CIP vs. KYC: What’s the Difference?

Javed Shah

CIP and KYC are vital procedures and guidelines to help keep customer data secure while also verifying a customer’s identity.

What are KYC and CIP? Know your customer (KYC) and customer identification procedures (CIP) both relate to identifying someone based on their activities or information.

What Is Know Your Customer?

Know your customer laws are requirements around customer identification and verification imposed on financial institutions to address fraud issues. Several laws intersect customer identity and verification, leading to KYC. KYC laws were initially part of anti-money laundering laws, put into place to mitigate laundering and fraud in investment firms and other high-value financial institutions. 

The goal? To ensure that financial institutions know who their customers are, follow reasonable procedures to verify their identities, assess their suitability and trustworthiness, and continue monitoring their behavior for any warning signs of malicious or fraudulent activity. 

Note that “customers” here does not refer to day-to-day consumer interactions. Rather, it refers to businesses, investment firms or other individuals/organizations (fertile grounds for fraud and money laundering) looking to open business or investment accounts. 

KYC programs contain three core components:

Customer Identification Program

Customer identification programs are a way to use customer documentation to verify that the customer is who they claim to be—a process defined and mandated by law. We will go into more detail about CIP in the next section. 

Customer Due Diligence

Once the customer has been verified, the financial institution must perform due diligence to determine the trustworthiness of that individual. More specifically, the institution will perform background checks and verifications with professional references to determine that the customer isn’t a criminal or a politically exposed person (PEP).

There are three different levels of due diligence:

  • Simplified Due Diligence: When the risk of fraud or theft is low, the organization may perform SDD. At this level, no identity document verification is required. This approach will only be used when the customer poses little or no risk of fraud.
  • Basic Customer Due Diligence: At the level of CDD, your organization must collect some basic forms of information from the customer to compare against criminal databases or other third-party sources of information. 
  • Enhanced Due Diligence: Some customers pose heightened risks for fraud—they may have a criminal background, or they may be a PEP potentially vulnerable to bribery or blackmail.
    In this case, banks must conduct EDD procedures that could include collecting more background information, verifying the customer’s source of funding, requesting documentation on their wealth and its structure, researching media reports, and interviewing third parties.

Ongoing Monitoring

Just because the customer passes the initial screening doesn’t mean they will remain honest forever. Financial institutions must implement continuous monitoring activities around their customers to ensure the bank’s security and prevent future incidents of bank fraud. 

Some of the factors that the organization may monitor as part of such a program include the following:

  • Unusual expenditures or transfers, typically much larger than average
  • An increased volume in transactions
  • Transfers or deposits to or from foreign banks 
  • Transactions with anyone on a criminal or sanction list

Such activity may trigger filing a suspicious activity report. At a bare minimum, banks should have regularly updated risk reports to demonstrate the financial and legal risks they are taking and the steps they’ve taken to mitigate unlawful activities. 
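As an added illustration (not code from the original post or from 1Kosmos), the four monitoring factors listed above expressed as a small periodic review rule. The sanctions list, home-country code, thresholds and transactions are constructed placeholders, and the baseline is the customer’s previous review period.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed placeholders: a real program would pull these from official lists.
SANCTIONED_PARTIES = {"ACME SHELL CO"}
HOME_COUNTRY = "US"


@dataclass
class Transaction:
    amount: float
    counterparty: str
    country: str  # country of the counterparty's bank (constructed ISO code)


@dataclass
class Customer:
    name: str
    history: list  # transactions from the previous period, used as the baseline


def review_period(customer, period, amount_factor=5.0, volume_factor=2.0):
    """Apply the four monitoring factors to one review period.

    Returns (flagged, reasons): per-transaction hits and the distinct reasons
    that would send the period to an analyst for possible SAR filing.
    """
    flagged, reasons = [], set()
    baseline = mean(t.amount for t in customer.history) if customer.history else 0.0
    for t in period:
        hits = []
        if baseline and t.amount > amount_factor * baseline:   # unusually large
            hits.append("unusual amount")
        if t.country != HOME_COUNTRY:                           # foreign bank
            hits.append("foreign transfer")
        if t.counterparty.upper() in SANCTIONED_PARTIES:        # listed party
            hits.append("sanctioned counterparty")
        if hits:
            flagged.append((t, hits))
            reasons.update(hits)
    # Volume check compares this period's count against the baseline period.
    if customer.history and len(period) > volume_factor * len(customer.history):
        reasons.add("increased volume")
    return flagged, sorted(reasons)


def needs_sar_review(customer, period):
    """True when any factor fired; the analyst decides whether to file a SAR."""
    return bool(review_period(customer, period)[1])


# Constructed sample: a quiet baseline followed by one suspicious transfer.
EXAMPLE_CUSTOMER = Customer("Example Holdings", [
    Transaction(120.0, "Grocer LLC", "US"),
    Transaction(95.0, "Utility Co", "US"),
    Transaction(140.0, "Grocer LLC", "US"),
])
EXAMPLE_PERIOD = [
    Transaction(110.0, "Grocer LLC", "US"),
    Transaction(9500.0, "Acme Shell Co", "KY"),
]
```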

What Are Customer Identification Procedures?

Customer identification procedures are internal procedures that financial institutions implement as part of their verification process under KYC. The Bank Secrecy Act of 1970 officially stated that financial institutions must maintain an internal CIP to aid the government in stopping money laundering. The USA PATRIOT Act of 2001 expanded and codified the law for banks, savings and loans, and credit unions. 

The goal of any CIP is to effectively and within the bounds of compliance verify a customer’s identity. This first step of the KYC process is critical for security purposes and all the steps that follow. 

There are a few basic steps for any CIP process:

  • Data Collection: The bank must collect, at minimum, the name, date of birth, address, and Social Security number. However, to appropriately identify the customer, the bank may (and usually will) collect other information, typically documentation with photographic identification included.
  • Identity Verification: The institution verifies the customer’s identity. While the specifics of this process aren’t set in stone for every organization, they must be sufficient to reasonably establish the customer’s identity. This can include comparisons against third-party databases, biometric authentication, document verification, and identity assurance procedures. 
  • Record Authorization: In addition to document verification and identification, the bank should compare the customer against government databases, no-fly lists, or known terrorist lists to determine whether the customer is a known criminal or prohibited party.
  • Record-Keeping: The bank must document all of its procedures for document verification and authorization. This means maintaining records of document requests, storing identifying information securely, explaining any discrepancies in the data collected, and recording the steps taken toward resolution.
  • Record Retention: Banks must store and keep customer records for five years after the date the account or accounts are closed or, in the case of credit cards, after the account becomes dormant.
  • Customer Notice: The bank must provide adequate notification to customers about their document collection and identification processes, including the information they are collecting. 

1Kosmos Supports KYC and CIP Protocols

The federal government has established clear and rigorous laws around authenticating and verifying identity in both in-person and remote contexts. Rather than sacrifice flexibility with other identity management platforms, use 1Kosmos BlockID to ensure that you can meet these guidelines while meeting the modern challenges of authentication. 

BlockID is certified to the National Institute of Standards and Technology (NIST) Special Publication 800-63-3 standard for asserting and authenticating identity, including certification at the IAL2 identity assurance level and for FIDO2 authentication. 

With 1Kosmos, you get the following features to support modern KYC and CIP requirements:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone. 
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user. 
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and makes them accessible only to the user. The distributed properties mean there are no central databases to breach or honeypots for hackers to target. 
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK. 

To learn more about 1Kosmos and KYC, see our Customer Onboarding and Know Your Customer (KYC) features. You can also sign up for our email newsletter to stay up to date on 1Kosmos products and services. 

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms such as the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.