Handling financial transactions in the United States requires your company and financial institution to follow “Know Your Customer (KYC)” guidelines, a financial guideline around knowing basic information about the customer. No, this is not a joke, and “Knowing Your Customer” needs to be taken seriously in order to limit the amount of financial fraud that can occur on a financial network.
Know Your Customer (KYC) rules apply specifically to banking and ACH transactions. So if you are facilitating ACH transactions through an ACH payment API, KYC protections need to be in place.
This article will give you a better sense of what KYC is and why it’s so important if you want to facilitate financial transactions.
What are Know Your Customer (KYC) regulations?
Know Your Customer (KYC) regulations, otherwise known as the 2090 rule, are a set of regulations that are used in financial services requiring a financial institution to verify the identity of their customers and clients.
These regulations originally stemmed from the banking Anti-Money Laundering (AML) policy have evolved and are primarily in place to release financial liability from the financial institution in the case of identity theft or financial crime incurred during the financial transaction process. AML regulations still apply to KYC as part of the verification process and to stop money launderers from tapping into the electronic payment process.
An outdated form of bank account and customer verification was customer due diligence (CDD), which ensured that the attached beneficiary was cleared for completing financial transactions. Some older financial institutions still abide by CDD or refer to it, but KYC is now mandatory for all banks and financial institutions.
KYC regulation covers customer identity acceptance and identity verification, risk management assessment, and transaction monitoring, and it will encompass the following:
- All sensitive data, such as bank account number, bank account holder name, and routing number must be stored on hardware and software that is approved to be Payment Card Industry Data Security Standard (PCI DSS).
- A risk assessment is regularly performed in order to ensure that the beneficial owner of the bank account or debit card is not connected with suspicious activity, such as terrorist financing, loan fraud, risky international banking, and suspicious wire activities, among others.
- The ability for regulators, such as Federal Reserve bank compliance officers and AML auditors, to confirm and verify the bank’s customer identification procedure.
- Processes in place for mitigating and stopping fraudulent ACH processing activity, money launderers, and suspicious wire activity.
While KYC regulations are recognized worldwide, the individual governance procedures will vary based on the geographical location of the bank or financial institution and the remittance capabilities of that bank.
In the U.S., KYC regulations are governed by the USA Patriot Act of 2001. It also conforms to the customer identification program (CIP), which can be reasonably individualized for each bank.
It is also worth noting that KYC regulations do not only protect ACH transfers, but they are also in place to protect wire transfer processes, ATM withdrawals, loans and lines of credit, investing, and debit card transactions.
Importance of KYC regulations for ACH transfers
Other than being mandatory in order to be a bank or financial institution, KYC verification is extremely important so that banks and financial institutions can minimize financial crime and identity theft and further secure the U.S.’s Automated Clearing House (ACH) network and ACH payment processing networks.
While ACH transactions and the ACH network is fairly secure, KYC also regulates payment data usage and storage so that payment data and sensitive account holder information is kept secure.
With proper checks in place and secure KYC technology, banks can and fintech companies minimize financial crime for each submitted electronic payment, enable fraud detection, and reduce criminal activity from occurring during the ACH process.
KYC works in combination with a number of other U.S. regulations. In the U.S., KYC also requires that the bank follows the regulations set out by the National Automated Clearing House Association (NACHA), Regulation E of the Electronic Funds Transfer Act, the Office of Foreign Assets Control (OFAC) of the U.S. government, and the GPRA and CCPA.
Therefore, by recognizing the level of financial security needed to process ACH payments and other financial transactions, it is clear that the KYC regulations are extremely important as they are one of the barriers to financial crime and allow financial institutions like banks and fintech companies to process ACH payments quickly and with near-guaranteed high-level security.
Challenges with KYC regulations and ACH transfers
KYC procedure requires that financial institutions inform customers of the varying financial regulations as well as confirm the use of their personal data.
Many of the challenges associated with financial security in institutions is ensuring that the physical and cybersecurity of the financial institution is verified. KYC regulations require that financial institutions use encryption, authentification, and authorization in order to ensure customer privacy compliance.
Compliance includes the processing and storage of sensitive banking information through the following:
- All data must have secure storage on physical hardware prior to being stored through the cloud or any other type of software
- Sensitive data should be sent over an encrypted HTTPs protocol network
- Sensitive data copies can be securely stored on the cloud (i.e., Amazon A3)
- Privileged accounts must be created to ensure restricted access through multi-factor authentication (MFA)
- Any use of outside parties must undergo extensive testing and be verified as a PCI DSS Validated Entity
- All electronic storage of credit card account information and cardholder data and phone recordings must be encrypted.
Banks maintain a compliant KYC process typically through regular assessments (either with NACHA or OFAC) as well as through regular personal re-assessments. With regular re-assessment, the bank is decreasing its chance of financial risk and will survive a random assessment without major fines.
In order to process an ACH transfer, the bank must provide proof that the personal data is securely stored, that any sharing of the data online is encrypted and securely transferred, and that data processing is protected.
Best ways to ensure KYC compliance for ACH payments
Banks typically ensure KYC compliance through a tested and proven system of verifying that all sensitive payment data is collected and stored properly. Veteran institutions also regularly verify that this information is correct with on-staff or reliable compliance professionals who come in and verify that the financial institution is protected under all the necessary regulations.
However, if your company is a new payment processor or you are an online financial institution or entity, it can be hard to maintain this form of compliance without regular oversight. One way to ensure KYC compliance is to regularly complete the appropriate self-assessment questionnaire to see if your storage of payment data is PCI DSS compliant.
To stay PCI DSS compliant, you’ll also need to complete the Attestation of Compliance (AOC) form and maintain yearly PCI compliance with the Quality Security Assessor (QSA) and Approved Scanning Vendor (ASV). KYC, CDD or AML auditors may regularly come through to verify compliance so it is important to stay up to date and comply with all the regulations that your financial institution falls under.
Banks who are KYC compliant might implement a KYC technology that facilitates the collection and secure storage of this sensitive information. KYC technology can also provide a suspicious activity report, similar to monitoring software so that your security team can stay on top of suspicious activity and properly mitigate it when it happens.
You can also achieve KYC compliance by outsourcing that portion of your business and by working with a fintech company like Sila that provides business owners and startups with the tools to create their own fintech app that decentralizes banking processes.