Know your customer or know your client (KYC) underpins many of our financial institutions today. From traditional banks, credit unions and private lenders to the nascent cryptocurrency space and fintech applications, a certain amount of information must be collected from an individual to confirm their identity prior to opening an account. Financial institutions taking a risk-based approach to their business place an emphasis on KYC compliance for a reason: thorough knowledge of a customer base helps mitigate concerns around accounts being used to facilitate illegal and/or terrorist activity, both of which thrive in anonymous environments where adherence to KYC protocol is lacking.
Financial institutions are required by federal law to adhere to KYC requirements of increasing complexity as part of their due diligence when assessing customer risk and verifying their identity. In simple terms: is the customer who they claim to be? The credentials verified as part of the KYC process include, but are not limited to:
- Identification verification (examples include driver’s license, state identification, voter identification card)
- Proof of address/residency (examples include driver’s license, utility bill, credit card statement)
- Biometric verification (fingerprinting, iris recognition/scanning)
- Face verification (photograph/selfies)
KYC typically has three elements, composed of a Customer Identification Program (CIP), Customer Due Diligence (CDD) and continuous monitoring of a customer. To comply with CIP, an institution will request identification verification to certify the customer’s identity. For CDD, an assessment is done on a customer’s risk level, including reviewing the types of potential transactions the customer will make so any anomalies are readily apparent and can be acted upon swiftly. The level of CDD conducted may vary depending on the value of an account, with higher net worth or politically connected customers requiring more information. Finally, continuous monitoring is the ongoing monitoring that financial institutions conduct to identify any suspicious activity of an existing account.
KYC is its own requirement but works in tandem with broader federal Anti-Money Laundering (AML) laws. Compliance with these laws is a requirement of financial institutions and safeguards against customers engaging in illegal activity while using their services.
With the increase in mobile phone usage, new challenges have arisen for KYC. On mobile devices, photographic capture may take the form of a selfie, which may require liveness detection: confirmation that the picture came from a live person. Within biometrics, liveness detection is a system's way of ensuring a photograph or a fingerprint comes from a real person physically present at the point of capture, rather than from a replayed image, a printed photo or a copied print. Usually this includes technical features that can counter spoofing attacks on biometrics, such as silicone face masks or fingerprint molds. Financial institutions are tasked daily with remaining a step ahead of individuals determined to circumvent KYC protocols to perpetrate fraud.
The importance of knowing your customer, and of preventing the fraud committed by evading these requirements, is an international concern. Thus, the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) have released a joint standard, ISO/IEC 30107-1 Information Technology – Biometric Presentation Attack Detection, as a framework for specifying and identifying presentation attack detection (PAD). This standard covers anti-spoofing and liveness detection techniques to address some of the challenges around the world related to biometric PAD. While this standard does not advocate a specific method of PAD, it does describe the types of attacks that may occur at the sensor when collecting biometric data, which is what a practitioner should use to decide which presentation attack instruments a given liveness check must be tested against. Additionally, NIST (National Institute of Standards and Technology) published Special Publication 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing, to provide federal agencies specific technical requirements for identity proofing and enrollment when verifying an individual's identity.
Compliance with KYC regulations has increased in complexity as institutions endeavor to remain a step ahead of those intent on committing illegal financial activities. A risk-based approach to KYC will ultimately keep both financial institutions and their customers safer from fraud.