- What Is KYC, How It Works and Why It Is Important
- What Is KYC and AML Policy and Why They are Necessary
- The Process of KYC
- Data Storage Problem. Impact of GDPR
What Is KYC, How It Works and Why It Is Important
Financial institutions, accounting and law firms, banks, and trading platforms should remain loyal and customer-oriented. But at the same time, the modern world is increasingly striving to remove anonymity from financial circulation for security reasons.
Two factors drive this:
- people do not want to lose their money;
- governments have been fighting money laundering and financial terrorism.
That is why the concept of KYC appeared in the financial and business sphere in the early 2000s.
What Is KYC and AML Policy and Why They are Necessary
KYC stands for Know Your Customer or Know Your Client. It is a set of procedures that oblige financial institutions to identify a customer before conducting a financial transaction. In other words, you need to make sure that your clients are actually who they claim to be.
KYC and AML: what’s the difference?
The AML concept is broader than KYC. AML stands for Anti-Money Laundering and refers to political, legal, and regulatory acts.
Nonetheless, KYC and AML are related. Compliance with them shows that a project's launch is legal. If the project complies with the rules of AML and KYC, it has more potential to begin successful cooperation with the banking sector. Why would a project want this? Many digital exchanges try to get a bank account to simplify global financial transactions, but banks struggle to trust digital exchanges where AML is concerned. This is where KYC and transparency come into play, and why they are so important. They help to:
- verify the identity of the user;
- reduce the risk of money laundering and financial terrorism;
- understand the source of income and the legitimacy of the business relationship.
Therefore, banks, financial institutions, and cryptocurrency platforms are compelled by regulators to implement strict KYC processes.
The Process of KYC
First, you will be asked to specify whether you are acting on your own behalf or representing a company. The KYC flow has its own specifics for each of these types.
If you are an individual, you will need to fill in a form with personal data. The most important documents for verification are proof of identity and proof of address. For this step, in most cases, you'll need to provide personal data such as:
- your full name,
- date of birth,
- your residential address,
- ID number.
To prove your address, you may submit the following documents:
- utility bill, e.g. electricity bill, gas bill;
- bank account statement;
- letter from an employer or from the bank manager of a scheduled commercial bank.
Some platforms offer video ID verification. For this, you will need internet access, a computer with a webcam or a smartphone or tablet, and your valid identity document.
Corporate accounts require KYC procedures as well. This procedure is known as KYB (Know Your Business). It is similar to the individual verification flow, but still has some specifics. Transaction volumes, turnover, and other risk factors are usually more significant, so the procedures are more involved.
If you're a business owner, you first need to complete a personal identity verification, because it's a prerequisite to verifying corporate accounts.
Regarding the verification flow, the documents required for this process will depend on your business type:
1. Sole proprietorship – the individual owns, manages, and controls the business. Depending on the platform's requirements, you may need to provide one of the following documents:
- GST registration certificate,
- Excise registration certificate,
- Value Added Tax (VAT) registration certificate,
- Turnover tax registration certificate,
- Professional / commercial tax registration certificate,
- Certificate/license issued by the municipal authority under the Shops and Establishments Act (Gumastha License) or Municipal Trade/Tax bill,
- Small Scale Industries registration certificate / Entrepreneurs Memorandum (Part II),
- Importer Exporter Code Number certificate.
2. Partnership Firm – two or more people run a business under a firm name. Documents remain the same as for an individual entrepreneur. The only additional document is a copy of the partnership act, as well as a certificate of registration.
3. Limited Liability Partnership – a hybrid entity, with elements of a partnership firm and a corporation. Some or all partners may have limited liability towards the business or other partners. This requires:
- An LLP agreement
- A Certificate of Incorporation
4. Private or Public Limited Company – two or more people can start a Private Limited Company, and the ownership is closely held among the directors. The following documents can be used to pass the verification:
- Certificate of Incorporation,
- Memorandum and Articles of Association,
- Board resolution to open and operate the bank account, and for activities as specified in the application form of the bank,
- The latest list of directors,
- A company search of the file at Company Registry,
- Certificate of Commencement of Business (for public limited companies).
Document verification can be manual or automated, and each approach has its pros and cons.
Manual verification is time-consuming because you need hired employees to check all documents. It's clear that KYC procedures, in particular, need to be faster and more affordable, with increased security and accuracy. This is why many companies have been moving customer identification and verification from manual to automated processes.
Automatic verification speeds up and optimizes the KYC process. Of course, artificial intelligence cannot always recognize and identify a person: in 10% of cases, you will need to resort to manual verification.
In addition to the one-time check, you need to monitor your client continuously. This is done to answer the following questions:
- Is the account valid?
- Does the type and number of transactions match the stated purpose of the account?
- Does the risk level match the type and amount of transactions?
Data Storage Problem. Impact of GDPR
According to GDPR, financial institutions have to control the storage of data. Financial organizations that carry out the KYC process and hold private information about customers have to be completely transparent about what happens to those data after they have been used.
Data protection has always been a priority for the financial sector, but the impact of GDPR will definitely be felt. Recent surveys found that only 29% of businesses are prepared for GDPR, while 71% of respondents are unaware of the fines they might face if found in breach of the new rules.
Under GDPR, KYC can only be performed if the individual has clearly agreed to the processing of their data. Consent must be given intentionally and unambiguously, and requested in understandable legal language. After obtaining this consent, a person's personal data can be stored and used for various purposes, including verification of identity.
But what does compliance with GDPR mean? At the very least, a business should be able to show that:
- The user explicitly agrees to data collection;
- Consent to cookies has been given;
- User age has been verified;
- A data breach action plan has been drawn up.
GDPR Policy Violation
A violation of GDPR policy (a data leak) entails many potential problems. The main penalty is an administrative fine. These fines can range from relatively small to very large.
The total amount of a fine depends on individual criteria that are used to establish the severity of the data leak:
- Intention: Was the violation intentional or caused by negligence?
- Mitigation: What actions have been taken to mitigate damage to data subjects?
- Preventive measures: What organizational and technical measures have been taken previously to ensure compliance?
- The nature of the violation: How many people were affected? What damage was caused during the violation and how long did it last?
- History: Have there been any violations that occurred in the past and can be considered related to the occurrence of the current violation?
- Collaboration: How open is a company to collaborate in order to eliminate the violation?
- Data Type: What data have been affected?
- Violation notification: Was the violation reported to the proper authorities in a timely manner?
- Certification: Does the company have previously approved certificates and compliance?
- Other: Are there other factors, such as the financial impact on the company, that should be taken into account?
The fines themselves fall into two levels:
- 2% of the company's annual turnover, or $12 million USD (whichever is higher);
- 4% of the company's annual turnover, or $24 million USD (whichever is higher).
For example, in July 2019, British Airways was issued a €204.6 million fine for violation of Article 31 of GDPR. The British Airways website diverted users to a hacker website. As a result, the personal data of more than 500,000 customers were stolen.
In 2020, the leading position among GDPR fines was taken by Google, which was fined 50 million euros by the French National Commission on Informatics and Liberty (CNIL). The fine was issued because Google representatives couldn't explain how the data were harvested from data subjects and used for ad targeting.
The list of violators is long and will certainly gain new companies before the end of the year. For this reason, we have prepared technical recommendations for GDPR compliance, which we will share with you in our next article. Don't miss it – it is worth knowing!