Digital KYC: What is it, and How To Do It

What is Digital KYC?

Digital Know Your Customer (KYC) is the process by which banks and other financial institutions verify the identity of their clients online to assess the risk they might pose before establishing a business relationship. Digital KYC, also called eKYC, is a cornerstone of compliance with anti-money laundering (AML) regulations and is vital for preventing financial crimes.

The foundations for KYC date back to the Bank Secrecy Act (BSA) of 1970 (itself an amendment of the 1950 Federal Deposit Insurance Act). Charting the course for anti-money laundering protocols, the BSA mandates that banks collect and report certain financial information to regulatory authorities, such as FinCEN.

The 2001 Patriot Act is the basis of modern KYC compliance. In the wake of 9/11 and the rise of the internet, the Patriot Act amended the BSA to impose stricter requirements on financial institutions to verify the customers with which they do business.

Who needs Digital KYC?

KYC regulations primarily impact financial institutions and any business that deals with money transfers, lending, or investments. This includes credit companies, insurance companies, fintech firms, and even non-profits that handle large donations. Different sectors and even individual banks may have specific KYC requirements based on the nature of their business and associated risk. For instance, casinos might follow different KYC protocols than banks, though the fundamental aim of preventing illicit activities remains consistent.

What are the KYC requirements?

As we mentioned, the required information collected from customers will vary from sector to sector and even bank to bank. However, Section 326 of the Patriot Act sets forth minimum compliance requirements that include:

(a) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
(b) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information; and
(c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.

Based on the minimum requirements and each institution's risk appetite, financial institutions prepare a Customer Identification Program (CIP) appropriate to the nature of their business and its size. At a minimum, every business falling under the Patriot Act must have a CIP containing:

• A written program
• Four pieces of identifying information (often referred to as the 'core four') - a customer's: name, date of birth address, and identification number.
  1. Identity verification procedures
  2. Record keeping
  3. Comparison with government lists (ensuring the customer doesn't appear on any OFAC or other government sanction lists).
  4. Customer notice (the financial institution must its customers know it's requesting information to verify their identities).

The goal of a CIP is for a business to "form a reasonable belief that it knows the true identity of each customer." As this is not a fixed standard, the burden each business shoulders to truly 'know its customer' will differ. For example, a business operating in a less risky space might only need to collect the core four pieces of information, while others may require detailed financial statements during the onboarding process.

Digital KYC processes are a part of the firms' CIP requirements. Digital KYC is used to verify the identity of the customer.

How can you conduct digital KYC?

The goal of digital KYC is to collect and verify information from customers. You can accomplish this in multiple ways (each with its trade-offs).

1. Documentary eKYC — Software is used to scan a customer's identification document (ID, Driver's License, Passport, etc.) and compare the information on the document to the information the customer inputs.
   1. Pros: If the software uses good machine learning models, you can be confident that the identification card has not been tampered with.
   2. Cons: Added friction to scan your identification card, and without a selfie, it is harder to verify that the person onboarding is the same person on the identification card.
2. Documentary eKYC with a selfie—Software scans a customer's identification document, and then the customer takes a selfie. The software compares the selfie to the picture on the identification document.
   1. Pros: High fidelity identity verification.
   2. Cons: The most amount of friction.
3. Non-Documentary eKYC — Software is used to compare the information collected from a customer (Name, DoB, SSN) to major databases like credit bureaus.
   1. Pros: Frictionless experience for the user.
   2. Cons: A lot of fraud cannot be caught by checking information in a database.
4. Knowledge-Based Authentication (KBA) eKYC — Software presents customers with questions based on information in their credit profile, like "What street have you lived on?" By answering the questions correctly, customers can verify their identity.
   1. Pros: Frictionless experience for the user.
   2. Cons: The answers are often Google-able, so we cannot prevent much fraud..

What is the difference between KYC and KYB?

Digital KYC applies when banks, financial institutions, or fintechs onboard individual people, but there are times when businesses need to be onboarded as well. That is called Know Your Business (KYB).

The goals of KYC and KYB are similar: prevent bad actors from accessing the financial system, but they differ in the information they collect and verify. We will dive deeper into KYB in another blog post.

If you need a digital KYC provider, schedule a call below. We have designed Footprint to seamlessly onboard and verify users while securely vaulting their information, and we would love to share more.