions of AML breaches. As the report mentions, the bank’s staff failed to catch the red flags in suspicious accounts. The problem was systemic: Westpac didn’t have the employees with the skills that would allow them to interpret the signs correctly, and the organizational structure was unclear — which means that the distribution of responsibilities regarding KYC wasn’t clear either.
How to do it better
The same case serves as a good example if we consider what followed. After settling the suit with AUSTRAC (the Australian financial authority) and paying an equivalent of $854M in fines for these and other violations, the bank implemented the new risk assessment methodology and made enhancements to other systems and policies regarding AML. Another structural change was the new AML role roster: it clearly listed the responsibilities of each professional involved in KYC, AML, and CFT procedures. Plus, Westpac conducted a group-wide AML + CFT* training program and Board workshops to improve understanding of AML and CFT obligations.
*CFT — countering the financing of terrorism
The bottom line here is that training your employees and organizing work processes is as important as implementing proper technical solutions.
Tip 3: Check and upgrade your solution continuously
Tech can quickly become deprecated without proper support and upkeep. You will struggle more with the ever-increasing strictness of regulations and may even compromise your data security.
And even if the solution is not deprecated, it may not cover all of your business’s needs for growth and prosperity. If you use an old solution, your risk is missing out on market competition, when your counterparts improve and upgrade their tech.
Best practices
After Revolut upgraded its solution, it reduced the app’s result delivery time by 38 seconds and started getting 12% more clients. This is why your business needs to assess and upgrade the solutions regularly — it can bring significant business improvements.
Another case is N26. Fighting against fraudulent accounts, the app implemented a more advanced IDV technology. Now, N26 requires a client to move their head to prove this is a real person, not an image.
So, make sure your face recognition does liveness checks: otherwise, you might leave your business vulnerable to fraud with static images used for identification. The same goes for documents: apart from tilting the document like in the picture above, you can make your app ask to make a recording of the document or do live checks otherwise.
Our team has extensive experience with integrating KYC solutions for banks. If knowing your customers is crucial for your business, Surf is here to help. We develop cutting-edge apps for neobanking, ensuring the utmost stability and security.
Help your business get to know its clients
Discuss my KYC projectTip 4: Make good use of AI
This point stems directly from the previous one: AI and ML tools are the most recent tech innovations. We put it separately to highlight the specific benefits of implementing this technology.
Fewer documents needed. Many modern know your customer solutions implement AI, making it almost an industry standard by now. Due to the higher precision of AI-enhanced checks compared to other methods, companies started implementing document-free verification. Among those are TransferGo (a digital money service) and MoonPay (a crypto payment solution).
Reduces costs and time. AI systems with optical character recognition (OCR) can automatically extract and analyze data from IDs and other customer documents for KYC identity verification, which saves time on text interpretation. Make sure your OCR distinguishes between similar-looking characters (for example, Latin and Cyrillic): if it doesn’t, this can increase verification failures, which affects customer experience and leaves you deprived of the clients you otherwise might have gained.
Enhanced security. AI algorithms can analyze vast amounts of data from various sources to identify suspicious patterns, transactions, and activities indicative of fraud, money laundering, or other financial crimes. With these data, companies can build comprehensive risk profiles for customer due diligence and ongoing monitoring.
Higher data analysis precision. This enhances the accuracy of risk assessments and reduces false positives compared to traditional rule-based systems. And since false positives directly affect the number of clients a bank onboards, lowering the number of such errors can bring more clients to the bank.
AI facial and voice recognition are examples of how neural network technologies allow implementing highly complex KYC in banking.
What happens when you don’t
Voice recognition without AI leaves huge exploitable gaps for fraudsters. Let’s take Wells Fargo as an example. The bank uses voice password technology for over-the-phone KYC verification — clients are required to literally repeat «My voice is my password» in their own voice to get into the system. This method is highly failure-prone, which Vice has proven in 2023: Joseph Cox, Vice’s reporter, managed to authenticate as a Wells Fargo client using an AI-generated copy of their voice.
Due to several security failures of this kind, the bank received an inquiry from the US Senate demanding explanations on how it handled voice data and what it did to remediate after the problems were discovered. Since then, the internet hasn’t heard any news on how the bank improved its system to avoid such security breaches. The website still says:
How to do it better
Citibank uses Text Independent or Free Speech Voice Biometrics technology. It interprets multiple characteristic speech features like pronunciation, emphasis, speed, and timbre, which allows identifying people no matter what they say. USAA is another one of the banks implementing such KYC technologies. The bank’s system creates a «voiceprint» based on 100+ characteristics, which is as unique as a fingerprint, and employs anti-AI checks to make sure the voice isn’t artificially generated.
AI also allowed companies to perpetuate their KYC processes — this allows extending it to more operations — and use behavioral KYC identity verification, as the USAA’s voice recognition system does.
Tip 5: Elevate security with blockchain
Smart contracts, a signature feature of blockchain technology, allow making transactions decentralized, immutable, and transparent. This enhances security by eliminating the need for intermediaries and reduces each procedure’s time.
Many Canadian banks like Scotiabank and Royal Bank of Canada use blockchain technology in their KYC procedures. Digital identities established with blockchain are tamper-proof, which protects banks and their clients from fraud and identity theft. At the same time, blockchain helps streamline client onboarding, making the process faster and eliminating repetitive tasks that bank employees would need to perform without the technology.
Tip 6: Make sure you collect enough data
Especially from accounts and operations that stretch across different countries. Whenever money crosses borders, exploitable gaps may appear in your KYC solution — and those open the doors for fraudsters. If your business fails to collect all the necessary data, it might miss the risky cases of offshore activity and tax evasion.
What happens when you don’t
Discrepancies in Revolut’s US and EU payment systems allowed criminals to withdraw $23M in funds, making transactions between different countries. This resulted in a net $20M loss for Revolut: they managed to recover a part of the stolen funds.
How to do it better
N26 used to have issues with fake IDs — criminals could get into the system by exploiting security loopholes. The company fixed this problem: it implemented stricter checks and made overall enhancements. Its anti-faking checks we’ve mentioned before were likely a follow-up of this case.
Tip 7: Take care of your clients and don’t leave out UX
Trying to implement KYC completely at the clients’ cost is a bad practice. Sometimes, companies require their clients to fill out lengthy questionnaires during signup for the sake of statistics. Statistical information is indeed important, but it might be better to move the non-urgent questions to some point later in the customer journey.
According to the 2023 Study by Forrester, 85% of financial crime compliance executives say enhancing the customer experience is their top priority.
For digital businesses, almost all of the customer experience occurs in an online domain. This means the UX of online resources such as websites and apps affects CX directly and massively.
A good case
We helped a group of five banks rebuild the loan application process so that their clients could easily do it online. It included optimizing the customer journey, reducing the number of screens during the application process, and integrating online KYC checks.
Tip 8: Should errors happen, remediate ASAP
When companies face accusations of know-your-customer or AML violations, one of the requirements typically stated in court rulings is remediation. Companies must take measures to rectify the harm done, and failing to do so is heavily fined.
What happens when you don’t
Repeated cases get more severe penalties. We’ve mentioned the fines Deutsche Bank had to pay in 2023: previously, the bank was fined $125M for engaging in criminal financial activities in 2021. The case of 2023 involved a $61M higher fine.
Tip 9: Cut manual KYC procedures to a minimum
Doing IDV the traditional way — manually — takes lots of time both from the bank and from the client. If potential clients have to wait days and weeks for checks to come through, they can lose patience and leave for a service that works faster. Now, people have become used to doing things digitally, and banking is no exception. Providing online know your customer services is a must today.
A good case
We automated KYC verification for one of the top-15 EU banks so that its clients could open bank accounts online. The required document and biometric authentication also take place entirely online: the bank’s app connects with an online governmental service and verifies user data against the data in that service. The complex logic of the service doesn’t interfere with the customer experience: for users, the process is simple and straightforward.
How fintech companies do KYC checks
Let’s take a look at how different fintech companies go about KYC at different stages of a customer’s lifecycle.
Venmo: Possible without IDV
Venmo clients can pass identity verification only in the app — the website doesn’t offer IDV. It is still possible to use the service without verification, but it comes with limitations: clients can only send up to $300 and receive up to $1000 weekly. To identify, the clients need to provide their SSN and government-issued ID.
Unlike other similar apps, Venmo allows authenticating with Google or Facebook accounts
Capital One: QR codes
When Capital One clients visit a branch or a cafe, they can quickly authenticate using personal QR code. It’s not a one-and-only code for the entire client’s lifecycle: the app generates it on the spot.
Citibank: Voice checks
Citibank uses voice authentication instead of security questions when confirming operations over the phone. The National Institutes of Health stated that a person’s voice is about as unique as their fingerprints. To ensure high precision, the bank implements an AI-based system.
N26: Video calls
For clients based in Germany, the service provides an option to make a video call instead of taking pictures. This is an in-app procedure — clients don’t switch to any other services to make a call. The company implemented such an option due to the regulations Germany has regarding KYC checks.
Banks may also ask clients to say a specific phrase during signup. This can be a simple recording as well as a video.
KYC: In-house or outsource
Since KYC solutions handle highly sensitive data, the crucial aspect of implementing them is ensuring top-level security in all the organizations involved. This is what should affect your decision on outsourcing KYC the most: whether your company can create such a secure environment and whether the outsourcing company is a good fit in your case.
It is also important to factor in the current and future needs of your business. While outsourcing solutions tend to be a more scalable option, your own KYC technology may integrate better with your systems, since this is exactly what you build it for.
78% of the True Cost Of Financial Crime Compliance Study respondents are looking to outsource some of their activities related to KYC and AML in the coming years. Outsourcing has been a general trend in IT and banking, catalyzing the digital transformation of modern financial companies.
Whichever option you choose, make sure your business is strict about legal compliance and actively keeps up with the progress. We at Surf are always glad to help you with your KYC project: our expertise allows us to integrate complex systems and ensure the highest security and stability.
Build a KYC-compliant neobanking app. Fast.
Discuss KYC for my project