Know Your Customer (KYC)

What is Know Your Customer?

KYC is the process of verifying that a customer is who they say they are, and by extension, that a financial organization is able to legally conduct business with that customer. KYC roots are in legislation laying out requirements for financial entities to protect against money laundering and the financing of terrorism. This includes the USA Patriot Act and the European Anti-Money Laundering Directive, among others.

KYC procedures need to be followed from the start of any business relationship. This includes verifying the identity of the customer as part of a customer identification program (CIP). In the case of businesses, this extends to identifying the ownership structure and ultimate beneficial owner (UBO) of the organization. Customers, organizations or UBOs may not be on any sanctions lists. Other steps include identifying the customer’s business activities, verifying a legitimate source of funding and assessing money laundering risks. All of these steps are parts of due diligence.

However, this process does not end once a customer is onboarded. This is an ongoing process. Depending on the customer’s risk profile, the customer needs to be reviewed periodically, with higher risk clients reviewed more frequently.

Who does KYC apply to?

In general terms, KYC applies to financial and credit institutions, though this definition is broad. For example, the EU imposes an upper limit of EUR 50 on the value of pre-paid anonymous cards that may be sold. This is to prevent these cards from being abused for illegal purposes.

Legislation governing KYC differs from jurisdiction to jurisdiction. Two of the most important pieces of legislation are the USA Patriot Act and the EU’s Anti-Money Laundering Directive.

The EU’s Anti-Money Laundering Directive refers to “obliged entities” who must implement KYC. These include insurance companies, investment firms, credit institutions and financial services. The most recent update to the directive, Anti-Money Laundering Directive 5, also added wallet service providers and crypto companies to the list of obliged entities.

In the USA, the Patriot Act applies to banks and financial institutions, including those based in other countries who maintain correspondent accounts with banks and financial institutions in the US.

What does KYC look like in practice for payment providers?

When onboarding merchants, payment facilitators must collect information on the merchant. This information is then used to verify the identity of the merchant, for example against government and industry databases.

As well as establishing the identity of the merchant, the provider must ensure that the merchant is not on any sanction or watch lists. This includes lists like Mastercard’s Member Alert to control High Risk Merchants (MATCH) list, a collection of merchants terminated by other payment providers.

What is eKYC?

eKYC stands for “electronic KYC”. It refers to the process of using the internet or other digital means to verify the identity of a customer. Necessary documents can be submitted digitally, and the identity of a person established using a variety of methods. These include video or photo verification in conjunction with a physical ID, or purely electronic verification using electronic signatures.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months

Glossary

Know Your Customer (KYC)