What are "KYC" and "AML"?

How these acronyms work to keep your customers and your company safe

As technology marches on, digital financial companies pop up seemingly every day. Each offers customers ways to handle their banking chores via mobile devices—saving them time and sparing them the aggravation of waiting in lines.

The rapid emergence of the fintech sector and the disruption it brings to a brick-and-mortar industry has come with some new concerns about security, however. Companies new and old are taking cybersecurity measures much more seriously—especially ones that can protect banking customers from fraud and institutions from bad actors looking to make their ill-gotten gains appear legitimate. Fortunately for startups and other institutions, a host of entities–banks, governments, and international bodies—have developed policies, regulations, and standards to make banking transactions cyber-safe and keep them on the up-and-up.

Chief among these are know-your-customer standards—or “KYC.” Designed to protect consumers and companies from fraud and money laundering, KYC has become a critical function of banking institutions, including those that operate digitally. During an era of increasing cyber-criminality, KYC practices often involve technology for identity verification and security.

Banking institutions and fintech companies that handle large sums of money supplement their KYC practices--legally mandated practices that focus on a customer’s identity--with anti-money laundering procedures, known in the industry as “AML.” As opposed to KYC, AML focuses more on the safety and security of financial institutions and of society at large. The goal of AML policies is to ensure that cartels, criminals, drug gangs, fraudsters, and terrorist groups aren’t using legitimate financial institutions to “launder” dirty money so it can be put to other purposes.

This post will explain the terms ‘KYC’ and ‘AML’ and how identity verification plays a role in these important security best practices.

What is KYC?

Simply put, KYC gives banking institutions a better idea of who their customers and end users actually are. KYC paints a fuller picture of customers, verifying their identity, often by providing data on them.

“KYC, as we’ve come to know it, checks an important box when it comes to banking policy,” says Alec Randall, a fintech industry consultant. “It can prevent fraud and protect your customers’ information. You want to make sure that bad actors don’t get into your platforms. Trust is everything in banking.”

Companies are under increasing pressure to verify the identity of each customer, starting with the sign-up (or “on-boarding”) process. Besides confirming identity, some fintech institutions also want to analyze customer data to improve their operations and prevent losses. Mostly, they want to reduce the time a customer spends getting authenticated and to avoid lengthy reviews of a customer’s request. To do all that with confidence, they need to take KYC measures.

Bankers typically think of KYC as a system that incorporates elements of identity verification, along with customer due diligence (research on who the person is), and enhanced due diligence for higher-risk customers.

By moving beyond the traditional username-and-password model and instituting stronger measures, such as multi-factor authentication, companies can more completely verify a customer’s identity. Such authentication efforts improve institutions’ security.

Conversely, antiquated KYC practices can leave institutions at risk of fraud. Mobile devices that digital customers use for banking are especially attractive to cyber-criminals, with so-called mobile-account takeover fraud rising by 650 percent in just one year (in 2020), and with nearly four in 10 consumers reporting that they have become victims.

What is AML?

AML, the acronym for anti-money laundering, represents compliance programs for financial institutions that feature several types of protection, chiefly ones that detect when criminals and other bad actors are attempting to use the banking system to legitimize holdings they have reaped illicitly.

Typically, institutions are required to report transactions of $10,000 or more to regulators and keep extensive records on just about every single financial transaction. Still, they do constant battle with criminals who often make multiple withdrawals or transfers just under the $10,000 threshold, or who find artful ways of entering the financial system. Once inside, many launderers create shell companies or hire paid consultants to avoid detection as they move money.

AML measures, largely standardized around the world, are used to wage battles daily with such criminals. They take up much more of an institution’s bandwidth—in cost, staffing, and time—than do KYC measures. And the stakes to institutions and society at large are much higher: The United Nations estimates that money laundering could account for up to five percent of global GDP.

What is the difference between KYC and AML?

KYC rules represent the regulatory steps a financial institution must take to verify the identity of a customer before they grant them access to a service. That process often starts when a would-be customer fills out an application or opens an account. A strong KYC process allows companies to better understand their customers and manage their finances in ways that minimize risk. Examples of verification measures include behavioral monitoring, biometric scans, credit-history checks, and the use of AI-driven facial-recognition software.

AML involves a deeper level of regulation, staffing, and vigilance. Institutions must take several actions to prevent being used by perpetrators of financial crimes. “KYC is much more immediate,” says Randall. “It’s something you deal with up front. AML plays out over time and requires constant monitoring.”

What do KYC and AML have in common?

Banks and other financial institutions use both to mitigate fraud and make sure they know who they’re dealing with, as well as to comply with government regulations.

What are the major KYC AML compliance regulations?

The USA PATRIOT Act, passed in 2001 not long after 9/11, requires banking institutions to develop clearly stated KYC AML policies. ID verification measures must include the gathering of certain types of information about customers, including their names, addresses, dates of birth, and tax identification numbers.

Companies are required to follow through on their policies and review them regularly, Randall says. Banking compliance departments are also subject to annual exams on ways to detect money laundering and follow best practices for preventing it. Laws governing AML are much more multi-layered and stringent than KYC rules.

The Bank Secrecy Act of 1970, also known as the Currency and Foreign Transactions Reporting Act, is a U.S. law requiring financial institutions to work to detect and prevent money laundering.

The Financial Action Task Force, formed in 1989 by a group of countries and organizations, codified international AML standards. FATF recommendations offer guidance on how to detect and prevent the flow of money involving corruption, drug dealing, illegal goods, market manipulation, tax evasion, or terrorism.

Key among regulations is a provision that requires financial institutions to report suspicious activity to a financial investigations unit and, ultimately, to governmental officials. The United Nations Convention Against Transnational Organized Crime also offers direction regarding the detection and prevention of money laundering.

Even when following well-established standards, institutions that battle money laundering are often presented with headaches. “Both detecting and preventing money laundering are very difficult,” says Justin Liang, a compliance expert with experience at several of the nation’s largest tech companies. “Criminals can be surprisingly sophisticated.”

To be in compliance with AML, companies must also include basic KYC measures, screen international watch lists of individuals and organizations that have laundered money, monitor all bank transactions, and regularly create external and internal reports on what their efforts to identify and forestall money laundering have yielded.

Companies also need to retain a team of trained analysts to continuously review alerts and red flags. “Even with the most advanced technologies, you cannot rely on algorithms or AI to conduct all your transactional reviews,” Liang adds.

Is KYC AML compliance important?

Adherence to KYC and AML laws and regulations—which exist at the federal, state, and global levels—is required for virtually all financial institutions. Not only can strong compliance policies and practices keep a financial company and its customers safe from criminality, they can eliminate the possibility of considerable penalties that regulatory bodies can levy.

Global authorities levied nearly $8 billion in fines in just the first four months of 2019 for inadequate AML practices, according to a report from ComplyAdvantage. In 2012, HSBC, an international bank, was fined nearly $2 billion for allowing itself to be used to launder money by a Mexican cartel and Middle Eastern terrorists, a penalty that chilled the banking industry. “That was a big scare, seeing a major institution penalized like that,” Randall says.

As disruption-minded financial technology (fintech) companies continue to enter the industry, they should consider reaching the same level of compliance as traditional banks. “The financial system is becoming more digital, and most online platforms have some controls in place,” says Liang, adding that the cost of complying with AML regulations, while necessary to protect company assets and customers, has mushroomed in recent years. “But those controls may not be as robust as those of traditional banks. Fintech companies often aren’t registered as banks and, early on, may not be fully subject to the same stringent AML obligations as their bank partners. That may make them more attractive to fraudulent actors and money launderers.”

Beyond heeding the necessity to follow the law and avoid penalties, companies should view compliance as good business. Customers expect strong practices. Compliance measures can build trust with customers, save companies’ staff time and money, and help them avoid reputational hits that can affect their ability to maintain market share.

Customers who fall prey to criminals who take over their accounts or use other methods to steal their identity and property often blame the bank for their troubles. They often take their business to a competitor, leaving companies already victimized by fraud with fewer customers.

What technologies are institutions using to improve KYC AML?

Many fintech companies seek out help from third-party technology providers. That includes Berbix, which utilizes artificial intelligence and machine learning to determine whether a would-be customer is who they say they are. Clients of Berbix know they can use their phone to take a selfie, and then a facial-recognition algorithm will compare that photo with the picture on their driver’s license to see if they are a solid and secure match.

Institutions can also use tools created by tech companies to monitor whether a customer’s behavior is consistent and characteristic—or not. Such technology resembles the purchase-tracking software that credit card companies use.

“You can build a customer identity around a phone number now,” says Randall. “By looking at how they are banking, institutions can learn if they’re behaving as they usually do. If they’re not, then it could be a sign of fraud.”

Maintaining high KYC standards comes at a cost to companies. Still, a majority are willing to pay for ID verification technology because reviewing each new customer’s credentials manually is too time- and labor-intensive. What’s more, lengthy review processes can chase away consumers. By using digital verification safeguards, companies can reduce KYC AML compliance costs by up to 70 percent, according to a report from GSMA, a group that represents the interests of global mobile operators.

A majority of consumers prefer digital verification methods that are secure and transparent—even if they provide some inconvenience. “Using a little friction to gain trust is important,” says Randall. “The customer expects there will be some checks to make sure they’re safe. They appreciate them, on some level.”

A wide range of tech solutions are also available to institutions looking to streamline their AML operations. Because solid AML practices involve continuously monitoring massive datasets for suspicious activity, they are often costly in terms of cost and labor. “AML programs often require large teams of analysts who specialize in everything from forensic accounting to suspicious activity report writing,” says Liang.

Most institutions now integrate AML software to save money and time. “There is a lot of technology being developed because the AML space is ripe for innovation,” Liang adds. Tech solutions offered by several companies can quickly detect the presence of a series of suspicious bank transfers or large withdrawals that may indicate illegal activity.

Is there anything else to keep in mind regarding KYC AML?

Keeping customer data safe from criminal enterprises and maintaining strict customer privacy controls should be made part of institutions’ security plans--if they’re not already--right alongside KYC AML, Randall and other experts say.

“We see fintechs using customer data to build out their products,” says Randall. “It matters now more than ever to create a wall of security around customer data, via encryption or by making sure you don’t store what isn’t absolutely necessary,” a practice Berbix maintains.

Liang agrees. “To get where they need to be, institutions should develop a strong culture of compliance and build strong foundational controls that include privacy and security in addition to AML,” he adds. “If you enhance the overall control environment, along with the tone from the top, you can strengthen your AML efforts appreciably.”