Implementing a comprehensive and effective KYC/CIP program for your business is critical to staying compliant with regulators. Too often the focus is strictly on “checking the box” to achieve compliance and avoid penalties, but that approach isn’t enough. While compliance is mandatory, and the fines for non-compliance can be high, the steepest penalty of all is one that often goes unnoticed – lost revenue from good customers being turned away because you don’t have the right KYC strategy and tools.
Unlike regulatory fines, turning away good customers is not a one-time event. Rather, it’s a daily, compounding problem that inhibits your growth, creates a massive opportunity cost, frustrates potential customers, and ultimately puts your organization at a competitive disadvantage. Fortunately, establishing and using the right KYC compliance process doesn’t have to be a burden to your customers, nor onerous to your business.
Steps to Ensure KYC Compliance
Every organization that onboards customers digitally from a fintech in search of a solution to achieve compliance, to an established financial institution, needs a review of an existing KYC program, or a design framework for a new one, to unlock new customer growth while bolstering compliance.
This checklist provides the framework to guide you through a comprehensive examination of your KYC program. To architect your approach, it is imperative to bring all stakeholders from compliance, risk, IT, and customer growth teams to the table to ensure needs are assessed, goals established, and a path forward is agreed upon. After completing this comprehensive assessment, your organization will be well positioned for success.
1. Determine the regulatory framework applicable to your business
Financial institutions are required to comply with KYC/CIP regulations, with collection of name, date-of-birth, address and a taxpayer identification number as the minimum requirements. While not specifically mandated in existing regulations, organizations outside of traditional financial services also have a responsibility to know their customers to safeguard their business from risk and avoid becoming the target of bad actors.
Adjacent industries such as cryptocurrency are experiencing rapid growth resulting in a lack of defined regulation. Preparing for forthcoming regulations can demonstrate a good faith effort to regulators and ensure your organization is ready when regulations catch up.
Gaming is another related business that may have less stringent customer onboarding requirements depending on the state in which the business is operating. This might enable less data collection from a customer, which would also reduce friction.
There is no one-size-fits-all approach when considering your approach to regulatory compliance, but it is important to establish a framework that will allow you the agility to adapt to business needs, while adhering to regulations.
2. Determine the risk posture appropriate for your organization
As mentioned, the industry your business operates in will largely dictate what you must do and areas you can exercise some discretion. For example, a fintech startup and a large financial institution are both required by law to adhere to KYC/CIP regulations, but each face a different risk posture. A BNPL firm that focuses on small installment loans is less likely to be targeted by third party bad actors for fraud or money laundering at scale and has less stringent needs than a major credit or personal loan issuer.
eCommerce and retail organizations are not specifically required to comply with KYC/CIP rules, however they are increasingly targeted by bad actors and face the risk of incurring losses from any chargeback fraud that results.
3. Codify a detailed customer acceptance policy
Your organization’s specific compliance needs and risk posture should be used to inform a specific customer acceptance policy with well-defined levels of customer risk that will result in an approval, review, or rejection decision at onboarding for your business.
KYC/CIP regulations state that you must form “a reasonable belief of the true identity of each customer” leaving it up to individual organizations to determine how stringent they must be. Your organization may choose to require strict matching of all customer data, or consider allowing partial matching on certain PII elements. A specific policy will also reduce ambiguity in situations where a manual review is required.
4. Deploy modern KYC solutions
Selecting the right KYC solution is the lynchpin to executing a successful strategy. Legacy KYC solutions have poor customer approval rates of around 72% as they were originally designed decades ago to solve a different set of challenges than we face for today’s digital-first economy. Seek out solutions that are highly-automated, purpose-built for today’s needs, and well positioned to address evolving threats.
Appropriate solutions should be inclusive drawing from a comprehensive and diverse set of data sources, with particular importance to not be overly reliant on credit header data that often misses hard-to-identify segments, including Gen-Z, millennials, credit-invisible, thin-file, new-to-country, and other groups vital to the future of your business. Look for AI/ML centric technology that can enable identity clustering, fuzzy matching and offer precision in results.
5. Verify the identity of all customers at onboarding
To be compliant, it is imperative to have reasonable assurance of the identity of every customer you do business with. If you can prevent bad actors from entering your portfolio, there is a reduced chance that you will face problems later.
6. Engage in continuous monitoring of customer accounts
Regular re-evaluation of your customers is a required part of any KYC program to flag suspicious transactions, or to halt doing business with those added to a government sanctions list. While periodic re-screening may be acceptable in some cases, the best practice in today’s dynamic regulatory environment is to deploy a watchlist solution with continuous monitoring so your organization can take immediate action to any adverse alerts in real-time.
7. Maintain records for auditability
All customer records should be stored digitally, with appropriate safeguards in place for data security. If adverse information arises on existing customers, updating customer information based on new risk factors and having an audit trail to prove appropriate action was taken can be the difference between passing an audit or putting a charter at risk.
8. Conduct regular risk management evaluations
Achieving the best possible outcome requires dedicated effort at the onset, as well as periodic reviews to ensure adjustments to your program for new threats that may emerge.
Bad actors know which organizations are most vulnerable and will attack those that represent the highest probability of success. Regular risk assessment can keep you one step ahead.
9. Train staff in operational procedures
View your staff as strategic partners by investing in them with training and knowledge to be successful and solicit their knowledge from being “in the trenches.” Regularly review their most common review cases that ultimately result in approvals to make adjustments and automate as much as possible. Small tweaks can result in material revenue gains at scale.
With the right tools and strategy in place, you’ll realize savings in reduced manual reviews and back-office expenses. However, there will still be a need for some reviews. How fast your staff can respond represents the difference between a satisfied customer, or one that seeks out a competitor.
Carefully crafting your organization’s KYC strategy will deliver strong ROI with a lift in good customer approvals and revenue, while simultaneously reducing operational expenses. Socure is best positioned to deliver on the compliance needs for your business.
Socure KYC is a modern, customer-centric KYC solution optimized on maximum approval of good customers while fully satisfying compliance requirements. Our KYC solution is powered by the industry-leading ID graph and uses advanced AI/ML and search analytics achieving up to 98% auto-approval rates with the highest match accuracy in the industry, including Gen Z and underserved consumers. We power KYC solutions for most of the largest card issuers, 4 of the 5 top banks, and fintech service providers in the U.S.
Additionally, Socure’s Global Watchlist with Monitoring can deliver true continuous monitoring of your customer accounts with sophisticated matching algorithms, proprietary data, and industry-leading accuracy for uninterrupted compliance with CIP regulations.
Socure can even host your customer approval logic to get up and running quickly, eliminating the need for burdensome tech stacks and staffing. All of this is delivered through one simple API.
To learn more about how Socure can enable best-in-class KYC/CIP programs for your organization, request a demo.
Matt is the Director of Product Marketing for KYC and Global Watchlist solutions at Socure. Prior to Socure, Matt established and led the product marketing efforts for fraud and identity solutions at TransUnion.
CIP vs KYC: What is a Customer Identification...
Customer Identification Program (CIP) and Know Your Customer (KYC) are related...
New-to-Country Consumers Represent Trillions in Economic Value. But...
The potential impact of immigration on US economic growth is astounding....