What is Know Your Customer?
Know Your Customer (KYC) is the process of verifying a customer's identity before establishing a business relationship, required by AML regulations to prevent fraud, money laundering, and terrorist financing.
Know Your Customer -- almost always referred to as KYC -- is the process of verifying who your customers are before you do business with them. It sounds straightforward, and at its core it is. But the practical reality involves a structured set of checks and procedures that businesses in the financial services and payments industry are legally required to follow.
KYC exists because financial systems are only as trustworthy as the people using them. If a bank, payment provider, or merchant cannot confirm who they are dealing with, they become vulnerable to fraud, money laundering, terrorist financing, and a host of other financial crimes. KYC is the first line of defence -- it is the process of making sure that the person or business you are transacting with is who they claim to be.
The Legal Background
KYC requirements stem from anti-money laundering (AML) legislation. In the UK, the primary regulations are the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017). These regulations require businesses in regulated sectors to carry out customer due diligence (CDD) before establishing a business relationship or carrying out certain transactions.
The Financial Conduct Authority (FCA) supervises KYC compliance for financial services firms, and failure to carry out adequate KYC can result in significant fines, enforcement action, and even criminal prosecution. This is not a box-ticking exercise -- regulators expect firms to genuinely understand who their customers are and what risks they present.
The Three Levels of Customer Due Diligence
KYC is not one-size-fits-all. The depth of checks required depends on the risk profile of the customer and the nature of the business relationship:
Simplified Due Diligence (SDD)
For low-risk customers and transactions, a lighter-touch approach is permitted. This might apply to small, routine transactions or customers that present a clearly low risk of money laundering. However, businesses must be able to justify why they have applied simplified measures -- it is not a shortcut for skipping checks altogether.
Standard Customer Due Diligence (CDD)
This is the baseline level of verification that applies to most customers. It involves verifying the customer's identity using reliable and independent sources (such as a passport or driving licence), verifying the customer's address, understanding the purpose and intended nature of the business relationship, and identifying beneficial owners for corporate customers (that is, the individuals who ultimately own or control the business).
Enhanced Due Diligence (EDD)
For higher-risk customers, more thorough checks are required. This might apply to politically exposed persons (PEPs), customers from high-risk jurisdictions, or unusually complex or large transactions. EDD involves deeper investigation into the customer's background, source of funds, and the rationale for the business relationship. It also requires more frequent ongoing monitoring.
What KYC Involves in Practice
For most businesses in the payments space, KYC is something that happens at the onboarding stage -- before a new customer or merchant is allowed to use the platform. A typical KYC process might look like this:
- Identity verification -- Collecting and verifying identity documents such as passports, driving licences, or national ID cards. For businesses, this extends to company registration documents and identification of directors and beneficial owners.
- Address verification -- Confirming the customer's address through utility bills, bank statements, or official correspondence. Some providers use electronic verification services that check addresses against public databases.
- Screening -- Checking the customer against sanctions lists, PEP databases, and adverse media sources. This helps identify individuals or entities that present a heightened risk.
- Risk assessment -- Assigning a risk rating to the customer based on the information gathered. This determines the level of ongoing monitoring required.
- Ongoing monitoring -- KYC does not end after onboarding. Businesses must continue to monitor the relationship, update customer information periodically, and watch for changes in transaction patterns that might indicate suspicious activity.
Why KYC Matters for Businesses
Beyond the legal obligation, KYC makes good business sense. Knowing who your customers are helps you prevent fraud before it happens rather than dealing with the fallout afterwards. It protects your business from being used -- knowingly or unknowingly -- to facilitate financial crime. It builds trust with customers, partners, and regulators. And it reduces the risk of costly fines and enforcement action.
There is a practical dimension too. Payment processors and acquiring banks require their merchants to have adequate KYC procedures in place. If your KYC is found to be inadequate, you could lose your ability to process card payments -- which for many businesses would be catastrophic.
Relevance to Telephone and Phone Payments
KYC and phone payments intersect in a couple of important ways. First, if your business onboards customers over the phone -- perhaps signing them up for a service, opening an account, or setting up a payment arrangement -- you need to be able to carry out KYC checks remotely. This might involve collecting identity information during the call and verifying it electronically, or directing the customer to complete verification through a separate secure channel.
Second, the nature of phone payments (where the customer is not physically present) means there is an inherent identification challenge. The business cannot check a physical ID document at the point of payment. This is one reason why phone payments are classified as "customer not present" transactions and carry a higher risk profile from a fraud perspective.
Secure phone payment technology can support KYC objectives by creating a clear audit trail for each transaction. When a customer enters their card details via their phone keypad rather than reading them aloud, the transaction is recorded cleanly without sensitive data entering the voice channel. This makes it easier to tie transactions to verified customer identities and maintain the kind of records that KYC regulations require.
For businesses that take repeat phone payments from established customers, KYC is typically carried out once at the start of the relationship, with periodic reviews thereafter. The key is to ensure that the initial verification was thorough enough and that ongoing monitoring catches any changes that might affect the customer's risk profile.
Practical Considerations
- Establish clear KYC procedures that are documented, consistently applied, and proportionate to the risk level of your customer base
- Use reliable identity verification tools -- electronic verification services can speed up the process while maintaining accuracy
- Screen all customers against sanctions lists and PEP databases before onboarding, and re-screen periodically
- Train staff who interact with customers (including call centre agents) to understand KYC requirements and recognise red flags
- Keep detailed records of all KYC checks for at least five years after the business relationship ends
- Review and update your KYC policies regularly to reflect changes in regulation and guidance from the FCA
- Remember that KYC applies to the relationship, not just the first transaction -- ongoing monitoring is a regulatory requirement, not a nice-to-have
KYC can feel burdensome, especially for businesses that just want to get on with serving their customers. But it is a fundamental part of operating in the payments industry. Done well, it protects your business, your customers, and the wider financial system. Done badly -- or not at all -- it puts everything at risk.
Paytia's platform supports businesses across multiple payment channels. For phone payments specifically, Paytia's secure platform complements KYC by covering the voice channel where customers prefer to pay by phone.
Frequently Asked Questions
How does Know Your Customer work with phone payments?
While KYC primarily operates in other channels, businesses that also take phone payments can use Paytia to cover the voice channel securely.
Is Know Your Customer PCI DSS compliant?
Any payment method that handles card data must comply with PCI DSS. The specific requirements depend on how the data is captured, transmitted, and stored.