There’s one thing every Chief Financial Officer (CFO) and Financial Director (FD) should have on their agenda. Compliance. If your organisation doesn’t comply with relevant laws for the countries and sectors you operate within, the financial and reputational consequences will hit you hard.
One major area of compliance you need to keep in mind if your organisation handles customer or supplier data is KYC (Know Your Customer). Why? To answer this, we ask: What is KYC?
Fighting financial crime
Financial institutions are a major target for criminals, simply because of the sheer amount of money they handle. With the rise of online tech, this has only become more of a problem. A big issue for any CFO or FD in this day and age is money laundering. Figures gathered by Barclays show that criminals around the world launder £1 trillion each year – equal to 5% of the globe’s GPD. This adds as much as 10% to the cost of doing business, damaging your organisation’s ability to turn a profit.
KYC is perfectly designed to help you fight financial crimes such as money laundering. How?…
KYC: Know your customer
A basic definition might be a good place to start. KYC refers to regulations that require organisations – especially financial institutions like banks – to verify the identities of the people and companies they do business with. Organisations are supposed to use various mechanisms to figure out the level of potential risk that would be involved in creating and maintaining business relationships.
KYC rules are basically designed to make sure you don’t do business with anyone dodgy. These measures should be applied to tasks like opening bank accounts and taking out loans.
Spotlight on the UK
KYC is a global phenomenon. There are various KYC frameworks in different countries across the world. To flesh out our understanding of the concept, let’s look at the UK as a case study.
Under UK law, organisations are obligated to carry out customer due diligence checks in various situations. This includes when you’re creating a business relationship, a term UK law defines as one “where both of you expect that the relationship will be ongoing”. There are other circumstances where you’re supposed to carry out due diligence e.g. when you suspect money laundering.
For KYC purposes, organisations are overseen by different regulatory bodies. Let’s turn back to the UK. In terms of KYC, the Financial Conduct Authority (FCA) is responsible for banks, financial services and some other industries, but not all. HM Revenue & Customs is the KYC body for sectors such as estate agencies, while some e.g. gambling and law, are overseen by their own industry bodies.
Paying attention to details
Now to the crux of KYC. What checks do you have to carry out? According to PwC, organisations are required by KYC rules to prove the other party’s identity – but there are different ID checks required for dealing with people and businesses. Let’s turn back to our UK example to illustrate the point…
The ID you need when dealing with people are the obvious suspects. It’s full name, date of birth and residential address – ideally supplied by a government-issued photo I.D. like a passport. It’s similar for most businesses. When dealing with them, you’ll need their full business name, registration number, the address of the registered office in their country of incorporation, and business address.
There are extra requirements for private/unlisted companies. This includes the names of all directors, the names of individuals who own or control over 25% of shares/voting rights, as well as the names of individuals who otherwise exercise control over the company. The firm dealing with this private/unlisted company also needs to confirm that it exists by searching for them on the relevant company register or by asking them to supply a copy of their Certificate of Incorporation.
Avoid major consequences
What does this mean from a compliance point of view? You need to keep any info used for KYC checks safe. If cyber-criminals gain access to this info they could commit ID theft. They could, for example, take out a loan on your behalf or on behalf of your customer. Both would be disastrous.
ID fraud is very real and has very real consequences. There’s data that suggests ID fraud costs the UK £5.4 billion each year, yet people still aren’t carrying out basic measures needed to tackle the problem. The numbers show that 40% of those polled don’t have antivirus software installed on their devices, and 27% of people use the same password for multiple accounts.
Then there’s the GDPR angle to consider. This EU regulation places the burden on organisations to safeguard personal customer data – the exact kind of data gathered in KYC checks. If they don’t, they face a fine of either 5% of their revenue or €20 million – whichever is higher.
The Essential GDPR guide for Finance Directors –CEO & Marketing Director from AccessPay sat down with data experts from Manchester-based solicitors Turner Parkinson, to discuss the implication GDPR will have on finance professionals.
Keys to compliance
Here comes the big question. What can you do to make sure any KYC-related info remains safe?
There are the common-sense measures of course. Make sure all devices have anti-virus software, shred sensitive documents, set complex passwords etc. Also, educate staff on external threats like social engineering (where individuals are tricked into giving away sensitive info via their online accounts). A great tool here is uSecure, which offers short online courses on key security topics.
For an added layer of security, store data in the cloud. Cloud-based storage solutions are very secure, hosting the servers that hold your data in data centres. These centres have the resources to invest in heavy-duty security features e.g. high-grade firewalls, as well as back up servers that offer continued access to your data in the case of an emergency e.g. if the original server is damaged.
Let AccessPay lend a hand
One area you need to look at especially when considering KYC compliance is payments. Just think of how many sensitive customer and supplier details e.g. addresses, run through your payments ecosystem. What would happen if there was a data-breach or a case of internal fraud?
It’s a wise idea to manage your payment processes through a cloud-based platform, such as the one supplied by AccessPay. Offering features such as role-based access and enhanced workflows, while serving as a file system agnostic solution which easily integrates with back-office applications like ERP-systemer (Enterprise Resource Planning), our platform can help you meet KYC requirements.
We offer best-in-class sikkerhedsværktøjer as well. This includes solutions that bar anyone other than those with the correct authorisation from seeing or handling data like two-factor authentication, data masking and enhanced workflows. Then there are tools like real-time alerts, audit trails and detailed reporting, which allow you to track activity across payments processes so it’s easy to spot any anomalies. Armed with this arsenal of tools, we can help you meet your KYC requirements with ease.