By James Cook, General Counsel at SentiLink and Parag Patel, Senior Associate at Orrick
This is the first part in a series of posts that seek to demystify and explain in simple terms the KYC requirements for financial institutions in the United States. In discussions with clients, we have found an inconsistent understanding of this crucial and evolving area of law and compliance. In this series, we will define what KYC means for financial institutions in the United States, discuss how the requirements came about, and provide a clear roadmap for compliance in the face of a changing threat landscape.
As the prophetic cartoon from the New Yorker has it: “On the Internet, nobody knows you're a dog.”
As products and services have moved online, it’s becoming both harder, and more important, to know who you are dealing with. The process of achieving this familiarity is the concept of identity verification, which is colloquially (and incorrectly) known as KYC, or "know your customer," and can range from simply providing a name and contact information all the way through to biometric authentication against a government-issued identification document, such as a passport.
In fact, KYC is industry jargon for the regulated subset of identity verification and describes the process of understanding customer attributes, ranging from the identity of the individual or business involved in an activity, to their wealth and sources of income, and potentially even digging into their expected patterns of behavior.
Identity verification can be used to satisfy many different requirements and business needs, all in service of building familiarity and comfort between two or more digital personas and can be split into regulated and unregulated forms.
Unregulated identity verification is typically used to build trust in communities and marketplaces. For example, public confidence in Uber and Airbnb depends on a belief that those companies know, to a reasonable level of confidence, the identity of the person driving the car or renting your house. But, for most of those inquiries, there are no specific laws or regulations that require those businesses to make those inquiries. Instead, the operators of those services devise and institute KYC processes in order to assure customers that their services are safe and secure. Business objectives, such as building consumer confidence or avoiding litigation, dictate the rigor of these processes.
On the other hand, regulated identity verification - KYC - is prescribed by laws and regulations. Some examples of KYC include processes undertaken by a bank when a customer opens a bank account or by a liquor store when a customer buys alcohol. KYC processes are typically well-documented, independently enforced, and mandatory, and are designed to prevent societal harms by impeding criminal activity. Failing to comply with KYC can create serious financial, legal and reputational jeopardy for an institution, and therefore this regulated form of identity verification tends to get most of the attention.
Institutions often mistake a generic solution for identity verification as being sufficient to meet KYC requirements, a fact exacerbated by indiscriminate use of language by solution providers. This is particularly true for financial services in the United States, where the requirements for KYC for financial institutions are both specific and divergent from the rest of the world, due to their reliance on the Social Security number as a core identifier.
These requirements for US financial institutions are known as the Customer Identification Program (“CIP”) Rules.
These rules have evolved over many decades to better respond to a range of crimes, including fraud, money laundering, and terror financing. The CIP Rules apply to traditional financial institutions such as national banks, many fintechs, and even some counterintuitive businesses which nevertheless are at risk of being used to commit financial crimes. We go into more detail on the rules in the second part of this series.
In 1970, Congress used the Bank Secrecy Act to direct the Department of Treasury to promulgate and enforce anti-money laundering rules. The Department of Treasury, in turn, delegated to the Financial Crimes Enforcement Network (“FinCEN”) the authority to promulgate regulations to implement the BSA and to exercise authority for enforcement of and compliance with the regulations. Among other requirements, FinCEN’s regulations promulgated under the BSA require financial institutions to establish a BSA/AML compliance program (including a CIP program) to prevent, detect, and report to the U.S. government suspected money laundering and terrorist financing. These rules have been refined and supplemented over time.
The federal financial regulatory agencies (i.e., the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and National Credit Union Administration (NCUA)), and the Internal Revenue Service, among other agencies, have the delegated authority to examine compliance with the BSA and FinCEN’s regulations. The OCC, FRB, and FDIC are the respective primary federal regulators of the following institutions: nationally chartered banks, state-chartered banks participating in the Federal Reserve System, and federally insured state-chartered banks not participating in the Federal Reserve System. The SEC is the primary federal regulator of broker-dealers, investment advisors, and other entities involved in the securities markets. The CFTC is the primary federal regulator of swap dealers, futures commission merchants, and other entities involved in the derivatives and commodities markets. The NCUA is the primary federal regulator of nationally chartered credit unions. The IRS has the delegated authority to examine all financial institutions, except brokers or dealers in securities, mutual funds, futures commissions merchants, introducing brokers in commodities, and commodity trading advisors, not currently examined by Federal bank supervisory agencies for soundness and safety. For example, the IRS examines money services businesses, which includes many financial technology companies, under this delegated authority.
So, while it’s important to review FinCEN guidance and rulemaking, it is also critical to keep in mind that a key relationship in demonstrating compliance with the CIP Rules will be with your examining agency, as it is they who will review the manner in which the rules are implemented, and as we shall see in part two of this series, the proper implementation of the CIP rules is highly dependent on context.
While the meaning of KYC is wide-ranging, regulated KYC for financial institutions is outlined in laws and regulations and enforced by government agencies. These requirements were established to prevent financial crimes, so generic implementation of KYC processes that don’t effectively prevent criminal activity may not be compliant with the intent of CIP Rules. The rest of this series will go into more details on the history and specific elements of the CIP Rules and how US financial institutions can comply.
See for example: https://www.fincen.gov/news/news-releases/fincen-assesses-145-million-penalty-against-ubs-financial-services-anti-money
The Anti-Money Laundering Act of 2020 (enacted on Jan 1, 2021) requires Treasury to conduct a “study” to analyze money laundering through art and, if appropriate, to make recommendations regarding potential regulations.
James Cook is General Counsel of SentiLink, where he has been leading the legal function since 2019. James has served as General Counsel for hyper-growth B2B SaaS start-ups since 2008, including 5 years supporting identity verification and fraud technology providers.
Parag Patel is a Senior Associate at Orrick focused on payments, financial technology and banking issues. He assists banks, non-bank lenders, payments and technology companies and their vendors with regulatory, compliance, supervision, enforcement, anti-fraud and anti-money laundering, and transactional matters.
Orrick is a global law firm focused on serving the technology & innovation, energy & infrastructure and finance sectors. Founded more than 150 years ago in San Francisco, Orrick today has offices in 25+ markets worldwide. Financial Times selected Orrick as the Most Digital Law Firm in North America of 2020. In addition, over the past five years, FT has named Orrick the Most Innovative Law Firm in North America three times and runner-up twice, including in 2020. For the sixth year in a row, Fortune named Orrick to its 2021 list of the 100 Best Companies to Work For.