The BSABSA - Bank Secrecy Act. (1) U.S. legislation aimed toward preventing criminals from using financial institutions to hide or launder money. (2) One of the Bond Studio Services handling KYC/KNB required by the Bank Secrecy Act. is a U.S. law requiring financial institutions in the United States to assist U.S. government agencies in detecting and preventing money laundering and terrorist financing.
Because it applies to our bank sponsor partners, Bond is contractually obligated to adhere to it because the banks outsource their BSA obligations to Bond (and Brands).
The BSA has been amended several times, including the USA PATRIOT Act of 2001, which requires that financial institutions comply with the stricter Know Your Customer (KYC) rules:
- Customer Identification Program (CIP) - bank required to form a reasonable belief that it knows the true identity of each customer
- Customer Due Diligence (CDD) - bank required to gather relevant info about the customer & evaluate for any potential risk for the organization or money laundering/terrorist financing activities
- Enhanced Due Diligence (EDD) - the process of gathering data & info to verify the identity of customers, but with additional information required to mitigate the risk associated with the customer
Until 2016, one major loophole in KYC remained; banks weren’t required to ID the stakeholders and beneficiaries of the businesses they served.
In practice, this meant that seemingly legitimate businesses could shelter bad actors’ identities while performing illegal, high-value transactions on their behalf.
The regulatory fix, titled “Customer Due Diligence Requirements for Financial Institutions,” is what we know as Know Your Business (KYB).
Banks are required to conduct due diligence on the beneficial owners of the business. There are two methods that are assessed to determine this:
- Ownership: Any individual, if any, who directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns 25% or more of the equity interests of a legal entity customer.
- Control: A single individual with significant responsibility to control, manage, or direct a legal entity customer. This includes, for example, an executive officer or senior manager, or any other individual who regularly performs similar functions.
There must be at least one individual identified for each of the ownership and control methods, but they can be the same person. In all cases, each legal entity will have between one and five beneficial owners (for for the control method and between none and four under the ownership method).
This is our most commonly asked question. It depends on the type of program (commercial or consumer) and the specific sponsor bank you've chosen to work with. The examples below are for illustrative purposes only and in reality, might be slightly different when you onboard your program with Bond.
Additionally, we support several methods for identity verification through a series of vendors based on what information your customer may or may not have, as well as the user experience you want to provide as you balance onboarding time versus risk.
Fastest onboarding time
Highest approval rates
Note that credit checks are only applicable to credit card products. If you are performing a KYC on a customer for the purposes of a deposit product such as a prepaid card, credit checks are not performed, and there is no pull on the customer's credit.
The non-documentary verification method requires that the customer has a critical identifier such as an SSN (social security number).
Other pieces of documents such as an ITIN (individual taxpayer-identification numbers) cannot be used instead. This is often an indication that your customer should be treated as a business rather than a person. With business information including an ITIN, your customer can go through a KYB flow.
For the scenario where the customer does not have an SSN and cannot be treated as a business (for example, an international student) you can use documentary verification.
In the non-documentary verification method, if a customer's submitted address partially matches the address(es) in database records, a Knowledge Based Authentication (KBA) process is triggered where the user would have to validate their identity through questions that are easy for them to answer but difficult for others to answer. The customer has three attempts to answer these questions correctly. After three failed answering attempts, the KYC process is stopped and the user has failed.
Unrelated to address mismatches, a user could fail KYC if their OFAC, SSN, IP or email validation does not meet the sponsor bank's acceptable thresholds. Either the user mistyped some information during submission, or they could be attempting to commit fraud. If KBA is not triggered but one of these validations fails, the customer is permitted additional KYC attempts pursuant to the specific sponsor bank's rules.
For documentary verification, this can be configured appropriately to the type of customers you have using your product. For instance, if the first document that was being verified was a driver's license, and it failed, a fallback can be configured to request a passport.
The states that apply to the KYC lifecycle are shown in the table below.
Successful KYC check.
The user's address partially matches so a KBA process was triggered to further validate the user.
If the user answers the KBA questions correctly, their KYC status will update to
One of the non-address validations did not meet acceptable thresholds, resulting in a failed KYC. The user can retry a few more times.
Possible manual review if determined by the sponsor bank.
For documentary and non-documentary verification, if there are multiple failures, pursuant to the specific sponsor bank's rules, the customer may proceed through manual review.
The CIP guidelines do not include any specific requirements to perform ongoing KYC/KYB validations. Instead, banks are expected to take a risk-focused approach and reverify identity on certain high-risk customers or in conjunction with suspicious activity monitoring.
When you are switching to Bond and the existing bank is not one of Bond's sponsor banks, we are creating a new relationship with the customer and the bank and we need to run KYC again.
That said, by designing simple and informative screens in your app, you might be able to reduce this burden for your end-users. We're happy to let you know about it when you contact your designated Compliance representative.
Updated 2 months ago