What is a KYC document? Know Your Customer rules explained for businesses
- What is a KYC document?
- Proof of Identity (POI)
- Proof of Address (POA)
- KYC & Anti-Money Laundering (AML)
- Who Regulates KYC/AML Compliance?
- Businesses requiring KYC
- KYC for your business
What is a KYC document?
KYC stands for Know Your Customer. KYC documents are the documents a business collects in order to know who its customers are. These documents are normally divided into two distinct categories:
- Proof of Identity (POI) document – requires a photo of the individual
- Proof of Address (POA) document – cannot be dated older than 3 months.
Why are KYC documents relevant to the identity verification industry? When a business digitally onboards new customers, it is usually required to ensure that it can accurately prove the identity of each customer using KYC checks. Please note: identity verification is a must when onboarding customers in the financial services sector, for example when opening a bank account.
It is important to note that the same document cannot be used to confirm both the customer's identity (POI) and their place of residence (POA). Thus, at least two documents are required for the KYC process.
The KYC documents that are deemed acceptable vary depending on the jurisdiction where the KYC process is being performed. Some of the more generally recognized documents are listed below.
The first half of a KYC document must be an official government issued ID. This document must include a photo. There are a variety of IDs that are allowed to be used for POI purposes.
In 2016, PricewaterhouseCoopers published a very useful Quick Reference Guide on KYC documents (available as a PDF). Some commonly accepted POI examples from around the world are:
- Passports – universally recognized
- National Identification Cards – Aadhaar in India, DNI in Argentina, SIN/SSN in Canada/United States, HKID in Hong Kong, BSN in the Netherlands
- Driving License – United States, Canada, the Netherlands
- Voter ID card – INE in Mexico, India, Jamaica
- Health Card – Canada
How PXL Vision checks POI
Every company that performs proof of identity (POI) checks should have a comprehensive KYC guide that describes the process and requirements for the user.
PXL Vision's solution uses the customer's smartphone camera to scan the identity document, extract information from it and automatically determine its authenticity. Customers just need to point their camera at the document and follow the onscreen instructions to help line up the document. PXL's technology detects the document type and extracts information from it.
Most documents have machine-readable code line(s), the machine-readable zone (MRZ), on the back side of the document. We extract the information and run various checks on the MRZ itself. We then extract further information from the rest of the document, known as the visual inspection zone (VIZ). However, purely extracting information from the document is not enough: we also want to ensure that we are dealing with a real document and not a fake. To assess the authenticity of a document, we analyse hundreds of different visual key features and run a variety of security checks, such as detecting holograms.
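One kind of check that can be run on the MRZ itself is the check-digit validation defined in ICAO Doc 9303. The following is an added example, not PXL Vision's code: it assumes the two-line passport (TD3) layout, which the article does not specify, and the function and constant names are illustrative.

```python
# Added example: ICAO Doc 9303 check digits on line 2 of a TD3 (passport) MRZ.
import string

WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO 9303
# Character values: 0-9 -> 0..9, A-Z -> 10..35, filler '<' -> 0
VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0

# (name, data slice, index of its check digit) for TD3 line 2, 0-based
TD3_FIELDS = (
    ("document_number", slice(0, 9), 9),
    ("date_of_birth", slice(13, 19), 19),
    ("date_of_expiry", slice(21, 27), 27),
    ("personal_number", slice(28, 42), 42),
)


def check_digit(data: str) -> int:
    """Weighted sum modulo 10; raises ValueError outside the MRZ alphabet."""
    try:
        return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10
    except KeyError as exc:
        raise ValueError(f"invalid MRZ character {exc.args[0]!r}") from None


def validate_td3_line2(line: str) -> dict:
    """Return {field: bool} for every check digit in TD3 line 2."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    results = {}
    for name, span, pos in TD3_FIELDS:
        data, digit = line[span], line[pos]
        ok = digit == str(check_digit(data))
        # An unused (all-filler) personal number may carry '<' instead of '0'.
        if name == "personal_number" and digit == "<" and set(data) == {"<"}:
            ok = True
        results[name] = ok
    # Composite digit covers positions 1-10, 14-20 and 22-43 (1-based).
    composite = line[0:10] + line[13:20] + line[21:43]
    results["composite"] = line[43] == str(check_digit(composite))
    return results


# ICAO 9303 specimen data (not a real passport), and a copy with a single
# misread digit in the date of birth (740812 -> 750812), as OCR might produce.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
ALTERED = SPECIMEN[:14] + "5" + SPECIMEN[15:]

if __name__ == "__main__":
    print(validate_td3_line2(SPECIMEN))
    print(validate_td3_line2(ALTERED))
```

A pass here only shows that the MRZ is internally consistent, which catches misreads and careless edits; it says nothing about whether the document is genuine, which is why the visual and chip checks described in this section are still needed.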
More and more identity documents now come with a biometric NFC chip. Using the smartphone NFC reading capabilities (if available), we are also able to read the information from the document and check whether the chip in the document has been tampered with. This technology provides the highest security in document verification.
If the fully automated checks fail, there are steps in place to manually verify the identity documents, depending on the security requirements of our customers or the regulations in place. PXL Vision has built an easy-to-use tool, PXL Ident, that guides our customers’ back office employees through a simple manual verification process.
The proof of address (POA) KYC document is often vaguely defined. It is, however, one of the essential requirements for KYC checks. Officially issued documents that have the individual’s name and current address on them are key. Most POA documents require an issue date in the last 3 months.
Just like with POI documents, there is a wide variety of documents that can be used for POA purposes; which ones are acceptable, and where, is also determined on a jurisdictional basis.
Most documents should be dated to within three months to show that the address is current. Some commonly accepted POA examples from around the world are:
- Utility bills such as Landline Telephone Bills, Gas bill or Electricity bill (usually not more than three months old)
- Bank Account Statement or Passbook entries (usually not more than three months old)
- Proof of residence issued by a Notary public or a Government Authority
- Identity card or document with an address that is issued by a Central or State Government
- Maintenance bills from official companies (usually not more than three months old)
How PXL Vision checks POA
PXL Vision’s identity verification platform is able to integrate an API from another service provider to perform the POA check. For instance, in Switzerland, where PXL has a large customer base, an API from Swiss Post is used to check POA documents.
If performing a manual POA check for your business, here are a few pointers to properly verify the documents:
- First, and if applicable, inspect the document for watermarks and security features to see that they are intact.
- Next, look for any signs of photoshopping or other alterations.
- If it is a bank statement, utility bill, maintenance bill or government-issued correspondence, have a look at the date to ensure that it is no older than 3 months.
- Make sure that the document has the person’s name on it.
- Check if the document has the address (the more specific the better) and confirm its existence with an online search of Google Maps.
- If the applicant submits the address without the apartment number while living in a block of flats, the compliance officer must request them to specify the flat as well. Postal boxes are not allowed.
The submission of KYC documents and the process of checking them is part of an anti-money laundering (AML) framework, which banks and financial institutions are legally obliged to follow. The goal of AML is to verify with a high degree of assurance that customers are who they say they are and that they are not likely to be engaged in criminal activity.
The U.S. has had some form of know your customer / anti-money laundering (KYC/AML) legislation in place since the early 1900s, initially introduced in order to fight organized crime. However, this existing legal framework was completely overhauled and expanded following the September 11th, 2001 terrorist attacks in New York City.
The updated KYC/AML legislation is encompassed in the 2001 USA Patriot Act, specifically in Title III: International Money Laundering Abatement and Antiterrorist Financing Act of 2001. Numerous countries around the world base some or even most of their own anti-money laundering legislation on the stipulations and requirements found in the Patriot Act.
In addition to the legislation outlined in the US Patriot Act, a variety of other oversight bodies around the world implement and regulate KYC/AML compliance. Some of these oversight bodies are:
- Australia (AUSTRAC – 1989)
- Canada (FINTRAC – 2000)
- Germany (BAFIN – 2002)
- Switzerland (FINMA – 2007)
- Italy (Banca d’Italia – 2007)
- Mexico (Federal Law for the Prevention and Identification of Operations with Resources from Illicit Origin – 2013)
- United Kingdom (The Money Laundering Regulations – 2017)
- India (Reserve Bank of India – 2002)
- South Africa: The Financial Intelligence Centre Act 38 of 2001 (FICA)
Other political organizations, such as the EU, Asia-Pacific countries (APAC) and others have built upon or created their own compliance frameworks. In addition to GDPR regulations, the EU has a new regulatory requirement, PSD2, to reduce fraud and make online payments more secure, as well as the 6th EU Anti-Money Laundering Directive (6AMLD).
Also, numerous countries and international bodies follow the G7’s Financial Action Task Force, which is in turn supported by the G20.
As mentioned, KYC is mandated by international law for banks and other financial institutions, at least to the extent that they want to participate in the global financial system. However, as governments around the world are beginning to hold financial institutions to ever higher standards, these institutions are in turn requiring the companies they do business with to also be more accountable.
So while banks and financial institutions are required to comply with KYC to limit money laundering and terrorist financing, these banks are now passing on some of the burden to the companies that they do business with.
If your business deals with money transactions in any way, now would be a good time to get in front of these potential future regulations.
At any rate, there is a good argument to be made that some businesses in the non-financial sector should voluntarily implement KYC procedures anyway in order to signal their trustworthiness and protect their business and customers from fraud. We recently published an article on the sharing economy, which demonstrates a solid use case for a KYC procedure where one is not yet mandated.
As businesses and institutions continue to move their services online and grow their user base, solutions for fast, easy and low cost online identity verification are needed.
Individuals want the convenience of signing up through digital channels, and they want the process to be quick and painless. Businesses and institutions, on the other hand, have to manage the realities of complying with KYC regulations and factor in the cost of whichever solution they go for.
The right online identification verification solution needs to be able to:
- Extract data from a wide variety of ID documents such as passports, driver’s licenses and other government-issued IDs
- Verify the authenticity and validity of the ID document
- Capture facial biometric data from the customer
- Compare the biometric data and the ID document to validate the customer’s identity
- Securely meet these technical objectives, while being scalable and cost-effective for large, international companies.
- Provide a simple, seamless user experience
Learn how PXL Vision is able to offer this with a flexible, modular approach to online identity verification. Contact us today.
European regulators have adopted new online identity verification processes. They are actively promoting new solutions to address specific compliance challenges. Furthermore, they have developed a common approach for a consistent application of standards across the EU known as the electronic IDentification, Authentication and trust Services regulation (eIDAS). The intent of eIDAS is to drive innovation towards using higher levels of information security and innovation.
The European Commission has recognized built-in computer applications that automatically identify and verify an individual from a digital image or a video source (facial biometrics) and built-in security features that can detect presentation attacks.
Know Your Customer regulations already place a cost burden on businesses operating in the financial industry. Out of concern for money laundering and terrorist financing, governments and banks are making their KYC processes even more stringent.
Some of the extra cost for this tightening of regulations is being shifted to businesses not directly involved in the financial sector but still availing themselves of financial services.
If you are one of these businesses, get in touch with us and find out how we can help you reduce these costs and drive customer conversion with a fully-automated, customizable solution from PXL Vision.