In brief:
- The “Know Your Customer” (KYC) rule requires businesses to verify at onboarding that their customers, whether individuals or entities, are who they say they are, in order to assess the compliance risk each customer presents.
- For businesses, the KYC process is often known as “Know Your Business” (KYB). The KYB rule requires businesses to verify that other businesses they have as customers actually exist and are operating legitimately. This includes verifying the identity of the business, checking the entity is a registered business, and ensuring compliance with regulatory requirements such as sanction checks.
- The KYC rule in the US is composed of several related regulations, including FINRA rules 2090 (“Know Your Customer”) and 2111 (“Suitability”).
- Core parts of a KYC system include having a standardized Customer Identification Program (CIP), using Customer Due Diligence (CDD) to analyze client risk on multiple fronts, and monitoring clients on an ongoing basis in case their risk profile changes.
- Other best practices for complying with KYB and KYC rules include pulling data from multiple valid sources for CDD (and enhanced due diligence, or EDD, if necessary), having policies in place for when a KYB or KYC check fails, and automating parts of the process to reduce errors and save resources.
Several US laws and regulations – including the Bank Secrecy Act, the Patriot Act, and FINRA rules – require businesses to “know their customers”. So what does this specifically mean, and how do businesses follow the relevant requirements? We’ll answer both of these questions in this guide.
The first step in meeting KYC rules is knowing what they are and where they come from.
While the KYB process is critical at onboarding, it's important to ensure you conduct adequate KYB checks at every stage of the customer's lifecycle.
The Know Your Customer Rule is a legal and ethical obligation for financial institutions (FIs) to know and verify their clients’ identities. This is to ensure clients are truthfully representing themselves, are receiving services appropriate to their scenarios, and aren’t involved in illegal activity.
A separate but related concept is the Know Your Business Rule. This applies when a financial institution’s customer is a business instead of an individual person. In these cases, an FI’s responsibilities are the same: it has to ensure that the client business’s identity and operations are legitimate. But the information required is so specific to business customers that a distinct term was coined. Adequately knowing your business also requires verifying the identities of the business’s beneficial owners and confirming they aren’t involved in any unlawful behavior or subject to resulting sanctions.
The “KYC Rule” is actually a series of US federal laws and rules from US regulatory agencies (such as the Financial Industry Regulatory Authority, or FINRA). We’ll discuss some of the most relevant ones below.
FINRA Rule 2090: Know Your Customer
This is the primary FINRA “know your customer” rule. It states that any financial institution, when opening or maintaining a client’s account, has to exercise reasonable due diligence in determining and storing critical identifying information about the client.
In cases where the client is a business, this also includes information on any person authorized to deal with the financial institution on behalf of the business.
Information collected must be related to the following four purposes:
- Performing necessary functions regarding the client’s account
- Following any specific instructions for how the account is to be managed
- Understanding the authority of any person acting on behalf of the customer
- Complying with any other FINRA rules, as well as any applicable regulations and laws
FINRA Rule 2111: Suitability
This FINRA KYC rule states that financial institutions must give advice that serves a customer’s best interests, based on what the FI knows about their financial situation. That includes their age, tax status, investment experience, investment goals (including timelines for reaching them), risk tolerance (including liquidity needs), and any pre-existing investments.
In addition, financial institutions must have reasonable evidence that a customer – or a third party authorized by them – understands the advice being given to them. The customer or their representative must also show sufficient capability of evaluating the situation-specific pros and cons of acting on that advice.
These rules are meant to avoid financial institutions or employees taking advantage of their customers, or intentionally acting to the benefit of some customers at the expense of others. They’re also meant to prevent criminals from impersonating customers and acting in their own interests instead of the customer’s.
None of this can be achieved unless a financial institution knows essential facts about a customer, their financial situation, and their transaction activity. This lets an FI give a customer advice that fits their needs, while also being able to spot out-of-the-ordinary financial behavior for the customer that might be indicative of fraud.
NYSE Rule 405: Diligence as to Accounts
This was a rule from the New York Stock Exchange that was the precursor to FINRA’s current KYC rules. It required financial institutions to learn and document fundamental information regarding customers, transactions, and accounts they managed. In cases where businesses were customers, this also included gathering information on anyone authorized to manage an account on behalf of a business.
This information would be required to be given to an appropriate employee in the FI authorized to open an account for a customer. This would allow them to understand the customer’s financial situation and intentions in opening the account before choosing whether or not to give written approval for the account to be opened. It would also aid the FI in the mandatory monitoring of the accounts it managed for suspicious or illegal activity.
As of 2012, this rule is no longer in use, as its provisions are now by and large covered by the two rules above.
USA PATRIOT ACT Section 326: Verification of Identification
This is considered the “know your customer” rule in the USA PATRIOT Act. It establishes minimum standards for US financial institutions verifying their customers’ and partners’ identities, including mandating that each institution create a customer identification program (CIP). This program has to outline how an account is opened at a US bank, including what personally identifiable information (PII) will be collected from a customer in the process.
The CIP also has to explain how the financial institution will verify the identities of its customers, taking into account the risks particular to that FI. These could be associated with the FI’s account types, account opening procedures, scope of PII access, geographic location, clientele size, and average customer risk profile.
Middesk Verify ensures that you meet all KYB and KYC requirements by validating businesses you plan on starting a B2B relationship with.
“Know your business” and “know your customer” rules are very open-ended, which can make it difficult to know if you’re meeting the intent of the rule. So as a starting point, here are five suggestions on how to put together effective and compliant KYB and KYC programs.
1. Establish company-specific standard policies and procedures
At least in the US, KYB and KYC rules aren’t overly specific as to how each individual organization has to implement them – as long as they fulfill the basic intention. This means there’s a bit of wiggle room in how an organization sets up its KYB and KYC systems, in terms of how much risk it wants to tolerate or expects to encounter.
With that said, all organizations are required to have a written and documented CIP. It should outline things such as what information will be collected from individuals and businesses, as well as who will be in charge of compliance operations at the organization. In short, it should set standards for all employees to follow in terms of how the company runs its KYB and KYC processes.
2. Verify information across multiple valid sources
Often, a jurisdiction will have more than one credible source of information on a person or business. So it can be useful to look for a customer’s details in more than one of these places. This can help to reveal and resolve discrepancies if some of the information happens to be incorrect or outdated.
3. Employ ongoing monitoring to adapt to changing circumstances
KYB & KYC aren’t one-time processes done when onboarding new customers. Especially in KYB, when dealing with companies owned and/or run by multiple people (and, sometimes, in multiple places), relationships tend to change frequently.
For example, the company could hire, let go of, promote, or demote employees, shifting its corporate structure and who has authority over management. Purchases or sales of stocks in the company can change who is a beneficial owner and who is not. Both of these situations can turn someone into a politically exposed person (PEP) who requires enhanced due diligence. Or the company could begin operating in a high-risk jurisdiction.
All of these scenarios can modify the amount of risk a person or company presents as a customer or partner. An organization should be aware of these transitions in case it needs to adjust how closely it monitors an associated party, or needs to make a decision on whether to continue the business relationship altogether. So KYB and KYC should be continual processes, ideally tracking changes in real time.
4. Have a plan in place for how to handle failed checks
Hopefully, most customers won’t pose any problems in terms of identity verification and authentication. But occasionally, a customer may have identity credentials that appear suspicious or are otherwise beyond an organization’s risk tolerance. So the organization needs to have, as part of its standard KYB and KYC policies, a plan for if this situation comes up.
For example, what are the procedures for conducting enhanced due diligence (EDD)? If the customer has already been onboarded, are they not allowed to use their account – or allowed to use it only in a limited capacity – while the KYB/KYC process finishes? At what point does the organization decide to deny or terminate the business relationship with the customer? The organization must take applicable laws and regulations, as well as its own risk profile and tolerance, into account when making these decisions.
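Steps 2 through 4 above describe a loop that can be written down concretely: pull the same business record from several sources, flag fields where the sources disagree after normalization, and apply a written policy to the outcome (approve, restrict the account pending enhanced due diligence, or deny), then re-run the same decision whenever a monitored fact changes. The following is an added example written for this guide; it is not Middesk's code or any regulator's logic. The source names, field layout, suffix list, sample records and the thresholds in the decision rules are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Corporate suffixes ignored when comparing legal names across sources (assumed list).
SUFFIXES = {"inc", "llc", "ltd", "corp", "corporation", "co", "company"}


def normalize_name(value: str) -> str:
    """Fold case, drop punctuation and corporate suffixes so that
    'Acme Widgets, Inc.' and 'ACME WIDGETS INC' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", value.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def normalize_text(value: str) -> str:
    """Generic normalizer: lower-case, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", value.lower()).split())


def normalize_ein(value: str) -> str:
    """Keep digits only, so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"\D", "", value)


NORMALIZERS = {"name": normalize_name, "ein": normalize_ein}


def find_discrepancies(records: dict) -> dict:
    """records maps source name -> {field: raw value}.
    Returns {field: {source: raw value}} for every field on which the
    normalized values reported by different sources disagree."""
    fields = set().union(*(r.keys() for r in records.values()))
    out = {}
    for f in sorted(fields):
        norm = NORMALIZERS.get(f, normalize_text)
        present = {src: rec[f] for src, rec in records.items() if f in rec}
        if len({norm(v) for v in present.values()}) > 1:
            out[f] = present
    return out


@dataclass
class Decision:
    action: str          # "approve", "edd" (enhanced due diligence) or "deny"
    account_state: str   # "unrestricted", "restricted" or "closed"
    reasons: list


def decide(records: dict, sanctions_hit: bool, pep_owner: bool) -> Decision:
    """Apply a written failed-check policy to one verification snapshot.
    The rules below are assumptions for illustration, not regulatory values."""
    reasons = []
    discrepancies = find_discrepancies(records)

    # Hard stops: a sanctions match, or every source reporting a non-active entity.
    statuses = {normalize_text(r["status"]) for r in records.values() if "status" in r}
    if sanctions_hit:
        reasons.append("sanctions screening hit")
    if statuses and "active" not in statuses:
        reasons.append("no source reports the entity as active")
    if reasons:
        return Decision("deny", "closed", reasons)

    # Identity not confirmed: registry identifier, legal name or status disagree,
    # or a beneficial owner is a PEP. Account stays usable only in a limited
    # capacity while EDD completes.
    for f in ("ein", "name"):
        if f in discrepancies:
            reasons.append(f"{f} differs across sources: {discrepancies[f]}")
    if len(statuses) > 1:
        reasons.append(f"registration status differs across sources: {sorted(statuses)}")
    if pep_owner:
        reasons.append("beneficial owner is a politically exposed person")
    if reasons:
        return Decision("edd", "restricted", reasons)

    # Remaining mismatches (typically an outdated address) are recorded, not blocking.
    for f, values in discrepancies.items():
        reasons.append(f"minor mismatch on {f}, recorded for review: {values}")
    return Decision("approve", "unrestricted", reasons)


# Constructed sample records from three assumed sources; not a real business.
SAMPLE = {
    "state_registry": {"name": "Acme Widgets, Inc.", "ein": "12-3456789",
                       "address": "100 Main St, Springfield", "status": "Active"},
    "tax_authority":  {"name": "ACME WIDGETS INC", "ein": "123456789",
                       "address": "100 Main Street, Springfield", "status": "active"},
    "credit_bureau":  {"name": "Acme Widgets Inc", "ein": "123456789",
                       "address": "200 Oak Ave, Springfield"},
}

if __name__ == "__main__":
    print(decide(SAMPLE, sanctions_hit=False, pep_owner=False))
    # Ongoing monitoring (step 3): re-run the same decision on the new snapshot,
    # e.g. after a share purchase makes a politically exposed person a beneficial owner.
    print(decide(SAMPLE, sanctions_hit=False, pep_owner=True))
```

The design point is that the policy lives in one function that takes a snapshot and returns both a decision and the reasons behind it, so the same code serves onboarding (step 2), re-evaluation when monitored facts change (step 3), and the documented failed-check path (step 4); the reasons list is what a reviewer would file alongside the decision.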
5. Automate checks to save time & money, and reduce errors
Meeting KYB & KYC rules and regulations is difficult – if not impossible – using manual processes alone. Manual work is not only time-consuming and expensive, but also introduces a greater possibility of human error. The latter can cost an organization even more time and money if it causes the organization to inadvertently work with a dishonest customer, or to lose a legitimate client who was accidentally flagged as too risky.
Investing in automated KYB and KYC processes provides many benefits. For instance, information on a (prospective) customer can be checked from multiple credible sources in just a few seconds. In addition, data science and machine learning techniques pose less risk of important data being overlooked, improperly copied, or incorrectly rewritten.
Middesk's Business Verification solution provides an easy way to automate KYB compliance. It checks several official US business data sources at once to provide the information needed for business identity verification. That includes beneficial ownership, PEPs, and whether the business is in a restricted industry, involved in litigation, or appears (itself or through associated people) on a sanctions list.
If you’d like to see what it can do for your organization, schedule a demo with our sales team today.