SECTOR SPOTLIGHT: Digital Onboarding in Banking (KYC, KYB, ID Verification)

Amid a flood of banking, investment, and crypto apps and their sleek designs, it’s easy to overlook user onboarding. How do banks and fintech platforms truly decide which users are able to open an account?

For those outside of the financial services space, acronyms such as KYC, KYB, and AML and policies for identity verification and user screening are unknown. Together, these processes serve a necessary function: complying with regulation, building trust (between user and platform), mitigating risk, and enabling digital transactions.

It was only 15 years ago that online account opening and mobile banking started to take off. Before 2008, banking was in-person at a bank branch — with a personal banker or teller. Working in bank branches for the early part of my career (2006 - 2019), I was very familiar with all the steps. Presenting a government ID (Driver’s License, State Identification Card, Passport), full Social Security Number (SSN), and credit score checks were the norm. Today, we balk at apps even asking us for the last 4 digits of our SSN!

Here’s a deep dive on why existing standards are in place for digital financial services, what’s taking place at the time of account opening, the obligations in the bank & fintech relationship, and what platforms need to balance with regard to user onboarding.

WHY BANKS & FINTECHS CARE ABOUT PROPER ONBOARDING

Just because user onboarding became increasingly digital in the last 10-12 years doesn’t mean required checkpoints went away. All banks (from traditional to neobanks) have the same compliance obligations when it comes to banking access, as part of functioning within the US financial system.

Know Your Customer (KYC) is a necessity for financial services firms in (a) establishing customer identity AND (b) identifying risk from that customer. Regulatory bodies first started to enforce procedures that combat financial crimes (such as money laundering) with the Bank Secrecy Act (BSA) of 1970. The BSA listed requirements for recordkeeping and reporting by private individuals and institutions conducting transactions.

KYB (Know Your Business) follows similar goals in identifying & validating business entities, beneficial owners (aka UBOs), and controlling persons — especially individuals with over 20% of ownership control and/or a decision-making capacity.

Other laws took initial BSA obligations further:

  • Money Laundering Control Act (1986);

  • Anti-Drug Abuse Act (1988);

  • Annunzio-Wylie Anti-Money Laundering Act (1992);

  • Money Laundering Suppression Act (1994);

  • Money Laundering and Financial Crimes Strategy Act (1998);

  • Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act);

  • Intelligence Reform & Terrorism Prevention Act (2004);

  • Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (“CISADA”);

  • Iran Threat Reduction and Syria Human Rights Act of 2012.

For modern-day financial services, the USA PATRIOT Act (following the 9/11 attacks) drives the most impact. Title III requires all financial institutions to meet two critical components for KYC: a Customer Identification Program (CIP) for onboarding new users and Customer Due Diligence (CDD) for ongoing monitoring of existing users. CIP and CDD programs help reduce:

  • Identity Theft: by establishing proof of a customer’s legal identity. Validating personal user details prevents bogus account opening and account abuse from identity theft;

  • Money Laundering: by organized criminal groups, who often use bank accounts to receive funds from drug & human trafficking, racketeering, etc. and disperse them to multiple accounts as a way to legitimize money movement via large purchases OR small dollar cash deposits & withdrawals (see graphic above);

  • Financial Fraud: preventing other fraudulent activities such as account takeovers and fake loans being processed;

  • Regulatory Action: complying with mandatory anti-money laundering (AML) guidance minimizes the likelihood of fines and reputational risk to financial institutions and bank partners.

Financial technology companies (without licensing or national charters) work with banks to offer the banking, savings, crypto, and credit apps we see today. Complying with BSA and other regulatory guidelines and reducing financial losses from fraud and criminal activity are paramount for both sides, especially in launching and maintaining a sustainable program.

While requesting full user details upfront helps reduce the above areas of risk and non-compliance, it also increases user friction. New customers and program providers are looking to speed up the account opening process by asking for less information and a rapid approval response.

For digital-only firms, customer experience is the first (and possibly only) opportunity to win over new clients. It sets the stage for what a user can expect in working with a new platform. Both efficiency and ease from this initial interaction can build confidence with a customer to form a primary banking relationship (in which the majority of income and payments take place).  

If users must undergo a lengthy process, go through multiple screens asking for personal information, and wait 1-2 days for account approval, there’s a high likelihood the onboarding process will be abandoned. Fintechs and companies offering embedded banking or finance must balance the requirement to collect required user info with delivering a seamless account opening experience.

UTILIZING BANK-APPROVED VENDORS

Behind the majority of today’s financial services platforms are banks and financial institutions providing user accounts, holding deposits, facilitating payments, and issuing debit or credit cards.

Since many of these organizations now extend beyond directly serving their own users toward supervising 3rd party fintechs offering banking services, separate (non-bank) compliance programs must be approved and monitored. In other words, most bank partnerships do not include the BSA/AML program of the bank — companies must outsource to vendors to build their own framework for identity verification, KYC, CIP, CDD, and data retention.

Financial institutions provide pre-vetted lists of vendors for fintechs to choose from. Using these vendors would be a condition of working with a bank, which has confidence in their capabilities and services meeting regulatory obligations. Companies wouldn’t be able to bring their own vendor or a proprietary compliance program since this would require bank partners to run a new, in-depth review and approval. An exception would be if a Banking-as-a-Service (BaaS) provider built and maintains its own compliance tech stack, which has approval from integrated financial institutions.

Here’s a list of recognized players in the space that are commonly listed by bank partners:

  • Alloy — global identity decisioning platform for onboarding and transaction monitoring; helps solve for fraud, compliance, and credit underwriting needs;

  • Jumio — end-to-end identity verification and eKYC platform with ‘identity proofing services’ that cover account opening to ongoing transaction monitoring;

  • Trulioo — identity platform focused on businesses; delivers regulatory compliance and verification services; comes with KYC, KYB, and watchlist screening;

  • Onfido — AI-powered identity platform that fulfills KYC and AML requirements by region, which helps banks and businesses working in multiple countries;

  • Persona — all-in-one platform with reporting, workflows, and verifications for companies in fintech, crypto, education, and healthcare;

  • Incode — offers a fully automated, end-to-end orchestration dashboard with built-in biometric checkpoints.

As regulatory scrutiny has increased over the last year, bank partners are looking for fintech & embedded finance platforms to go beyond minimum onboarding requirements and implement rigorous policies for user screening, monitoring, and fraud mitigation. When it’s all said and done, these platforms own and manage the user relationship and experience. The activity from customers is the responsibility of companies that are customer-facing (not banks or white-labeled BaaS solutions).

Many KYC vendors provide additional services for compliance oversight and risk controls. Adherence to AML protocols, improved screening for quality users, and continuous monitoring help platforms sustain their banking programs and strengthen partnerships with banks.

KEY LEARNINGS IN CUSTOMER ONBOARDING

When it comes to balancing a smooth onboarding experience that fulfills both KYC and identity verification requirements, here are some best practices:

  • KYC

    • Keep it simple: provide clear instructions and minimize steps (and screens);

    • Mobile-first: optimize the process for mobile since most users are quick to download an app as a first step;

    • Rapid response: send real-time updates & feedback on user progress in the onboarding process;

    • User options for verification: allow customers to choose from a list of authentication methods & resources;

    • Ease of use: especially important in providing required documents — upload files or perform ‘liveness’ checks from a camera-enabled device;

  • Identity Verification

    • Multi-factor authentication: email, text, voice, and facial recognition should be options for users to choose from;

    • Security: personal user details need to be kept secure at all times — sensitive information (such as SSN, date of birth) should be stored encrypted until the point of verification;

    • Automation: processes can automatically run in parallel with other KYC checkpoints (e.g., verifying SSN while also reviewing watchlists) to expedite the whole process.

In both KYC and identity verification, the user experience can be enhanced. With personalization, info collected on the user during onboarding can go towards tailored products and rewards. Making the entire process as seamless as possible is the overall goal. Platforms should periodically check that required checkpoints are being met and that the user abandonment rate is kept minimal.

WHAT’S NEXT FOR DIGITAL ONBOARDING IN FINANCIAL SERVICES

For modern fintech apps, a balance still needs to be struck between user experience (less friction) and regulatory thoroughness (more friction). As regulators become increasingly concerned about bank partnerships and effective oversight of 3rd parties, the emphasis is leaning towards comprehensive checks. The risk exposure to financial loss, regulatory action, and suspension is too high to support poor controls and user screening policies.

As more users establish banking relationships online, the vendors behind authentication and verification compile data warehouses of ‘good’ and ‘bad’ users. Analytics on this data can help predict which customers are more likely to participate in fraudulent activity resulting in losses for banks and fintech platforms. Reducing the likelihood of fraud and prevention costs means more runway for companies (especially early-stage startups) to grow their program. Companies in the KYC and ID verification space are looking to collaborate with one another toward this goal.

In the not too distant future, identity details of a user can be securely stored in a global repository, with customers controlling which companies can access them. This setup can enable faster onboarding, lower the risk of data compromise, and level up the entire process. Blockchain networks and protocols come to mind in this type of discussion (i.e. ‘ID on Blockchain’) — however, the effort needed to pull it off needs to come from a combination of technology providers, regulators, and government databases.
