Chapter 6 Key Takeaways
KYC Fundamentals: Identity Verification at Scale
The Big Picture
Know Your Customer is the foundation of financial crime compliance. The obligation to verify customer identity and maintain that verification is both a legal requirement and a practical necessity — you cannot detect suspicious activity without first knowing who your customers are. Technology has transformed KYC from a 19-day manual process to a largely automated journey that most customers complete in minutes.
Essential Points
1. KYC Has Three Levels
| Level | What It Requires | When Required |
|---|---|---|
| CIP (Customer ID Program) | Name, DOB, address, ID number | All customers; legal minimum |
| CDD (Customer Due Diligence) | Business purpose, risk assessment, ongoing monitoring | All customers; proportionate to risk |
| EDD (Enhanced Due Diligence) | Additional verification, source of wealth, more frequent review | High-risk customers: PEPs, high-risk jurisdictions, complex ownership |
2. Four Technology Approaches to Identity Verification
| Method | How It Works | Best For | Limitation |
|---|---|---|---|
| Document verification | Computer vision authenticates document images | All segments; required for high risk | Won't catch stolen documents |
| Biometric/liveness | Facial match + liveness detection | Anti-impersonation; medium-high risk | Sophisticated deepfakes can defeat some systems |
| eIDV | Multi-source database matching | Established customers; low-medium risk | Fails for thin-file customers (new to country, young adults) |
| Orchestration | Risk-based routing combining above | All segments; scales efficiently | Requires careful calibration of risk thresholds |
3. Deepfake Risk Is Real and Growing
Biometric liveness detection can be defeated by sophisticated deepfake attacks. This risk will grow as deepfake technology improves. Compliance teams should:
- Verify their vendor's deepfake detection capabilities explicitly
- Maintain human review for high-value or high-risk onboarding
- Monitor FCA/FinCEN guidance on acceptable biometric verification standards
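
The orchestration approach from takeaway 2, combined with the human-review rule from takeaway 3, can be expressed as a routing function. This is an added example, not code from the chapter or from any vendor; the `Applicant` fields, the step names and the `EIDV_MIN_SOURCES` threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Applicant:
    risk: Risk
    eidv_sources_matched: int  # independent data sources matching name/DOB/address
    high_value: bool = False


# Assumption: eIDV alone is trusted only when this many sources agree.
EIDV_MIN_SOURCES = 2


def plan_verification(a: Applicant) -> list:
    """Return the ordered verification steps for one onboarding case."""
    thin_file = a.eidv_sources_matched < EIDV_MIN_SOURCES
    steps = []
    if a.risk is Risk.HIGH or thin_file:
        # Document verification is required for high risk, and is the
        # fallback when eIDV cannot match a thin-file customer.
        steps.append("document")
    else:
        steps.append("eidv")
    if a.risk >= Risk.MEDIUM:
        # A genuine document can be stolen; the facial match plus liveness
        # check ties it to the person actually presenting it.
        steps.append("biometric_liveness")
    if a.risk is Risk.HIGH or a.high_value:
        # Liveness checks can be defeated by deepfakes, so a human reviews
        # high-risk and high-value onboarding.
        steps.append("human_review")
    return steps


if __name__ == "__main__":
    # Constructed sample applicants.
    cases = {
        "first-account student (thin file)": Applicant(Risk.LOW, 0),
        "established customer": Applicant(Risk.LOW, 3),
        "PEP": Applicant(Risk.HIGH, 3),
    }
    for label, applicant in cases.items():
        print(label, "->", plan_verification(applicant))
```
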
4. Ongoing Monitoring Is Part of the KYC Obligation
KYC is not a one-time event. Key ongoing monitoring requirements:
- High-risk customers: annual review
- Medium-risk: every 2–3 years or on triggering event
- Triggering events: address change, PEP status change, adverse media, unusual transactions
5. The Business and Compliance Cases for Automation Are Aligned
KYC automation is one of the rare cases where compliance improvement and business improvement reinforce each other. Faster onboarding reduces customer abandonment. Better verification quality reduces compliance risk. The two objectives are not in tension.
Maya's KYC Progress at Verdant
| Metric | Pre-Automation | Post-Automation |
|---|---|---|
| Median onboarding time | 19 days | 4 days |
| Automated approvals (no human review) | 0% | 73% |
| Analyst capacity for judgment-intensive cases | Minimal | Substantial |
| FCA assessment | "Not commensurate with growth" | "Material improvement" |
Self-Check Questions
- What are the three components of modern KYC, and what does each require?
- A digital bank serves many students opening their first bank account. Why might eIDV be a less reliable verification method for this customer segment?
- Explain the difference between document verification and biometric verification. Under what circumstances would you deploy both?
- What is a KYC "triggering event" and why does it matter for ongoing monitoring?
- A vendor claims their biometric verification system is "deepfake-resistant." What questions should you ask before accepting this claim?