Dan Cerceo, CISO boberdoo.com/Assumed
Love is in the air this Valentine's, and so is our passion for Know Your Customer practices! The Know Your Customer or KYC concept has been a buzzworthy topic recently. Ultimately, KYC guidelines lead you to understand the risks of doing business with specific customers, clients, or other companies. With this understanding, you can better manage those risks and create a mutually beneficial relationship with your customers. You want your customers to have a good experience with your company and realize the total value of the goods or services you provide. But you also want the relationship to be profitable for you while minimizing the risk of doing business with them. If you truly know your customers, you will maximize the value of the relationship and keep risk to a minimum or at an acceptable level.
The Origins Of Know Your Customer Guidelines
Know Your Customer guidelines and regulations have their roots in the financial industry. In the US, banks are subject to Bank Secrecy Act rules administered by FinCEN, and broker-dealers are subject to FINRA rules; both require firms to verify the identity of their customers and understand the risks of doing business with them. The original purpose was anti-money laundering (AML) and countering the financing of terrorism (CFT).
The KYC rules are not new: the Bank Secrecy Act dates to 1970, the USA PATRIOT Act added the Customer Identification Program requirement in 2001, and FINRA Rule 2090 took effect in 2012. However, renewed attention has been placed on these concepts beyond the financial sector, as companies of all shapes and sizes are required to do more regarding the security of their business practices and the protection of their customers' privacy.
What Are The Requirements of KYC?
"The Financial Industry Regulatory Authority (FINRA) Rule 2090 states that financial institutions must use reasonable diligence to identify and retain the identity of every customer and every person acting on behalf of those customers."
KYC has three main components (customer identification, customer due diligence and risk assessment), an intermediary step for higher-risk relationships (enhanced due diligence) and ongoing vigilance (monitoring):
- Customer identification - This is the information you need to verify a customer or business partner's identity sufficiently. Are they who they say they are?
- Customer due diligence - CDD is the research you conduct to collect information about the customer relevant to your business. Is the customer requesting a credit line but also going through bankruptcy proceedings? Red flag.
- Risk Assessment - Based on what you discover during customer identification and due diligence, you can assess the risk of doing business with this client or partner.
- Enhanced Due Diligence - If deemed high or unacceptable risk, you must conduct additional research and information gathering to determine if this business relationship is safe and desirable.
- Ongoing monitoring - It's not enough to "set it and forget it." You'll need to regularly monitor your customers to ensure the risk of doing business with them is within your acceptable limits.
To assist with your efforts on the above initiatives, you can create checklists of KYC requirements that are best suited to your business.
For example, you'll want to be sure to collect relevant customer identification data points such as:
- Registered business name
- Relevant business aliases and affiliates
- Primary address
- Primary phone number
- Location of business (HQ address and operations locations)
- Locations of data partners/vendors/buyers, etc. (countries)
- Years in business
- Relevant industries/verticals served
You may already have much of this information or gather it through a customer onboarding questionnaire or conversation.
Next, you'll need to do your due diligence; in other words, research the customer or business partner. What information can you find out about the customer that will raise red flags or level up your confidence in a fruitful relationship? Examples include determining if the customer is going through bankruptcy or other litigation that may increase risk or whether the partner presents a privacy policy on their business website. Can you trust they will do the right thing if faced with a security breach? Your due diligence checklist might include the following:
- Online footprint (primary website address, domains of relevant aliases and related sites)
- Domain reputation check
- Privacy policy present
- ToS - Terms of Service present
- Point of contact for reporting security incidents
- Relevant security/privacy certifications, attestations and reports (SOC 2, ISO/IEC 27001, PCI DSS)
- Does the partner have cyber insurance?
Trust But Verify
I don't recommend annoying your customers with endless questions that might make them feel like you don't trust them or create undue burdens that may put your business relationship at risk. Much of the customer identification information may be already in your hands or can be acquired during onboarding conversations. For some of the due diligence, you will need to do some research on your own. For ongoing monitoring, you may need to implement tools to help you automate the monitoring process so you are not burdened with the chore.
For example, you might use some of the following tools to gather more information about your customer or business partner:
- Conduct a domain reputation check to assess the reputation of their online footprint - https://talosintelligence.com/reputation_center/
- See if they are accredited with the BBB - Better Business Bureau lookup - https://www.bbb.org/
- Are they involved in active litigation? - FTC Legal Library lookup - https://www.ftc.gov/legal-library (this covers FTC enforcement actions only; other litigation requires a search of court records)
- Search online reviews to determine how reputable they are or identify red flags:
  - G2 lookup, if software - https://www.g2.com/
  - Trustpilot lookup - https://www.trustpilot.com/
  - Check Google reviews
- View known social media presence to see how they present themselves in public and how others view their reputation
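Several items on the due diligence checklist above (privacy policy present, terms of service present, a published point of contact for security incidents) can be checked mechanically once you have fetched a partner's homepage and its /.well-known/security.txt (RFC 9116). The following Python script is an added example written for this article, not the author's or Assumed's tooling. It assumes the pages have already been retrieved; the `Partner` records, HTML snippets and security.txt bodies are constructed sample data, and the risk thresholds are illustrative.

```python
"""Offline due-diligence checks over a partner's public web footprint.

Added example for this article (not the author's or Assumed's tooling).
The pages are assumed to be already fetched; the samples below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser
from typing import Optional


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs, lower-cased, from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = (dict(attrs).get("href") or "").lower()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip().lower()))
            self._href = None


def has_policy_link(html: str, keywords) -> bool:
    """True if any link's href or anchor text mentions one of the keywords."""
    p = LinkCollector()
    p.feed(html)
    return any(k in href or k in text for href, text in p.links for k in keywords)


def parse_security_txt(body: str, now: datetime) -> list:
    """Check a security.txt body against RFC 9116: Contact required and a URI,
    exactly one Expires, not in the past, ideally under a year out. Returns findings."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("security.txt: no Contact field (required)")
    elif not all(re.match(r"^[a-z][a-z0-9+.-]*:", c, re.I) for c in contacts):
        findings.append("security.txt: Contact is not a URI (e.g. mailto:, https:, tel:)")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("security.txt: exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append("security.txt: Expires is not an ISO 8601 timestamp")
        else:
            if exp <= now:
                findings.append("security.txt: expired, the contact may be stale")
            elif exp > now + timedelta(days=365):
                findings.append("security.txt: Expires is more than a year out (RFC 9116 recommends less)")
    return findings


@dataclass
class Partner:
    name: str
    homepage_html: str
    security_txt: Optional[str]  # body of /.well-known/security.txt, None if not served


def assess(p: Partner, now: datetime) -> dict:
    """Run the checklist items and bucket the partner by number of findings (illustrative thresholds)."""
    findings = []
    if not has_policy_link(p.homepage_html, ("privacy",)):
        findings.append("no privacy policy link on homepage")
    if not has_policy_link(p.homepage_html, ("terms",)):
        findings.append("no terms of service link on homepage")
    if p.security_txt is None:
        findings.append("no /.well-known/security.txt: no published security contact")
    else:
        findings.extend(parse_security_txt(p.security_txt, now))
    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"partner": p.name, "risk": risk, "findings": findings}


# Constructed sample data (not real companies). Fixed "now" keeps the demo deterministic.
NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)
GOOD = Partner("good-partner.test",
               '<footer><a href="/legal/privacy">Privacy Policy</a> <a href="/legal/terms">Terms of Service</a></footer>',
               "# constructed sample\nContact: mailto:security@good-partner.test\nExpires: 2030-01-01T00:00:00Z\n")
BAD = Partner("bad-partner.test",
              '<nav><a href="/about">About us</a><a href="/contact">Contact</a></nav>',
              "Contact: security team, call the front desk\nExpires: 2023-01-01T00:00:00Z\n")
SILENT = Partner("silent-partner.test", '<a href="/privacy">Privacy</a><a href="/tos">Terms</a>', None)

if __name__ == "__main__":
    for partner in (GOOD, BAD, SILENT):
        print(assess(partner, NOW))
```

Treat the output as input to the risk assessment step, not as a verdict: a missing security.txt is a yellow flag to raise in the onboarding conversation, while an expired or non-URI contact tells you the partner has no working route for you to report an incident to them.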
Is Your Company Subject To KYC rules?
Maybe. If you are a bank or other financial institution - certainly. If you are in a related industry - probably. Even if you are in neither group, minimizing financial risk benefits businesses and their customers or partners alike. While the regulations that mandate KYC may not strictly apply to your business, Know Your Customer guidelines are relevant to companies of all types and sizes. The risk of a data breach applies to most companies and has real financial implications that shouldn't be ignored.
KYC can be good for your business. Like other regulations whose benefit turns out to be broadly applicable, it has become a de facto best practice beyond the businesses it binds. The US has no comprehensive national privacy law, only sectoral rules and a patchwork of state laws. California's CCPA has become a working proxy for a national standard: California is the most populous state, so most businesses operating nationally must comply with it anyway, and many simply apply its requirements everywhere. Similarly, while KYC was originally imposed on financial institutions, the concept is increasingly applied by businesses in almost every industry. It's considered a best practice and simply the right thing to do.
Never Assume Anything
While questionnaires and due diligence research can go a long way in knowing your customer, that data is only as good as the source - assuming the source is trustworthy. You may need the capability to verify that what you have learned about the customer is reflected in reality.
Using a monitoring and validation tool like Assumed DLM can help you keep an eye out for indicators of data leaks, assist in vetting your customers and data partners, and aid in validating their practices against their policies (what they say they do versus what they actually do).
You can assume that what you have learned is accurate and truthful, or you can verify. The latter goes a long way in truly "knowing your customer" to establish trust and minimize risk for all parties involved.