Guide to KYC (Know Your Customer) and Identity Verification

What is involved in KYC (Know Your Customer) and Identity Verification Processes?

What is identity verification?

Identity verification is the process of confirming that someone is who they claim to be. This is often done in order to grant access to services, such as opening a bank account or participating in a marketplace involving financial transactions. This helps to protect against identity fraud and other forms of abuse. If your company operates some sort of financial platform or marketplace, chances are you need to have a robust identity verification process to protect your business against bad actors and comply with legal regulations.

At LogicLoop, we work with data from various identity verification providers to help our customers stay on top of identity verification by setting up alerts when user identities are incomplete, inaccurate, or suspicious. If you're interested in empowering your analysts to automate identity verification workflows and monitor bad actors without needing engineers, sign up here to learn more.

What is KYC?

KYC stands for "Know Your Customer." It is a process that is used by financial institutions and other organizations to verify the identity of their clients and assess their potential risks for money laundering or financing terrorism.

The KYC process typically involves collecting information about a customer's identity, including their name, address, and date of birth. This information is then verified using various methods, such as reviewing government-issued ID documents or checking public records. In some cases, additional information may also be collected, such as a customer's employment history or financial history.

The goal of the KYC process is to ensure that the organization is dealing with a legitimate customer and to help identify any potential risks associated with the customer's financial activities. This is an important step in helping to prevent financial crimes and ensuring compliance with regulatory requirements.

What is KYB?

KYB stands for "Know Your Business." It is a process that is similar to Know Your Customer (KYC), but it is focused on verifying the identity and legitimacy of a business rather than an individual.

The KYB process typically involves collecting information about a business, including its legal name, address, and the identities of its owners and key employees. This information is then verified using various methods, such as reviewing corporate records or checking public databases. In some cases, additional information may also be collected, such as financial statements or details about the business's products or services.

What are the different methods that can be used for identity verification?

There are many different methods that can be used to verify someone's identity. Most institutions will use at least one methodology, but layer in other methods as backups if the first methodology fails or returns incomplete information.

Document Verification

One common method of identity verification is to ask for a government-issued ID, such as a driver's license or passport. These documents contain a variety of information about the person, including their name, date of birth, and a photograph. This can be incorporated into your product by simply asking the user to upload or take a photo of their ID, which can be done conveniently using a mobile phone.

Biometric Analysis

Another method of identity verification is to use biometric analysis. This can include techniques like fingerprint analysis, facial recognition, or iris scanning. These methods are often more accurate than relying on ID documents, as they are based on physical characteristics that are unique to each person. However, they can also be more expensive and may require specialized equipment. The simplest version of this is to ask the user to take a selfie and use facial recognition technology to verify that the selfie matches their ID. More sophisticated fraudsters have caught on to some of these techniques and fake static selfies with AI-generated photos. Platforms have therefore introduced more challenging checks, asking users to upload videos with particular prompts in order to analyze movements, textures, and voices in the video.

Knowledge-Based Authentication

Knowledge-Based Authentication (KBA) is a method of verifying someone's identity by asking them to provide specific information that only they are likely to know. This information may include personal details, such as their date of birth, mother's maiden name, or the name of their first pet.

KBA is often used as an additional layer of security in situations where it is important to confirm someone's identity, such as when accessing a bank account or making a purchase online. By requiring someone to provide information that is not easily obtainable by others, KBA helps to reduce the risk of identity fraud or unauthorized access.

There are a few different types of KBA that may be used, depending on the specific needs and requirements of an organization. These include:

  1. Static KBA: This involves asking a customer to provide information that does not change over time, such as their date of birth or social security number.
  2. Dynamic KBA: This involves asking a customer to provide information that is unique to a specific transaction, such as a one-time password that is sent to their phone or email.
  3. Out-of-Wallet KBA: This involves asking a customer to provide information that is not typically included on identification documents, such as the name of their first grade teacher or the make and model of their first car.

2 Factor Authentication (2FA) and One Time Passwords (OTP)

2FA is a process that is used to add an additional layer of security to online accounts and other sensitive systems. OTP is a type of code that is used as part of the 2FA process. 2FA works by requiring users to provide two different types of authentication in order to access an account or system. The first factor is typically something the user knows, such as a password or a personal identification number (PIN). The second factor is something the user has, such as a phone or a security token. One common method of 2FA is to use an OTP, which is a code that is sent to the user's phone or email. The user is required to enter the OTP in addition to their password in order to access their account. Because the OTP is only valid for a single transaction and is sent to a device that the user possesses, it adds an additional layer of security and identity verification. By requiring users to provide two different types of authentication, it is more difficult for unauthorized individuals to gain access. This helps to prevent identity fraud and other forms of abuse.

Vendor Services and additional data

In addition to these methods, there are also a variety of online identity verification services that can be used such as Jumio, Trulioo, and Experian. These services often involve verifying a person's identity by asking them to provide information such as their social security number or a copy of their ID document. They may also ask for information about the person's credit history or employment history in order to confirm their identity.

What are the outcomes? 

Identity verification checks can come back with a few different outcomes:

All clear: The first is a good outcome, where the user's identity is confirmed to be matched and not connected with any known fraudulent activities. This is the outcome you want most users on your platform to have.

Not enough information: Another outcome could be that there was not enough information to confirm a match. This could be for reasons such as blurry ID photos or a typo in the user's name. In this case, you will have to communicate with the user to ask them to re-upload their information.

Mismatch: Another outcome could be that there was a mismatch: the ID document the user uploaded did not match the name or account and instead matched another person's account. This is often the case with stolen identities and indicative of bad actor activity.

Red flag: Finally, the user's identity could be flagged in connection with a known fraudulent account, or by a number of watchlist screening processes such as:

1. PEP Scanning: PEP stands for "Politically Exposed Person." A PEP is an individual who holds or has held a public office, such as a government official or senior executive at a state-owned enterprise. PEPs may present a higher risk for money laundering or corruption, as they may be more susceptible to bribery or other forms of illicit activity. PEP scanning is the process of identifying and monitoring individuals who are PEPs. PEP scanning may involve checking the names of individuals against a list of PEPs, which may be provided by a regulatory agency or obtained from a private database. The goal of PEP scanning is to identify and monitor individuals who may pose a higher risk for financial crimes, and to take appropriate steps to mitigate this risk. This may include implementing additional KYC and AML measures, such as enhanced due diligence or increased monitoring of financial transactions.

2. Adverse Media Lookup: Adverse media lookup is the process of searching for negative or potentially damaging information about an individual or organization. This may include news articles, social media posts, legal records, or other types of publicly available information.

3. Sanctions Lists: Sanctions screening is the process of checking whether an individual or organization is on a list of sanctioned entities. Sanctions are legal measures that are taken by governments or international organizations in order to restrict or prohibit certain activities. These measures may include freezing assets, banning financial transactions, or imposing travel restrictions. Sanctions lists are published by governments and international organizations and are often used as a tool to enforce sanctions and deter individuals or organizations from engaging in prohibited activities. Financial institutions and other organizations may be required to conduct sanctions screening as part of their Know Your Customer (KYC) and anti-money laundering (AML) efforts. The process of sanctions screening typically involves checking the names of individuals or organizations against a list of sanctioned entities. This may be done manually or with the use of specialized software. If a match is found, the organization may be required to take additional steps, such as freezing the account or refusing to do business with the individual or organization.
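Checking names against a list, as described for PEP and sanctions screening above, fails on exact string comparison because of accents, casing, word order and typos. The following is an added example, not code from this page or from any screening vendor: it normalizes names and scores them with Python's standard `difflib`, using a constructed watchlist of fictional names and an assumed threshold of 0.85.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (fictional names, not taken from any real list).
WATCHLIST = [
    {"id": "WL-001", "name": "Ivan Petrovich Sokolov", "aliases": ["I. P. Sokolov"]},
    {"id": "WL-002", "name": "José María Álvarez", "aliases": []},
    {"id": "WL-003", "name": "Northwind Trading LLC", "aliases": ["Northwind Trading"]},
]
MATCH_THRESHOLD = 0.85  # assumed cut-off; tune it against analyst-reviewed cases


def normalize(name: str) -> str:
    """Strip accents, case and punctuation, and sort tokens so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", unaccented.lower())
    return " ".join(sorted(tokens))


def screen(name: str, watchlist=WATCHLIST, threshold=MATCH_THRESHOLD):
    """Return (entry id, score) pairs for entries whose name or alias is close enough."""
    candidate = normalize(name)
    if not candidate:
        return []  # nothing to compare; treat as "not enough information"
    hits = []
    for entry in watchlist:
        names = [entry["name"], *entry["aliases"]]
        best = max(SequenceMatcher(None, candidate, normalize(n)).ratio() for n in names)
        if best >= threshold:
            hits.append((entry["id"], round(best, 2)))
    # Highest score first, so reviewers see the strongest candidate match on top.
    return sorted(hits, key=lambda hit: -hit[1])
```

A hit here is a candidate for analyst review, not a confirmed match: fuzzy matching on names alone produces false positives, which is why screening results are usually combined with date of birth or country before action is taken.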

Enhanced due diligence: If a user comes back with a high risk for fraud, you will want to conduct enhanced customer due diligence. Enhanced due diligence (EDD) is a process of thorough, in-depth analysis that is used to assess the risks associated with a customer or a business relationship. It is typically more extensive than the standard due diligence process and is used in situations where there are higher risks or increased regulatory scrutiny. The goal of enhanced due diligence is to gather as much information as possible about an individual or organization in order to identify any potential risks or red flags. This may involve reviewing a wide range of information sources, such as financial records, news articles, legal records, and other publicly available information.

How do you balance the friction introduced by ID verification processes vs seamless user experience and product growth?

One of the consequences of implementing an identity verification process is that it will add friction to your user onboarding experience, which can decrease product growth rates. Some techniques to mitigate this include:

  1. Allow users to create an account without identity verification, and only require it when they are attempting to conduct an actual transaction or monetary transfer. This way, users can learn about your product and try it out without having to go through the IDV process.
  2. Enforce stricter identity verification controls for more suspicious users. If a user signs up for your platform, you should already have information on their name, email, IP address, device fingerprint, location and more. Based on that information, you can make an initial assessment as to how risky that user is and decide to enforce looser or stricter controls based on their risk probability. In some cases, if their information matches that of known bad actors, you can automatically deny them access to your platform from the start.
  3. Implement your IDV process in layers. Instead of requiring all of your user's information upfront, you can collect just the bare minimum you need to start, and then ask for more information as the user continues to activate on your platform.

Why is identity verification important? 

Overall, identity verification is an important process that helps to ensure that people are who they claim to be. By using a variety of methods, it is possible to confirm someone's identity with a high degree of accuracy. This helps to protect against identity fraud and helps to ensure that only those who are eligible are able to access certain services. This helps increase platform security and decreases fraud by preventing someone pretending to be someone else from getting access to sensitive information.

Having an identity verification process also helps companies ensure compliance with regulations. Many organizations are required to verify the identities of their customers in order to comply with laws and regulations. For example, financial institutions are required to follow Know Your Customer (KYC) guidelines in order to prevent money laundering and financing terrorism. Overall, identity verification is an important process that helps to protect against fraud, ensure compliance with regulations, and improve security.

Ongoing monitoring

Finally, it's not enough to run an identity verification process just once. You will want to continuously monitor your customers' activities and transactions on your platform over time to stay on top of suspicious activities. You can use tools like LogicLoop to help you quickly set up custom rules on top of company data to monitor and act on suspicious behaviors and keep your platform safe and compliant.
