What is KYC and why does it matter?

A closer look at how Know Your Customer rules work—and how they impact the financial system

Recently, the government has been holding financial institutions to ever higher standards when it comes to “Know Your Customer” (KYC) laws—but established finance firms don't bear that burden alone.

KYC regulations have far-reaching implications for consumers, and are increasingly becoming critical issues for just about any institution that touches money (so, just about every business). So while banks are required to comply with KYC to limit fraud, they also pass down that requirement to those with whom they do business.

And with pretty good reason. The idea is that knowing your customers—verifying identities, making sure they’re real, confirming they’re not on any prohibited lists, and assessing their risk factors—can keep money laundering, terrorism financing, and more run-of-the-mill fraud schemes at bay. The key is finding a balance so that these efforts are effective without penalizing innocent consumers—or being so onerous that upstarts can’t comply with them (and hence can’t compete).

The ABCs of KYC

KYC laws were introduced in 2001 as part of the Patriot Act, which was passed after 9/11 to provide a variety of means to deter terrorist behavior.

The section of the Act that pertained specifically to financial transactions added requirements and enforcement policies to the Bank Secrecy Act of 1970 that had thus far regulated banks and other institutions. These changes had been in the works for years before 9/11, but the terrorist attacks finally provided the political momentum needed to enact them.

Thus, Title III of the Patriot Act requires financial institutions to satisfy two requirements to comply with the stricter KYC rules: the Customer Identification Program (CIP) and Customer Due Diligence (CDD).


CIP is the more straightforward of the two components, and likely more familiar.

To comply with CIP, a bank asks the customer for identifying information. Each bank conducts its own CIP process, so a customer may be asked for different information depending on the institution. An individual is generally asked for a driver’s license or a passport.
Information requested for a company might include:

  • Certified articles of incorporation
  • Government-issued business license
  • Partnership agreement
  • Trust instrument

For either a business or an individual, further verifying information might include:

  • Financial references
  • Information from a consumer reporting agency or public database
  • A financial statement

Nonetheless, every bank is required to verify its customers’ identities and make sure each person or business is real.


The second component, CDD, is more nuanced.

In conducting due diligence, banks aim to:

  • Predict the types of transactions a customer will make, in order to then be able to detect anomalous (or suspicious) behavior
  • Assign the customer a risk rating that will determine how much and how often the account is monitored
  • Identify customers whose risk is too great to do business with

Banks may ask the customer for a lot more information, which may include the source of funds, purpose of the account, occupation, financial statements, banking references, description of business operations, and others. There’s no standard procedure for conducting due diligence, which means banks are often left up to their own devices.

In fact, the Patriot Act doesn’t even directly specify a CDD requirement, but rather specifies that a bank is required to file a suspicious activity report if it suspects or has reason to suspect such activity. But without knowing much about its customers, a bank won’t be able to meet this requirement—hence the CDD.

The Financial Crimes Enforcement Network (FinCEN) regulates—and strictly imposes—this aspect of KYC. FinCEN also manages other regulators for banks, including the Fed’s Board of Governors, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency of the U.S. Treasury. Other financial institutions can be regulated by the SEC, the U.S. Treasury, the IRS, or the National Credit Union Administration, among others.

As a result of due diligence, a bank might flag certain risk factors like frequent wire transfers, international transactions, and interactions with off-shore financial centers. A “high-risk” account is then monitored more frequently, and the customer might be asked more often to explain his transactions or provide other information periodically.
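To make the due-diligence cycle described above concrete (build an expected transaction profile, rate the account from the risk factors listed, and monitor higher-risk accounts more often), here is a small Python sketch. It is an added example, not code from the article or from any bank or regulator: the customers, transactions, country codes, the list of off-shore centers, the scoring thresholds and the monitoring intervals are all constructed for illustration.

```python
"""Toy CDD-style account review (added example; all data and thresholds are
constructed, not taken from any regulation or real institution)."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed stand-in for an "off-shore financial center" list.
OFFSHORE_CENTERS = {"KY", "BM", "VG"}

# Constructed: how often (in days) an account at each rating gets reviewed.
MONITOR_INTERVAL_DAYS = {"low": 90, "medium": 30, "high": 7}


@dataclass(frozen=True)
class Txn:
    amount: float
    kind: str      # e.g. "ach", "wire", "card"
    country: str   # counterparty country, two-letter code (constructed)


def risk_rating(txns):
    """Score the risk factors the article names: frequent wire transfers,
    international transactions, and contact with off-shore centers.
    Thresholds are constructed. Returns (rating, factor details)."""
    n = len(txns)
    if n == 0:
        return "low", {}
    wire_share = sum(t.kind == "wire" for t in txns) / n
    intl_share = sum(t.country != "US" for t in txns) / n
    offshore_hits = sum(t.country in OFFSHORE_CENTERS for t in txns)

    score = 0
    if wire_share > 0.30:
        score += 1
    if intl_share > 0.20:
        score += 1
    if offshore_hits > 0:
        score += 2          # off-shore contact weighs most heavily here

    rating = "high" if score >= 3 else "medium" if score >= 1 else "low"
    details = {"wire_share": wire_share, "intl_share": intl_share,
               "offshore_hits": offshore_hits, "score": score}
    return rating, details


def flag_anomalies(history, new_txns, z=3.0):
    """Compare new transactions with the profile built from history.
    A transaction is flagged when its amount is more than z standard
    deviations from the historical mean, or when it uses a transaction
    type or counterparty country never seen before for this account."""
    amounts = [t.amount for t in history]
    mu, sd = mean(amounts), pstdev(amounts)
    seen_kinds = {t.kind for t in history}
    seen_countries = {t.country for t in history}

    flagged = []
    for t in new_txns:
        reasons = []
        if sd and abs(t.amount - mu) / sd > z:
            reasons.append("amount outlier")
        if t.kind not in seen_kinds:
            reasons.append("new transaction type")
        if t.country not in seen_countries:
            reasons.append("new country")
        if reasons:
            flagged.append((t, reasons))
    return flagged


def review_account(history, new_txns):
    """One monitoring pass: re-rate the account on all activity, flag
    anomalies in the new batch, and pick the next review interval."""
    rating, details = risk_rating(history + new_txns)
    flagged = flag_anomalies(history, new_txns)
    return {"rating": rating, "details": details, "flagged": flagged,
            "next_review_days": MONITOR_INTERVAL_DAYS[rating]}


# Constructed sample: a domestic payroll-style account, then a new batch.
HISTORY = [Txn(a, "ach", "US") for a in
           (950, 1020, 980, 1100, 1000, 990, 1010, 1050, 970, 1030)]
NEW_BATCH = [Txn(1000, "ach", "US"), Txn(25000, "wire", "KY"),
             Txn(1040, "ach", "CA")]

if __name__ == "__main__":
    report = review_account(HISTORY, NEW_BATCH)
    print("rating:", report["rating"], "next review in",
          report["next_review_days"], "days")
    for txn, reasons in report["flagged"]:
        print(f"  flag {txn}: {', '.join(reasons)}")
```

The point of the split between `risk_rating` and `flag_anomalies` is the one the article makes: the rating decides how closely an account is watched, while the anomaly check is what actually surfaces individual transactions worth asking the customer about. In a real program both would draw on the declared purpose of the account and source of funds collected during onboarding, which this sketch does not model.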

Why KYC matters

By first verifying customers’ identities and intentions and then understanding their customers’ transaction patterns, banks are able to more accurately pinpoint suspicious activities.

Money-laundering and terrorist financing often rely on anonymously opened accounts, and the increased emphasis on KYC regulation has led to increased reporting of suspicious transactions—though this doesn’t necessarily mean there’s more bad activity out there, just better detection of it.

In 2014, more than 1.7 million suspicious activity reports were filed with the Financial Crimes Enforcement Network, 35 percent more than in 2013.

Regulations are becoming stricter, meaning financial institutions have to spend more money to comply with them—or be subjected to steep fines. These fines are also dramatically increasing: $4.3 billion in fines were levied against financial institutions in 2013 and 2014, a sum that quadrupled the fines of the nine previous years combined.

As an example, JP Morgan and HSBC were recently each fined $2 million for a failure to report suspicious activity.

The cost of doing business?

Concerns abound about whether the increasing costs of anti-money laundering procedures are eventually going to become—or already are—prohibitive, keeping banks from effectively going about their daily business.

What’s more, many are wary of the regulations leading to greater friction with customers who don’t appreciate having transactions blocked or having to constantly provide additional information. Of course, as with anything, striking a balance between what customers want and what institutions need to do to protect the system is key.

Other businesses aren’t being regulated in the same way banks are, but knowing your customers is a good idea anyway. It lets you detect suspicious or potentially fraudulent customers before they get to the bank via your services, letting you stop the fraud before it happens. After all, if fraud is detected in your business’s bank account, you’ll likely be required to pay a substantial fine.

The challenge and the opportunity

The Consumer Financial Protection Bureau, which enforces high data quality among financial service providers, collected more than $80 million in fines in 2014.

What’s more, if fraud costs skyrocket, they could eat into more than just your margins: you might lose the partnerships of credit card companies or banks, for example, or get a bad reputation among customers.

There’s opportunity here, too: Because many KYC regulations were instituted before much of today’s technology existed, the means of collecting information about customers are woefully outdated. Fintech companies can help—and already are, in some cases—harness the power of big data to help big financial institutions collect more accurate data and comply even better.