With KYC, your users will all have names
The journey of an organisation and its customer should begin with the identification of that customer to ensure the safety of both parties. With this KYC guide, you will understand the importance of knowing your client and complying with legal requirements.
What is KYC?
KYC is the acronym for Know Your Customer and refers to the set of processes that financial institutions and other companies subject to regulation must carry out to verify the identity of their customers and understand the nature of their activities, as well as to determine the degree of risk that a client could carry out illicit activities such as money laundering or the financing of terrorism.
KYC was born from the need to verify that the clients of entities in certain sectors are who they say they are, and that they are not committing fraud or identity theft.
Complying with KYC procedures and regulations is mandatory for certain sectors, such as finance. However, the strong acceleration of digital transformation has led other industries to rely on these processes to improve the security and usability of their own processes, and to protect the integrity of their customers and of the transactions carried out.
According to Finanso.se, 56% of Europeans have experienced at least one type of fraud in the last two years, with a third of these frauds being identity theft (the second most widespread type of fraud in Europe).
CDD: Customer Due Diligence. The process by which relevant information about the client is collected and evaluated for any potential risk to the organization or money laundering/terrorist financing activities.
FATF: Financial Action Task Force. The Financial Action Task Force (FATF) is an intergovernmental institution created in 1989 by the then G8. The purpose of the FATF is to develop policies that help combat money laundering and the financing of terrorism. The FATF Secretariat is at the OECD headquarters in Paris. (Source: Wikipedia) (Source2: Sepblac – GAFI)
Sepblac: The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (Sepblac) is the Financial Intelligence Unit of Spain, being the only one in the entire national territory. Sepblac is also the Supervisory Authority for the prevention of money laundering and the financing of terrorism. (Source: Sepblac)
Although in recent years there has been an exponential leap in the adoption of technologies and solutions against identity theft, it is still a global problem, one aggravated by the strong digitalization that came as a result of Covid-19.
The main objective behind identity theft by cyber criminals is to access services or purchase products through digital platforms pretending to be someone else. That is why companies that check identities play a key role in fighting this crime, by providing the main defensive shield against these attacks.
Although initially it may be thought that the main victims of this type of crime are the people whose identity has been stolen and used for malicious purposes, those who really suffer a severe blow to their financial health are the companies that offer services in digital environments, which are left helpless when it comes to demanding accountability.
A deeper knowledge of the techniques used by identity theft networks, as well as growing concern on the part of society, have motivated a series of changes in international protocols and legislation in recent years.
Complying with KYC measures
The process of Know Your Customer begins at the moment that a person or entity contracts a product or begins a business relationship with a regulated entity. From that moment there are several important steps that must be carried out to achieve compliance with the KYC requirements.
One of the first steps is to verify that a client can really be trusted. CDD (Customer Due Diligence) is a set of steps that allow optimal management of the degree of risk that a transaction has by identifying the client that carries it out. This is an extra layer of security to avoid business relationships with criminals, terrorists and politically exposed persons, who may represent a risk.
The steps to follow to comply with due diligence programs are determined by the degree of risk that each operation has, as well as by the main business on which the company is based. Depending on the country and the sector, there are different levels with different requirements.
In some sectors, such as Gambling and Online Betting in Spain, gaming operators used to carry out identity verification at a later stage, when the player wanted to withdraw their prizes. However, since March 2019 the regulations have become more restrictive, forcing new players to verify their identity in the early stages, during the onboarding process.
Therefore, depending on the sector and the regulations that apply, different requirements are demanded during the registration process. Nevertheless, KYC checks usually include the following points:
- Determine the identity of the client, through the collection and analysis of reliable national documents, normally valid passport, driver’s licence, national identity document or certificate of citizenship. In the case of a legal entity, it would be necessary to identify the real owner of the company.
- Know the location / address of the client, with the usual way to check being through public services such as bank statements, utility bills such as electricity, gas or water as well as tax receipts.
- Depending on the process that the client is accessing, it may be mandatory to know the status of the client’s economic activity, where two well-defined categories appear:
  - No income, including circumstances where the client is a student, a minor, unemployed…
  - With income, whether employed or self-employed, activity sector, seniority, income range…
- When verifying the identity of a client, the risk category to which it belongs is also usually classified in terms of money laundering, identity theft, fraud or even financing of terrorism, in order to know if it is necessary to carry out more rigorous due diligence measures with respect to that client, or even veto access to the service or product.
- Verification of the client’s identity against third-party lists, or national databases in order to check if they belong to lists of defaulters, check if they have a criminal record, whether fiscal or of any other nature, if they have gambling problems…
- The processes of CDD must be updated periodically since a client’s personal or financial situation changes over time, and they may move to higher risk categories.
- Keep a record of all processes performed on or by customers. In Europe it is mandatory to keep this documentation for up to 10 years after the end of the business relationship.
- Follow-up of a client’s transactions and verification of the origin of payments.
- In addition, in certain processes, where a client makes a legal declaration, the client’s signature is necessary.
Types of KYC according to the risk of the transaction
The “Know Your Customer” procedures are inherent in regulations such as the Anti Money Laundering legislation, which has been established at a European level. One of its pillars is to leave anonymity behind in order to ascertain the identity of the clients and users known as reporting entities, in order to establish secure business relationships, as well as mitigate the impact of money laundering and the financing of terrorism. In this way, greater transparency and security are achieved.
The law on the prevention of money laundering and financing of terrorism in Spain establishes different categories for specific entities and individuals that have the status of regulated entities due to their work activity. Due to this, they will have to implement different protocols for prevention, detection and communication of suspicious activities.
The obligations to identify the different players that interact with these obligated subjects are called due diligence measures, and their object is the identification and knowledge of those natural or legal persons who intend to establish business relationships with these subjects.
The main due diligence measures required to be carried out by these reporting entities are:
- The obliged subjects will identify all natural or legal persons intending to establish business relationships or intervene in any operations, and will verify the “identity of the intervening parties through reliable documents”.
- The regulated entities will identify the beneficial owner and will adopt appropriate measures to verify their identity prior to establishing business relationships or executing any operations.
- The regulated entities will obtain information for the purpose and expected nature of the business relationship, with the aim of corroborating whether the provision provided is in line with the activity declared by the client.
- The obligated subjects will apply continuous monitoring measures to the business relationship, so that the operations carried out are in accordance with the data collected from the client.
Depending on the level of risk that a client may present to an entity, different measures are applied in order to guarantee security in critical transactions.
In Spain, according to Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, the classification is into two clearly differentiated groups:
- simplified due diligence measures, which are carried out with low-medium risk clients,
- reinforced due diligence measures for situations that entail greater risk.
Although most regions of the world that have due diligence measures tend to make the same distinction between these two groups, in this section we are going to focus on Spanish regulations:
Simplified due diligence measures
- Verify the identity of the client or owner in the case of a legal person, when a quantitative threshold is exceeded after the establishment of the business relationship.
- Reduce the frequency of the document review process.
- Do not collect information about the client’s professional or business activity.
- Reduce the monitoring of the business relationship and the scrutiny of operations that do not exceed a quantitative threshold.
- Insurance policy whose annual premium does not exceed 1,000 euros or whose single premium does not exceed 2,500 euros.
- Group insurance policies that cover pension commitments, and pension funds.
- Life insurance policies that exclusively guarantee the risk of death.
- Electronic money when it cannot be recharged and the amount stored does not exceed 250 euros, or when, if it can be recharged, the total amount available does not exceed 2,500 euros in a calendar year.
- Postal money orders of the public administration or its dependent agencies and official money orders for postal service payments.
- Charges or payments derived from commissions generated by reservations in the tourism sector that do not exceed 1,000 euros.
- Syndicated loans in which the agent bank is a credit institution domiciled in the EU or in an equivalent country.
- Credit card contracts whose limit does not exceed 5,000 euros.
Enhanced Due Diligence Measures
In cases of higher risk or that have been determined by the regulated entity according to its risk analysis, the regulated entities will have to verify in any case the activities declared by their clients and the identity of the beneficial owner, in addition to a series of risk-based measures:
- Update the data obtained in the customer acceptance process.
- Obtain documentation or additional information about the purpose and nature of the business relationship.
- Obtain documentation or additional information on the origin of the funds.
- Obtain documentation or additional information on the origin of the client’s assets.
- Obtain documentation or information on the purpose of the operations.
- Obtain managerial authorization to establish or maintain the business relationship or execute the operation.
- Carry out a reinforced follow-up of the business relationship.
- Examine and document the consistency of the business relationship or operations with the documentation and information available on the client.
- Examine and document the economic logic of operations.
- Require that payments or income be made into an account in the client’s name, opened in a credit institution domiciled in the European Union or in equivalent third countries.
- Limit the nature or amount of the operations or the means of payment used.
These measures will be carried out by the regulated entities with respect to the following products or operations:
- Private banking services.
- Money transfer operations whose calendar quarter amount exceeds 3,000 euros.
- Foreign currency exchange operations whose amount per calendar quarter exceeds 6,000 euros.
- Business relations and operations with companies with bearer shares.
- Business relationships and operations with clients from countries, territories or jurisdictions at risk, or that involve the transfer of funds from or to such countries, territories or jurisdictions, including in any case those countries for which the Financial Action Task Force (FATF) requires the application of enhanced diligence measures.
- Transfer of shares or participations in pre-incorporated companies
In addition, the regulated entities may determine in the internal control procedures other situations that, according to their risk analysis, require the application of enhanced due diligence measures.
To determine these higher risk assumptions, companies will take into consideration, among others, the following factors:
a) Customer characteristics:
- Customers not resident in Spain.
- Companies whose shareholding and control structure is not transparent or is unusual or excessively complex.
- Companies that merely hold assets.
b) Characteristics of the operation, business relationship or distribution channel:
- Business relationships and operations in unusual circumstances.
- Business relations and operations with customers who habitually use bearer payment methods.
- Business relations and operations executed through intermediaries.
KYC in the world
Just as we are enjoying unprecedented levels of digitization today, KYC has also become more relevant globally.
In that sense, the EU has been a pioneer in legislative matters, marking the standards that have been replicated in the regulations of other regions of the planet.
However, despite the existence of a common base, the international regulations of Know Your Customer can differ a lot from one country to another.
In Spain we have Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism. Furthermore, within the financial environment, Sepblac is the supervisory authority in matters of prevention of money laundering and prevention of terrorism, while in the online gaming and betting sector the DGOJ (Directorate General for the Regulation of Gambling) is in charge of issuing the different resolutions that regulate gaming activity.
European regulations (KYC / AML)
Among the different regulations, in Europe we have Directive (EU) 2018/843 of the European Parliament and Council of Europe regarding the prevention of money laundering or the financing of terrorism.
The European Directive AMLD5 is a renewal of the previous anti-money laundering law AMLD4, which promotes a set of tools based on the prevention of the use of the financial system for money laundering from illicit activities.
It is a directive aimed at the financial sector and aims to establish measures that allow banks to shield themselves and protect themselves against these threats.
AMLD5 affects companies from multiple sectors, including online gaming providers, cryptocurrency platforms, providers of cryptocurrency wallets and insurance policies, which are required to identify and verify the identity of customers through remote or electronic identification processes.
Regulatory framework of KYC and AML regulations in Latin America
Similarly, in Latin America, laws and regulatory frameworks that enable Know Your Customer and Anti-Money Laundering practices have been implemented:
In Mexico in October 2012 the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI), known as the “Anti-Money Laundering Law” came into force.
It is a very demanding and rigorous law that obliges regulated entities to provide information to the government, not only for banks, stock market companies, credits and other financial entities, but also art galleries, real estate agencies, car dealerships, etc.
The management and supervision of compliance with its stipulations depends on the Attorney General’s Office (PGR), the Ministry of Finance and Public Credit (SHCP), the National Banking and Securities Commission (CNBV) and the Financial Intelligence Unit (UIF), among other organisations.
The main law in Chile’s regulatory framework against money laundering and identification of the nature of funds is the Law 19,913, enacted in 2003 creating the Financial Analysis Unit, the institution in charge of supervising the Chilean financial system, whose objective is to prevent and impede the use of financial instruments to carry out crimes of money laundering and financing of terrorism.
There is a Plan to Fight Money Laundering and Terrorism, promoted by the State, which favours the implementation of KYC and AML measures in the country in order to protect the integrity and stability of the nation’s economic-financial system, to reduce the economic power of organized crime and terrorism, and to fight corruption.
Reforms and updates to the Criminal Law Against Money Laundering and the creation of the Financial Intelligence Unit (FIU) are some of the measures that have been developed by the program.
The body in charge of supervising and managing information in Peru is the FIU, whose main function is to analyze and share information for the detection of Money Laundering and the financing of terrorism.
The regulations in Colombia for the protection of the country’s financial system, as well as for the prevention of money laundering, are reflected in different decrees, laws and measures.
Among them are the Law on the treatment and protection of personal data and the Law of Transparency and the Right of Access to Information. As in the previous countries, Colombia has a Financial Information and Analysis Unit (UIAF), in order to prevent and identify money laundering.
In Guatemala there are two main laws that advocate safeguarding the financial stability of the country: the Law against laundering of money or other assets, and the Law to Prevent and Repress Financing of Terrorism as well as their respective regulations.
The Superintendence of the Banks of Guatemala is also an important regulatory entity.
The Financial Investigation Unit (FIU) is the office attached to the Attorney General of the Republic, to generate financial intelligence to prevent and combat the crime of money laundering (ML), financing of terrorism (FT) and financing of the proliferation of weapons of mass destruction (FPADM).
Since 1998, El Salvador has had a specific law against money and asset laundering, which aims to prevent, detect, punish and eradicate the crime of money and asset laundering, as well as its cover-up in the country.
The Financial Information Unit (UIF) and the Superintendence of Insurance of the Nation are the Argentine organizations in charge of the analysis, treatment and transmission of information for the purpose of preventing and impeding money laundering.
Among laws that regulate the financial system, with the intention of preventing money laundering and the financing of terrorism, there is the Law 25.246/00 on “Concealment and laundering of assets of criminal origin”.
For five years Brazil has had regulations allowing the opening of new accounts through digital channels, also allowing optimization of the process of simplified KYC accounts and a better exchange of information thanks to an open data portal that allows accounts to be opened quickly.
The analysis, treatment and transmission of information to prevent money laundering are carried out by the Financial Activities Control Council (COAF). This body’s mission is to produce financial intelligence and promote the protection of economic sectors against money laundering and terrorist financing.
In July 2022, the Superintendencia de Bancos launched a new regulation (Circular 011/12) establishing the guidelines that Financial Intermediation Entities must comply with when onboarding new customers through automated or semi-automated mechanisms in digital environments.
The new law enables digital onboarding processes to be used both for contracting new products and services and for current customers. Furthermore, it requires Financial Intermediation Entities to ensure the security and trust of contracting, considering:
- Customer identification, verification and authentication.
- Customer funds origin.
- Anti-fraud checks.
The Superintendencia de Bancos y Seguros enacted general rules for financial system institutions in Ecuador. These rules refer to due diligence and KYC procedures. Specifically, Article of V Section 12 states that financial system institutions must apply due diligence procedures and comply with certain obligations, such as establishing mechanisms for collecting, verifying and updating their customers’ identities.
KYB: Know Your Business
Until 2016, financial entities did not need to identify the parties as well as the companies to which they provided services. But in 2016 everything changed with the due diligence measures for companies, or Know Your Business. As with KYC, the subject must be verified, which in this particular case would be the legal officers of companies.
KYB makes it mandatory for reporting entities to verify the name of the beneficial owner of a company, as well as the rest of the company’s directors who have 25% or more shareholding in the company.
Going into more detail, banks, payment companies or any other company in the financial sector that deals with capital transfers are required to carry out these measures, as are a large part of B2B (Business to Business) companies, which must verify the companies with which they carry out any business activity.
Among the requirements that are usually requested when carrying out a KYB process are:
- Company registration
- Business licences
- Identity of owners and directors
- Date of birth of owners and directors
- Bank statement
- DNI, driving licence or passport
- As well as carry out reviews against different databases depending on the country, risk of the transaction or nature of it.
In the European Union, AMLD4 (Anti Money Laundering 4) facilitated this process by giving member countries the responsibility of keeping classified records of the constitution and ownership of companies and keeping them accessible to all entities, in order to verify their legal status and other requirements.
KYB solutions have a direct impact on the company’s internal processes, betting on more scalable models that allow fixed costs to be reduced as well as making their identity verification processes more robust.
eKYC, Digital KYC, Digital Onboarding
Companies are constantly seeking to increase their customer base in increasingly digital environments, minimizing acquisition costs. In turn, customers want to access their services in the most comfortable, fast and secure way possible.
Both companies and customers are facing restrictive regulatory environments and rising cybercrime, presenting a major obstacle to achieving these goals. This climate means that companies, in order to comply with KYC regulations, have to make their clients wait for hours or even days to give access to these services or even force face-to-face registrations to verify identity manually, causing great friction and therefore loss of customers and profits.
In this framework, what was until then an option has become an obligation: comply with KYC processes digitally.
The Digital KYC or eKYC consists of carrying out the Know Your Customer processes in a completely digital environment, where the collection of all the documentation and its verification is based on a technological base, allowing due diligence measures to be carried out online.
This is where Digital Onboarding solutions come into play, allowing a complete KYC process to be carried out in digital environments.
With the use of these tools, users can register on a platform completely online from any device, anytime, anywhere, collecting their personal data through an identity document that verifies their identity, in addition to verifying that the person who is carrying out the process is who they say they are.
The three fundamental aspects on which a digital onboarding solution must be based are:
- Accurately extract information from official identification document (passport, driver’s licence, identity card)
- Check the authenticity and validity of the identity document.
- Verify through biometric recognition that the person presenting the document and carrying out the registration process is the same as the one that appears in the photo of the document presented.
The appearance of the digital onboarding technologies has caused traditional sectors such as finance to adapt their processes to the new times, changing the way of carrying out transactions or managing financial platforms.
Where just a few years ago you could only open a bank account in a branch in person, now it can be done in a matter of minutes from any device and anywhere.
The Digital Onboarding / eKYC solutions that allow you to carry out a digital KYC process have come to stay, providing security and scalability.
Thanks to this technology, companies can comply with legislation, while offering their customers a total user experience.
Benefits of eKYC or Digital KYC
Some of the many benefits of using digital KYC processes are:
Digital onboarding can carry out the entire KYC process in a matter of minutes. On the other hand, a face-to-face process or one without automation can cause an element of friction that, in addition to providing a bad user experience, implies the loss of many clients.
The eKYC systems are highly precise when carrying out data extraction, obtaining the information from all the fields of the identity document in a matter of seconds, while also verifying that it is an original document and has not been tampered with in any way.
Although digital onboarding systems have a cost, in the medium term they turn your business model into a much more scalable process. These tools allow you to replace or reduce the number of agents, providing greater speed and accuracy to carry out more transactions.
We know that regulations and the needs of companies are constantly evolving, which is why digital onboarding solutions like Mobbeel’s are structured in a modular way and are very flexible. In addition, by modifying a set of rules or parameters, they can be adapted to the needs of each business.
The eKYC solutions are directly integrated into the flow that the client requires, giving the possibility of sharing data and documentation with report generation, analysis and audit systems… which allows the company’s internal processes to be optimized.
These technologies not only provide speed, accuracy and comply with legislation, but also offer a unique experience to the user, minimizing friction when registering on a platform.
It is a very intuitive and guided process, which makes the user feel a “WOW” experience knowing that they are using state-of-the-art technology, in addition to avoiding having to go in person to physical branches to deliver documentation, allowing them to carry out a 100% digital process.
Mobbeel KYC Solutions
MobbScan, Mobbeel’s KYC/AML solution, enables verification of a customer’s identity by automatically scanning their identity document in both web and mobile environments.
To do this, information is extracted from the identity document (DNI, passport or driver’s licence) by means of OCR or NFC and its authenticity is verified by means of a series of validations carried out on the document itself.
Later it can be verified that the person who is carrying out the process is who they say they are through facial recognition.
In addition, MobbScan allows you to comply with legislation that requires companies to record the entire process on video.
What do we take into account from the point of view of document verification when carrying out a Digital Onboarding process?
Well, that’s what we at Mobbeel call VAPT (Validity, Authenticity, Property and Traceability):
- Validity, the document is automatically detected and the information it contains is validated.
- Authenticity, that it is not a forged document.
- Property, that the person presenting it is its rightful owner.
- Traceability, that we comply with the Know Your Customer / Anti-money Laundering regulations.
Video demonstration of the whole KYC process of digital onboarding where the identity of the ID document holder is verified with facial recognition. MobbScan.