
KYC and KYB Requirements for Payments Companies


Access to the financial system is a fundamental part of life for many people. Most of us open accounts to save the money we’ve earned and to pay other people for the goods and services we use.

The same goes for criminals, of course. People who are stashing their ill-gotten gains, spending money on illicit activities, or moving crime-related funds to another party want access to a system for doing so.

This places financial institutions on the front lines of detecting and preventing criminal activity. And that’s where KYC/KYB processes come in.

What do KYC and KYB mean? 

The acronym KYC stands for Know Your Customer while KYB refers to Know Your Business. Each refers to the policies and processes financial institutions must have in place to verify that their customers are a) who they say they are, and b) doing what they say they’re doing.

These processes detail the ways financial institutions seek to verify a customer’s identity (name, address, tax ID, phone number, and similar demographics) when they open an account, and then continue to monitor the customer’s activities on an ongoing basis, watching for signs that the customer isn’t who or what they have presented themselves as.

Think: the criminal organization that uses what appears to be a legitimate business – a retailer, for example – as a front. It hopes to disguise the proceeds from its illegal activity by running them through the legitimate business’s accounts. KYC processes are designed to provide the financial institution with reasonable assurance that the retailer in this case is what it claims to be and selling what it says it’s selling.

By preventing bad actors from opening accounts and reporting suspicious activity to authorities, financial institutions are able to help disrupt criminal activity.

Where do the requirements come from?

KYC and KYB requirements for financial institutions are primarily rooted in laws and regulations intended to prevent terrorist financing and money laundering.

One source of current requirements is what’s known as the Customer Due Diligence (CDD) rule. This rule was written in 2016 to strengthen and clarify parts of the Bank Secrecy Act (BSA), a 1970 law that targeted money laundering efforts.

The Customer Due Diligence rule requires financial institutions to verify the identity of their customers when they open accounts. It also requires financial institutions that offer business accounts to verify the identities of a company’s beneficial owners – the individuals who own, control and profit from the company.

The USA Patriot Act was passed in 2001 to further boost U.S. defenses against money laundering and to fight terrorist financing. This law is the basis for the Customer Identification Program (CIP) rule, which requires financial institutions to have written procedures for verifying the identities of their customers and making sure they’re not on any lists of known terrorist organizations.

Do payments companies – like Payfacs – need to do KYC and KYB?

The rules don’t assign responsibility to Payfacs specifically, as Payfacs are not “registered financial institutions” under the law. But these rules do apply to acquiring banks (the banks that offer merchant settlement accounts, facilitate the movement of funds on behalf of the Payfac, and provide access to card and financial networks).

Acquiring banks typically pass some of their own requirements on to the companies that are operating on their behalf or under their sponsorship. This includes companies such as Payfacs, ISOs and many others they’re sponsoring into the payments system.

Acquiring banks dictate exactly what they expect from a KYC/KYB program. So, if you are a Payfac, you’ll need to follow the overall KYC/KYB requirements provided to you by your own acquirer.  Because these requirements are driven by standardized laws and regulations, they may vary slightly, but will largely be the same from one acquirer to another.

How is KYC/KYB performed – what do the processes involve?

During the underwriting process, financial institutions and other payments providers (Payfacs in this case) collect identifying information from the businesses that are seeking accounts.

Payfacs then must verify that the information provided to them is true. And even if the information is valid, they need to make sure the individuals or organizations they’re dealing with are not known bad actors and do not represent an undue risk to the card brands or sponsoring institution.

To do this, the providers run checks of the information they’re provided against government and industry databases. They also perform a variety of other screenings, which can be more expansive or specific depending on the industries the provider supports.

So, for example, a provider might check websites and social media channels to get a sense of the merchant applicant’s digital footprint. Does the way they talk about themselves match up with the way they’ve presented themselves on the application?  Are their social media accounts well-established, or is their digital footprint brand new?

Another common check for businesses is verifying whether the phone number listed on their application matches what’s in phone company records.

You might also screen the information provided by an applicant against what appears in public voter records.  Has the individual been registered to vote in the location they put on their application?

Ultimately, providers are looking for discrepancies between the information the applicant provides and information that is otherwise available through databases and other private and public sources. They’re using these processes to provide themselves with a reasonable level of confidence that the actor is who they say they are.

What are the tools payments companies can use for KYC?

While these validations might seem like a lot to take on, there are resources available to streamline the process. Many service providers offer technology that can help automate the KYC/KYB process. Infinicept offers underwriting capabilities that conduct common identity verification checks automatically, flagging information that merits additional human review when the information provided on an application does not pass the “sniff test”.

Some service providers also have underwriting and risk experts on staff that can assist in determining how to comply with these requirements, and even manage KYC, KYB, underwriting, and risk monitoring for you.

Contact an expert at Infinicept to learn more about the industry-leading KYC/KYB tools available to payment facilitators.
