
Know Your Client (KYC): What It Is and 3 Key Steps

Leverage your existing third-party risk processes and technologies to assess and monitor institutional client risk.
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
May 31, 2023

In an increasingly interconnected and complex global business landscape, banks and investment firms face a multitude of risks, from financial and regulatory to reputational and legal. To address these risks effectively, financial services companies must have a comprehensive understanding of internal risks, third-party vendor and supplier risks, and the risks presented by clients and counterparties. This latter category of risks is where Know Your Client (KYC) practices come into play.

In this post, we will:

  • Examine KYC, its components and regulatory requirements
  • Explore how banks and investment firms can leverage KYC to reduce risk
  • Identify important TPRM capabilities that can help achieve KYC objectives

What Is Know Your Client (KYC)?

Know Your Client, commonly referred to as KYC, is a process employed by financial institutions and businesses to verify the identity of their customers, assess their suitability, and understand the nature of the business relationship. KYC procedures involve collecting and verifying relevant information about clients' identities, financial activities, and risk profiles, as well as conducting ongoing due diligence to ensure compliance with regulatory requirements. For the purposes of this post, we focus on institutional clients, and not individual clients.

The primary goal of KYC is to prevent financial institutions and companies from being used by their clients for illicit purposes, such as money laundering, terrorist financing, fraud, and other financial crimes. By obtaining a comprehensive understanding of their institutional clients, organizations can mitigate risks associated with these activities, protect their reputation, and maintain regulatory compliance.

Key Components of KYC

KYC processes typically consist of three components: a customer identification program and two levels of due diligence.

Customer Identification Program (CIP)

CIP involves gathering the documentation needed to verify the identity of a client, such as government-issued identification for the individuals who control or represent the institution, proof of address, formation documents, and a tax identification number. This step ensures that the firm holds accurate, verified information about its clients and reduces the risk of fraud and impersonation.

Customer Due Diligence (CDD)

CDD involves conducting a risk assessment of clients, evaluating their company background, financial activities, and business operations. This step helps organizations identify potential risks associated with specific clients and determine the appropriate level of monitoring required.

Enhanced Due Diligence (EDD)

EDD is conducted for clients presenting a higher risk profile due to factors like their geographic location, occupation, or involvement in industries susceptible to financial crimes. EDD involves conducting more in-depth investigations to gather additional information, ensuring a higher level of scrutiny.

It is important to note that KYC is not a one-time process: it is performed at the beginning of a broker-client relationship, but it also requires continuous monitoring of client activity. With robust monitoring in place, organizations can promptly detect suspicious behavior or changes in a client's risk profile.

KYC Regulatory Requirements

Several regulatory bodies require KYC processes to be followed, including:

Reducing Risk Through KYC

Implementing KYC processes can reduce several types of risks throughout the organization and deliver multiple benefits.

Prevention of Financial Crime

KYC practices act as a critical defense against money laundering, terrorist financing, fraud, and other financial crimes. By diligently verifying the identity and risk profile of institutional clients, companies can detect illicit activity earlier and deter clients who would use the firm for it.

Regulatory Compliance

Compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations is of utmost importance for financial services businesses. Documented KYC procedures support adherence to these regulations and protect companies from severe penalties and legal consequences.

Reputation Protection

Associations with illicit activities can severely damage a company's reputation. KYC helps businesses avoid being inadvertently linked to criminal behavior, preserving their reputation and maintaining the trust of clients, partners and stakeholders.

Risk Mitigation

Understanding the risks associated with specific institutional clients enables organizations to tailor their risk management strategies accordingly. KYC practices provide valuable insights into the potential risks clients pose, enabling businesses to implement appropriate risk mitigation measures and make informed decisions.

Strengthening Customer Relationships

KYC is not just about mitigating risks; it also fosters transparency and builds trust with clients. By demonstrating a commitment to regulatory compliance and diligently protecting client information, companies can establish stronger and more enduring relationships with their customers.


Three Steps to Implementing KYC Processes with the Third-Party Risk Lifecycle

Financial institutions can leverage the same processes and technologies already in place for managing third-party vendor and supplier risks for assessing and monitoring KYC risks as well. Consider these capabilities at every stage of the relationship:

1. Build a Comprehensive Institutional Client Profile to Satisfy the CIP

Just as you conduct pre-contract due diligence into potential vendors or suppliers, you can also perform due diligence on potential institutional clients and investors – and, in some cases, even individual members of the institutional leadership team. To accomplish this, build a comprehensive profile that includes key identifying information, including:

  • Company demographics: Information such as beneficial ownership, legal name, year founded, number of employees, estimated revenues, industry, and sector of the client organization. This data should be automatically included in a comprehensive profile at the time of client onboarding.
  • EIN (Tax ID): Having this information automatically rolled up into the client profile simplifies setting up a new client in your client management system. It also gives you a stable identifier for tracking court judgments and other legal proceedings involving the client.
  • Corruption Perceptions Index (CPI) scores: The CPI, published annually by Transparency International, is a composite index that ranks countries and territories by how corrupt their public sector is perceived to be by experts and business executives, and it is the most widely used indicator of corruption worldwide. Associating a CPI score with each client institution's home and operating jurisdictions gives your anti-bribery and anti-corruption (ABAC) due diligence a baseline to work from.
  • Modern Slavery checks: Closer to reputational and legal risk, check public records to determine whether the institutional client has published a Modern Slavery statement (larger organizations are required to do so under laws such as the UK Modern Slavery Act 2015 and Australia's Modern Slavery Act 2018). A published statement is evidence that the client is addressing the risk of slavery in its own operations and supply chain; the absence of one, where the client is required to publish it, is itself a finding.

This information provides a baseline to then conduct a more complete client assessment based on data gathered.

2. Perform Comprehensive Due Diligence

Once onboarded, instead of emailing spreadsheet questionnaires to clients asking them to attest to their anti-bribery and anti-corruption (ABAC) and anti-money laundering (AML) controls, automate the process with a centralized, targeted assessment integrated with your existing third-party risk management assessments. This lets you centrally review and approve assessment responses, automatically register risks, and reject responses to request additional input or evidence uploads that support an attestation. It also centralizes this information for all of your clients, which simplifies FINRA reporting.

3. Continuously Monitor for Changes in Client Financial, Operational and Reputational Status

A lot can happen between the time you initially onboard and assess a new client and when you have to perform your annual compliance reporting. Therefore, continuously monitor for client financial, operational, and reputational updates including:

  • Data breaches: A breach at a client can expose its executives' and employees' personal information to bribery, blackmail, or other crimes built on misuse of that data, and compromised client accounts can be used to send fraudulent instructions in the client's name.
  • Adverse media and negative news: A client's reputational problem can quickly become your firm's reputational problem. Understanding media coverage is often the first step in deciding whether further investigation is warranted.
  • Global regulatory and legal sanctions: Doing business with a sanctioned individual or entity can result in government-levied fines and legal charges against company leaders. Government, regulatory, and financial organizations such as the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the UK Sanctions List, the EU Consolidated List of Sanctions, the Australian government, and many others maintain lists of sanctioned individuals and companies.
  • State-owned and government-linked enterprise activity: OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) names individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries, along with other blocked persons. Check it regularly, and remember OFAC's 50 Percent Rule: an entity owned 50 percent or more, directly or indirectly, by one or more blocked persons is itself blocked even if it does not appear on the list, so the beneficial-ownership data in the client profile matters as much as the name screen.
  • Politically exposed persons (PEPs): A PEP is an individual entrusted with a prominent public function, together with their immediate family members and close associates. There is no single official PEP list; regulatory guidance such as the FFIEC BSA/AML Examination Manual defines the category and the expected controls, and commercial data providers such as LexisNexis maintain PEP databases used to counter money laundering and corruption.
  • Operational updates: Look for public and private sources of operational information, including M&A activity, business news, management and leadership changes, competitive news, and related information that can signal a shift in strategy.
  • Financial performance: A picture of the institutional client's financial performance data, including turnover, profit and loss, shareholder funds, credit ratings, payment history, bankruptcies, and investments, helps you continually evaluate its health for informed credit, lending, and counterparty decisions.

A common problem is consolidating the insights from these disparate, siloed sources and making sense of them quickly enough to act on risks in a timely fashion.
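As an added example (not code from the original post and not Prevalent's product), the Python below shows the two mechanics behind step 3 that a monitoring pipeline has to get right: screening a client profile's legal name, aliases, and beneficial owners against list entries with name normalization (so "Ltd" versus "Limited" does not cause a miss), and raising only the hits that are new since the previous run. Every list entry, program label, the client profile, and the 0.85 match threshold are constructed for illustration; none is taken from OFAC, the UK, the EU, or any other real list.

```python
"""Sanctions/PEP screening of an institutional client profile, plus change
detection between two monitoring runs.

All list entries and the client profile below are CONSTRUCTED for this example
and are not taken from OFAC, UK, EU, or any other real sanctions list."""
import re
from difflib import SequenceMatcher

# Corporate suffixes carry no identifying signal and cause false misses
# ("Northwind Logistics Ltd" vs "Northwind Logistics Limited"), so drop them.
_SUFFIXES = {"LTD", "LIMITED", "LLC", "INC", "CORP", "CORPORATION", "CO",
             "COMPANY", "SA", "AG", "GMBH", "PLC"}


def normalize(name: str) -> str:
    """Uppercase, strip punctuation and corporate suffixes, collapse whitespace."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    kept = [t for t in tokens if t not in _SUFFIXES]
    return " ".join(kept or tokens)  # keep the tokens if all of them were suffixes


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1]: the better of character-level ratio and token overlap."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    ratio = SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    return max(ratio, len(ta & tb) / len(ta | tb))


# Constructed sample entries (fictional names, fictional program labels).
SANCTIONS = [
    {"list": "OFAC SDN", "name": "Acme Freight Forwarding LLC",
     "aliases": ["AFF Shipping"], "program": "SAMPLE-PROGRAM"},
    {"list": "EU Consolidated", "name": "Pat Example",
     "aliases": ["P. Example"], "program": "SAMPLE-PROGRAM"},
]

# Constructed client profile, shaped like the step-1 client profile.
SAMPLE_CLIENT = {
    "legal_name": "Northwind Logistics Ltd",
    "aliases": ["Northwind Logistics"],
    "beneficial_owners": ["Pat Example", "Chris Nobody"],
}


def screen(profile: dict, entries: list = SANCTIONS, threshold: float = 0.85) -> list:
    """Screen the client's legal name, aliases and beneficial owners.

    Each subject is compared with every entry's primary name and aliases; the
    best score at or above the threshold is recorded as a hit."""
    subjects = [("client", profile["legal_name"])]
    subjects += [("client alias", a) for a in profile.get("aliases", [])]
    subjects += [("beneficial owner", o) for o in profile.get("beneficial_owners", [])]
    hits = []
    for role, subject in subjects:
        for entry in entries:
            best = max(name_score(subject, n) for n in [entry["name"], *entry["aliases"]])
            if best >= threshold:
                hits.append({"role": role, "subject": subject, "list": entry["list"],
                             "match": entry["name"], "score": round(best, 2)})
    return hits


def new_hits(previous: list, current: list) -> list:
    """Hits in the current run that the previous run did not raise.

    Continuous monitoring should alert on these rather than re-raise every
    already-known hit on each refresh, or analysts drown in repeats."""
    def key(h):
        return (h["role"], h["subject"], h["list"], h["match"])
    seen = {key(h) for h in previous}
    return [h for h in current if key(h) not in seen]


# A later refresh of the (constructed) list adds the client itself under a
# differently spelled suffix; suffix normalization still catches it.
UPDATED_SANCTIONS = SANCTIONS + [
    {"list": "OFAC SDN", "name": "Northwind Logistics Limited",
     "aliases": [], "program": "SAMPLE-PROGRAM"},
]


def run_example() -> tuple:
    """Onboarding screen, then a monitoring run against the refreshed list."""
    onboarding = screen(SAMPLE_CLIENT)
    monitoring = screen(SAMPLE_CLIENT, UPDATED_SANCTIONS)
    return onboarding, new_hits(onboarding, monitoring)


if __name__ == "__main__":
    first, alerts = run_example()
    print("onboarding hits:", first)
    print("new alerts after list refresh:", alerts)
```

The onboarding run flags only the beneficial owner "Pat Example"; after the list refresh, the client's own name and its alias become new alerts while the already-known owner hit is not repeated. Two caveats a practitioner should carry into a real deployment: the threshold trades false positives against missed transliterations and should be tuned against the list feed you actually consume (OFAC publishes the SDN List in machine-readable CSV and XML), and name screening alone does not implement OFAC's 50 Percent Rule, which needs the ownership percentages from the client profile, not just the owners' names.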

Take Action on Client Risks

Know Your Client (KYC) procedures serve as a fundamental risk management tool for businesses operating in a complex financial and regulatory environment. By verifying institutional client information, conducting due diligence, and implementing ongoing monitoring, your organization can reduce the risk of financial crimes, maintain compliance, protect its reputation, and strengthen customer relationships. Embracing KYC practices is not only a regulatory requirement, but also a strategic imperative that enables companies to navigate risk effectively and thrive in a rapidly evolving business landscape.

Prevalent enables companies to use the same solution they already use to assess and monitor third parties to assess and monitor institutional clients as well, supporting a KYC program with comprehensive assessments, consolidated monitoring from multiple sources, and dedicated regulatory reporting.

For more on assessing your KYC program, request a demo or contact us today.

Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.
