What is a KYC document?
KYC stands for Know Your Customer. Documents which are required for businesses to know your customer are KYC documents. These documents are normally divided into two distinct categories:
- Proof of Identity (POI) document – requires a photo of the individual
- Proof of Address (POA) document – cannot be dated older than 3 months.
Why is this relevant within the identity verification industry? When a business digitally onboards new customers, they are required to ensure they can accurately proof the identity of their customer using KYC checks.
It is important to note that the same document cannot be used to confirm both the user’s identity and the place of residence. At least two documents are required for the KYC process.
The acceptable KYC documents vary depending on which jurisdiction the process is being performed in. Some of the more generally recognized documents are listed here.
Proof of Identity (POI)
The first half of a KYC document must be an official government issued ID. This document must include a photo of them. There are a variety of IDs that are allowed to be used for POI purposes. Which are acceptable and where is determined on a jurisdictional basis.
In 2016, Pricewaterhouse Coopers published a very useful Quick Reference Guide on KYC (available here as a PDF). Some commonly accepted POI examples from around the world are:
- Passports – universally recognized
- National Identification Cards – Aadhaar in India, DNI in Argentina, SIN/SSN in Canada/United States, HKID in Hong Kong, BSN in the Netherlands
- Driving License – United States, Canada, the Netherlands
- Voter ID card – INE in Mexico, India, Jamaica
- Health Card – Canada
How PXL Vision checks POI
Every company that performs proof of identity (POI) checks should have a comprehensive KYC guide that describes the process and requirements for the user.
PXL uses the smartphone (or any other) camera to scan and extract information from the identity document in order to determine the authenticity of the document in an automatic way. Users just need to point their camera at the document, our solution then detects which document it is and extracts information from the document.
Most documents have machine-readable code line(s) (MRZ) on the back side of the document. We extract the information and run various checks on the MRZ itself. We then extract further information from the rest of the document known as the visual inspection zone (VIZ). However, purely extracting information from the document is not enough, we also want to ensure that we are dealing with a real document and not a fake. To assess the authenticity of a document, we analyse hundreds of different visual key features and run a variety of security checks, such as detecting holograms, on the document.
More and more identity documents now come with a biometric NFC chip. Using the smartphone NFC reading capabilities (if available), we are also able to read the information from the document and check whether the chip in the document has been tampered with. This, today provides the highest security in document verification.
In case the fully automated checks fail then, based on the security requirements of our customers or the regulations in place, there are steps in place to manually verify the documents proving identity. PXL Vision provides an easy to use tool for guiding customers’ back office employees through a simple manual verification.
Proof of Address (POA)
The proof of address (POA) KYC document is often vaguely defined. It is, however, one of the basic requirements for KYC checks. Officially issued documents, which have the individual’s name and current address on it, are key. Most POA documents require an issue date in the last 3 months.
Just like with POI documents there are a wide variety of documents that can be used for POA purposes; which are acceptable and where is also determined on a jurisdictional basis.
Most documents should be dated to within three months to show that the address is current. Some commonly accepted POA examples from around the world are:
- Utility bills such as Landline Telephone Bills, Gas bill or Electricity bill (usually not more than three months old)
- Bank Account Statement or Passbook entries (usually not more than three months old)
- Proof of residence issued by a Notary public or a Government Authority
- Identity card or document with an address that is issued by a Central or State Government
- Maintenance bills from official companies (usually not more than three months old)
How PXL Vision checks POA
PXL Vision’s identity verification platform is able to implement an API from another service provider to perform the POA check. For instance, in Switzerland where PXL has a large customer base, an API is used from the Swisspost to check POA documents.
If performing a manual POA check for your business, here are a few pointers to properly verify the documents:
- First, and if applicable, inspect the document for watermarks and security features to see that they are intact.
- Next, look for any signs of photoshopping or other alterations.
- If it is a bank statement, utility bill, maintenance bill or government issued correspondence have a look at the date to ensure that it is no older than 3 months.
- Make sure that the document has the person’s name on it.
- Check if the document has the address (the more specific the better) and confirm it’s existence with an online search of Google Maps.
- If the applicant submits the address without the apartment number while living in a block of flats, the compliance officer must request them to specify the flat as well. Postal boxes are not allowed.
KYC within the broader scope of Anti-Money Laundering (AML)
The submission of KYC documents and the process of checking them is partial to an anti-money-laundering (AML) framework, which banks and financial institutions are legally obliged to follow. The goal of AML is to verify with a high degree of assurance that customers are who they say they are and that they are not likely to be engaged in criminal activity.
The U.S. has had some form of KYC/AML legislation in place since the early 1900s; first rolled out to fight organized crime. However, this existing legal framework was completely overhauled and expanded following the September 11th, 2001 terrorist attacks in New York City.
The new KYC/AML legislation is encompassed by the USA Patriot Act of 2001(PDF), specifically in section: Title III: International Money Laundering Abatement and Antiterrorist Financing Act of 2001. Numerous countries around the world base some of their own KYC/AML processes on the stipulations and requirements found in the Patriot Act.
Who Regulates KYC Compliance?
In addition to the legislation outlined in the US Patriot Act, a variety of other oversight bodies around the world implement and regulate KYC/AML compliance. Some of these oversight bodies are:
- Australia (AUSTRAC – 1989)
- Canada (FINTRAC – 2000)
- Germany (BAFIN – 2002)
- Switzerland (FINMA – 2007)
- Italy (Banca d’Italia – 2007)
- Mexico (Federal Law for the Prevention and Identification of Operations with Resources from Illicit Origin – 2013)
- United Kingdom (The Money Laundering Regulations – 2017)
- India (Reserve Bank of India – 2002)
- South Africa: The Financial Intelligence Centre Act 38 of 2001 (FICA)
Other political organizations, such as the EU, Asia-Pacific countries (APAC) and others have built upon or created their own compliance frameworks. In addition to GDPR regulations, the EU has a new regulatory requirement, PSD2, to reduce fraud and make online payments more secure, as well as the 6th EU Anti-Money Laundering Directive (6AMLD).
Also, numerous countries and international bodies follow the G7’s Financial Action Task Force which is in turn supported by the G20.
Businesses requiring KYC
As mentioned, KYC is mandated by international law for banks and other financial institutions, at least to the extent that they want to participate in the global financial system. However, as governments around the world are beginning to hold financial institutions to ever higher standards, these institutions are in turn requiring the companies they do business with to also be more accountable.
So while banks and financial institutions are required to comply with KYC to limit money laundering and terrorist financing, these banks are now passing on some of the burden to the companies that they do business with.
If your business deals with money transactions in any way, now would be a good time to get in front of these potential future regulations.
At any rate, there is a good argument to be made that some businesses in the non-financial sector should voluntarily implement KYC procedures anyway in order to signal their trustworthiness and protect their business and customers from fraud. We recently published an article on the sharing economy, which demonstrates a solid use case for a KYC procedure where one is not yet mandated.
Compliance with KYC Requirements through digital identity verification
As businesses and institutions continue to move their services online and grow their user base, solutions for fast, easy and low cost online identity verification are needed.
Individuals want the convenience of signing up through digital channels, and they want the process to be quick and painless. Businesses and institutions, on the other hand, have to manage the realities of complying with KYC regulations and factor in the cost of whichever solution they go for.
The right online identification verification solution needs to be able to:
- Extract data from a wide variety of ID documents such as passports, driver’s licenses and other government-issued IDs
- Verify the authenticity and validity of the ID document
- Capture facial biometric data from the customer
- Compare the biometric data and the ID document to validate the customer’s identity
- Securely meet these technical objectives, while being scalable and cost-effective for large, international companies.
- Provide a simple, seamless user experience
KYC verification: Innovative approaches welcomed
European regulators have adopted new online identity verification processes. They are actively promoting new solutions to address specific compliance challenges. Furthermore, they have developed a common approach for a consistent application of standards across the EU known as the electronic IDentification, Authentication and trust Services regulation (eIDAS). The intent of eIDAS is to drive innovation towards using higher levels of information security and innovation.
The European Commission has recognized built-in computer applications that automatically identify and verify an individual from a digital image or a video source (facial biometrics) and built-in security features that can detect presentation attacks.
KYC for your business
Know Your Customer regulations already places a cost burden on businesses operating in the financial industry. Out of concern for money laundering and terrorist financing, governments and banks are making their KYC processes even more stringent.
Some of the extra cost for this tightening of regulations is being shifted to businesses not directly involved in the financial sector but still availing themselves of financial services.
If you are one of these businesses, please get in touch with us and find out how we can help you reduce these costs and drive customer conversion with a fully-automated, customizable solution from PXL Vision.