
The three layers of KYC: which should you own?

If you’re planning to offer financial services to your customers, then you’re required to have a compliant KYC flow. But which layers of KYC should you own?

Last updated: February 1, 2024


Introduction

In our Guide to Banking Infrastructure, we explore three different ways to build financial features into your product offering. In this guide, we’ll take things one step further. Once you’ve decided on an approach, how should you structure and implement a KYC process flow? Put another way, which parts of KYC should you “own?”

KYC stands for “Know your customer.” It’s the set of procedures that financial-service providers deploy during onboarding to verify their customers’ identities, thereby mitigating the risk of things like fraud and money laundering. In the broadest terms, KYC is a systematic way to onboard the kinds of customers you want while keeping bad actors out. 

It’s also required by law—and not just for banks. If you’re planning to offer financial services (e.g., cards, accounts, lending) to your customers, then you’re legally required to have a compliant KYC process flow.

If you’re a founder or product manager who’s thinking about how to approach the problem of KYC, this post is for you. In it, we’ll discuss:

  • How an intelligent KYC process flow can set your company apart
  • The three “layers” of KYC and which make sense for you to own
  • What’s involved in designing a KYC process flow
  • Two approaches to implementing KYC and how to get started

A note on terminology: in this article, we use the term “KYC” to refer to identification flows for both consumers and businesses (corporations, LLCs and more). In the case of businesses, the term KYB (Know Your Business) is sometimes used as well, but we’ll keep it simple.

What is KYC in banking and why is it important?

Remember the last time you applied for a bank account? First, you provided your personal information to the bank—things like your name, address, date of birth, and social security number. Then, the bank checked that information against public, private, and proprietary databases to make sure you were who you said you were. All of that—and much more—falls under the KYC umbrella. (More on this later.)

In the past, some financial-services providers have viewed KYC as little more than a box to check in the rush to get a product live. But a raft of recent headlines has called out the weakness of such an approach. After their accounts and cards were repeatedly associated with instances of ACH fraud, several leading digital banks were blocked by prominent retailers, who would no longer accept their transactions.

The truth is that KYC isn’t just a way to keep bad actors off your platform; it can also be a key driver of growth. In addition to mitigating the risk of fraud and money laundering, a well-structured and well-managed KYC process flow has the potential to impact:

  • How quickly you go to market
  • How many people you need to hire (including vendors and contractors)
  • Which applicants you auto-approve, auto-decline, and manually review
  • Your customer experience, especially during the onboarding process
  • How quickly you can pivot your product in the future
  • What you’re paying, both upfront and on an ongoing basis

As a founder or product manager, the key decision you’ll have to make is how to approach implementing a KYC process flow. It comes down to a question of which parts of KYC it makes sense for you to “own.”

The three layers of KYC (how to think about it)

Over the last few years, we’ve worked with hundreds of companies who are designing KYC flows. On the basis of that experience, we’ve developed a fraud risk framework. It's made up of three components or layers that you should think about when setting up your own flow.

  • Anti-money laundering
  • Universal fraud risk management
  • Fraud risk management with vertical-specific data

To illustrate, let’s use an example. Say you’re the CEO at Lando, a company that helps landlords manage their rental properties. Today, you offer your customers features like applicant screening, contract signing, and tenant communication. In the near future, you’re planning to offer financial features: things like business bank accounts, custom debit cards, rent payments, and automated savings for tax payments.

Before you can launch your financial features, you’ll need to implement a KYC process flow. But which layers should you “own” (i.e., build and manage)? Where should you partner with a platform or other provider, who can build or manage it for you?

KYC documentation: what your applicants provide

Let’s start with what your applicants provide. For each layer of KYC, you’ll need to process applicant inputs that might include (but are not limited to) the following:

  • Personal identification document(s) from the business owner
  • The business’s Employer Identification Number (if applicable)
  • Business name, industry, address, email, and telephone number
  • Registration certificates, business licenses, and/or articles of incorporation

The first layer of KYC: preventing money laundering

  • Contributes to competitive advantage? No
  • Differentiated? No
  • Time to build: 6 months
  • Setup cost: $10,000–$50,000
  • Ongoing cost: $0.50–$1 per check for individuals, $2+ for businesses
  • Expertise required: 2–5 full-time compliance hires, including specialized leadership

The most basic KYC measures are instituted to prevent money laundering and the financing of terrorism. They are universal and don’t vary between companies: things like verifying identification documents against public, private, and proprietary databases.

To prevent money laundering and the financing of terrorism, Lando will want to check those documents against state and local databases to ensure that they’re valid, as well as checking applicant information against lists of known terrorists and money launderers (i.e., the Office of Foreign Assets Control’s list of Specially Designated Nationals and Blocked Persons).

The second layer of KYC: universal fraud-risk management strategies

  • Contributes to competitive advantage? No
  • Differentiated? No
  • Time to build: 3–6 months
  • Setup cost: $10,000–$50,000
  • Ongoing cost: $0.50–$2 per check for individuals, $2–$3 for businesses
  • Expertise required: 5–25 full-time compliance hires, including specialized leadership

The next tier of KYC measures is designed to keep fraudsters off your platform, regardless of what industry you’re in. A few examples of fraud-prevention checks include:

  • Checking applicant information against databases of known fraudsters
  • Checking to make sure that the name and address submitted by the applicant match the name on the applicant’s linked outside bank account
  • Checking the age of outside bank accounts: nearly all bad actors use newly-created accounts when attempting to commit fraud
  • For B2B clients, checking public databases to ensure that they’ve registered as a business and obtained the appropriate business licenses

It’s possible to set up the first and second layers of KYC at the same time. That said, the costs are additive. In other words, you’ll need to pay separately for KYC measures to prevent money laundering and those to prevent fraud.

These costs can add up quickly, which is why it’s so important to have experienced leaders guiding the process. In general, adding more vendors and KYC checks will cost more and increase the proportion of applicants you deny—but at a certain point, they won’t be adding much in the way of fraud-risk mitigation.

Although you can dial up or down the riskiness of the customers you decide to onboard, in general, the second layer of KYC is like the first: undifferentiated and hard to build. That said, for a narrow subset of businesses (e.g., crypto exchanges), building and managing the second layer can make sense, as it can contribute to their competitive advantage.

The third layer of KYC: fraud risk management strategies using vertical-specific data

  • Contributes to competitive advantage? Yes
  • Differentiated? Yes
  • Time to build: 2–3 months
  • Setup cost: $0–$10,000
  • Ongoing cost: $0–$1 per check
  • Expertise required: 0–2 full-time hires, as well as a deep understanding of your vertical

Additional indicators of fraud—and the tools to prevent them—are industry-specific. For example, a banking platform for artists and creators might want to verify social media accounts as an additional way to check that their applicants are, in fact, who they say they are.

For Lando, there would be several industry-specific ways to verify that applicants are actually landlords and not scammers. First, they could leverage proprietary data by checking to see how long a given landlord has been a loyal Lando customer. (Landlords who signed up years before banking features were offered are unlikely to be scammers.) As a way to assess the risk of a given customer and assign them to the appropriate product tier, they could check to see how many buildings a given landlord owns, what kinds of occupancy/vacancy rates they typically experience, and what percentage of their tenants pay rent on time.

In addition to proprietary data, there are also public data sources that are potentially useful. Lando could check rental listings on Zillow, Redfin, and apartments.com. For larger multifamily buildings, they could check for reviews on Google Maps.

These are just a few ideas. Here are the important takeaways:

  1. Industry-specific KYC measures are a critical tool for mitigating fraud. Fraudsters are notoriously crafty, but very few will go so far as (for example) to become a landlord and start accepting rent payments from tenants.
  2. You are in the best position to own this layer of KYC. Your bank won’t require you to implement any KYC measures beyond the second layer. But your knowledge of your industry and your proprietary data enable you to go the extra mile in keeping bad actors off your platform. Indeed, you’re often the only one who can own this layer.
  3. Owning this layer is a relatively light lift. Developing anti-money-laundering expertise or building out a non-industry-specific fraud prevention program can take years and require millions. But vertical-specific fraud management, which you are best placed to own, can be built in a matter of weeks, for $0–$10K.

For these reasons, it’s important for you to own and manage industry-specific fraud mitigation. It’s highly differentiated and can contribute powerfully to your competitive advantage. Thinking about it now: how could you leverage your proprietary data and knowledge of your industry to keep bad actors off your platform?

Two ways to implement KYC

Now that you’ve identified which parts of KYC it makes sense to “own,” it’s time to implement your KYC process flow. Broadly speaking, there are two ways to go about it:

  1. Build all three layers of KYC. This approach requires that you “own” all three KYC layers: anti-money-laundering, universal fraud risk management, and vertical-specific fraud risk management. It involves hiring a compliance team of 10–50, writing policies and procedures, integrating with vendors, getting approved by your partner bank, handling manual reviews, and completing periodic audits and re-certifications. Time to go live is typically 6–12 months.
  2. Partner with a platform that can deliver the best results in layers 1+2, then focus your KYC efforts on layer 3. Under this approach, you “own” vertical-specific fraud risk management, which the platform will help you set up. Meanwhile, the platform streamlines the other two: anti-money-laundering and universal fraud risk management. Time to go live is typically 3 months, and you needn’t hire anyone. In terms of staffing, it can require as little as fractional time from one full-time team member, who will manage the partner relationship.

In short, if you build your own KYC process flow from scratch, it’ll be a much bigger lift. Not only that, you’re likely to get a worse outcome. As a new entrant into the field of KYC, you’re unlikely to hire the best talent, or to develop systems and processes that rival those of established players. As a result, you could miss out on good customers because you don’t recognize them. On the other hand (which is worse), you could end up onboarding bad actors.

A real-world example: if you decide to "own" layers one and two, you’ll have to become an expert on (among other things) the financing of terrorism. Say there’s a 70% match between one of your applicants and the name of a known terrorist. Someone on your team will have to go out and research additional inputs as a way to make a decision about whether or not to onboard that applicant.

Are you prepared to find and hire that compliance team? Because decisions like this one will come up multiple times per day.

If you partner with a platform, you’ll go to market more quickly and spend fewer resources. This will enable you to focus on other priorities that are unique to your business. Generally, KYC-as-a-service platforms are compensated based on usage, so their incentives are aligned with yours. (Provided you’re compliant, they want you to onboard as many users as possible.) 

Finally, because KYC is such a big part of their job—and because they streamline it for so many different customers—platforms tend to be great at it. A sustained focus on compliance enables them to aggregate the people, tools, and processes necessary to support industry-leading KYC process flows. Plus their datasets are enormous, which enables them to do a better job of recognizing bad actors.

How vertical-specific KYC can create happier customers

To demonstrate what’s possible when you focus on excellent, vertical-specific risk management, let’s return to Lando. It’s important to note that KYC doesn’t have to be a “yes” or “no” decision. By using what you know about your industry to intelligently assess the risk of individual applicants, it’s possible to assign them to different tiers within your financial offering.

For example, based on what they learned during their KYC process flow, Lando may want to differentiate between older, more established landlords (lower risk) and those who are just starting out (higher risk). Established landlords could be assigned to a tier with high account limits and enticing rewards. Newer landlords might be offered lower limits and less favorable terms. Finally, high-risk applicants could be kept off the platform entirely. Here's what that might look like:

Intelligent product tiering allows you to offer a better experience to low-risk customers while reducing your exposure to higher-risk customers. And here’s the good news: you don’t have to build from scratch to get product tiers. Any modern platform should be able to help you set this up.

Choose an approach and start building

During a first call, founders often say, “We need to own KYC.” But what do you need to own, really?

As a general rule, save your “build” resources for those aspects of your product that are unique to your business and contribute to your long-term competitive advantage; buy everything else. In this case, that means “owning” vertical-specific risk-management (differentiated and relatively easy) and leaving the other two KYC layers (undifferentiated and hard) to well-qualified partners.

When deciding on an approach to KYC, ask yourself questions like these:

  • Which aspects of my KYC process flow are differentiated and can contribute to my competitive advantage?
  • Which are undifferentiated and hard to build?
  • For each layer: if I try to build it myself, will I get a better outcome?
  • Will it be worth the additional inputs of time, expertise, and money?
  • Is it possible to get what I want with a less costly approach?

If you are interested in learning more about how Unit can help you structure and implement a world-class KYC flow, contact us to book a demo or sign up for sandbox.

Originally published: March 21, 2022
