What Constitutes KYC: The KYC Regime in Fintech

KYC, also known as Know Your Customer, is a vital set of identity-verification best practices required for most fintech apps.

But what is KYC? And why is it so important?

This blog breaks down KYC and what fintech owners need to know about it.

What is KYC?

Know Your Customer (KYC) or Know Your Business (KYB) is a set of identity verification processes that banks and financial institutions must follow. This entails an identity verification check of all individuals and businesses who want to work with that financial institution, to confirm that they are safe and eligible to operate within the financial system.

KYC and KYB are data-driven regulations that must be followed by all users when using common payment networks like the ACH network and the Federal Reserve System. These measures primarily protect against major financial crimes like tax evasion and terrorist financing.

The ACH network is a trillion-dollar financial network that has seen significant growth in recent years. Managing 29.1 billion payments in 2021 valued at $72.6 trillion, this network is extremely valuable and needs to be protected against malicious financial crimes.

KYC and KYB aim to protect the ACH network. By completing KYC and KYB for every client, fintech firms confirm that their clients:

  • Are who they claim to be
  • Fulfill the requirements necessary to use the financial services provided
  • Don’t use the financial product to commit a financial crime
  • Maintain a trustworthy, low-risk business relationship with the provider

KYC and KYB are required any time a financial business accepts a new customer. This means that each customer will undergo a thorough identity check, and they may be required to supply certain documents and key personal data. It is up to the financial service provider to keep this data safe.

Is KYC a Regulatory Requirement?

According to the USA PATRIOT Act of 2001, KYC is mandatory for all US banks. This process must conform to a customer identification program (CIP).

What are the Three Components of KYC?

At its core, KYC contains three basic components: an identification check with an ID card, face verification, and document verification.

What Documents Count Under KYC?

Documents may need to be checked during KYC to provide proof of address and to support biometric verification.

The following documents are eligible to verify identity:

  • Government-issued passport
  • Government-issued driver’s license
  • Other types of government-issued photo ID

The following documents are eligible to verify address. Note that with each document, the account name must match the name provided on the government-issued identity card:

  • Bank account statement
  • Utility bills
  • House purchase documents
  • Employer’s proof of residence
  • Other valid documents containing residency status

What are the 4 Key Requirements of KYC Policy?

Fintech businesses must have their own KYC policy as well. This policy must contain the following four key elements:

  • Customer Acceptance Policy
  • Customer Identification Procedures (CIP)
  • Monitoring of Transactions / Ongoing Due Diligence (CDD, EDD, SDD)
  • Risk Management

What are the Basic Requirements of KYC?

In addition to the key components and key requirements of KYC mentioned above, it is essential that your KYC program establishes your customer’s identity. This is the most basic requirement of KYC.

Furthermore, KYC requires an understanding of the nature of the customer’s financial and business activities so that the service provider can be satisfied that the source of the customer’s funds is legitimate.

Finally, the program will assess the money laundering risks associated with that customer through ongoing monitoring of customer activities.

What is Continuous Monitoring for KYC?

Even if you’ve successfully and appropriately onboarded each client, your role in KYC is far from over. Continuous monitoring is part of the KYC process. This means that a fintech company must continue to monitor client risks, fraud levels, and the business relationship, and periodically reassess the client’s eligibility, identity, or verification authorization. This is very similar to a zero-trust security policy, which aims to regularly re-verify already approved clientele to ensure continued safety.

Risk management, due diligence, and the continual analysis of transactions are crucial to KYC.

So what happens if something unusual pops up? Here, a new KYC evaluation process begins. In simple terms, this means that the client must go through the same KYC process that they did when onboarding, if not a more intensive one.

The same applies when there are significant changes in a person’s circumstances. Business- or finance-related changes will require a KYC evaluation. These include:

  • Changes in the client’s occupation
  • Changes in the client’s business
  • If the client wants to give other parties permission to use the account

The 4 Levels of KYC for Fintechs: CIP, CDD, SDD, and EDD

KYC measures can be further broken down into four successive levels of thoroughness: Customer Identification Programs (CIP), Customer Due Diligence (CDD), Simplified Due Diligence (SDD), and Enhanced Due Diligence (EDD).

Each process is followed by continuous monitoring and transaction documentation, especially in high-security cases.

Customer Identification Programs (CIP)

You may have come across CIP when reading about KYC in digital banking. CIP refers to the baseline KYC measures that a financial company takes to verify the identity of a new customer. CIP might encapsulate multiple types of KYC processes (including KYB, which can differ), but it still sets the foundation for these core processes.

The program requires basic data like the customer’s name, address, and contact information. This information gets cross-checked against identification and criminal records databases.

To clarify any details, customers may need to provide additional information. Individual customers may have to state their profession and financial flows. Corporate entities may have to provide information like:

  • The type of organization they belong to
  • The organization’s business model
  • The industrial sector or market they belong to
  • The industry code
  • The property, size, and structure of the organization
  • The financial ratio

Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is the requirement that all financial companies be diligent when accepting new customers. This means that each financial company is accountable for the customers it accepts and for the activity of these customers. If a customer performs criminal activity while using the financial services of a company, then the financial service provider is held accountable.

So how does CDD fit here?

Within the CIP model, each new client’s identity is checked. This identity check and detailed analysis follow the CIP protocols and allow the client and business to be compliant with anti-money laundering (AML) legislation. The focus here is on risk assessment and understanding the customer’s transaction habits.

Within CIP and KYC, CDD covers the medium-risk tier within fintech. This is the most common form of customer due diligence / KYC. If individuals are low risk, then they can be checked under simplified due diligence. Similarly, high-risk customers are evaluated under EDD.

Simplified Due Diligence (SDD)

Simplified Due Diligence (SDD) is a faster due diligence process that identifies and verifies low-risk clients.

What “low-risk” looks like can be a little complicated, but generally, low-risk clients are individuals looking for products that are very unlikely to be subject to fraud, or products of a lower value. These products would also not have any connections to high-risk jurisdictions, for example.

However, SDD is only an option if the circumstances are right. Many bootstrapped fintech firms want to use SDD because it is quicker and gives customers a better experience, but that alone does not make it available.

Clients must go through a detailed assessment of their risk profile before they can even get to the question of SDD, EDD, or CDD. This means that no matter which due diligence process a client is eligible for, fintech firms still need to conduct thorough KYC practices.

Enhanced Due Diligence (EDD)

And, of course, we have Enhanced Due Diligence, which is only necessary when the customer and their activities and/or business are potentially risky. EDD is very common with Politically Exposed Persons (PEP), or individuals in positions of power with greater exposure and more opportunity for bribery, corruption, or money laundering, to name a few.

High-risk individuals bring added risk to companies, so this is an assessment that fintech firms first need to make for themselves. Are they set up to handle EDD?

EDD will require fintech firms to collect additional data on the high-risk customer’s identity and business activities. Screening broadens to include press coverage of the client, data on wealth sources, and more. In the end, the screening should reveal how likely the customer is to commit or fall victim to money laundering, identity theft, or terrorist fundraising.

Challenges of KYC Compliance for Fintechs

Given the evolving practices of cybercrime, its prevalence, and the importance of KYC (which we talk about below), staying up to date with KYC can be challenging for fintech startups.

Many fintechs think that once they have RegTech with compliance features they are set, but fintech firms need to do KYC properly to be successful. This includes the way they reconcile KYC requirements with providing a satisfying customer experience.

Here are some challenges that fintechs come across with KYC compliance:


Fintech compliance is already expensive and, unfortunately, costs are slated to rise in the next five years. Between AML, CTF, and KYC compliance, fintechs spend a lot of money annually on compliance.

Thomson Reuters estimated that the annual KYC compliance costs in 2016 were up to $60 million, with some financial firms spending more than $500 million. And these costs are continually increasing.

Unfortunately, these budgetary constraints aren’t uniform across the board. Large banking institutions might be able to handle some of these costs, but fintech startups or SMEs will struggle. This is especially true if they are new to the market or still fundraising. While businesses can offer fewer of the features that carry more advanced compliance requirements, this leaves them at a disadvantage.

When done right, modern RegTech solutions provide opportunities to reduce the compliance burden. Efficient KYC software and strong bank partnerships can give bootstrapped fintechs the leverage and compliance tools they need to get off the ground and excel.

This is one reason why Sila’s partnership with Evolve Bank & Trust has worked so well; our status as a bank agent has helped numerous fintech startups when before, the money just wasn’t there.

Customer and Business Onboarding

Other challenges within KYC come with registration and KYC onboarding. KYC is often the first thing that financial businesses must require. However, this comes into direct conflict with the frictionless onboarding process that makes a good first impression and secures long-term, recurring customers.

Unfortunately, bad experiences with KYC can impact the client experience. In 2016, Thomson Reuters reported that 89% of clients had a bad experience with KYC, with 13% of clients changing to another service provider as a result.

Even with a digital KYC experience, frustrations still emerge, such as the time-consuming process and the finicky technology. Banks take about 24 days to onboard the average customer, and 120 days for the average corporate customer. That’s a lot of time for customers to change their minds.

Faster KYC, like Sila’s speedy onboarding, will improve this experience.

Trust and Data Protection

Another important dimension to KYC is trust. Both the financial company and customers must trust that the data being shared is accurate and protected.

Companies have the ability to check on customer data, to a limited extent, but customers do not have much control over the data that a company collects from them.

Financial companies must still follow data handling best practices, which might vary based on the country and vertical they are in.

While the US does not have a big data protection law like the GDPR, businesses must follow the Privacy Act of 2001 and other laws regulating the sharing of sensitive data in the financial industry.

KYC Technologies

And finally, we have technology. It’s no surprise that banks and fintech companies go to great lengths to ensure compliance. However, with the adoption of more online payment options, businesses are seeing a lot of new challenges with KYC technologies.

Spurred by the lockdowns of the COVID-19 pandemic, the KYC market is just now getting a facelift. More businesses are paying attention to innovative KYC technologies, like Sila’s KYC API integration for seamless compliance, while ensuring that security requirements are also met.

And it’s about time. These modern technologies allow KYC to be performed remotely, providing innovative ways of collating ID and verifying customer data.

The following regulatory technologies (RegTech) are now available for KYC:

  • Voice and face identification over video chat
  • Biometrics identification
  • CDD and EDD by evaluation of social media activity (social biometrics)
  • Approval of documents via self-learning algorithms and artificial intelligence (AI)
  • Context-sensitive analysis of finance-related texts, also known as semantic analytics
  • Sharing of KYC-related data without intermediaries over blockchain

Modern technologies like biometrics and semantic analytics give companies new ways to become compliant with KYC requirements – but also new regulations to adhere to, such as data protection and data security rules.

The Importance of KYC

While this might seem like a lot of work, it’s important to understand how crucial KYC is. KYC is set up as a guideline for banks to use to help prevent financial crimes like money laundering.

KYC law is increasingly complex and applies to most financial payment systems. Banks and other monetary service providers must also adhere to international security standards for identity verification and anti-money laundering regulations. Nationally, within each payment system, and internationally, banks and other financial institutions follow these regulations, monitor activities, and report them as part of a collaborative effort to battle financial crime.

Without these monitoring procedures in place, overseeing financial bodies would have a difficult time tracking financial crimes and stopping these activities. This not only weakens the system but also contributes to lost money. In 2020, it was estimated that the gross amount of money laundering worldwide was about $800 billion, around 2 to 5% of the global gross domestic product (GDP).

Other reports suggest that the US is the venue of choice for money launderers; when investigators found reports of up to $2 trillion in suspicious activity being reported to FinCEN (the Treasury Department’s Financial Crimes Enforcement Network), it became clearer just how prolific money laundering was. This means that, just based on these reports, $2 trillion in US dollars may be used for money laundering in our current financial systems.

KYC laws are continually being modified to improve their effectiveness. The Patriot Act of 2001 was modified to include the Bank Secrecy Act, a more comprehensive law for KYC. And internationally, the European Banking Authority (EBA) published a series of Anti-Money Laundering Directives to overrule national practices and provide cohesive legislation for all EU bodies.

KYC Through Sila

While KYC processes might differ depending on the financial service provider itself and the nature of the client, KYC still seeks to improve the transparency of client-business relationships and roles. The 4th EU Directive, for example, asks for Know Your Customer’s Customer (KYCC), an essential link in the chain for many fintech apps, as a viable way of filling these gaps.

In addition to serving as a security measure, KYC can help banks and other financial institutions better understand their customers. Not only will this allow them to assess clients and manage their risks better, but it can also give banks the opportunity to serve them better.

The importance of KYC is clear, but the demand can weigh heavily on small, bootstrapped fintech firms. This is where fintech partnerships can prove useful.

Working with Sila makes KYC far easier. With the KYC API, even bootstrapped fintech startups have access to embedded compliance and KYC technology. Reach out to our sales team or take part in our weekly demo to learn more!