Know Your Customer (KYC) requirements specify how organizations should verify the identity of their customers and assess the risk each one presents. Their primary aim is to prevent financial crime and fraud, and to stop the sale of age-restricted or otherwise regulated products to people who are not allowed to buy them. An organization implementing KYC must cover its three core components and also meet the regulations that apply in its jurisdiction and industry.

The three core components of KYC compliance are establishing a customer identification program (CIP), performing customer due diligence (CDD), and carrying out continuous monitoring. On top of these come jurisdiction-specific requirements, such as those enforced in the U.S. by the Financial Crimes Enforcement Network (FinCEN), the country's primary anti-money laundering (AML) regulator.

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such.  Information on this website may not constitute the most up-to-date legal or other information.

The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article, and all liability with respect to actions taken or not taken based on the contents of this article is hereby expressly disclaimed.

You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.

This article may contain links to other third-party websites.  Such links are just for the benefit of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.

Key Components of KYC

The three parts of KYC are as follows. 

Customer Identification Program (CIP)

To meet the requirements of a Customer Identification Program, a financial institution asks customers to provide identifying information. Each institution carries out its own CIP process according to its risk profile, so a customer may be asked for different data depending on the institution.

For an individual, this data normally includes the name, date of birth, address and an identification number, verified against documents such as:

  • A passport
  • A driver’s license  

For an organization, this data might include:

  • Government-issued business license
  • Partnership agreement
  • Certified articles of incorporation
  • Trust instrument

Information for further verification could include: 

  • Financial references
  • A financial statement
  • Information from a public database or consumer reporting agency

Financial institutions have to check that this data is credible and accurate, using documentary verification (inspecting the documents themselves), non-documentary verification (checking against independent sources), or both.

Customer Due Diligence (CDD)

CDD is the process of collecting and verifying customer information in order to confirm identity and evaluate the customer's risk profile. Two adjusted tiers sit on either side of standard due diligence:

  • Simplified due diligence (SDD)—applied to accounts at low risk of money laundering or terrorist financing, for example low-value or standard retail bank accounts.
  • Enhanced due diligence (EDD)—applied to customers with a higher risk score, typically those at greater risk of being used for money laundering or terrorist financing. EDD requires collecting further information on the customer and also involves transaction monitoring: by establishing the normal amount and frequency of a customer's transactions, you can detect irregularities against that baseline.

The financial institution is responsible for determining the risk profile of each customer and then deciding whether to use SDD or EDD.

Continuous Monitoring

Financial institutions have to monitor their clients’ transactions continually for unusual or suspicious activity. This is a risk-driven, dynamic approach to KYC: the level of scrutiny follows the customer's current risk profile rather than the profile assessed at onboarding. When unusual or suspicious activity is identified and cannot be explained, the institution has to file a Suspicious Activity Report (SAR), which in the U.S. goes to FinCEN, which in turn shares it with law enforcement.
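The monitoring described above (and under EDD) comes down to baselining each customer's normal amount and frequency of transactions and flagging deviations for an analyst to review. The following is an added example, not code from the original article or from any vendor: it builds a per-customer baseline from constructed sample transactions, then applies three rules (amount far above the customer's own normal, an unusual number of transactions in one day, and several cash deposits each just under an assumed reporting threshold). The field names, thresholds, the `SAMPLE` data and the customer ID `C-1001` are all assumptions for illustration; alerts are review candidates, not automatic SAR filings.

```python
"""Per-customer transaction monitoring: baseline normal amount and frequency,
then flag deviations for analyst review.

Added example with constructed data; thresholds are illustrative assumptions,
not regulatory values."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Iterable


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float
    kind: str  # constructed categories: "card", "cash_in", "wire_out"


@dataclass(frozen=True)
class Baseline:
    mean_amount: float
    std_amount: float
    mean_daily_count: float


@dataclass(frozen=True)
class Alert:
    rule: str
    customer: str
    day: date
    detail: str


def build_baseline(txns: Iterable[Txn], customer: str, until: date) -> Baseline:
    """Baseline from the customer's own history strictly before `until`."""
    hist = [t for t in txns if t.customer == customer and t.day < until]
    if len(hist) < 2:
        raise ValueError("not enough history to build a baseline")
    amounts = [t.amount for t in hist]
    per_day = Counter(t.day for t in hist)
    return Baseline(float(mean(amounts)), float(pstdev(amounts)),
                    float(mean(per_day.values())))


def flag_amount_outliers(txns: list[Txn], baseline: Baseline, sigma: float = 3.0) -> list[Alert]:
    """Single transactions far above the customer's normal: mean + sigma * std."""
    limit = baseline.mean_amount + sigma * baseline.std_amount
    return [Alert("amount_outlier", t.customer, t.day, f"{t.amount:.2f} > {limit:.2f}")
            for t in txns if t.amount > limit]


def flag_velocity(txns: list[Txn], customer: str, baseline: Baseline,
                  multiplier: float = 4.0) -> list[Alert]:
    """Days with many more transactions than the customer usually makes."""
    limit = baseline.mean_daily_count * multiplier
    per_day = Counter(t.day for t in txns)
    return [Alert("velocity", customer, d, f"{n} txns > {limit:.1f}")
            for d, n in sorted(per_day.items()) if n > limit]


def flag_structuring(txns: list[Txn], threshold: float = 10_000.0, window_days: int = 3,
                     min_count: int = 3, near: float = 0.8) -> list[Alert]:
    """Several cash deposits, each just under `threshold`, within a short window and
    together exceeding it. `threshold` stands in for a reporting cutoff (assumed)."""
    cash = sorted((t for t in txns if t.kind == "cash_in"
                   and near * threshold <= t.amount < threshold), key=lambda t: t.day)
    alerts: list[Alert] = []
    i = 0
    while i < len(cash):
        end = cash[i].day + timedelta(days=window_days - 1)
        window = [t for t in cash[i:] if t.day <= end]
        total = sum(t.amount for t in window)
        if len(window) >= min_count and total >= threshold:
            alerts.append(Alert("structuring", window[0].customer, window[0].day,
                                f"{len(window)} deposits totalling {total:.2f}"))
            i += len(window)  # do not re-alert on the same deposits
        else:
            i += 1
    return alerts


def monitor(all_txns: list[Txn], customer: str, period_start: date) -> list[Alert]:
    """Baseline on history before `period_start`, run all rules on the period itself."""
    baseline = build_baseline(all_txns, customer, period_start)
    current = [t for t in all_txns if t.customer == customer and t.day >= period_start]
    return (flag_amount_outliers(current, baseline)
            + flag_velocity(current, customer, baseline)
            + flag_structuring(current))


# Constructed sample: ten normal January card payments, then a February that
# contains three just-under-threshold cash deposits and one very busy day.
SAMPLE_PERIOD_START = date(2024, 2, 1)
SAMPLE: list[Txn] = [
    Txn("C-1001", date(2024, 1, d), a, "card")
    for d, a in zip(range(1, 11), [200.0, 250.0, 180.0, 220.0, 210.0,
                                   190.0, 230.0, 240.0, 205.0, 215.0])
] + [
    Txn("C-1001", date(2024, 2, 1), 230.0, "card"),
    Txn("C-1001", date(2024, 2, 2), 9_500.0, "cash_in"),
    Txn("C-1001", date(2024, 2, 3), 9_800.0, "cash_in"),
    Txn("C-1001", date(2024, 2, 4), 9_700.0, "cash_in"),
    Txn("C-1001", date(2024, 2, 5), 240.0, "card"),
] + [
    Txn("C-1001", date(2024, 2, 6), a, "card")
    for a in [190.0, 210.0, 200.0, 220.0, 205.0, 215.0]
]


def demo_alerts() -> list[Alert]:
    """Run the monitor over the constructed sample for customer C-1001."""
    return monitor(SAMPLE, "C-1001", SAMPLE_PERIOD_START)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

On the sample data the January baseline is a mean of 214.00 with a population standard deviation of about 20.71, so the three 9,500 to 9,800 cash deposits trip the amount rule individually and, taken together over three days, the structuring rule; the six small payments on 6 February trip only the velocity rule. In production the baseline would be refreshed as the customer's profile changes (the dynamic aspect the text describes), and each alert would be triaged before any SAR decision.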

KYC Requirements and Regulations Around the World

Each jurisdiction has its own laws to meet, and differs in which forms of evidence it accepts for identity verification: government-issued driver licenses, national identity cards, credit or debit cards, utility bills and passports are treated differently from country to country. Industries such as online gaming, gambling and finance face stricter KYC rules and greater AML compliance obligations, and often have their own dedicated regulators. Countries rely on government agencies to administer and enforce these regulations.

The Financial Action Task Force (FATF)

FATF is an intergovernmental body that combats money laundering and terrorist financing. Its membership spans several dozen jurisdictions plus regional organizations. FATF sets the global standard for AML and counter-terrorist financing (CTF) compliance through the FATF Recommendations, and assesses how well member countries implement them through mutual evaluations.

The FATF Recommendations require financial institutions to carry out thorough KYC processes, global sanctions screening, due diligence procedures and risk assessments before onboarding businesses and individual customers.

KYC Regulations in the US

The following regulations apply to financial activities in the US:

  • The Financial Crimes Enforcement Network (FinCEN)—the core AML regulator in the U.S., operating as a bureau of the U.S. Treasury Department. FinCEN is charged with combating terrorist financing, money laundering and other financial crimes by collecting and analyzing reports filed by banks, other financial institutions and individuals, and by studying suspicious payments and transactions. FinCEN works with federal and state law enforcement agencies, providing financial intelligence to support investigations.
  • The Bank Secrecy Act (BSA)—the United States’ core anti-money laundering law, established in 1970. The BSA is designed to deal with money laundering and make sure that financial organizations and banks do not become complicit in or facilitate it. The BSA applies a variety of compliance obligations to organizations within US jurisdiction. This includes requirements to put in place a risk-based AML program with suitable screening measures plus customer due diligence (CDD), and to conduct various record-keeping and reporting tasks when handling suspicious customers and transactions.
  • USA PATRIOT Act—passed in 2001 after the September 11 attacks, this legislation focuses on financial crimes connected with terrorism. It broadens the reach of the BSA by giving law enforcement bodies more investigatory and surveillance powers, introducing additional customer due diligence and screening requirements (including the CIP requirement described above), and establishing stricter penalties for individuals or organizations involved in terrorist financing. The Act includes specific controls and provisions for cross-border transactions and correspondent accounts to address international financial crime and terrorism.

KYC Regulations in the UK

Following Brexit, the United Kingdom relies on the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) rather than EU legislation as the legal basis for its sanctions and anti-money laundering framework. The Act allows the UK to impose sanctions in order to comply with United Nations obligations and to pursue its own national security and foreign policy objectives. The day-to-day customer due diligence duties of UK firms sit in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which SAMLA allows the government to amend.

Regulated firms must maintain up-to-date anti-money laundering and counter-terrorist financing (AML/CFT) procedures, including risk-based due diligence on every customer, so that the UK continues to meet international standards while protecting its domestic financial system.

KYC Regulations within the EU

European law, generally speaking, comes in two forms: regulations, which apply directly and uniformly across the EU, and directives, which each member state must transpose into national law. The two key pieces of European legislation relevant to KYC are the GDPR (a regulation) and the fifth Anti-Money Laundering Directive (5AMLD), which Germany, for example, transposed through its Geldwäschegesetz (GwG). Because directives set only minimum requirements, countries may impose stricter rules when transposing them.

The most widely known example is Germany, where the financial regulator BaFin's video identification rules stipulate in detail what a customer has to do to pass identification and verification by video. While this process is relatively successful in the German market, applying it elsewhere in Europe hurts conversion.

More instances of additional requirements incorporated into national law include:

  • France—requirement for a secondary ID document
  • Spain—requirement for enhanced liveness detection
  • Italy—requirement for seven additional risk checks

KYC Regulations within Australia 

The Australian Transaction Reports and Analysis Centre (AUSTRAC) also adjusted its KYC/AML guidance following the outbreak of the pandemic, offering alternative ways to verify identity so that reporting entities could remain compliant when in-person checks were not possible.

AUSTRAC permits electronic copies of government-issued ID documents and other proof of identity to be used for verification. Where these alternatives cannot establish identity, a video call with the customer may be used to complete KYC.

Know Your Customer (KYC) Identity Verification with BlueCheck

BlueCheck’s industry leading identity verification infrastructure enables merchants to grow their business faster. Serving a wide variety of industries, our solutions are custom tailored to the unique needs of our customers, including PACT Act and eCommerce compliant offerings. 

Schedule a call with a BlueCheck specialist to learn more about our Age & ID Verification solutions. Ask about price savings when bundled with Payment Processing services.