3 Key Components of Effective KYC/AML Compliance

What is anti-money laundering (AML) for crypto?

Cryptocurrency anti-money laundering (AML) encompasses the laws, regulations, and practices designed to stop criminals from converting illegally obtained cryptocurrencies into fiat currencies.

How does crypto AML work?

The Financial Action Task Force (FATF) sets the standards for AML laws globally. FATF began publishing guidance on cryptocurrency AML in 2014, and policymakers in FATF’s member jurisdictions quickly took action; today, FinCEN, the European Commission, and dozens of other regulatory bodies have codified most of FATF’s cryptocurrency AML recommendations into law.

From there, the baton gets passed on to virtual asset service providers (VASPs)—a group that FATF defines to include crypto exchanges, stablecoin issuers, and, on a case-by-case basis, some DeFi protocols and NFT marketplaces. These businesses do the heavy lifting to stop money laundering by employing AML compliance officers, requiring know-your-customer checks, and continuously monitoring cryptocurrency transactions for suspicious activity.

What is KYC?

Know Your Customer (KYC) refers to a set of practices and procedures that are used to understand a customer’s identity and activities and assess their risk from an Anti-Money Laundering (AML) perspective. Implementing effective KYC is often required by law for many companies such as Financial Institutions (FIs), Virtual Asset Service Providers (VASPs) and other regulated businesses.

How well do you know your customer? For FIs and other regulated businesses, the answer should be quite well. The risks of not having an accurate understanding of who a customer is and the nature of their financial activities and transactions can be measured in potential regulatory fines, sanctions and reputational damage if an FI is used as a conduit for money laundering, terrorist financing and other forms of financial crime.

KYC for regulated businesses usually involves the following processes:

• Establish a customer’s identity
• Understand and verify the customer’s activities and the legitimacy of their source(s) of funds
• Establish a risk profile for the customer based on key AML factors such as their activities and location. 

Effective KYC programs – whether they are for individual or corporate customers – are made up of three key components: Identity Verification (IDV), Customer Due Diligence (CDD) and Ongoing Monitoring. Let’s take a look at each one in some more detail.

1) Identity Verification (IDV) 

Knowing who someone forms the basis of any relationship of trust. In a time when identity theft and identity fraud is rampant, businesses that provide sensitive and regulated services – such as FIs and VASPs – have a pivotal need to understand and verify that a customer is who they say they are.

IDV is a process of identifying and verifying who a customer is. In the US, it’s known as a Customer Identification Program (CIP), and is set out in regulations such as the Patriot Act as a key element of preventing money laundering, terrorist financing and other financial crimes such as fraud and corruption.

Other countries and jurisdictions have their own versions of IDV enshrined in their AML regimes. The vast majority of countries in the world have committed to implementing the recommendations from the Financial Action Task Force (FATF), a global financial regulatory watchdog that develops AML and other financial regulatory advice.

Countries that fail or demonstrate a willingness to implement the FATF’s recommendations face being blacklisted and effectively having their access to the global financial system restricted or blocked. Faced with this threat, a global approach to AML compliance has taken shape – even if certain countries demonstrate varying degrees of implementation.

Beyond authenticating a customer’s identity, the next major objective of IDV is to establish a foundation for establishing an accurate risk assessment and profile for them.

A customer’s risk profile will depend on many different factors, including but not limited to their location, the source of their funds, and the nature of the services they are seeking access to. As such, while there are general guidelines for establishing a risk profile, the ultimate way it is determined will depend highly on the unique aspects of the onboarding business.

Some of the basic pieces of information required to perform IDV include:

• Name
• Date of birth
• Address
• Identification document

2) Customer Due Diligence

Establishing and verifying the identity of a prospective customer is the first, key step in a comprehensive onboarding process. Once an FI knows who a potential customer is, it’s time to determine what risk they carry.

CDD is a cornerstone for anti-money laundering (AML) compliance, and helps businesses to protect themselves from being used for criminal activity.

The process involves assessing all of the risks associated with a client or business relationship. It includes carrying out Know Your Customer (KYC) checks, which are then followed by analyses overall client conduct, their transactional history and behavior and other key indicators. This should determine if a customer’s activity and/or status is suspicious and indicative of heightened risk to your business – such as if they are classified as a politically exposed person (PEP) or are on any international or national watch lists and sanctions lists.

Companies that offer financial services are usually obliged to carry out CDD as part of their AML compliance and anti-fraud protocols.

CDD can be separated into three tiers:

• Simplified Due Diligence (SDD) is carried out on individual or business customers that are deemed to present a low AML risk, such as those with low value accounts in highly regulated and transparent jurisdictions.
• Basic Customer Due Diligence (CDD) refers to the process of collecting baseline information on customers to verify their identity and assess their associated risks.
• Enhanced Due Diligence (EDD) involves carrying out more detailed checks on a customer and their background, and is usually reserved for those that are deemed to be high risk. EDD can involve searching relevant litigation records, credit histories, PEP, sanctions and watchlist screenings, and adverse media searches.

Determining which type of CDD to carry out on a prospective customer should be carried out using a Risk-Based Approach (RBA). In basic terms, this involves classifying customers as low, medium or high risk, and applying the relevant checks on them accordingly.

The RBA is recommended by the FATF as it allows companies to allocate their compliance resources where it is needed instead of attempting to carry out extensive CDD on all customers – a difficult and resource-intensive objective for most regulated businesses.

In determining what level of due diligence is required (CDD vs EDD), an onboarding firm needs to search for ‘Red Flags’ associated with the following:

• Customer’s address/location (country of operations, country of registration)
• Actual or anticipated account activities
• Account type (e.g., cash, trading, savings, and investing)
• Type of business in which the customer is engaged in (export, manufacturing, high-risk industries such as tobacco/alcohol, gaming, etc.)
• Type of entity (foreign bank, nonbank financial institution, domestic/foreign corporation, trust, individual, corporation, LLC, partnership, etc.)
• Their source of wealth or source of assets
• Purpose of the account
• Presence of involvement of any Politically Exposed Persons (PEP), their immediate family members or close associates

3) Ongoing monitoring

Once a customer has been onboarded, it is necessary to keep track of their behavior and risk status. Put simply, just because a customer is onboarded as low or medium risk does not guarantee that their status changes in the future.

As noted, the RBA determines whether a customer is low, medium or high risk based on certain thresholds and classifications that are determined internally by the onboarding entity. Ongoing monitoring involves carrying out periodic checks to identify risk factors such as:

• Sudden fluctuations in transactional activity
• Unusual cross-border activity
• Transactions involving sanctioned entities or individuals or those on watchlists
• Adverse media references

If suspicious activity is detected, this might prompt further EDD and/or the submission of a Suspicious Activity Report (SAR) to relevant regulatory authorities.

Automated KYC

As we’ve seen, carrying out efficient, effective and robust KYC on individual and business customers is not a simple or straightforward process, with multiple complicating factors affecting the degrees and levels of KYC/CDD that should be carried out. In addition, the need to carry out Ongoing Monitoring can be an onerous task for smaller FIs or VASPs with minimal internal compliance resources.

The good news is that these processes can in most cases be covered by automated digital KYC technologies that quickly carry out multiple necessary checks on customers, smoothing and expediting the onboarding process. This makes for both better customer experiences and allows FIs, VASPs and other regulated businesses to scale both in their home countries and in new foreign markets.