What should you look for in a modern, global Know Your Customer (KYC) compliance solution?
Randy Mills, VP of Identity & Risk Products, FIS
March 26, 2023
Know Your Customer (KYC) are standards designed to protect organizations against money laundering, terrorism financing, tax evasion, politically exposed persons and other corruption risks.
The meaning of KYC has rapidly evolved over the past decade. Whether there is a need to create an account and identify an individual or allow individuals and businesses to transact, the world we live in has become increasingly complex with a heightened focus on improving the customer experience and reducing friction. These scenarios can expose organizations to significant risk that can lead to reputational, regulatory and/or legal concerns. From strictly defined due diligence in the onboarding phase to meticulous monitoring and reporting demands, businesses can struggle to keep up with the new KYC laws, rising expectations and costs of compliance.
So what should you look for in a modern, global KYC solution?
THE FUTURE OF KYC COMPLIANCE SOLUTIONS
In the early days of KYC, prescriptive requirements were documented on the expectations of what type of information should be collected and verified as well as what constitutes performing the Customer Identification Process (CIP), Customer Due Diligence (CDD) and Specialized or Enhanced Due Diligence (SpDD or EDD). Processes often relied on collecting a customer’s driver’s license or passport and for the customer to legally attest that the information provided on their application was accurate and complete and did not mislead the reviewer. However, we now live in a world that is driven by e-commerce and online engagements that can facilitate fraudsters creating fake identities or even acting as someone else in an Account Takeover (ATO) scenario.
As a result of this rapidly evolving ecosystem, there are many challenges an organization must overcome to holistically comply with KYC expectations including vetting multiple vendors, navigating operational silos, fractured KYC solutions and increasingly changing regulations that market solutions just can’t keep up with.
COMPONENTS OF AN EFFECTIVE KYC SOLUTION
An effective KYC solution verifies both individuals and business entities and helps identity sanctions, adverse media and key identifiable traits that would warrant further review of a customer. A comprehensive solution is connected through a single API in a low-code/no-code approach that allows an organization to customize workflows to their needs. In addition to global verification of information collected on an individual or business, the following capabilities signify an enhanced offering that truly identifies the customer your business is engaging with:Watchlist monitoring
Watchlist monitoring is the ability to compare customer and transaction details against up-to-date lists of sanctioned parties and other government watch lists. Conducting business with individuals or organizations that are on sanctioned lists and deemed hostile to the United States can create exposure to significant fines that impact a business’s bottom line and reputation.
Watchlist monitoring should be driven by algorithms and forensic analytics, providing better detection. It is imperative to have a clear, consistent methodology behind sanctions due diligence and watchlist programs, enabling businesses to:
- Reduce false positives with smart scanning
- Improve analysis with detailed match forensics
- Empower faster decisions
- Achieve the right risk coverage without compromising result integrity
- Facilitate audit and examination reviews
A critical aspect of ensuring customers are who they say they are is verifying the documents they present. Identity verification in a KYC solution should include:
- Anti-spoofing algorithms that can detect printed documents or doctored documents on a digital display
- Computer vision technology that can compare presented documents to established document templates
- Machine-readable information such as barcodes and MRZ codes to determine the authenticity of each document
Some of the newest and most effective technologies in verifying your customers’ identity are biometric capture and tokenization. These technologies help prove the individual requesting services is truly the applicant, especially where the customer is providing information over an app-based application. Key functionality includes:
- Selfie comparison allows for anti-spoofing algorithms that compare photos on captured images to a consumer selfie
- Proof of liveness technology distinguishes a real human versus photos of masks, sculptures, etc., and seamlessly determines if the presented data belongs to a real person
- Synthetic identity detection includes robust matching algorithms that convert biometric images into an irreversible stored hashtag
- Fraud models should include logic that cross-references databases to determine unique identities without storing or revealing Personal Identifiable Information (PII)
- Tokenization helps verify that the applicant is physically present with the device they are using for the application
Device profiling gathers information on device types, operating systems, location and a wealth of other key metrics that can prove useful in verifying that your customer is the true owner of the device they are using to apply for services. Important considerations for KYC device profiling include:
- Ability to customizable rules with thousands of attributes
- Device scoring with GPS location, device fingerprinting, connection details, true IP, proxy, VPN, Agent, Velocity, etc.
- Context-based information that detects attacks and analyzes a user’s behavior for reliability to determine if the system is interacting with a human or bots
- Risk mitigation that protects your business from Man-In-The-Browser (MITB), Remote Access Trojan (RAT), high velocity/frequency bot attacks to low-and-slow attacks mimicking legitimate customer behavior, ransomware key logging attempts and more
- Technology to expose the use of location and identity cloaking services such as hidden proxies and VPNs, allowing businesses to see the true IP address, geolocation and other attributes
- Tools to detect the use of technologies such as hidden proxies and VPNs and help businesses detect payment fraud and see the true IP address, geolocation and other attributes of each event, backed by global identity data over time
- Means to identify returning users that wipe cookies, use private browsing and change other parameters to bypass traditional device fingerprinting tools
- Detection of user mobile device changes including porting and SIM card change scenarios
As technology, regulations and best practices in the KYC arena continue evolve, it is critical for organizations to effectively evaluate solutions that mitigate their risk and protect their ecosystem in a thoughtful way.