Blueprint to an effective KYC process

February 2, 2023

Like it or not, the metaverse is here. 

Now, I know what you’re thinking. We don’t all spend our time behind a VR headset slipping into an a la carte fantasy world, so how can the metaverse be here? It’s here because the metaverse isn’t only Facebook’s vision for a totally immersive digital reality. Instead, think of the metaverse as a bridge between physical and digital worlds. For many companies, it’s simply a continuation of the shift to digital operations. Today, companies can sell to customers around the world at the click of a button, and customers can interact with their favorite brands digitally. The tradeoff is that brands must earn the trust of their customers in our increasingly digitized world.

Trust carries different definitions for different people, so we’ll offer one here from McKinsey to keep us all on the same page. Trust in the digital era is: “confidence in an organization to protect consumer data, enact effective cybersecurity, offer trustworthy AI-powered products and services, and provide transparency around AI and data usage.”

Earning digital customer trust is especially important for financial services firms, where stakes are high due to the nature of the product and because identities must be carefully verified and safeguarded from malicious actors, all in the name of fighting fraud. If financial institutions are to continue honing physical-to-digital offerings from mobile check cashing to online service portals, they’ll need an effective know your customer (KYC) process to earn customer trust, as well as comply with ever-evolving laws and regulations. 

KYC processes empower employees like fraud managers with a risk-based framework for verifying customer identities. KYC frameworks are crucial and necessary tools in an anti-money laundering (AML) arsenal, helping to fight fraud and ensure a safe environment for customers. But implementing KYC processes can be a daunting task. 

Financial institutions (and any other organization that must adhere to rigorous digital identity verification regulations) can follow this blueprint for effective KYC processes. To earn customer trust in the digital world, firms must do all of these things very well. There are no shortcuts on the road to limiting fraud and earning customer trust in the metaverse era.




What are the major components of a smooth, compliant KYC process?

Following this blueprint requires understanding precisely what comprises strong KYC practices. Not having effective KYC processes represents enormous opportunity cost in the form of customer churn, as well as potential fines for noncompliance. The KYC blueprint includes the following major components of knowing your customer:

  1. Have a robust customer identification program (CIP) and maintain 100% compliance
  2. Perform stringent customer due diligence (CDD) and enhanced due diligence (EDD)
  3. Enact ongoing monitoring of customer risk profiles and identity-verification signals
  4. Ensure good data flows through software systems and other tools used to maintain KYC programs

And, though the name of the process references knowing one’s customer, companies can think of KYC as a foundation for earning and keeping their customers' trust.

1. Having a robust customer identification program helps financial institutions maintain 100% regulatory compliance

No matter what the industry, keeping up with the regulatory landscape can be a major headache. Financial services industry regulations are especially dynamic, as more jurisdictions move to protect customer data. In the U.S. alone, four different federal regulations and a myriad of state-level laws govern how banks and other institutions handle customer data and report about anti-money laundering activity. In Europe, the arrangement is much the same, with EU-level directives layered over individual country laws.

It's a dizzying web of regulations that can be hard for even the most seasoned fraud manager to keep up with. Ever-changing laws are a major reason firms need cutting-edge technology to keep KYC programs up to date, though we’ll touch on that later. Before making technology purchase decisions, financial institutions must develop written customer identification programs. These programs are frameworks for programmatic risk assessment.

In the U.S., the minimum requirements of a CIP are the implementation of reasonable procedures for:

  • “Verifying the identity of any person seeking to open an account to the extent reasonable and practicable; 
  • maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information; and 
  • consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.”

What does this mean in practice? Firms must demonstrate they collect and maintain customer data and have done their utmost to verify the identity of every customer that uses their services. Say I create a new online banking account using fraudulent identification or have a history of criminal behavior. The bank allows me to open an account and transact on their platform. If, later, regulators find that the bank didn’t do a good enough job verifying my identity, that institution will face sanctions, even though I am the person conducting suspicious activity or financial fraud. 

When firms have a written process they follow for verifying customer identities, it becomes much easier to maintain compliance and create a security-first culture. Given that customers are more apt to trust institutions whose digital security they believe in, CIP is a VIP of any effective KYC process. 

2. Customer and enhanced due diligence programmatically assess customer risk

Robust CIP practices help organizations maintain compliance, even as laws change and new regulations arise. For firms that want to keep enduring and effective KYC practices, building upon the CIP foundation is the next step. This next step is where due diligence comes in. We’ll cover some of the basics here. For a deep dive, check out our blog on how enhanced due diligence helps financial institutions.  

Accurately identifying customers helps keep criminals and other suspicious actors from transacting on a bank’s platform. Due diligence practices are risk-based assessment tools that extend the functionality of customer identification programs. 

With CIP programs, financial institutions capture and maintain records of customer identity data. Due diligence programs monitor customer behavior for anomalous activity and alert banks to potential fraud that activity may signal. 

For example, a small business owner may open an account at a bank. That person, without a history of suspicious activity, uses their actual identity to create the account. But eventually, that person engages in money laundering with their new account. That institution becomes liable for that fraudulent activity in the eyes of regulators, even though the misdeeds happen after the person created their account. 

Enhanced due diligence builds upon CDD requirements by introducing risk-based assessments. If that customer begins making transactions outside of their usual pattern of doing business, those transactions alert the bank. If that person appears on a politically exposed persons (PEPs) or sanctions list, that appearance triggers an alert. From there, the bank can take corrective action. 

Like KYC and CIP programs, due diligence takes the form of a framework. The Federal Financial Institutions Examination Council (FFIEC) considers financial institutions with adequate due diligence practices to be those that have a “critical framework which enables the bank to comply with regulatory requirements including monitoring for, and reporting of, suspicious activity.” 

Customer identification programs and due diligence frameworks create a multi-layered approach to a bank knowing its customer. The bank verifies someone’s identity and can then monitor their activity based on their risk level, alerting the institution when something looks awry. 

3. Ongoing monitoring solidifies KYC programs against changes to risk profiles

No matter how thorough a customer due diligence or risk assessment program is, that program is unlikely to produce the desired results if it is not an ongoing exercise. Perhaps now it’s easier to understand why CIP and due diligence programs are frameworks: these programs guide the activities of fraud departments, which must continuously monitor for potential risks. They are not one-and-done checklist items.

Think back to the example of a customer engaging in criminal activity after opening an account. That sort of diversion from expectation shows that customer profiles are dynamic. Details of a customer’s identity and whether they pose a fraud risk can change overnight. Institutions that notice these changes and act quickly can stave off the potential criminal activity and help indemnify themselves should something like money laundering or another financial crime occur.  

Because risk profiles change, banks must monitor data, such as identity verification signals, that may be precursors to fraud attempts. These signals include:

  • Personally identifiable information, such as name, social security numbers, and address changes. 
  • Online behavior, such as IP address changes, geolocation, or online footprint (like frequenting a dark web-related forum). 

We briefly touched on technology above, and we’ll refer to it again here. As the world becomes more digitized, new fintech platforms and ways to transact digitally will arise. Any bank that integrates with new technologies and new ways of accessing their online platforms must account for these new connections. AI-enabled technology is maturing apace and will be needed to keep up with the dynamic nature of the regulatory environment and customer risk profiles. 

4. High quality data makes a good KYC program great

Emerging technology platforms will make it easier to analyze data from connected devices, digital platforms and apps, as well as information associated with risk profiles. Yet, as the old saying goes, if poor data goes into risk-management platforms, poor information comes out.

In current iterations of risk-assessment programs, old tracking technologies and dispersed financial systems account for much of the poor data quality that plagues banks today. Poor data leads to distorted metrics and insights that influence decision-making, resulting in reduced profitability and lost opportunities.

Data quality can only be enhanced by integrating disconnected processes and customer records across departments, improving data collection methods across channels, and validating third-party data before it is used. How? With modern technology functionalities like intelligent automation.




Get KYC right on day one and ensure it can evolve over time to meet changing compliance needs and new regulation

KYC processes are a lot to manage: creating risk profiles, staying abreast of global regulations, and continually checking and validating customer identities. Without an expert partner and sophisticated modern technology, it can be too much to ask, especially for smaller companies focused on growth. Creating effective KYC processes requires two major initiatives to create an ongoing, programmatic, and risk-based identity verification framework.

The first activity stakeholders must consider is buy-in. For financial institutions to effectively consider customer risk, management and the board of directors must understand and coordinate compliance operations. Top-down directives to do things like eradicate data silos and strengthen customer due diligence programs will help create a culture steeped in a proper identity-verification mindset. With this mindset in place, financial institutions can more easily examine all essential KYC assets and ascertain where to begin strengthening the existing program. 

Even with buy-in, managing a modern KYC process will be challenging without tools, which are the second critical component of the framework: tools that help automate all the moving parts of a customer identity-verification program and securely manage the sheer volume of customer data that flows through the various systems and software platforms at a company’s disposal.

The Mitek MiVIP platform is purpose-built for these difficult challenges. The platform allows organizations to deploy identity verification journeys quickly and easily, with or without developer resources. Each journey is customizable to the customer and offers a risk-based approach that meets granular customer, product, or regulatory risk requirements.

Mitek MiVIP considers a wide array of signals to empower robust anti-money laundering and anti-fraud identity verification, from database checks, PEPs and sanctions screens, facial and voice biometrics, liveness detection, and ID document validation to geolocation or digital footprint analysis, all in one place.

Establishing an effective KYC process can be difficult, but tools like Mitek MiVIP make creating customer identity-verification programs seamless. And lest we forget, accurately identifying customers and mitigating risk in the digital era is key to earning customer trust in the metaverse and beyond.




