Knowing who a user is at the time of login is a crucial part of identity verification, which is the cornerstone of authentication. While this is sufficient for many apps, some require much more than a one-time process to validate a user. Building on the concept of authentication is KYC, or Know Your Customer, which is essentially an ongoing authentication mechanism to ensure the person using an account is an authorized individual.
There’s a time and a place for KYC, at least for the moment. Today, KYC compliance is an essential element in the investment industry to protect all parties, but on some level, more services would benefit from incorporating some of these ideas for greater security. In the following, we’ll explain exactly what KYC is and why it matters, then discuss the future of KYC as well as its underlying concepts.
What is KYC?
While KYC sounds like some kind of customer service model, it’s a framework that’s implemented by financial institutions to protect both themselves and their customers. The framework is a byproduct of the 2001 Patriot Act, was put into play in India at the same time, and is now a global standard. It’s a part of AML (Anti-Money Laundering) compliance, which uses risk management to prevent a range of illegal activity like hiding assets, funding crime, market manipulation, and so on.
At its core, KYC is a system with which financial institutions are now obliged to comply in order to verify the identity of an account holder. It has three main components or “pillars,” beginning with CIP (Customer Identification Program), which was the first to be rolled out. This means that banks and other financial entities like investment firms are required to collect a certain amount of verifiable information about a client: at minimum, their full legal name, date of birth, address, and ID numbers (e.g. social security number, driver’s license, etc.).
Recording this information is now mandatory for all banking customers, even for simple checking and savings accounts. This is why, if you open a new account with a bank in the United States, you’ll need to supply an official ID like a current driver’s license and proof of address in the form of something like a utility bill, lease, or mortgage statement. While it’s not perfect, this allows banks to be fairly certain that an individual is who they say they are, and to have some kind of documentation on file should other scenarios arise.
The next two pillars are CDD (Customer Due Diligence) and continuous monitoring, both of which apply to simple accounts but play a bigger role for investment and high-value accounts. Simple accounts are usually subject to what’s referred to as SDD (Simple Due Diligence), but EDD (Enhanced Due Diligence) comes into effect for high-value accounts that have the potential for being abused, whether through infiltration by an outside user or by the client, who could use the account for nefarious means like money laundering, terrorism funding, or black market and other illegal transactions. Here, all transactions are monitored to log any kind of irregularity, allowing financial institutions to take action or report to authorities when necessary.
This leads us to the final pillar, continuous monitoring, which is an extension of the second pillar. For example, let’s say a commercial real estate investment account here in the US is used to purchase properties throughout the country for mostly retail purposes. There are certain transactions you’d expect to see in this realm, but a sudden large purchase of a classic car collection might be seen as uncharacteristic. KYC gives these institutions the ability to intervene when a sudden anomaly arises, protecting the customer in the event the transaction is unauthorized.
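To make the real-estate account scenario above concrete, here is an added example (not code from this article or from any monitoring product) of a per-account baseline that flags uncharacteristic transactions. The category names, sample history, outlier threshold, and review floor are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample history for a commercial real-estate investment account:
# (category, counterparty, amount in USD). All values are invented.
HISTORY = [
    ("real_estate", "Title Co A", 1_200_000),
    ("real_estate", "Title Co B", 950_000),
    ("property_tax", "County Treasurer", 18_000),
    ("real_estate", "Title Co A", 1_400_000),
    ("maintenance", "Facilities LLC", 7_500),
    ("real_estate", "Title Co B", 1_100_000),
    ("property_tax", "County Treasurer", 21_000),
    ("maintenance", "Facilities LLC", 6_800),
]

def build_profile(history):
    """Summarise past activity into a per-account baseline."""
    amounts = {}
    for category, _, amount in history:
        amounts.setdefault(category, []).append(amount)
    return {
        "amounts": amounts,  # per-category amounts seen so far
        "counterparties": {party for _, party, _ in history},
        # Assumption: new-category spending below the account's median
        # transaction size is recorded but not escalated.
        "review_floor": median([amount for _, _, amount in history]),
    }

def mad_score(value, samples):
    """Distance from the median in units of median absolute deviation."""
    mid = median(samples)
    mad = median([abs(s - mid) for s in samples]) or 1.0  # avoid divide-by-zero
    return abs(value - mid) / mad

def assess(profile, txn, threshold=5.0):
    """Return (decision, reasons) for one new transaction."""
    category, party, amount = txn
    reasons = []
    if category not in profile["amounts"]:
        reasons.append("new_category")
    elif mad_score(amount, profile["amounts"][category]) > threshold:
        reasons.append("amount_outlier")
    if party not in profile["counterparties"]:
        reasons.append("new_counterparty")
    escalate = "amount_outlier" in reasons or (
        "new_category" in reasons and amount >= profile["review_floor"])
    return ("review" if escalate else "allow"), reasons

PROFILE = build_profile(HISTORY)
print(assess(PROFILE, ("collectibles", "Classic Auto Auctions", 2_500_000)))
```

The review floor keeps a small purchase in a new category from interrupting the customer, while an outsized payment to a familiar vendor is still escalated.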
Why is KYC important?
We’ve talked extensively about authentication as it serves as the bedrock for both platform and user security. For most apps and other digital products, the act of creating an account assumes that having a user register with an email, through a phone number, or using a third-party connector like Sign in with Apple is sufficient to make sure there’s a real person on the other end. Even though these systems can effectively keep others from accessing and using an account, we know they’re certainly not perfect. Not only that, most sign-up processes don’t use any official means to connect an account with a living person – once a user login is established, it’s assumed that the person accessing the system is the account holder.
The fact the Internet hosts “a vast and troublesome population of bots” is one of many reasons that financial institutions have a specific system in place to check off boxes before an account is issued. These details allow an account to be linked to a real-life person or entity such that there’s something that can be held accountable on the other end. It further provides transparency that helps the institution understand risks as well as provides a foundation of trust for other businesses.
To be clear, KYC isn’t some official methodology or stack of definitive products and services; it’s a process that ranges in execution styles. As such, some implementations can feel cumbersome to investors with a diverse portfolio, especially when outdated technology is used for the monitoring process. Over the past few years, the application of AI (Artificial Intelligence) in financial systems has helped by recognizing unconventional patterns that are in fact safe as well as uncovering illegal activity in innocuous-looking transactions.
If you plan to offer a fintech solution, most likely KYC will be required on top of other data compliance laws. It’s vital to verify the identity of customers to prevent your system from being abused as well as to keep your users safe while allowing them to operate with minimal interference.
The future of KYC
More and more, continuous monitoring and the various levels of due diligence will benefit from advances in ML (Machine Learning) and AI by creating more dynamic profiles of an account holder. For example, many investment companies use past transaction history to understand their customer, which is easy when transactions are infrequent, a majority of purchases are with the same vendors, and incoming funding is from the same sources. However, more complex histories can be miscategorized by less-intelligent systems that mostly just match and sort information.
Using ML with more complex histories can help form associations and better predictions by interpreting more than just dollar amounts and where the money is coming from or being sent. Much like how early search engines mostly just matched keywords and a couple of other elements to decide where an indexed page should fall on a results page, monitoring systems for KYC will evolve like Google to better understand data meaning and relevance by also considering many other factors. ML and AI will provide better insights into past activity as well as real-time monitoring to give clients an ideal balance of freedom and protection while uncovering abusive behavior.
Outside of the financial world, elements of KYC will likely be applied to more services to better protect platforms and their users. A decent example of this is how Tinder uses a combination of facial recognition and the human eye to verify the identity of its users. This is essentially like the CIP pillar of KYC as it provides an additional layer to ensure that the account holder is who they say they are, thus giving others on the platform a greater sense of safety. This is similar in concept to, but less official than, services like Checkr, which we have used as a component in products like the on-demand marketplace we built for Hyer.
Another element that will hopefully be picked up by everything from eCommerce to social media is continuous monitoring to check for abuse. Going back to the Tinder example, let’s say a certain user who is typically well-mannered is observed sending offensive material to people they match with. An attacker with the means to access the account might not be caught until the user notices messages they didn’t send, and Tinder might not be any the wiser. However, continuous monitoring using NLP could easily detect major deviations in communication patterns and even more subtle changes – a fake Tinder account could be a valuable tool for someone with a little patience who is looking to cause harm.
Find an agency that knows KYC when building a digital product
We seek out challenges in design and outcomes by embracing innovation and confronting the unconventional. The world demands security and convenience so your financial platform must incorporate KYC with the best possible technologies to keep users unencumbered and everything safe. Blue Label Labs also sees the value in applying some of the concepts to other digital products as well. If you’re looking to build a secure product whether for finance or otherwise, get in touch with us to learn about how we can create an optimal solution for your needs.