Businesses of many types employ various processes and procedures in order to observe “Know Your Customer” requirements – that is, performing checks to verify the identity of prospects and clients, and assessing whether there are material risks that any of them are attempting to conduct business with the organization for illegal purposes. The rise of cryptocurrencies – a technology abused by many criminal enterprises for both transacting business and laundering money – has ushered in a greater need than ever before to perform KYC. Yet, simultaneously, recent developments in the realm of privacy regulations have complicated KYC requirements, as organizations must now perform KYC processes while affording great privacy protections to clients and prospects; failure to deliver adequate security can lead to stiff fines under the new General Data Protection Regulation (GDPR) and other laws.
Yet, while many businesses are familiar with the concepts of KYC and privacy, few carefully analyze the risks associated with the mechanisms by which they actually perform KYC. Here are some of the questions that businesses should ask themselves:
1. How are you complying with regulations to protect all of the data that you collect?
2. Will your KYC solution scale as your number of new customers per day grows?
3. If you are using a third party’s services as part of the KYC process, do you know who is receiving the data that you or your representative/s collect, and how such information is stored and used?
4. Are you prepared to address the varying data protection regulations in all of the jurisdictions in which you do business?
5. Are you prepared to address inevitable situations in which regulations change?
6. Does your KYC approach truly verify that a person is who he/she claims to be (e.g., John Smith) – or does it just confirm that the party knows some basic information about the subject (e.g., John Smith) that anyone can obtain from public records?
7. Does KYC stay current – if information about a person changes, will your KYC solution accurately reflect that change?
8. What if money is laundered through your business despite your KYC efforts – are you prepared to demonstrate to regulators that you practiced Due Care?
9. After you perform the KYC process for your clients, should you store the user’s data (which you may need to substantiate that you properly performed the KYC process), or does doing so put you at risk for lawsuits, regulatory fines, and bad publicity if you are breached?
(For full disclosure: I am a member of the Advisory Board at Clears, which is developing blockchain-based technology to help companies protect KYC data, remain compliant with local and international regulations, and ensure the ongoing integrity of their KYC information.)