What do insurance companies, real estate agents, car dealerships, accountants, auction houses and banks have in common? Well probably a lot, but for the purpose of this blog we’ll just highlight that they are all well known channels for criminals to launder money.
As such, companies in these industries are obligated by law to perform a risk assessment and have anti money laundering (AML) processes in place to try to minimise the likelihood that their operations are used to launder money and/or finance terrorism (also known as AML-CTF). One of the processes they must have is called Know Your Customer, or KYC for short.
What is KYC?
The purpose of KYC is to gather information to ascertain whether your customer - new or existing - is legitimate. This is done for both customers that are individuals as well as companies, but in slightly different ways. KYC processes can be divided into three different parts which work together to provide a clear picture of the customer:
- Identity Verification
- Customer Due Diligence
- Ongoing monitoring
First, in order to know your customer, you have to be sure who exactly they are. This is typically done by having the customer provide some sort of official identification to verify that they are who they claim to be.
Different companies will have different processes for this and they depend greatly on the inherent risk of that company's operations. A bank with many different products, operating across several countries, will probably have a more stringent approach than a used car dealership in a small town where all of the customers are locals.
Companies that must comply with AML laws might also be required to collect a copy of the customer’s ID to prove that they have verified their identity.
Customer Due Diligence (CDD)
Once you’re sure who you’re dealing with, the next step is to assess the overall risk they pose as a customer. Again, this will vary among companies but can consist of sending customers questionnaires to collect information such as:
- Their nationality / country of business
- Whether they’re politically exposed (PEP) (are they or have they themselves or someone close to them been heads of state, ministers, members of parliament, judges, foreign ambassadors or in other similar roles)
- The purpose of business (a.k.a. what are they buying from you)
- The origin of funds (a.k.a. where did they get the money they will be using in the transaction)
- Whether they’re conducting business on behalf of a third party
Once this information has been gathered it’s important to verify it, for instance: by checking if they are on any public lists for PEPs or if their country of origin is on a list of high risk countries (which might for instance indicate that financial monitoring in their country is not sufficient).
This is also a good time to collect further information such as checking if the individual or company is on any sanctions list. Once all the data has been gathered, it should be closely examined for any red flags. Are there any discrepancies or does something simply not make sense?
Finally, it’s time to assess the overall risk of the customer and see how it fits into the company's risk tolerance (just because a customer poses a high risk, doesn’t automatically mean they can’t be customers, but some extra mitigation may be required).
Lastly, KYC is not a one-and-done kind of thing. An individual that posed little risk 6 months ago might have a vastly different risk profile today, since they started dealing drugs. Therefore, it’s super important to have ongoing monitoring of customers.
Monitor if they suddenly become politically exposed, if they appear on sanctions lists, if their transactions with your company start showing increased flow of money without any logical reason, or if they routinely have transactions that are just below the reporting threshold.
A good rule of thumb is to have the CDD interval match the risk score, but another good rule is to do random audits of customers outside of the regular intervals. People that are involved in money laundering typically try to present themselves as low risk, so if you don’t look at them for a long period of time between CDD intervals, this could give them ample time to abuse your operations to their advantage.
How can Taktikal help?
So glad you asked! Taktikal has been helping companies in various industries that need to comply with AML to set up their KYC processes. Taktikal offers:
- Customer Due Diligence Questionnaires
- PEP lookups in databases with more than 1.4 million profiles (that comply with the requirements of AML5, FATF, UNCAC, JMLSG, UK/FCA and Wolfsberg Group)
- Lookup in various Sanctions databases (OFAC, UN, HM Treasury, EU and more. See full list here)
- Adverse Media Relations checks
- ID verification service (with more than 11K covered IDs in over 230 countries) that provide copies of IDs with each verification.
All of Taktikal’s solutions have been designed with the end user experience in mind and to support companies complying with AML laws.
So how can you build a successful KYC risk programme? Think of it like putting a cat on a diet - if the cat keeps getting fatter even though you're measuring all their food - there’s a good chance the cat is eating something you’re not noticing. Maybe it’s your houseplants, maybe it’s the dog’s food. In any case - something smells fishy, and needs further investigation.