September 6, 2016
Every stakeholder in the card-not-present ecosystem has Know Your Customer (KYC) compliance requirements. Depending on the kind of business, where it is located in the world and under what regulatory authority it falls, compliance reaches varying levels of complexity and non-compliance can be costly or can even threaten a company’s existence.
Recently, Palo Alto, Calif.-based identity and risk-management solution provider IdentityMind Global assembled a panel of KYC experts to talk about the challenges and responsibilities of different members of the CNP value chain. While the panel had specific recommendations depending on the role a company plays in the ecosystem, a list of fundamentals emerged that pertain to anyone trying to establish the identity of a new or current customer for KYC purposes. Some are tips that will help your company meet regulatory guidelines, stay out of trouble and avoid fines. Others are benefits that accrue to companies that exhibit exemplary KYC programs.
1. There are no tricks
Companies that take shortcuts and look for an easy way out are companies that will eventually be hit with hefty fines.
2. Make transparency a running theme
Transparency is something that should be instilled in the company culture from the top down, especially when dealing with regulators.
3. Establish a strong, healthy relationship with regulators
Demonstrate a consistently professional manner and develop a relationship with regulators. This goes a long way in building trust and good faith.
4. Working with the industry is the most effective mechanism for compliance
Being antagonistic or uncooperative does not help. It will only create a bigger mess.
5. This section of NY’s BitLicense is a good KYC model
- Identification and verification of account holders. When opening an account for, or establishing a service relationship with, a customer, each licensee must, at a minimum, verify the customer’s identity, to the extent reasonable and practicable, maintain records of the information used to verify such identity, including name, physical address, and other identifying information, and check customers against the Specially Designated Nationals (“SDNs”) list maintained by the Office of Foreign Assets Control (“OFAC”), a part of the U.S. Treasury Department. Enhanced due diligence may be required based on additional factors, such as for high risk customers, high-volume accounts, or accounts on which a suspicious activity report has been filed.
- Enhanced due diligence for accounts involving foreign entities. Licensees that maintain accounts for non-U.S. persons and non-U.S. licensees must establish enhanced due diligence policies, procedures, and controls to detect money laundering, including assessing the risk presented by such accounts based on the nature of the foreign business, the type and purpose of the activity, and the anti-money laundering and supervisory regime of the foreign jurisdiction.
- Prohibition on accounts with foreign shell entities. Licensees are prohibited from maintaining relationships of any type in connection with their virtual currency business activity with entities that do not have a physical presence in any country.
- Identification required for large transactions. Each licensee must require verification of the identity of any accountholder initiating a transaction with a value greater than $3,000.
6. KYC can positively impact a company’s reputation
Although developing and maintaining a rigorous KYC process might seem like a hassle, it can actually increase revenue due to the perception it creates of your company. A better reputation leads to more customers.
7. Clients feel safer
Good KYC practices prove how serious your company is. Clients will be more willing to do business with you if they feel safe and secure.
8. KYC saves you money!
Good KYC policy protects your bottom line from fines. An automated KYC process also saves your analysts time, which raises company efficiency and boosts revenues.
9. When performing Sanctions Screening:
Besides checking for a match, be diligent about identifying false positives. Be sure to check the customer’s ID and any other documents they have sent before clearing or escalating a hit.
10. In case of suspicious activity or a sanctions match, send the user a questionnaire. Do research. Keep the user in the loop
Ask for name, location, job, salary and source of funds. Keep records of responses. Follow up with Google research. Check names for scandals, places they travel to or anything that could explain their behavior. Provide customers with a transactional behavior form, allowing them to explain their transactions. Keep a record!
11. Monitor suspicious users for consistency
Consult your records to see if their explanations properly account for their behavior, both historical and in the present. Keep watching them.
12. When in doubt, file a report
It’s always safer to file a report. Update records at least once a year for users you’ve identified on the PEP list, and re-send questionnaires periodically to keep your information current.
13. You need to include US PATRIOT ACT and BSA requirements, OFAC list, SDN list, and lists made by other governments
While your company may be under a certain jurisdiction, depending on your customers, you will have to comply with a variety of different regulations. It’s better to screen against all of these lists from the start. We are no longer bound by geographic boundaries.
14. Money transmitting has moved from a 2D process (sender/recipient), to a 3D one
This includes the Internet and a variety of transmission methods; your screening filter must account for all of these elements so your compliance team can review alerts, identify anomalies, and determine whether they are true hits or false positives.
15. Document your actions!
Whether you are blocking something or not blocking something, regulators are looking for insight into the reasons for your actions. You need to have documented reasoning for every action you take.
16. OFAC is NOT forgiving—if you do something wrong, you WILL get fined
17. Filings are not required until a transaction hits $10,000.01
HOWEVER, if it is an unusual amount, or unusual behavior from the customer, you need to keep a record, potentially file a SAR, or sever services to the customer. All of these discussions need to be escalated to the board of directors so they’re fully aware of what’s going on.
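Sanctions screening with false-positive triage (items 9, 13 and 15) and the two dollar thresholds quoted in items 5 and 17, as an added illustration that is neither IdentityMind’s code nor the panel’s; the watchlist entries, customer records and the `screen_customer`/`transaction_actions` functions are constructed for this example, and a production system would screen against the real OFAC SDN data and the other lists named above.

```python
import re
import unicodedata

# Constructed placeholder entries in SDN style; not real OFAC data.
WATCHLIST = [
    {"name": "Ivan Example Petrov", "dob": "1970-01-01", "country": "XX", "program": "PLACEHOLDER"},
    {"name": "Acme Shell Trading Ltd", "dob": None, "country": "YY", "program": "PLACEHOLDER"},
]
ID_VERIFY_OVER = 3000.00    # BitLicense: verify identity for transactions over $3,000
FILING_OVER = 10000.00      # item 17: filing obligations start at $10,000.01

def name_tokens(name):
    """Fold accents, case and punctuation into a token set so 'Petrov, Ivan' equals 'IVAN PETROV'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return set(re.findall(r"[a-z0-9]+", folded))

def name_similarity(a, b):
    """Jaccard overlap of name tokens: 1.0 identical, 0.0 nothing in common."""
    ta, tb = name_tokens(a), name_tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def screen_customer(customer, watchlist=WATCHLIST, threshold=0.6):
    """Match a customer against the list, then triage each hit using the ID data (dob, country).
    Every alert records its reasoning, so the file shows why a hit was cleared or escalated."""
    alerts = []
    for entry in watchlist:
        score = name_similarity(customer["name"], entry["name"])
        if score < threshold:
            continue
        # Fields from the verified ID document that contradict the list entry
        mismatches = [f for f in ("dob", "country")
                      if entry[f] and customer.get(f) and customer[f] != entry[f]]
        # A hit can only be cleared as a false positive on verified documents that disagree
        cleared = bool(customer.get("id_verified")) and bool(mismatches)
        disposition = "probable_false_positive" if cleared else "escalate"
        alerts.append({"list_entry": entry["name"], "program": entry["program"],
                       "score": round(score, 2), "mismatches": mismatches,
                       "disposition": disposition,
                       "reason": f"name score {score:.2f}; id_verified={bool(customer.get('id_verified'))}; "
                                 f"mismatched fields={mismatches or 'none'}"})
    return alerts

def transaction_actions(amount, id_verified):
    """Required actions for a single transaction amount (USD) under the two thresholds above."""
    actions = []
    if amount > ID_VERIFY_OVER and not id_verified:
        actions.append("verify_identity")
    if amount > FILING_OVER:
        actions.append("file_report")
    return actions
```

The `reason` string in each alert is the documented rationale item 15 asks for; it should be stored with the case file whether the hit is cleared or escalated.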
18. Once you decide a user is suspicious, you must speak with them
This way you can find out whether or not their behavior is normal. Out-of-band (OOB) mechanisms are important.
19. OOB mechanisms should be built into the user experience
OOB mechanisms are most effective when they are a natural part of the KYC process and user experience. If implemented well, your users won’t feel added friction in the validation process.
20. Just the fact that they respond to OOB questions, even if they weren’t correct, can be used as a positive
Even simply responding to OOB questions is a good sign, even if the answer they give you isn’t correct, or if the data doesn’t match.
The IdentityMind™ on-demand platform provides real-time risk management and compliance automation for leading fintech companies, traditional banks and online merchants around the world.