Understanding KYC

What is KYC?

KYC?is the acronym for Know Your Customer and refers to the set of processes that both financial institutions and companies, subject to regulation, must carry out to verify the identity of their customers and know the nature of their activities, as well as determine the degree of risk that this client would be able to carry out illicit activities such as money laundering or the financing of terrorism.

KYC was born as a result of the need to verify that the clients of the entities of certain sectors are who they say they are, and that they are not enacting fraud or identity theft.

Complying with KYC procedures and regulations is mandatory for certain sectors, such as finance. However, the strong acceleration of digital transformation has led other industries to rely on these processes to improve the security and usability of their own processes, protect the integrity of their customers and the transactions carried out.?

According to Finanso.se, 56% of Europeans have experienced at least one type of fraud in the last two years, with a third of these frauds being identity theft (the second most widespread type of fraud in Europe).

Although in recent years there has been an exponential leap in adopting technologies and solutions against identity theft, it is still a global problem that has been aggravated after the strong digitalization suffered as a result of Covid-19.

The?main objective?behind identity theft by?cyber criminals?is to access services or purchase products through digital platforms pretending to be someone else. That is why companies that check identities play a key role in fighting this crime, by providing the main defensive shield against these attacks.

Although initially it may be thought that the main victims of this type of crime are the people whose identity has been stolen to use it for malicious purposes, those who really suffer a severe blow to their financial health are the companies that offer services in digital environments. , being helpless when it comes to being able to demand responsibility.

A deeper knowledge of the techniques used by identity theft networks, as well as growing concern on the part of society, have motivated a series of changes in international protocols and legislation in recent years.

Complying with KYC measures

The process of?Know Your Customer?begins at the moment that a person or entity contracts a product or begins a business relationship with a regulated entity. From that moment there are several important steps that must be carried out to achieve compliance with the KYC requirements.

One of the first steps is to verify that a client can really be trusted.?CDD (Customer Due Diligence)?is a set of steps that allow optimal management of the degree of risk that a transaction has by identifying the client that carries it out. This is an extra layer of security to avoid business relationships with criminals, terrorists and politically exposed persons, who may represent a risk.

The steps to follow to comply with due diligence programs, are determined by the degree of risk that each operation has, as well as the main business on which the company is based. Depending on the country and the sector, there are different levels with different requirements.

In some sectors, such as?Gambling and Online Betting in Spain, the obligation to carry out an identity verification by the gaming operators used to be done at a later stage when the player wanted to withdraw their prizes.However,?since March 2019, the regulations have become more restrictive, forcing new players to verify their identity during the onboarding process.in the early stages.

Therefore, depending on the sector and the regulations that are applied, one different requirements are demanded during the registration process. Nevertheless?KYC checks usually include the following points::

• Determine the identity of the client, through the collection and analysis of reliable national documents, normally valid passport, driver’s licence, national identity document or certificate of citizenship. In the case of a legal entity, it would be necessary to identify the real owner of the company.
• Know the location / address of the client, with the usual way to check being through public services such as bank statements, utility bills such as electricity, gas or water as well as tax receipts.
• Depending on the process that the client is accessing, it may be mandatory to know the status of the client’s economic activity, where two well-defined categories appear, such as:
• No income,?including circumstances where the client is a student, a minor, unemployed…
• With income, whether you are employed or self-employed, activity sector, seniority, income range…
• When verifying the identity of a client, the?risk category?to which it belongs is also usually?classified in terms of money laundering, identity theft, fraud or even financing of terrorism, in order to know if it is necessary to carry out more rigorous due diligence measures with respect to that client, or even veto access to the service or product.
• Verification of the client’s identity against third-party lists, or national databases?in order to check if they belong to lists of defaulters, check if they have a criminal record, whether fiscal or of any other nature, if they have gambling problems…
• The processes of?CDD?must be updated periodically since a client’s personal or financial situation changes over time, and they may move to higher risk categories.?
• Keep a record of all processes performed on or by customers. In Europe it is mandatory to keep this documentation for up to 10 years after the end of the business relationship.
• Follow-up of a client’s transactions?and verification of the origin of payments.
• In addition, in certain processes, where a client makes a legal declaration, the?client’s signature?is necessary.

Types of KYC according to the risk of the transaction

The?“Know Your Customer”?procedures are inherent in regulations such as the?Anti Money Laundering?legislation, which has been established at a European level. One of its pillars is to leave anonymity behind in order to ascertain the identity of the clients and users known as reporting entities, in order to establish secure business relationships, as well as mitigate the impact of money laundering and the financing of terrorism. In this way, greater transparency and security are achieved.

The law on the prevention of money laundering and financing of terrorism in Spain establishes different categories for specific entities and individuals that have the status of regulated entities due to their work activity. Due to this, they will have to implement different protocols for prevention, detection and communication of suspicious activities.

The obligations in terms of identification of the different players that interact with these obligated subjects are called?due diligence measures, and have as their object the?Identification and knowledge of those natural or legal persons who intend to establish business relationships with these subjects.

The main due diligence measures required to be carried out by these reporting entities are:

1. The obliged subjects will identify as many natural or legal persons intending to establish business relationships or intervene in any operations, as well as verifying the “identity of the intervening parties through reliable documents”
2. The regulated entities will identify the beneficial owner and will adopt appropriate measures to verify their identity prior to establishing business relationships or executing any operations.
3. The regulated entities will obtain information for the purpose and expected nature of the business relationship, with the aim of corroborating whether the provision provided is in line with the activity declared by the client.
4. The obligated subjects will apply continuous monitoring measures to the business relationship, so that the operations carried out are in accordance with the data collected from the client.

Depending on the level of risk that a client may present to an entity, different measures are enacted in order to guarantee security in critical transactions

In Spain, according to?Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism?classification is for two perfectly differentiated groups:

• simplified due diligence measures, which are carried out with low-medium risk clients,
• reinforced due diligence measures?for situations that entail greater risk.?

Although most regions of the world that have due diligence measures tend to make the same distinction between these two groups, in this section we are going to focus on Spanish regulations:

Simplified due diligence measures

These are the measures that can be carried out when the level of risk is low or medium. For this reason, the use of these measures will never be implemented when there are indications or certainty of money laundering and they must be consistent with the risk that there are suspicious activities of money laundering or financing of terrorism. The possible measures to be adopted by the regulated entity, in substitution of the normal due diligence measures, could be:

1. Verify the identity of the client or owner in the case of a legal person, when a quantitative threshold is exceeded after the establishment of the business relationship.
2. Reduce the frequency of the document review process.
3. Do not collect information about the client’s professional or business activity.
4. Reduce the monitoring of the business relationship and the scrutiny of operations that do not exceed a quantitative threshold.

These measures will be carried out by the regulated entities with respect to the following products or operations:

1. Insurance policy?whose annual premium does not exceed 1,000 euros or whose single premium does not exceed 2,500 euros.
2. group insurance?that ensure commitments for pensions, and pension funds
3. life insurance policies?that exclusively guarantee the risk of death
4. Electronic money when it cannot be recharged and the amount stored does not exceed 250 euros, or when, if it can be stored, the total amount available does not exceed 2,500 euros in a calendar year.
5. Postal money orders of the public administration?or its dependent agencies and official money orders for postal service payments
6. Charges or Payments derived from commissions?generated by reservations in the tourism sector that do not exceed 1,000 euros.
7. Syndicated loans in which the agent bank is a credit institution domiciled in the EU or in an equivalent country.
8. Credit card contracts whose limit does not exceed 5,000 euros.

Enhanced Due Diligence Measures

Characteristics of the operation, business relationship or distribution channelIn cases of higher risk or that have been determined by the regulated entity according to its risk analysis, the regulated entities will have to verify in any case the activities declared by their clients and the identity of the beneficial owner,?in addition to a series of risk-based measures::

• Update the data obtained in the customer acceptance process..?
• Obtain documentation or additional information about the purpose and nature of the business relationship.?
• Obtain documentation or additional information on the origin of the funds.?
• Obtain documentation or additional information on the origin of the client’s assets.?
• Obtain documentation or information on the purpose of the operations..?
• Obtain managerial authorization to establish or maintain the business relationship or execute the operation.?
• Carry out a reinforced follow-up of the business relationship.
• Examine and document the consistency of the business relationship or operations with the documentation and information available on the client.
• Examine and document the economic logic of operations.?Sepblac?21
• Require that payments or income be made into an account in the client’s name, opened in a credit institution domiciled in the European Union or in equivalent third countries.
• Limit the nature or amount of the operations or the means of payment used.

These measures will be carried out by the regulated entities with respect to the following?products or operations:

1. Private banking services.
2. Money transfer operations whose calendar quarter amount exceeds 3,000 euros.
3. Foreign currency exchange operations whose amount per calendar quarter exceeds 6,000 euros.
4. Business relations and operations with companies with bearer shares.
5. Business relationships and operations with clients from countries, territories or jurisdictions at risk, or that involve the transfer of funds from or to such countries, territories or jurisdictions, including in any case, those countries for which the?Financial Action Task Force (FATF)?require the application of enhanced diligence measures.
6. Transfer of shares or participations in pre-incorporated companies

In addition, the regulated entities may determine in the internal control procedures other situations that, according to their risk analysis, require the application of enhanced due diligence measures.

To determine these higher risk assumptions, companies will take into consideration, among others, the following factors:

a) Customer characteristics:?

1. Customers not resident in Spain.
2. Companies whose shareholding and control structure is not transparent or is unusual or excessively complex.
3. Societies of mere holding of assets

b) Characteristics of the operation, business relationship or distribution channel:?

1. Business relationships and operations in unusual circumstances.
2. Business relations and operations with customers who habitually use bearer payment methods.
3. Business relations and operations executed through intermediaries.

KYC in the world

Just as we are enjoying unprecedented levels of digitization today, KYC has also become more relevant globally.

In that sense,?the EU has been a pioneer in legislative matters, marking the standards that have been replicated in the regulations of other regions of the planet.

However, despite the existence of a common base, the international regulations of Know Your Customer can differ a lot from one country to another.

In Spain we have Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism. Furthermore, within the financial environment, the?Sepblac?is the supervisory authority in matters of prevention of money laundering and prevention of terrorism, while in the online gaming and betting sector it would be the?DGOJ (Directorate General for the Regulation of Gambling), the one in charge of issuing the different resolutions that regulate the activity of the game.

European regulations (KYC / AML)

Among the different regulations, in Europe we have the?Directive of the (EU) 2018/843 of the?European Parliament and Council of Europe?regarding the prevention of the use of money laundering or the financing of terrorism.

The European Directive?AMLD5 is a renewal of the previous anti-money laundering law AMLD4, which promotes a set of tools based on the prevention of the use of the financial system for money laundering from illicit activities.

It is a directive aimed at the financial sector and aims to establish measures that allow banks to shield themselves and protect themselves against these threats.

AML5 affects companies from multiple sectors, including online gaming providers, cryptocurrency platforms, providers of cryptocurrency wallets and insurance policies,?which are required to identify and verify the identity of customers through remote or electronic identification processes.

Do you want to know what AML5 consists of and how it affects you? Download our Guide on the AML5 regulations to learn about it in depth!

Regulatory framework of KYC and AML regulations in Latin America

Similarly, in Latin America, the implementation of laws and regulatory frameworks that allow the practices of Know Your Costumer and Anti-Money Laundering measures have been carried out:

Mexico

In Mexico in October 2012?the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (LFPIORPI), known as the “Anti-Money Laundering Law” came into force.

It is a very demanding and rigorous law that obliges regulated entities to provide information to the government, not only for banks, stock market companies, credits and other financial entities, but also art galleries, real estate agencies, car dealerships, etc.

The management and supervision of compliance with its stipulations depends on the?The Attorney General’s Office (PGR), the Ministry of Finance and Public Credit (SHCP), the National Banking and Securities Commission (CNBV) and the Financial Intelligence Unit (UIF)?among other organisations.

?

Chile

The main law in Chile’s regulatory framework against?money laundering and identification of the nature of funds?is the?Law 19,913, enacted in 2003 creating the Financial Analysis Unit, the institution in charge of supervising the Chilean financial system, whose objective is to prevent and impede the use of financial instruments to carry out crimes of money laundering and financing of terrorism.

?

Peru

There is a Plan to Fight Money Laundering and Terrorism, promoted by the State, which favours the implementation of KYC and AML measures in the country. In order to protect the integrity and stability of the nation’s economic-financial system, as well as to reduce the economic power of organized crime and terrorism, and to fight corruption.

Reforms and updates to the?Criminal Law Against Money Laundering?and the creation of the?Financial Intelligence Unit?(FIU) are some of the measures that have been developed by the program.

The body in charge of supervising and managing information in Peru is the FIU, whose main function is to analyze and share information for the detection of Money Laundering and the financing of terrorism.

?Next up: KYC in Colombia, ...

Ready for more? Follow the rest of this guide on Mobbeel's blog >