PART FOUR: COMPLIANCE INFRASTRUCTURE
Chapter 14

KYC: Know Your Customer


Know Your Customer is the foundational principle of AML compliance. You cannot comply with AML/BSA requirements if you don't know who your customers are and can't identify them. You also can't understand their behavior, can't assess their risk, and can't identify when their activity becomes suspicious. KYC consists of two regulatory frameworks: Customer Identification Program (CIP) and Customer Due Diligence (CDD). Understanding the distinction and implementing both correctly is essential.

I've spent more time dealing with KYC failures than any other compliance issue in money transmission. A company with weak CIP has customers whose identity is uncertain. A company with weak CDD onboards customers and then never understands what they're doing. Both create AML vulnerabilities and regulatory violations. Yet KYC is perceived by many operators as a compliance obstacle that slows customer onboarding. It is that, but it's also your first line of defense against your business being used for money laundering.

CIP (Customer Identification Program) Requirements

CIP is the federal requirement to identify customers. It's not optional, it's not discretionary, and it applies to every money transmitter. CIP is detailed in 31 CFR 1020.210, which is the federal regulation for money transmitters. Every state that licenses money transmitters also incorporates CIP into its requirements, sometimes with state-specific additions.

The basic CIP requirements are to collect and verify customer identity information. For an individual customer, CIP requires:
- Full name
- Date of birth
- Address (current residence)
- Government-issued identification number (Social Security Number for US customers; passport or other government ID for non-US customers)

For a business customer, CIP requires:
- Business name
- Business address
- Employer Identification Number (EIN) or other tax identification number
- Principal officers' names and identification

CIP applies when opening a customer account. In money transmission, "opening an account" can mean different things. For a traditional remittance company, it means when a customer comes in and wants to send money. For a platform or app-based company, it means when a customer creates an account. For a money transmitter that processes B2B transactions, it means when a business customer begins using the service.

The distinction between documentary and non-documentary verification is critical. Documentary verification means you verify identity using a government-issued document (a passport, driver's license, or state ID) that you review in person or that you review through a digital identity verification service. Non-documentary verification means you verify identity through other methods, such as a credit report or a check of databases that contain identity information.

For in-person transactions, documentary verification is the standard. You ask the customer for a driver's license, you check that the name, date of birth, and address on the license match what the customer told you, and you record the information. For remote transactions (online), non-documentary verification is common. You use a service that checks the customer's information against databases (credit bureaus, public records) and returns a match or no-match result.

The federal regulations don't mandate a specific process as long as the company verifies identity and confirms that the customer is not on OFAC sanctions lists. Different states add requirements. New York requires documentary verification for in-person transactions. California allows non-documentary verification if the company uses adequate identity verification services.

If CIP verification fails—the customer doesn't match records, or the customer can't be verified—you must refuse to open the account. You cannot use CIP as a loose guideline that applies most of the time. It applies every time. A customer who can't be verified cannot do business with you.

I've seen operators try to work around this. A customer comes in and can't produce identification. The operator knows the customer (it's someone from the neighborhood) and makes an exception. That's a violation. The exception is sympathetic but impermissible. You either have a verification or you don't.

CIP also requires that you have a process to reasonably ensure that the information you're relying on to verify identity is reliable. This sounds abstract but it's important. If you're relying on a passport as identification, you need confidence that the passport is genuine. For many operators, this means using a third-party identity verification service that has processes to confirm document authenticity. If you're reviewing documents in-person, you need to train staff on what a genuine ID looks like and what a forged ID looks like. You need a procedure for handling customers whose identity documents appear questionable.

CIP and beneficial ownership identification are separate. For business customers, CIP requires identification of principal officers. Beneficial ownership rules (which came later under the Corporate Transparency Act) require identification of beneficial owners. A beneficial owner is someone who owns 25 percent or more of the business, or someone who exercises substantial control over the business. These requirements overlap but are not identical. An officer of a corporation might not be a beneficial owner. A shareholder who owns 30 percent and never comes to the office is a beneficial owner.

CDD (Customer Due Diligence) Requirements

CDD is the requirement to gather and understand information about customers to assess their risk and to ensure you're not facilitating money laundering. CDD goes beyond identification—it's about understanding who the customer is, what they do, and what they intend to do with your service.

Federal CDD requirements (31 CFR 1020.210) require that you gather information about the customer sufficient to understand the nature and purpose of customer accounts and the customer's anticipated transaction activity. For individual customers, this typically means:
- Understanding their occupation or business
- Understanding the source of the funds they'll be sending
- Understanding the purpose of the transfers (personal, business, charitable)
- Identifying the intended recipients and understanding the relationship to the customer

For business customers, this means:
- Understanding the nature of the business
- Identifying the beneficial owners
- Understanding the customer's expected transaction volume and patterns
- Understanding the customer's customer base and transaction flow

CDD also requires that you verify the information you gather, to the extent possible. You can't just accept what a customer tells you; you should verify key facts. If a customer says they work for Company X, you should at least confirm that Company X exists and that the customer's job title is plausible. If a customer says they're sending money to their brother in country Y, you should verify the relationship if possible.

Enhanced Due Diligence (EDD) is a more intensive version of CDD that applies to high-risk customers. EDD is required for customers in high-risk jurisdictions, customers in high-risk industries, customers with PEP (Politically Exposed Person) status, and customers whose activity is inconsistent with their profile. EDD means more intensive verification, ongoing monitoring of activity, and explicit documentation of why the customer is deemed high-risk and how that risk is managed.

I worked with a money transmitter that had a customer who identified herself as a homemaker but was sending $100,000 per month to a company in a high-risk jurisdiction. CDD would have identified the inconsistency. Enhanced due diligence would have required the company to either get more information about the source of funds and the purpose of transfers, or to refuse the customer. The company did neither. When the regulator reviewed the account during examination, it was flagged as a major deficiency. The company couldn't explain the activity, couldn't justify the customer, and faced a compliance finding.

The distinction between CIP and CDD is sometimes blurry because they happen around the same time. CIP is about confirming identity. CDD is about understanding the customer's risk profile and transaction patterns. CIP without CDD means you know who the customer is but don't understand what they're doing. CDD without CIP means you understand their activity but can't confirm their identity. Both are required.

EDD Triggers and When Enhanced Diligence is Required

Enhanced Due Diligence is required in specific circumstances. Federal regulations identify some EDD triggers, and states add others.

A customer in a high-risk jurisdiction is an automatic EDD trigger. High-risk jurisdictions are typically identified by FATF (Financial Action Task Force), FinCEN, or the State Department as having deficient AML controls or as being sources of corruption or terrorist financing. Currently, this includes countries like Afghanistan, North Korea, and a few others. But "high-risk" is sometimes subjective. A regulator might consider Iraq, Yemen, or Syria high-risk based on political instability, even if they're not on an official list. The safest approach is to define high-risk jurisdictions in your AML policy and err on the side of caution.

A customer in a high-risk industry is an EDD trigger. High-risk industries in the context of money transmission include casinos, check cashing, currency exchange, import-export, precious metals dealing, and real estate. The rationale is that these industries are more susceptible to money laundering.

A customer with PEP status is an EDD trigger. A PEP is a foreign political figure, family member of a foreign political figure, or person closely associated with a foreign political figure. US politicians are not PEPs for AML purposes (there's a different regulatory regime for that). But a mayor of a Chinese city, a member of parliament in Germany, or a Russian oligarch with close ties to government would all be PEPs.

A customer whose activity is unusual or inconsistent with their profile is an EDD trigger. A customer who identified themselves as receiving small monthly payments from family but suddenly receives a $500,000 wire transfer. A customer who normally sends $1,000 per month to one country and suddenly opens accounts sending $50,000 to five countries. This inconsistency requires explanation.

A customer with no discernible legitimate purpose for using the service is an EDD trigger. A customer who opens an account but never provides clear information about what they intend to do. A customer who is vague about their occupation or the source of funds.

A customer who is a shell company or otherwise appears to be a vehicle for obscuring beneficial ownership is an EDD trigger. This is relevant for business customers or accounts opened by legal entities with unclear ownership.

EDD means you need to:
- Conduct more intensive background investigation
- Verify information more thoroughly
- Document the customer's source of wealth and source of funds
- Understand the legitimate business purpose for using your service
- Implement enhanced transaction monitoring
- Update monitoring more frequently
- Document your assessment that the risk can be managed, or refuse the customer

EDD is not a barrier to onboarding a customer; it's a barrier to onboarding a customer without understanding their risk. If you conduct EDD and determine that you cannot mitigate the risk, you should decline the customer. That's a legitimate business decision, and it's required by your AML policy.

Documentary vs. Non-Documentary Verification

The method of verifying identity matters, and different jurisdictions have different standards.

Documentary verification means you review a government-issued document. For individuals, this is typically a passport or driver's license. For in-person transactions, you physically examine the document. You check that:
- The document appears genuine (color, security features, no signs of tampering)
- The name on the document matches the customer's claimed name
- The date of birth on the document matches the customer's claimed date of birth
- The address on the document is current (not outdated by years)
- The photo on the document matches the customer (for photo IDs)

For remote (online) transactions, you can't examine a document in person. Instead, you either:
- Request the customer to upload a photo of the document, which you review
- Use a third-party service that uses AI/image analysis to verify document authenticity and match the document to the customer's image
- Request a certified copy of the document

Documentary verification is more reliable than non-documentary verification. If you physically examine a government-issued document and confirm the customer's identity, you have strong confidence in that identity.

Non-documentary verification means you verify identity through other means. This typically includes:
- A credit report check
- A database search of public records
- A check against multiple identity verification databases
- Knowledge-based questions (questions about the customer's history that only they should know)

Non-documentary verification is common for online financial services because collecting documents from every customer is impractical. Many companies use a combination of non-documentary verification and fraud detection (if the account engages in suspicious activity, they request documentary verification before allowing withdrawals).

Federal regulations allow non-documentary verification provided that the company uses "a combination of methods and information that is sufficient to form a reasonable belief" about the customer's identity. What's sufficient depends on the risk. For a low-risk domestic customer with a long history and low transaction volume, non-documentary verification might be sufficient. For a high-risk customer or a customer requesting immediate access to funds, documentary verification is more appropriate.

States vary. New York tends to prefer documentary verification. California is more flexible on non-documentary methods if a reputable third-party identity verification service is used. Texas is in the middle.

The risk of relying solely on non-documentary verification is that the identity can be spoofed or falsified. The data that databases rely on can be fraudulent. A credit report check confirms that someone's credit history exists but doesn't confirm that the person requesting verification is actually the person whose credit history is being checked.

My recommendation is to start with non-documentary verification for lower-risk customer segments and require documentary verification for higher-risk customers or for customers requesting larger transactions or faster access to funds.

Beneficial Ownership Identification

The Corporate Transparency Act (CTA), passed in 2020, requires identification of beneficial owners of legal entities. This is separate from CIP but related.

A beneficial owner is someone who owns 25 percent or more of the business, or anyone who exercises substantial control over the business. For a typical business, this includes majority shareholders and members, C-suite executives with control authority, and board members.

The CTA requires that you collect beneficial ownership information for business customers. You need to identify:
- Each individual who owns 25 percent or more
- Any individual who exercises control over the company (CEO, CFO, board chairman, managing director)

For each beneficial owner, you need to collect:
- Name
- Date of birth
- Address
- Government-issued ID number

You also need to verify beneficial ownership information.

The tension here is that beneficial ownership information is often private and difficult to verify. A shareholder who owns 30 percent of a private company might not want to disclose their ownership. A board member in a private company might not want their identity shared. But the CTA is a federal requirement, and money transmitters must comply.

In practice, compliance with beneficial ownership rules means:
- When you onboard a business customer, you collect information about the company's structure
- You request disclosure of beneficial owners
- You conduct reasonable inquiry to verify beneficial ownership
- You document the beneficial owners in your account files

If a business customer refuses to disclose beneficial owners, that's a refusal to comply with your customer due diligence requirements. That should result in account closure.

Ongoing Monitoring Obligations

CIP and CDD are initial steps when you onboard a customer. Ongoing monitoring is the requirement to monitor customer activity to ensure it remains consistent with what you know about the customer and to detect suspicious activity.

Ongoing monitoring means:
- Reviewing transaction patterns to ensure they're consistent with the customer's profile
- Flagging transactions that deviate from the pattern
- Identifying changes in customer behavior or activity that might indicate changing risk
- Detecting transactions that match sanctions lists or involve high-risk jurisdictions
- Updating customer information periodically to ensure records remain current

For many money transmitters, ongoing monitoring is implemented through transaction monitoring systems that analyze every transaction against the customer's profile and against predefined rules. I'll address transaction monitoring in detail in Chapter 15.

For smaller operators or those without sophisticated systems, ongoing monitoring might be manual—the compliance officer or a staff member periodically reviews customer files and activity to ensure consistency.

Ongoing monitoring has a specific frequency. For many companies, it's quarterly or semi-annually. For high-risk customers, it's more frequent (monthly or more often). For lower-risk customers, it can be less frequent (annually).

The point of ongoing monitoring is to catch changes. A customer who switches from sending $1,000 per month to sending $10,000 per month is a change. A customer who receives funds from a new source or starts sending to a new country is a change. These changes don't necessarily indicate suspicious activity, but they should trigger a reassessment of the customer's risk profile.
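The following is an added example (not code from the book or from any vendor platform) that turns the EDD triggers listed earlier in this chapter and the ongoing-monitoring changes described here into one reassessment check run over a constructed customer profile and transaction history. The jurisdiction and industry lists, the 5x volume factor, and the profile fields are assumptions standing in for what your own AML policy would define.

```python
"""Customer risk reassessment against the CDD profile (added illustration).

Evaluates the chapter's EDD triggers (high-risk jurisdiction, high-risk industry,
PEP status, no discernible purpose, activity inconsistent with profile) and its
ongoing-monitoring changes (volume jump, new destination, new source of funds).
Lists and thresholds below are assumptions that belong in the firm's AML policy.
"""
from collections import defaultdict
from dataclasses import dataclass

HIGH_RISK_JURISDICTIONS = {"AF", "KP"}          # assumed policy list (ISO codes)
HIGH_RISK_INDUSTRIES = {"casino", "check cashing", "currency exchange",
                        "import-export", "precious metals", "real estate"}
VOLUME_JUMP_FACTOR = 5.0                         # assumption: >5x expected/baseline volume

@dataclass
class Profile:                  # what CDD recorded at onboarding
    customer_id: str
    residence: str              # ISO country code
    industry: str
    is_pep: bool
    stated_purpose: str         # "" when the customer was vague
    expected_monthly_usd: float
    expected_destinations: frozenset
    expected_sources: frozenset

@dataclass
class Txn:
    month: str                  # "YYYY-MM"
    amount_usd: float
    destination: str
    source: str                 # declared source of funds for this transfer

def monthly_totals(txns):
    totals = defaultdict(float)
    for t in txns:
        totals[t.month] += t.amount_usd
    return dict(totals)

def assess(profile, history, current):
    """Return the triggers for this month. `history` = prior months (baseline),
    `current` = this month's transactions."""
    triggers = []
    cur_total = sum(t.amount_usd for t in current)
    cur_dest = {t.destination for t in current}
    cur_src = {t.source for t in current}
    # Static EDD triggers taken straight from the CDD profile
    if profile.residence in HIGH_RISK_JURISDICTIONS:
        triggers.append("high_risk_jurisdiction_residence")
    if profile.industry in HIGH_RISK_INDUSTRIES:
        triggers.append("high_risk_industry")
    if profile.is_pep:
        triggers.append("pep")
    if not profile.stated_purpose.strip():
        triggers.append("no_discernible_purpose")
    # Activity vs. stated profile (EDD) and vs. observed baseline (monitoring)
    if cur_total > VOLUME_JUMP_FACTOR * profile.expected_monthly_usd:
        triggers.append("volume_inconsistent_with_profile")
    base = monthly_totals(history)
    if base and cur_total > VOLUME_JUMP_FACTOR * (sum(base.values()) / len(base)):
        triggers.append("volume_jump_vs_baseline")
    if cur_dest & HIGH_RISK_JURISDICTIONS:
        triggers.append("high_risk_destination")
    if cur_dest - profile.expected_destinations:
        triggers.append("new_destination_country")
    if cur_src - profile.expected_sources:
        triggers.append("new_source_of_funds")
    return triggers

# Constructed sample: declared $1,000/month to one country, then a month with
# $10,000 split across the declared country and a new one from a new source.
SAMPLE_PROFILE = Profile("C-1001", "US", "homemaker", False, "family support",
                         1000.0, frozenset({"MX"}), frozenset({"spouse salary"}))
SAMPLE_HISTORY = [Txn(f"2024-0{m}", 1000.0, "MX", "spouse salary") for m in range(1, 4)]
SAMPLE_CURRENT = [Txn("2024-04", 6000.0, "MX", "spouse salary"),
                  Txn("2024-04", 4000.0, "PH", "business revenue")]

def demo():
    return assess(SAMPLE_PROFILE, SAMPLE_HISTORY, SAMPLE_CURRENT)

if __name__ == "__main__":
    print(demo())
```

Every trigger returned is a reason to reassess the risk profile, not a finding of suspicious activity in itself, which is the distinction the paragraph above draws.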

Technology Solutions for KYC

KYC is increasingly automated. There are third-party platforms that can manage much of KYC—collecting customer information, verifying identity, capturing beneficial ownership information, and monitoring for sanctions.

The main platforms used by money transmitters include services from companies like IDology, Socure, Jumio, Veriff, and others. These platforms have built-in connections to identity databases, credit bureaus, and sanctions lists. They can verify identity, flag potential matches to sanctions lists, and capture required information from customers.

Using a third-party KYC platform doesn't relieve you of responsibility. You're still responsible for verifying customer identity and ensuring that KYC requirements are met. But you can outsource the mechanics of verification to a company with specialized expertise.

The cost of third-party KYC platforms ranges from a few dollars per customer for basic identity verification to significantly more for enhanced services (ongoing monitoring, beneficial ownership verification, PEP screening).

For companies with low customer volumes or highly variable customer bases (a company that onboards thousands of diverse customers per year), a third-party platform is often more efficient than building internal KYC processes. For companies with consistent, known customer bases, internal processes might be more efficient.

The key decision is whether to use a platform or build in-house. If you use a platform, ensure it meets the specific requirements of your business model and the jurisdictions where you operate. If you build in-house, ensure the process is documented, consistent, and verifiable.

KYC for Different Customer Types

KYC procedures vary depending on the customer type. Money transmitters deal with different customer types, and each requires a slightly different approach.

For individual customers sending money, CIP and CDD are straightforward. You collect name, date of birth, address, and ID number. You understand their occupation and the purpose of the transfer. You're done.

For individual customers receiving money, the process is similar but sometimes simpler. You need to identify the recipient and confirm they can accept the funds. In some cases, you might not have a full relationship with the recipient—the sender provides the recipient's information. In those cases, you need at least basic identification of the recipient and need to screen the recipient against sanctions lists.

For business customers, KYC is more complex. You need to identify the business, the owners and operators, and the beneficial owners. You need to understand what the business does, who its customers are, and what transactions it expects to conduct. For a business that's a subsidiary or branch of a larger company, you need to understand the parent company's business and the relationship between the subsidiary and parent.

For agents (a company that acts as your agent for customer-facing transactions), you need to verify the agent's identity, understand the agent's business model, and verify that the agent is conducting proper KYC on end customers. Many money transmitters fail at this. They properly verify agents but don't verify that agents are actually conducting KYC on end customers. When regulators examine agents, they often find weak KYC. The main operator is responsible for agents' compliance.

For corporate customers with complex ownership (private equity holdings, multiple tiers of ownership), beneficial ownership identification can be challenging. You need to drill down to identify ultimate beneficial owners, not just the immediate parent company.
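An added example (not from the book) of the drill-down this paragraph describes: it walks a constructed multi-tier ownership graph from the customer entity down to natural persons, multiplies ownership fractions across each tier, applies the 25 percent threshold from this chapter, lists individuals with substantial control separately, and reports any share that never resolves to a named individual. The entity names and percentages are constructed.

```python
"""Ultimate beneficial owner (UBO) drill-down through tiered ownership (added example)."""
from dataclasses import dataclass, field

UBO_THRESHOLD = 0.25  # 25 percent or more, as stated in the chapter

@dataclass
class Entity:
    name: str
    is_person: bool = False
    owners: dict = field(default_factory=dict)        # owner name -> fraction held (0.0-1.0)
    controllers: set = field(default_factory=set)     # individuals with substantial control

def effective_ownership(graph, root):
    """Map each natural person to the fraction of `root` they hold, directly or indirectly."""
    result = {}

    def walk(entity_name, fraction, path):
        if entity_name in path:
            raise ValueError(f"circular ownership through {entity_name}")  # needs manual review
        entity = graph[entity_name]
        if entity.is_person:
            result[entity_name] = result.get(entity_name, 0.0) + fraction
            return
        for owner, share in entity.owners.items():
            walk(owner, fraction * share, path | {entity_name})

    walk(root, 1.0, frozenset())
    return result

def identify_beneficial_owners(graph, root):
    """Ownership-prong UBOs (>= 25% effective), control-prong UBOs, and the
    undisclosed share that does not resolve to any individual."""
    eff = effective_ownership(graph, root)
    by_ownership = {p: round(f, 4) for p, f in eff.items() if f >= UBO_THRESHOLD - 1e-9}
    unresolved = round(1.0 - sum(eff.values()), 4)
    return {"ownership": by_ownership,
            "control": sorted(graph[root].controllers),
            "unresolved": unresolved}

# Constructed sample: the customer's immediate parent is split 50/50, but after
# drilling through a fund with an undisclosed 20% slice, one "50%" owner ends up
# at 24% while a direct 30% holder and a second-tier holder both qualify.
SAMPLE_GRAPH = {e.name: e for e in [
    Entity("Acme Remit LLC", owners={"Acme Holdings Inc": 0.6, "Alice": 0.3, "Bob": 0.1},
           controllers={"Erin"}),                       # Erin is CEO, owns nothing
    Entity("Acme Holdings Inc", owners={"Carol": 0.5, "PE Fund LP": 0.5}),
    Entity("PE Fund LP", owners={"Dave": 0.8}),         # remaining 20% not disclosed
    Entity("Alice", is_person=True), Entity("Bob", is_person=True),
    Entity("Carol", is_person=True), Entity("Dave", is_person=True),
    Entity("Erin", is_person=True),
]}

def demo():
    return identify_beneficial_owners(SAMPLE_GRAPH, "Acme Remit LLC")

if __name__ == "__main__":
    print(demo())
```

A non-zero `unresolved` share is the signal that disclosure is incomplete, which the chapter treats as a refusal to meet CDD requirements.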

The Tension Between UX and Compliance

Here's the tension every money transmitter faces: customers hate KYC. Customers don't want to provide information, don't want to upload documents, and don't want to wait while you verify their identity. They want to send money immediately. But you're legally required to verify identity before accepting the transfer.

This creates a practical tension. The more stringent your KYC requirements, the more friction in your onboarding process. The more friction, the higher customer abandonment rates. But the less stringent your KYC requirements, the higher your compliance risk and your vulnerability to misuse.

The industry has responded by optimizing KYC for different customer segments. Domestic customers might be verified through non-documentary methods in minutes. International customers might face higher verification barriers. Repeat customers might have accelerated re-verification processes. Large transactions might require more intensive verification than small transactions.

Some money transmitters have figured out how to make KYC relatively frictionless by automating it and using user-friendly interfaces. Others have not. The companies that succeed are the ones that balance compliance with customer experience.

A company might collect required identity information through an automated intake form, verify identity in the background using third-party services, and inform the customer within minutes whether they're verified. If verification fails, the customer can provide additional information or documents. Most customers never notice the friction because the process is streamlined.

My recommendation is to view KYC as a competitive advantage, not an obstacle. Companies that can onboard customers quickly and reliably, with minimal friction, have an advantage over companies that have cumbersome KYC processes. Invest in streamlining your KYC processes, use technology to automate verification, and build a process that's both compliant and customer-friendly.

Practitioner's Bottom Line

KYC requires both customer identification (CIP) and customer due diligence (CDD). CIP means verifying identity through documentary or non-documentary methods; CDD means understanding the customer's risk profile and the purpose of their transactions. Enhanced due diligence applies to high-risk customers—those in high-risk jurisdictions, high-risk industries, with PEP status, or whose activity is inconsistent with their profile. Beneficial ownership identification is required for business customers. Ongoing monitoring ensures customer activity remains consistent with their profile. The challenge is balancing compliance with customer experience—streamlined KYC processes that are both compliant and efficient create competitive advantage.


Need Help Navigating Money Transmitter Licensing?

Faisal Khan has spent 15+ years solving the exact problems covered in this book. If you are building a payment company, seeking licensing, or need a trusted advisor — reach out.
