Key Takeaways:
- Know Your Customer (KYC) is a regulatory mandate requiring businesses to verify their clients’ identities to prevent financial crimes.
- The KYC process includes three primary components: Customer Identification Program (CIP), Customer Due Diligence (CDD), and Ongoing Monitoring.
- Electronic Know Your Customer (eKYC) digitizes the KYC process, allowing for more efficient, secure, and faster identity verification.
- KYC compliance is mandatory across various sectors, including banking, finance, insurance, telecommunications, and, increasingly, in the cryptocurrency sector.
As businesses increasingly engage with individuals in the digital world, it has become easier to transact millions of dollars within seconds. However, not all transactions are legal or intended for their claimed purpose. Some involve stolen funds or illegal activities like terrorism, while others may be connected to identity theft, fraud, bribery, and more.
To address these concerns, governments and regulatory bodies have implemented policies to make financial transactions safer. One such policy is KYC, or Know Your Customer, which requires businesses to verify the identity of their customers before engaging in financial transactions.
What Is KYC Compliance?
KYC (Know Your Customer) compliance is a regulatory mandate that requires businesses to verify the identity of their clients. This involves analyzing clients’ financial histories, monitoring transactions, and assessing potential risks.
Regarded as “Effective KYC,” this comprehensive approach is critical, especially in the financial sector. Non-compliance with KYC regulations can lead to severe consequences, including penalties, sanctions, or reputational damage for a company, particularly if implicated in enabling financial crimes such as money laundering, terrorism financing, corruption, or other illicit activities.
Implemented globally, KYC serves as a crucial measure to combat financial crimes. It plays a vital role in safeguarding organizations from fraud and potential losses linked to illegal transactions and ensures the protection of other customers. Therefore, implementing KYC effectively and efficiently is imperative for businesses before onboarding new customers or engaging in financial transactions with them.
3 Components of KYC
The three components of KYC are:
- Customer Identification Program (CIP)
- Customer Due Diligence (CDD)
- Ongoing Monitoring
1. Customer Identification Program (CIP):
CIP was introduced under the USA Patriot Act in 2001. As per the “Customer Identification Program – CIP”, financial institutions must gather a minimum of four pieces of identification information:
- Name
- Date of birth
- Address
- Identification Number
While these are the foundational requirements, institutions often gather additional data, such as selfies, email addresses, phone numbers, and other personally identifiable information (PII) from authoritative databases.
Especially for high-risk customers, data like IP addresses might be collected. The type of data collected may vary depending on the company and its location. However, the four pieces of data listed above are typically the minimum requirements to establish a customer’s identity and comply with anti-money laundering (AML) and know-your-customer (KYC) regulations.
2. Customer Due Diligence (CDD)
CDD is the process of collecting, verifying, and assessing a customer’s credentials to gauge their risk profile against suspicious activities. The Financial Crimes Enforcement Network (FinCEN) enforces CDD to bolster transparency in the financial sector and deter illicit activities.
FinCEN’s core requirements include:
- Verifying customer identities.
- Identifying and verifying company owners who hold 25% or more shares.
- Understanding customer relationships to create risk profiles.
- Ongoing monitoring to spot and report suspicious transactions.
Levels of Customer Due Diligence (CDD)
The determination of the level of CDD applied to each customer relies on their risk score. This score is calculated during the customer’s due diligence process. The following are the different levels of CDD:
- Simplified Due Diligence (SDD): A basic level of due diligence where customer identity verification isn’t mandatory. The emphasis is on monitoring the business relationship.
- Basic Due Diligence (BDD): This involves collecting and verifying customer data during onboarding.
- Enhanced Due Diligence (EDD): A comprehensive process for high-risk customers, including politically exposed persons and high-net-worth individuals. It requires additional data collection, continuous monitoring, and assessment of transactions with third parties.
3. Continuous Monitoring (CM)
Customer monitoring (CM) is another component of customer due diligence that involves monitoring users’ transactions and activities over time. If any suspicious activity is detected, a Suspicious Activity Report (SAR) must be filed with FinCEN and other relevant law enforcement agencies.
The SAR must be filed within 30 calendar days of detecting any facts that make up the basis for a suspicious activity report. The financial institution should include details of the suspect in the report. If the initial detection does not identify a suspect, the institution may continue monitoring for an additional 30 days to identify the customer or user concerned. However, the financial institution must not, under any circumstances, delay the filing of the SAR for more than 60 calendar days after the initial detection.
This 2013 webinar was held by FinCEN to educate institutions on how to file Suspicious Activities Reports using the new E-Filing System.
Overall, the main objectives of KYC are to:
- Verify a customer’s identity.
- Confirm the legitimacy of the customer’s funds.
- Evaluate and monitor the risk of money laundering or terrorism financing in line with AML protocols.
Benefits of KYC For Companies
KYC provides several benefits for companies, including:
- Understanding customers: KYC helps companies to understand their customers better, including their identity, risk profile, and needs. This information can be used to develop more targeted and effective products and services, and to build stronger customer relationships.
- Protecting customers and the organization: KYC helps companies to protect their customers from fraud and financial crime. It also helps to protect the company itself from reputational damage and financial losses.
- Compliance: KYC is a regulatory requirement for many businesses, particularly those in the financial sector. By complying with KYC requirements, companies can avoid fines and other penalties.
What is eKYC?
eKYC, also known as Remote KYC, provides a digital alternative to the traditional in-person KYC procedure that has been in use for decades. Although people often use eKYC and KYC interchangeably, eKYC specifically refers to digital KYC processes. The acronym “eKYC” stands for “Electronic Know Your Customer,” representing an online process that reduces the costs and bureaucratic hurdles associated with in-person KYC procedures.
With eKYC, customers submit their identifying documentation electronically through a computer or mobile phone user interface, just as they would with in-person KYC. However, eKYC is faster, cheaper, and more secure than traditional KYC processes. Additionally, electronic systems generally incorporate robust fraud detection algorithms. These algorithms analyze identifying documentation for special security features that humans may overlook.
Institutions such as banks, cryptocurrency exchanges, and online wagering sites typically utilize eKYC systems. Furthermore, eKYC systems have more recently found application in the creation of digital or even decentralized identities.
Who Needs To Be KYC Compliant
KYC compliance is a regulatory requirement for many industries, including:
- Banking Sector and other financial institutions, including payment companies, fintech, credit unions etc.
- Insurance Establishments/Organizations.
- Regulated Industries, such as gambling facilities.
- Digital Wallet Providers.
- Real Estate Agencies.
- Asset Management Firms.
- Dealers Of High-Value Goods.
- Trust Formation Services.
- Cryptocurrency Exchanges.
The Cryptocurrency Industry and KYC
KYC regulation previously did not apply to crypto exchanges or to cryptocurrency generally, but in 2019 the SEC, FinCEN, and the CFTC issued a joint statement that classified crypto exchanges as money service businesses (MSBs). This subjects crypto exchanges to KYC and AML policies and requirements under the Bank Secrecy Act of 1970.
Why Does The Crypto Industry Dislike KYC?
KYC is well-intentioned: it seeks to protect citizens and companies and to prevent illegal activities like terrorism funding and money laundering. However, the crypto industry generally dislikes KYC for two main reasons: privacy and decentralization.
Privacy Concerns
Privacy is one of the key selling points of cryptocurrency. The transparent nature of the blockchain simplifies the process of “following the money.” Furthermore, the anonymous nature of cryptocurrency wallets facilitates transactions between one anonymous wallet and another. The anonymous nature of crypto, similar to the early Internet, was perceived as a disruptive shift from the status quo. It provided countless individuals with the opportunity to participate in transactions without government oversight, which was a compelling aspect of cryptocurrency. Consequently, KYC processes were often viewed as conflicting with the fundamental principles of the crypto ethos.
Decentralization
Decentralization, another key selling point of cryptocurrency, ensures that there’s no one entity that can monitor, block or deplatform a user. On the other hand, KYC typically means that a single centralized entity will hold numerous identities in its database. These databases of personally identifiable information (PII) often serve as honeypots, actively attracting hackers just like a pot of honey lures bears, bees, and other creatures. These centralized honeypots are also the antithesis of the cryptocurrency industry.
Impact of Increasing Regulations
The existence of KYC in cryptocurrency transactions isn’t the only reason for the dislike. KYC also serves as a symbol of more regulation to come. Many early adopters of cryptocurrency were drawn to it because of its promise of freedom from governmental oversight and regulation. Yet, the landscape is evolving, with new regulations emerging.
For example, the “Digital Financial Assets Bill” which sought to increase scrutiny over crypto companies in California, was recently vetoed by the state’s Governor in September 2022. This bill would have mandated crypto businesses and exchanges to obtain a special license from the California Department of Financial Protection and Innovation.
This proposed California legislation mirrors New York’s “BitLicense” requirement for virtual asset service providers, and these aren’t isolated instances. In December 2020, the Treasury Department proposed a rule requiring centralized exchange users transferring cryptocurrencies valued at $3,000 or more to a private wallet to disclose the wallet owner’s personal details.
Furthermore, for transactions exceeding $10,000 in a single day, exchanges would be obligated to gather and relay transaction details to FinCEN. The request from the government for KYC led the way for most of these other regulations. This, apart from other valid reasons, is why there is a dislike for KYC in the crypto community. KYC serves as a symbol indicating that many regulations are on the way.
The introduction of KYC and similar regulations threatens one of cryptocurrency’s defining features: transactional anonymity. With KYC in place, not only is this unique attribute at risk, but users also face potential threats to their personal data. There have been instances where centralized data repositories, containing user information, have been breached by hackers. Such breaches can lead to identity theft, further underscoring the community’s concerns.
Decentralized Identity as the Solution
The fear or dislike in the cryptocurrency industry for KYC can be justified if viewed from the user’s perspective. This is where decentralized identity comes in, as it is private, secure, and decentralized.
Decentralized Identity is an open-standards-based identity framework. It utilizes digital identifiers and verifiable credentials that are self-owned and independent, enabling trusted data exchange.
In simpler terms, decentralized identity is a growing technological solution that empowers users to control their online identity through the use of an identity wallet. Decentralized identity also gives users complete control over the amount of information they choose to share with the requesting service. This way, users can better manage the privacy of their identity online. For example, a user can prove to a third-party service provider that they graduated from a UK university without disclosing their graduating grade (first class; second class, upper division (2.1); second class, lower division (2.2); etc.). Another decentralized identity user can prove to a third-party app or website that he is 30 years old without revealing his actual date of birth.
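The age example above can be made concrete with salted-hash selective disclosure, one common way verifiable credentials hide unshared claims. This is an added illustration, not Identity.com's code: the claim names, sample values and key are constructed, and an HMAC stands in for the issuer's public-key signature so it runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC with a demo key stands in for the issuer's public-key
# signature so the example runs with the standard library only.
ISSUER_KEY = b"constructed-demo-key"

# Constructed sample claims; the issuer derives age_over_30 from the birthdate.
SAMPLE_CLAIMS = {"name": "Alex Example", "birthdate": "1994-02-11", "age_over_30": True}

def digest(salt, name, value):
    """Salted hash of one claim; the salt stops guessing of hidden values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign(digests):
    """Issuer signature over the digest list (HMAC stand-in, see above)."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: returns (signed credential of digests only, holder's disclosures)."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": sign(digests)}, disclosures

def present(credential, disclosures, reveal):
    """Holder: share the credential plus only the chosen claims."""
    return {"credential": credential,
            "revealed": {n: disclosures[n] for n in reveal}}

def verify(presentation):
    """Verifier: returns the verified claims, or None if anything fails."""
    cred = presentation["credential"]
    if not hmac.compare_digest(sign(cred["digests"]), cred["sig"]):
        return None  # digest list was altered after issuance
    verified = {}
    for name, (salt, value) in presentation["revealed"].items():
        if digest(salt, name, value) not in cred["digests"]:
            return None  # revealed value does not match what the issuer signed
        verified[name] = value
    return verified

if __name__ == "__main__":
    cred, disclosures = issue(SAMPLE_CLAIMS)
    shown = present(cred, disclosures, ["age_over_30"])
    print(verify(shown))
```

The verifier learns only that the issuer attested to the age claim; the name and birthdate appear in the presentation as salted digests that cannot be reversed or matched by guessing.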
Identity.com
This decentralized identity solution is one of the leading issues Identity.com has been working to solve. As members of the W3C and the DIF, Identity.com is building toward a secure, permissionless, and pseudonymous ecosystem. We give developers the toolkits they need to provide users with easy-to-verify, reusable and contextual digital identification that remains in their control.