Regulated financial institutions are required to manage and adhere to regulations that are often changing. Adapting to these changing regulations is one task, but keeping up with your customer base across the lifecycle can be a whole other challenge. Know Your Customer (KYC) at the point of onboarding is essential, but it’s only the starting point.
What is Re-KYC?
In KYC onboarding, a relevant risk score is assigned to each new user. In Re-KYC, a process is initiated that equips financial institutions to "know their customer" after the onboarding phase, in an effort to have the latest and most accurate user information in their databases. Standard regulations require that a customer deemed "low risk" undergo KYC every three years following onboarding. A "medium risk" classification means a customer will be KYC’d every two years and every year for "high risk" users. Throughout the customer lifecycle, a user's risk profile may change, identity documents may need updating to meet new regulations, or suspicious transactions may trigger red flags that require account authentication. Enterprises who don't know their customer at any moment, risk having fraudsters in their customer base: leaving them vulnerable to money laundering, terrorist financing, and regulatory violations. Re-KYC is often seen as just another box to be ticked when it comes to compliance. But shifting the understanding of Re-KYC from a tedious, retroactive task to an essential, proactive tool could set enterprises up for long-term success.
Re-KYC as a tool in identity monitoring
Identity monitoring, also known as Continuous KYC, is knowing who your user is throughout their entire time as a customer of your business. In addition to the standard periodic reviews every 1-3 years, financial institutions can customize certain triggers for Re-KYC. For instance, specific red flags can raise a Re-KYC based on a user's activity or can be triggered if a user's documents have expired.Without the proper mechanisms in place, monitoring a customer throughout their lifecycle can be costly and labor-intensive. Enterprises that have fragmented KYC and AML products across different vendors risk creating siloes of customer data and information, making staying on top of Re-KYC requirements harder than it needs to be. Companies who choose to undertake identity monitoring in-house could be creating a massive volume of manual work. Fourthline found that the bulk of the costs and challenges lie in the back office: where manual processes are error-prone and expensive.
A practical guide to re-KYC
The first step to leveraging Re-KYC to its full potential is understanding its optimal uses.
1. Continuous KYC to mitigate re-KYC
If a regulated financial institution applies a range of Continuous KYC products from day zero, the KYC information will always be up to date, and hence a "formal" Re-KYC is not required.
How it works: A risk score is assigned to a user during onboarding. This risk score considers the profile of a customer, the products or services being used, and relevant country or regional regulations. Users can be asked to confirm their identity and provide a selfie (e.g., every quarter) depending on an enterprise’s risk appetite or in the instance of suspicious activity. Also, clients can be asked to update their ID if a new product is offered and the document on file has expired.
Pros: Accurate information at any time during the lifecycle
Cons: Requires a full range of products, which most financial institutions don't have in-house; Partnering with a specialist would be required
2. Reconfirming information on file
This solution requires the financial institution to solely rely on the account user to confirm if their information on file is correct.
How it works: On a specified date, and linked to their risk rating, the user is shown their core data and asked to reconfirm its accuracy. In the case of incorrect core information, a process will be triggered that asks the customer to provide new information.
Pros: Lowest possible friction for the user
Cons: Limited reliability on whether the data is correct, proven, or up to date
Users are asked to review information at a glance, but there is no action taken to verify that the account user is the account holder, exposing a risk for money muling. If the quality of the existing information is subpar, this becomes a missed opportunity to have up-to-date customer information while potentially leaving risk, like money mules, undetected.
3. Low friction validation
The option asks the user to actively validate information on a need-to-know basis and validate the rest passively.
How it works: The user's whereabouts and device data can be validated passively by comparing it to the sign-up data. The user is asked for a selfie to ensure the account user is the same as the account holder. The validity of the ID on file is checked and only if expired is a user asked to provide proof of an updated document.
Pros: Low friction for the user, accurate and validated information ensured
Cons: Users may need to be informed on why their data requires validation to avoid confusion or hesitation with having to undergo a process they have a limited understanding of (such as a regulatory requirement). It may be easier to request this information in conjunction with another initiative (e.g., a new product offering) to encourage participation from the user.
4. Full validation
This approach treats Re-KYC the same as an initial KYC.
How it works: The user will be asked to complete the same flow as on day zero, including all information such as an ID (even if it’s the same as the one on file).
Pros: The most robust case for regulators; Provides a complete and high-quality file irrespective of when a client signed up
Cons: Creates friction for users, although it can be communicated as a measure to keep their account safe from bad actors
Solving user friction with automatic data extraction
The purpose of a proper Re-KYC is to comply with regulations (most notably the 5AML) and avoid any remediation requirements. Fourthline reported that remediation could result in enterprises putting the burden on clients, recruiting expensive and untrained staff, building a file with patchwork data, and relying on manual processes. At Fourthline, remediation is done automatically without any action needed from the user. Customer records are extracted by reading customer data from identity documents already on file. Data is cleansed of contradictory information to create a single, accurate, and up-to-date customer data record, complete with an entire audit trail.Good UX and an accurate database don't have to be mutually exclusive. And being proactive in your Re-KYC strategy could mean harnessing the full potential of identity monitoring across the customer lifecycle and having a database clear of fraudsters and regulatory pitfalls.