In our Guide to Banking Infrastructure, we explore three different ways to build financial features into your product offering. In this guide, we’ll take things one step further. Once you’ve decided on an approach, how should you structure and implement a KYC process flow? Put another way, which parts of KYC should you “own?”
KYC stands for “Know your customer.” It’s the set of procedures that financial-service providers deploy during onboarding to verify their customers’ identities, thereby mitigating the risk of things like fraud and money laundering. In the broadest terms, KYC is a systematic way to onboard the kinds of customers you want while keeping bad actors out.
It’s also required by law—and not just for banks. If you’re planning to offer financial services (e.g., cards, accounts, lending) to your customers, then you’re legally required to have a compliant KYC process flow.
If you’re a founder or product manager who’s thinking about how to approach the problem of KYC, this post is for you. In it, we’ll discuss:
A note on terminology: in this article, we use the term “KYC” to refer to identification flows for both consumers and businesses (corporations, LLCs and more). In the case of businesses, the term KYB (Know Your Business) is sometimes used as well, but we’ll keep it simple.
Remember the last time you applied for a bank account? First, you provided your personal information to the bank—things like your name, address, date of birth, and social security number. Then, the bank checked that information against public, private, and proprietary databases to make sure you were who you said you were. All of that—and much more—falls under the KYC umbrella. (More on this later.)
In the past, some financial-services providers have viewed KYC as little more than a box to check in the rush to get a product live. But a raft of recent headlines has called out the weakness of such an approach. After their accounts and cards were repeatedly associated with instances of ACH fraud, several leading digital banks were blocked by prominent retailers, who would no longer accept their transactions.
The truth is that KYC isn’t just a way to keep bad actors off your platform; it can also be a key driver of growth. In addition to mitigating the risk of fraud and money laundering, a well-structured and well-managed KYC process flow has the potential to impact:
As a founder or product manager, the key decision you’ll have to make is how to approach implementing a KYC process flow. It comes down to a question of which parts of KYC it makes sense for you to “own.”
Over the last few years, we’ve worked with hundreds of companies that are designing KYC flows. On the basis of that experience, we’ve developed a fraud risk framework. It's made up of three components or layers that you should think about when setting up your own flow.
To illustrate, let’s use an example. Say you’re the CEO at Lando, a company that helps landlords manage their rental properties. Today, you offer your customers features like applicant screening, contract signing, and tenant communication. In the near future, you’re planning to offer financial features: things like business bank accounts, custom debit cards, rent payments, and automated savings for tax payments.
Before you can launch your financial features, you’ll need to implement a KYC process flow. But which layers should you “own” (i.e., build and manage)? Where should you partner with a platform or other provider, who can build or manage it for you?
Let’s start with what your applicants provide. For each layer of KYC, you’ll need to process applicant inputs that might include (but are not limited to) the following:
The most basic KYC measures are instituted to prevent money laundering and the financing of terrorism. They are universal and don’t vary between companies: things like verifying identification documents against public, private, and proprietary databases.
To prevent money laundering and the financing of terrorism, Lando will want to check those documents against state and local databases to ensure that they’re valid, as well as checking applicant information against lists of known terrorists and money launderers (i.e., the Office of Foreign Assets Control’s list of Specially Designated Nationals and Blocked Persons).
The next tier of KYC measures is designed to keep fraudsters off your platform, regardless of what industry you’re in. A few examples of preventing KYC fraud include:
It’s possible to set up the first and second layers of KYC at the same time. That said, the costs are additive. In other words, you’ll need to pay separately for KYC measures to prevent money laundering and those to prevent fraud.
These costs can add up quickly, which is why it’s so important to have experienced leaders guiding the process. In general, adding more vendors and KYC checks will cost more and increase the proportion of applicants you deny—but at a certain point, they won’t be adding much in the way of fraud-risk mitigation.
Although you can dial up or down the riskiness of the customers you decide to onboard, in general, the second layer of KYC is like the first: undifferentiated and hard to build. That said, for a narrow subset of businesses (e.g., crypto exchanges), building and managing the second layer can make sense, as it can contribute to their competitive advantage.
Additional indicators of fraud—and the tools to prevent them—are industry-specific. For example, a banking platform for artists and creators might want to verify social media accounts as an additional way to check that their applicants are, in fact, who they say they are.
For Lando, there would be several industry-specific ways to verify that applicants are actually landlords and not scammers. First, they could leverage proprietary data by checking to see how long a given landlord has been a loyal Lando customer. (Landlords who signed up years before banking features were offered are unlikely to be scammers.) As a way to assess the risk of a given customer and assign them to the appropriate product tier, they could check to see how many buildings a given landlord owns, what kinds of occupancy/vacancy rates they typically experience, and what percentage of their tenants pay rent on time.
In addition to proprietary data, there are also public data sources that are potentially useful. Lando could check rental listings on Zillow, Redfin, and apartments.com. For larger multifamily buildings, they could check for reviews on Google Maps.
These are just a few ideas. Here are the important takeaways:
For these reasons, it’s important for you to own and manage industry-specific fraud mitigation. It’s highly differentiated and can contribute powerfully to your competitive advantage. Thinking about it now: how could you leverage your proprietary data and knowledge of your industry to keep bad actors off your platform?
Now that you’ve identified which parts of KYC it makes sense to “own,” it’s time to implement your KYC process flow. Broadly speaking, there are two ways to go about it:
In short, if you build your own KYC process flow from scratch, it’ll be a much bigger lift. Not only that, you’re likely to get a worse outcome. As a new entrant into the field of KYC, you’re unlikely to hire the best talent, or to develop systems and processes that rival those of established players. As a result, you could miss out on good customers because you don’t recognize them. Worse, you could end up onboarding bad actors.
A real-world example: if you decide to "own" layers one and two, you’ll have to become an expert on (among other things) the financing of terrorism. Say there’s a 70% match between one of your applicants and the name of a known terrorist. Someone on your team will have to go out and research additional inputs as a way to make a decision about whether or not to onboard that applicant.
Are you prepared to find and hire that compliance team? Because decisions like this one will come up multiple times per day.
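The partial-match situation described above, as an added example (not part of the original guide or any provider's code): a name screener that clears, blocks, or routes an applicant to manual review. The watchlist entries, both thresholds, and the use of Python's `difflib` similarity ratio as the match score are assumptions for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries for illustration; not real sanctions data.
WATCHLIST = ["Ivan Petrovich Sokolov", "Maria Delgado-Ruiz", "Chen Wei"]

REVIEW_THRESHOLD = 0.70  # assumed: at or above this, a compliance analyst decides
BLOCK_THRESHOLD = 0.95   # assumed: at or above this, treat as a confirmed hit


def normalize(name):
    """Lowercase, strip diacritics and punctuation, and sort the tokens so
    'SOKOLOV, Ivan' and 'Ivan Sokolov' compare as the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))


def best_match(applicant_name, watchlist=WATCHLIST):
    """Return (score, entry) for the most similar watchlist entry."""
    candidate = normalize(applicant_name)
    scored = [
        (SequenceMatcher(None, candidate, normalize(entry)).ratio(), entry)
        for entry in watchlist
    ]
    return max(scored)


def screen(applicant_name, watchlist=WATCHLIST):
    """Three-way outcome: only the middle band creates work for the review team."""
    score, entry = best_match(applicant_name, watchlist)
    if score >= BLOCK_THRESHOLD:
        decision = "block"
    elif score >= REVIEW_THRESHOLD:
        decision = "manual_review"
    else:
        decision = "clear"
    return {"decision": decision, "matched_entry": entry, "score": round(score, 2)}


if __name__ == "__main__":
    for applicant in ["SOKOLOV, Iván Petrovich", "Ivan Sokolov", "Emily Johnson"]:
        print(applicant, "->", screen(applicant))
```

Lowering `REVIEW_THRESHOLD` catches more name variants but grows the manual-review queue, which is the staffing cost the paragraph above describes.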
If you partner with a platform, you’ll go to market more quickly and spend fewer resources. This will enable you to focus on other priorities that are unique to your business. Generally, KYC-as-a-service platforms are compensated based on usage, so their incentives are aligned with yours. (Provided you’re compliant, they want you to onboard as many users as possible.)
Finally, because KYC is such a big part of their job—and because they streamline it for so many different customers—platforms tend to be great at it. A sustained focus on compliance enables them to aggregate the people, tools, and processes necessary to support industry-leading KYC process flows. Plus their datasets are enormous, which enables them to do a better job of recognizing bad actors.
To demonstrate what’s possible when you focus on excellent, vertical-specific risk management, let’s return to Lando. It’s important to note that KYC doesn’t have to be a “yes” or “no” decision. By using what you know about your industry to intelligently assess the risk of individual applicants, it’s possible to assign them to different tiers within your financial offering.
For example, based on what they learned during their KYC process flow, Lando may want to differentiate between older, more established landlords (lower risk) and those who are just starting out (higher risk). Established landlords could be assigned to a tier with high account limits and enticing rewards. Newer landlords might be offered lower limits and less favorable terms. Finally, high-risk applicants could be kept off the platform entirely. Here's what that might look like:
Intelligent product tiering allows you to offer a better experience to low-risk customers while reducing your exposure to higher-risk customers. And here’s the good news: you don’t have to build from scratch to get product tiers. Any modern platform should be able to help you set this up.
During a first call, founders often say, “We need to own KYC.” But what do you need to own, really?
As a general rule, save your “build” resources for those aspects of your product that are unique to your business and contribute to your long-term competitive advantage; buy everything else. In this case, that means “owning” vertical-specific risk-management (differentiated and relatively easy) and leaving the other two KYC layers (undifferentiated and hard) to well-qualified partners.
When deciding on an approach to KYC, ask yourself questions like these:
March 21, 2022