The importance of KYC processes in building reliable and secure FinTech products

One of the crucial aspects of developing a FinTech product is building a solution that will maintain the company’s positive image and foster customer trust. To establish that, companies focus on fraud and financial crime prevention, as those are the most common reasons for monetary loss.

A report by the Federal Trade Commission states that impersonator scams were the most reported type in 2022 among financial services companies and resulted in $2.6 billion in losses. That’s why implementing a robust identity verification procedure is crucial when building modern banking infrastructure.

A proven way to do that is by embedding a know-your-customer (KYC) check into your FinTech product. A KYC check is a sequence of steps performed during the sign-up process to verify whether a customer is a real person and that they are not involved in suspicious activities.

Once a customer is verified, KYC requirements are met through ongoing monitoring of their profile to make sure the customer maintains a good reputation, their ID is not stolen, the account is not sold to another customer, etc. This article focuses on the reasons why is KYC important at the sign-up stage.

Having streamlined KYC in finance does a lot for financial institutions:

• Helps verify customers’ identities and pinpoints individuals involved in illegal activities or terrorism financing
• Makes compliance easier for FinTech companies by adhering to anti-money laundering (AML) regulations
• Provides the ability to perform KYC checks online without the need to verify customer identities in person, which improves the onboarding experience
• Enhances security of banking products and services
• And more

In this article, we explore the main things to consider before implementing know your customer in banking products, outline the onboarding process for different types of customers, and find out how a KYC check can help you prevent money laundering and manage risk.

The cost and complexity of KYC processes in finance are rising. According to a 2016 Thomson Reuters survey among 800 financial institutions, 89% of their corporate customers have had a negative KYC experience. Meanwhile, the compliance costs for KYC solutions have hit $500 million annually.
On the one hand, financial institutions need to comply with strict FinTech industry regulations; on the other hand, a lengthy verification procedure might result in customer loss. Let’s explore how these factors may impact the scope of KYC financial project implementation.

Adhering to local and global compliance requirements

First things first. The importance of knowing your customer is in identifying your customer according to global standards, country- and region-specific laws and regulations, and even the nature of your business clients (sole proprietorship, LLC, corporation, etc.).

For instance, in the EU, the main rules regarding financial security and KYC compliance are set out in the Anti-Money Laundering (AML) Initiatives provided by the European Banking Association.

In the US, KYC procedures are governed by two laws: the Bank Secrecy Act and the Patriot Act of 2001. However, each state has its own laws, standards, and regulations that you should also take into account.

To ensure your FinTech product complies with a country’s legal requirements, you need to learn about applicable compliance requirements and how you can meet them before you begin the development process. Here are the few ways you can do this:

• Consulting with a fraud or compliance officer. Hiring a compliance officer for a consultation may help you with following requirements and regulations in a region you plan to operate. However, for a deeper understanding of KYC procedures, it’s better to have an on-site fraud and compliance officer who knows the nuances of your business and can quickly address issues.
• Asking a vendor to set up your KYC service. If you have a tight budget, you can consult with the vendor you’ve chosen to integrate your KYC finance solution. Most vendors include support fees, and they can set up the KYC service in accordance with local and regional compliance requirements.

Overcoming technological limitations and scalability issues

As the number of clients using your financial application grows, it may put a load on your infrastructure. Moreover, growth in sign-up requests can happen unexpectedly — for instance, if you hold a successful marketing campaign and more users decide to try your application.

To keep KYC verification running smoothly on your side and on the vendor’s side, make sure you accurately estimate the number of requests that the vendor will need to process. It’s a good practice to estimate the load for both peak and quiet hours to cover all scenarios.

Ensuring a hassle-free customer experience

Since you cannot underestimate the importance of KYC in banking software and avoid it completely, you need to make sure that it’s easy and convenient for your customers to follow. Here are a few tips on how to achieve that:

• Make it easy for customers to provide necessary data
• Collect only the information that’s required to pass basic verification for your particular case
• Consider using pre-fill options

A lifehack from our expert:

Next, let’s discuss the preparations you need to do as a business owner before you decide on a vendor.

Establishing a proper KYC process: A checklist from our expert

Rather than building a KYC verification process from scratch, you can connect with a KYC provider that integrates their solution with your existing products. Usually, this consists of the following steps:

• Assessing your current environment. Evaluate the current infrastructure of your financial system and identify areas where banking know your customer compliance is needed.
• Evaluating and selecting your KYC provider. Take a look at a vendor’s reputation, solutions they provide, and how these solutions align with your expectations.
• Mapping infrastructure and data. All data in your current environment should be mapped and aligned with KYC processes to ensure smooth exchange of data inside it.
• Integrating the API. Most KYC providers offer API integration, which means you only need to write code to connect your existing software with the chosen KYC solution.
• Synchronizing customer data. Establishing processes for automated data synchronization between systems will help you maintain up-to-date records and quickly pinpoint inaccuracies.
• Testing and compliance checks. Thorough tests will help to ensure data accuracy, security, and compliance with KYC requirements. They will also help to verify that the KYC solution performs necessary identity verification, screening, and customer due diligence checks.
• Training users. Train your personnel to use the new solution effectively and make sure they understand the updated verification procedures.
• Monitoring and maintenance. Continuously monitor for any updates or changes in laws or regulations, and make adjustments to the integration as needed.

Now that we’ve discussed integrating KYC functionality with existing solutions, let’s consider another scenario. How can you approach KYC implementation if you’re only starting to develop your financial application?

The best advice in this case is to include KYC regulations into your scope and outline the depth of verification procedures before you start looking for a vendor. That’s because as you expand the features for your financial product, you might need to implement new forms of customer identification that your current vendor of choice might not offer.

Now, let’s examine the core processes you need to take care of while preparing for KYC implementation.

Evaluate your vendor’s solution portfolio

The first thing you should do when selecting possible vendors is to look at which solutions they offer and how those solutions correspond with your needs.

Next, check compliance requirements and the list of regions and countries that are covered by the vendor. That’s especially important if you plan to work in several financial markets, as one vendor might state that they provide ID check services for everyone when in fact they cover only North America, Western Europe, and Japan.

Then, if possible, browse the vendor’s API and documentation while considering the following:

• How clear and straightforward is their documentation?
• Which technologies are used, and do they match with your current technology stack?
• How many API calls can the vendor support per week? Per month?

Integration and maintenance processes significantly impact the implementation process and cost, so don’t wait to get an engineer’s evaluation until after the contract is signed.

It’s also important to understand how information will be exchanged. Will the vendor notify you once a KYC check is processed, or will you need to retrieve the results yourself? This affects the architectural approach and, thus, the integration speed and efforts.

Estimate the integration time frame

As KYC in finance is something you cannot avoid in your minimum viable product (MVP), consider the time and efforts you need to integrate the KYC solution. Although you might want to launch your new product as soon as possible, a vendor with a shorter time frame for integration might cost you more than you have in the budget.

For example, say you have a better offer from a vendor with an average integration time of 12 weeks and a worse offer from a vendor that plans three to four weeks for integration.

Recommended solution: If you can afford it, it would be best to choose the 12-week time frame and implement more features into your KYC check. However, if you have a strict time to market, you might go for the vendor with a shorter integration time frame, though this might require you to re-adjust your KYC feature or re-evaluate the scope of features you plan to implement.

Additional recommendations from our expert:

• Some payment processors and brokerage vendors offer built-in KYC services. Using these is not the best decision in the long-term perspective, as it takes control over KYC processes away from you and makes you even more tied to your vendor, but it’s a good choice if you want the fastest kick-off. But keep in mind that this option lacks flexibility, so there’s a chance you might want to switch to a more flexible vendor later.
• Make sure the integration is testable. The vendor should provide a sandbox or test account and have an option to test all scenarios: positive, negative, undefined, no response, etc. If your development team has already checked docs, you can involve them in this conversation so that QA specialists and backend developers can make sure they can conduct all necessary testing.

If you plan to integrate the KYC solution into an established business, you need to take into account factors that can prolong the integration time frame, such as:

• the volume and complexity of customer data that has accumulated over the years
• legacy systems and complex IT infrastructure
• the need to update existing verification checks to align with KYC policies
• more extensive testing due to system complexity
• more time needed for staff training and change management

Think about scalability

Most big vendors can handle tons of requests and easily work with high-load systems. But just to be on the safe side, don’t forget to confirm with your vendor that they will be able to handle your expected load.

Make sure that if your marketing team runs a huge campaign, not only your infrastructure but also your vendor’s infrastructure can cope. Otherwise, your campaign may be ruined due to the failure of a third-party service to process a sufficient number of requests.

Outline the costs

Generally, most vendors offer more or less the same pricing for KYC services. However, there is always space for evaluating the market and saving money. When choosing a KYC vendor, you’ll typically encounter a few pricing models:

• Model A: A better price per call, but it’s fixed no matter how many calls you make.
• Model B: A higher price per call, but the vendor provides you with discounts for a larger number of calls.
• Model C: A monthly fee for using the admin panel and a certain number of calls per month.

Below, we compare these three pricing models for different monthly customer volumes.

As you can see, model A is a good choice for products with smaller numbers of customers, whereas shifting to model B can be great as your number of customers grows.

Figure out the support process after implementation

Finally, make sure that you can easily get in touch with your vendor in case something goes wrong. Determine which channel will be optimal for easy communication and find a person who will be responsible for solving any issues that might arise.

Considering that issues during KYC onboarding may affect the customer conversion rate or influence the financial fraud rate, addressing them quickly is vital. Ongoing vendor assistance during implementation is a proven way to minimize potential errors.

Now, let’s find out how you can vet your vendor according to each aspect of developing a KYC process: from establishing a project scope to performing post-release support.

Once you establish a workflow with a vendor, they will likely present you the results of a KYC check in one of two ways:

• A conclusion based on the vendor’s findings. In this case, once the customer fills in the verification info, the vendor processes it and presents a conclusion. For instance, they can define customer risk levels as low, medium, or high, with further explanations of the factors that influenced the results, such as residential address check or SSN records.
• A report with all insights from the vendor but without a conclusion. In this case, the vendor breaks down which customer information has passed the check and which hasn’t. You can then use those insights to decide whether the customer has low, medium, or high risk on your own. As a business owner, you should have some rules on your side on how to process this information and decide if a customer passes.

In both cases, getting initial insights from a vendor will help you establish the level of KYC check thoroughness, also known as the customer due diligence program. Let’s discuss three possible levels of due diligence checks and their connection to customer risk levels.

Low-risk customers: Simplified due diligence (SDD)

A low-risk customer is someone who poses minimal risk to financial institutions. These customers usually have transparent transaction patterns that correspond with their income and occupation, a stable employment history and a good credit score, and are not associated with high-risk countries or industries.
For low-risk customers, a financial institution can adopt a simplified due diligence procedure, which takes less time compared to a basic one. However, very few FinTech companies go for simplified due diligence because it puts them under scrutiny by financial regulators.

Moreover, risk factors can change over time, and what appears to be a low-risk customer or transaction at one point may evolve into a higher-risk scenario. This means that financial institutions still need to constantly monitor and reassess low-risk customers, which impacts the response time and costs of verification procedures and makes it more reasonable to use basic due diligence as a default.

Medium-risk customers: Basic due diligence (BDD)

Medium-risk customers have the same profile as low-risk customers with a few variables. For instance, they might transfer money internationally or have occasional transactions that do not fit their usual profile and increase associated risks.

Generally, financial institutions treat most customers as medium-risk and offer basic due diligence as a mandatory process for verifying a customer’s identity and projecting their transaction habits.

High-risk customers: Enhanced due diligence (EDD)

High-risk customers present a significant potential risk to the financial institution. They might have connections to countries known for money laundering or terrorist financing, for instance. Or, they might work in an industry prone to financial crimes, such as gambling or offshore trading.

Another category of high-risk customers are politically exposed persons (PEP). PEP describes someone in a position of power, who has greater exposure to bribing, corruption, and money laundering.

If the standard customer identification program (CIP) identifies a high-risk customer, it switches to an enhanced due diligence procedure. EDD broadens the data collection pool to include a customer’s sources of wealth, business relationship to high-risk industries, and press coverage to help identify potential legal violations.

New FinTech startups are magnets for fraudsters. They know you haven’t spent years establishing your data security practices and that there are definitely some holes in your product. By using the tips below, you’ll always be on the lookout and have a plan in case of increasing fraud.

• Monitor chargeback and ACH return rates. If you don’t have a dedicated team yet and haven’t integrated anti-money laundering (AML) systems, at least establish monitoring of chargeback rates and Automated Clearing House (ACH) return rates. Aside from generating direct monetary losses, a high rate of ACH returns puts you at risk of being blocked by payment processing networks, payment providers, brokerage vendors, and others. Also, make sure you check wire transfers thoroughly and monitor transactions for big amounts of money to reduce money laundering risks.
• Have a plan for strengthening business rules/risk thresholds. While deciding on the initial set of verification rules, make sure that you can adjust something quickly if needed. For example, if your identity provider (IDP) sends you scores in the check result, put these scores in your admin panel so that you can adjust the verification threshold fast if the fraud rate increases. If your provider sends you a result such as “good/mid/fraud,” talk with them about what they can do in case you need to adjust the threshold. The same logic applies for business rules: if you make a decision based on a combination of insights from the IDP provider, make a preliminary decision as to which verification rules will change depending on the customer’s risk level and fraud rate.
• Prepare a flexible solution. If you decide to add an extra layer of protection, aim to build a flexible solution that allows you to switch providers fast with minimum errors during the transition. Your KYC process should be a pipeline which works independently and interacts with the KYC provider only as part of it. This will ensure a smoother transition and enable you to use several vendors without creating a mess of your data and confusion among the support team.
• Extra layers of security. No vendor has a solution that will give you 100% accurate results right out of the box. So if you are entering a risky domain, you can think about chaining vendors and types of checks.
• Consider using a knowledge-based authentication (KBA) solution. Some vendors, such as IDology, provide questionnaires for customers whose risk level is undefined or mid. This will not only help you identify more fraudsters but also will avoid false positive declines, as questionnaires give customers a chance to prove they are trustworthy.

Having a reliable and secure KYC process is fundamental for FinTech companies. It enhances customer security and trust and helps financial institutions comply with varying regional compliance requirements. Along with that, a carefully planned KYC pipeline reduces fraud risk and suspicious behavior, streamlining the customer onboarding process and thereby improving retention rates.

As the global financial landscape evolves, the need for ongoing monitoring and adaptation in KYC practices increases. By monitoring new laws and regulations, upgrading security measures, and communicating their needs with vendors, financial institutions can ensure that their bank know your customer processes remain robust, compliant, and customer-centric. This helps to foster long-term success in the competitive financial industry and improves your company’s reputation in the long run.