Fintech Guide to Building U.S. KYC/KYB Operations
If you work in fintech, the odds are you’ve heard the phrase “know your customer” — the set of customer identification and verification practices that are required for most fintech applications.
Many fintech companies need to build a compliance function in order to reasonably ensure that the company is complying with all applicable laws, rules, and regulations.
In this guide, we explain common KYC requirements and highlight areas that you’ll likely need to consider as you build up your KYC operations.
- Partner banks and regulators will require you to maintain a compliance program with appropriate staffing and tooling.
- Many fintechs are required to have a customer identification program (CIP) that collects identifying information about customers and verifies customers’ identities.
- This CIP process is typically called “Know Your Customer” (KYC) when a customer is an individual and “Know Your Business” (KYB) when a customer is an entity.
- KYC and KYB programs are slightly different, but both rely on collecting and verifying the Personally Identifiable Information (PII) of natural persons.
- Previously, companies like PayPal, Square and Stripe had to build their KYC/KYB operations from scratch. There are now many third-party tools that make the CIP process a lot easier to manage and help reduce your need for headcount (especially in your early days).
What is KYC (Know Your Customer)?
KYC is a set of procedures for verifying a customer’s identity before and while doing business with banks and other financial institutions.
Many fintechs are required to have a customer identification program (CIP) that collects identifying information about customers and verifies customers’ identities. This CIP process is often referred to as Know Your Customer (KYC) when a prospect is an individual and Know Your Business (KYB) when a prospect is an entity.
Proper KYC compliance can help keep money laundering, terrorism financing, and other fraud schemes at bay, by identifying and verifying a customer’s identity and purpose.
Where do KYC and KYB come from?
The U.S. Bank Secrecy Act and related laws deputize financial institutions to be the eyes and ears for law enforcement and assist in detecting and preventing money laundering.
Part of this deputization is a requirement that financial institutions create and operate customer identification programs. These programs allow financial institutions to form a reasonable basis to know who their customer is, and as needed, report on that customer’s activity to law enforcement and federal intelligence agencies.
Banks and other financial institutions will pass CIP requirements onto their fintech partners. In some cases, fintechs with their own regulatory licenses (e.g., MSBs and money transmitters) are required to have their own CIPs to conduct KYC screening and verification.
If you need an AML and Sanctions Policy template, visit our Legal Library.
Who has to KYC or KYB customers?
Banks, money services businesses (MSBs), securities broker-dealers, insurance companies, and others are required to perform KYC/KYB on their customers. For fintechs, the bank and MSB categories matter most. Banks pass their KYC/KYB obligations onto the fintechs they partner with. And fintechs themselves can count as MSBs if they’re not careful.
What does KYC require?
KYC requirements will vary by product type and underlying financial partner. But most programs require a fintech to collect the following.
- Name of the customer
- Address of the customer
- Date of Birth (or “DOB”) of the customer (for natural persons)
- Identification number such as a taxpayer ID (e.g., SSN)
Some fintech programs that serve specific populations, such as recent immigrants, or companies with foreign owners, will also need to examine the nuances in U.S. KYC requirements. For example, sometimes a passport number is acceptable in lieu of a social security number.
Understanding these nuances can help a fintech open up new customer segments. Non-US citizens can typically provide:
- An individual taxpayer identification number (ITIN)
- Passport number and country of issuance
- Alien identification number
- The number and country of issuance from any other government-issued document that shows nationality or residence and has a picture or similar safeguard
KYC requirements also dictate that the fintech verify the collected information. There is some nuance here: regulations generally require the underlying financial institution or program manager to form a reasonable belief that it knows the true identity of the customer, and to do so within a reasonable time after account opening rather than necessarily before the account is opened.
What about KYB requirements?
KYB will also involve some type of information collected about the company, which typically includes the following:
- The entity/business name (e.g. Marqeta, Inc.)
- The main physical location
- Employer identification number (EIN)
Depending on the risks of your product (and size of your customer) you might also collect corporate formation documents and doing-business-as aliases.
Some businesses are sole proprietorships or individuals that don't have a legal entity set up for their business. These customers still need to go through KYB, but they use their individual name instead of a business name, their SSN instead of an EIN if they don't have an EIN, and only need to list themselves as the control person.
Banks are required to keep records of the information they used to KYC or KYB customers for at least five (5) years from when a customer closes their account. As a result, fintechs that partner with banks are also expected to keep records for at least 5 years.
KYB control person and beneficial owners
In the United States, FinCEN and federal banking regulators require the collection of personal information from a control person and each beneficial owner with 25% or more ownership interest in a privately held company.
Some bank sponsors will require you to collect beneficial ownership information down to a 10% threshold, so it's a good reminder to pick your sponsor (and BaaS partner) wisely.
What is a control person?
An individual that has a significant ability to control, manage, or direct the entity’s activities. This could be, for example, a CEO, CFO, managing member, general partner, president, vice president, or treasurer.
What is a beneficial owner?
Any individual who owns, directly or indirectly, 25% or more of the equity of the legal entity. If no individual reaches 25%, then you don't need to identify any beneficial owner. Entities that appear on the cap table are not themselves beneficial owners; you look through them to their owners, on up the chain, until you reach the natural persons whose combined direct and indirect stake is 25% or more.
For beneficial owner purposes, ownership is based on equity. Generally, this means shareholders of a corporation, members of an LLC, or partners of a partnership.
Beneficial ownership calculations include both direct ownership (e.g., a shareholder) and indirect ownership (i.e., shareholders of shareholders).
For example, let's say Business A is owned 10% by Person A and 90% by Business B, and Business B is 100% owned by Person A. Person A is a beneficial owner that would need to be reported for Business A because, while Person A only directly owns 10% of Business A, they indirectly own the remaining 90% through Business B (90% of 100%), for an effective stake of 100%. Fintechs often deal with this by asking applicants to identify any "direct or indirect owners of 25% or more."
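The look-through described above is easy to get wrong by hand once an individual holds stakes through several layers, because indirect stakes must be multiplied down each chain and then summed per person. The following is an added example (not code from the original article or from any vendor it mentions) that computes effective ownership from a set of cap tables and applies a configurable threshold, so the same function serves a 25% policy or a sponsor's stricter 10% one. The cap tables, names and `pct` helper are constructed for the illustration; anything that is not a key in `cap_tables` is treated as a natural person. It also refuses circular ownership (A owns B, B owns A), which a submitted structure can contain by mistake or on purpose and which would otherwise recurse forever.

```python
from fractions import Fraction


def pct(n):
    """Helper: express a percentage as an exact Fraction (constructed for this example)."""
    return Fraction(n, 100)


def effective_ownership(cap_tables, entity, _path=()):
    """Map each natural person to the fraction of `entity` they own, directly or indirectly.

    cap_tables: {entity: {owner: Fraction}}. Owners that are themselves keys of
    cap_tables are intermediate entities and get looked through; any other owner
    is treated as a natural person (a leaf).
    """
    if entity in _path:
        raise ValueError(f"circular ownership involving {entity!r}; escalate to manual review")
    holders = cap_tables[entity]
    total = sum(holders.values(), Fraction(0))
    if total > 1:
        raise ValueError(f"{entity!r} cap table sums to {float(total):.0%}, more than 100%")
    result = {}
    for owner, share in holders.items():
        if owner in cap_tables:
            # Indirect stake: multiply this entity's share of the owner by each
            # person's share of that owner, then aggregate per person.
            for person, sub in effective_ownership(cap_tables, owner, _path + (entity,)).items():
                result[person] = result.get(person, Fraction(0)) + share * sub
        else:
            result[owner] = result.get(owner, Fraction(0)) + share
    return result


def beneficial_owners(cap_tables, entity, threshold=pct(25)):
    """Natural persons whose combined direct + indirect stake meets the threshold."""
    owned = effective_ownership(cap_tables, entity)
    return sorted((person, share) for person, share in owned.items() if share >= threshold)


# Constructed sample 1: the article's example (10% direct + 90% via Business B).
PAGE_EXAMPLE = {
    "Business A": {"Person A": pct(10), "Business B": pct(90)},
    "Business B": {"Person A": pct(100)},
}

# Constructed sample 2: Person P holds 15% directly and 20% of Business F, which
# holds 60% of Business E. Neither leg alone reaches 25%, but 15% + 12% = 27% does,
# so P must be reported; a naive "25% owners of each owner" check would miss P.
CONSTRUCTED = {
    "Business E": {"Person P": pct(15), "Business F": pct(60), "Person Q": pct(25)},
    "Business F": {"Person P": pct(20), "Person R": pct(80)},
}

# Constructed sample 3: cross-holding loop that must be rejected, not recursed into.
CIRCULAR = {
    "Business H": {"Business I": pct(100)},
    "Business I": {"Business H": pct(100)},
}

if __name__ == "__main__":
    for name, share in beneficial_owners(CONSTRUCTED, "Business E"):
        print(f"{name}: {float(share):.0%}")
    print(beneficial_owners(CONSTRUCTED, "Business E", threshold=pct(10)))
```

Using exact fractions avoids floating-point drift at the boundary (a holder at exactly 25.00% qualifies), and the sorted return value gives the review team a stable list to attach to the case file. Whether Person Q's exact 25% in the second sample should count is precisely the kind of edge the threshold comparison settles deterministically.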
Practically, financial institutions must ask for beneficial owner information, but many businesses do not have any owners that meet the threshold. Companies generally do not have an obligation to go looking for unreported beneficial owners, as long as they are not aware of facts that would call the applicant's answer into question.
Certain entities do not need to provide beneficial ownership for KYB purposes, including (but not limited to) banks, public companies, insurance companies, non-profits and others.
How can vendors help you with KYC?
Previously, companies like PayPal, Square and Stripe had to build their KYC operations from scratch. This often meant undergoing onerous diligence and contracting with large database providers like LexisNexis. It also meant spending precious software development cycles on non-differentiated functions.
Thankfully, the world has changed and most fintechs now leverage a host of third parties, typically via APIs, to move more quickly.
Lithic customers, for example, can leverage our existing KYC solutions so they don’t need to spend money on an extra vendor.
Some third-party KYC solutions that stand out:
- Alloy.com: Alloy’s flagship product is their KYC offering, which comes complete with vendor settings and a web-based portal for operational staff to action alerts and KYC mismatches. We use Alloy for part of our internal stack at Lithic, and love how their dashboard helps our operational teams.
- Persona: Built by former Square employees who dealt firsthand with the pain points of verifying small business customers and their owners. Their product works so well, Square opted to leverage the product in addition to its own home-grown stack. Brex and other large Fintechs also use Persona.
- Cognito: Now owned by Plaid, Cognito is another Lithic superpower that helps you verify your customers' information (Name, Address, DOB, SSN). We're particularly fond of their sanctions and watchlist screening products.
- IDology: IDology is well known by bank partners, and often already approved by their compliance and IT staff. They offer helpful features like fuzzy matching logic, so you don’t automatically fail customers when they fat finger their date of birth or other key identification data point.
Fintech founders and operators can leverage these and other tools to automate some of their customer screening processes. You'll also want to work with your vendor(s) so they provide a list of customers who failed screening and the reasons why.
Building and managing your own workflows
If your KYC and KYB vendors don't offer helpful web portals to manage work queues, the next thing you'll want to do is develop some internal tooling.
Established companies will often have an internal administrator portal to interact with customers, and might leverage internal tooling teams to build new compliance views and dashboards into that portal.
For everyone else, you might want to consider a no- or low-code option such as Retool.
Once you have your internal tooling, we recommend you build the following:
- An internal job to fetch results when a customer doesn’t automatically pass your KYC screening.
- A tool to create a queue with these failed customer results.
- A tool that allows operational staff to click on cases in the queue and get to a dashboard view of the customer.
- Tools within the dashboard view that allow the operational staff to do the following:
  - Mark the customer as OK under the KYC policy, enabling them to use your product.
  - Engage with the customer's profile to update and cure bad information (e.g., fix a fat-fingered date of birth).
  - Reject the customer and mark a reason why (e.g., fraud, underage, outside target geo).
Operational teams that have access to this type of tooling can often leverage the KYC vendor(s) to conduct manual reviews and cleanup of customer profiles. This allows operational teams to work with your customer support function and obtain missing information, in order to cure mismatches under your KYC policy.
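The queue-and-actions workflow above is small enough to sketch end to end. The following is an added example (not code from the original article, from Lithic, or from any of the vendors named) of the data model behind such a tool: screening failures become cases, each case supports exactly the three actions listed (approve, cure, reject), a closed case cannot be re-decided, rejection reasons are restricted to a fixed set so reporting stays consistent, and every action lands in an append-only audit trail that records who did what and which mismatch flags were overridden. The `screen` function is a constructed stand-in for a vendor's KYC response, the `REJECT_REASONS` set and `ALLOWED_COUNTRIES` are assumed policy values, and the applicant records are constructed sample data, not real people.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from enum import Enum


class Decision(str, Enum):
    PENDING = "pending_review"
    APPROVED = "approved"
    REJECTED = "rejected"


# Assumed policy values for this example: the reasons named in the article plus
# the target market. Anything outside these sets is refused, not silently stored.
REJECT_REASONS = {"fraud", "underage", "outside_target_geo"}
ALLOWED_COUNTRIES = {"US"}


def screen(profile, today=date(2024, 1, 15)):
    """Constructed stand-in for a vendor KYC check: returns mismatch codes, empty on pass."""
    flags = []
    dob = profile.get("dob")
    if dob is None:
        flags.append("dob_missing")
    else:
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age < 18:
            flags.append("underage")
    if profile.get("country") not in ALLOWED_COUNTRIES:
        flags.append("outside_target_geo")
    ssn = profile.get("ssn", "")
    if not (len(ssn) == 9 and ssn.isdigit()):
        flags.append("ssn_format")
    return flags


@dataclass
class ReviewCase:
    customer_id: str
    profile: dict
    flags: list
    decision: Decision = Decision.PENDING
    reason: str = ""
    audit: list = field(default_factory=list)  # append-only; never rewritten

    def _log(self, actor, action, **details):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, **details})

    def _require_open(self):
        if self.decision is not Decision.PENDING:
            raise PermissionError(f"case {self.customer_id} is closed ({self.decision.value})")

    def approve(self, actor, note):
        """Mark the customer OK under policy; record which flags were overridden and why."""
        self._require_open()
        self.decision = Decision.APPROVED
        self._log(actor, "approve", note=note, flags_overridden=list(self.flags))

    def reject(self, actor, reason):
        """Reject with a reason from the fixed set so downstream reporting is consistent."""
        self._require_open()
        if reason not in REJECT_REASONS:
            raise ValueError(f"unknown rejection reason {reason!r}")
        self.decision = Decision.REJECTED
        self.reason = reason
        self._log(actor, "reject", reason=reason)

    def cure(self, actor, field_name, new_value, screen=screen):
        """Correct one profile field, keep old and new values, and re-run screening.

        Approval stays an explicit separate step so the reviewer sees the re-screen result.
        """
        self._require_open()
        old = self.profile.get(field_name)
        self.profile[field_name] = new_value
        self.flags = screen(self.profile)
        self._log(actor, "cure", field=field_name, old=str(old), new=str(new_value),
                  flags_after=list(self.flags))
        return self.flags


def build_queue(applicants, screen=screen):
    """Screen every applicant and queue only the failures, in submission order."""
    queue = []
    for customer_id, profile in applicants.items():
        flags = screen(profile)
        if flags:
            queue.append(ReviewCase(customer_id, profile, flags))
    return queue


# Constructed sample applicants (placeholder values, not real identities).
APPLICANTS = {
    "cust-1": {"name": "Ada Sample", "dob": date(1990, 5, 1), "country": "US", "ssn": "123456789"},
    "cust-2": {"name": "Ben Sample", "dob": date(2009, 5, 1), "country": "US", "ssn": "123456780"},
    "cust-3": {"name": "Cy Sample", "dob": date(1985, 3, 9), "country": "US", "ssn": "12345678"},
    "cust-4": {"name": "Dee Sample", "dob": date(1978, 11, 2), "country": "CA", "ssn": "123456782"},
}

if __name__ == "__main__":
    for case in build_queue(APPLICANTS):
        print(case.customer_id, case.flags)
```

In this sample, cust-1 passes and never enters the queue; cust-3 has a fat-fingered eight-digit SSN that support can cure, after which the re-screen comes back clean and the reviewer approves; cust-4 is outside the target geography and is rejected with that reason code. Because `audit` is only ever appended to and a decided case refuses further actions, the trail is what you hand to your bank partner when asked why a flagged customer was let through.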