A core tenet of building account-based financial products that are compliant and safe is ensuring you know your customers. The primary purpose behind Know Your Customer regulations is to protect against money laundering and fraud. Modern KYC rules evolved out of the Patriot Act. A primary goal of the Patriot Act is to limit money laundering, which terrorist organizations use to fund their activities. Money laundering is also frequently performed by criminal enterprises that use the financial system to clean, distribute, or move money around efficiently. The theory goes that if you know who your customer is, then you can prevent a known criminal from using your product.

Keeping criminals out may seem simple, but building KYC processes that separate the good cardholders from the bad ones is a huge challenge. 

When I first entered the fintech space in 2006 as a Product Manager at Green Dot (at the time, a Series A company), one of the first projects I got involved in was aimed at improving our KYC product. In my last full-time role as President of Apto Payments, I spent a large share of two years overseeing investments in KYC enhancements. It doesn’t feel like much has changed in the intervening 17 years. Yes, the technology to perform the checks has improved (RESTful APIs are nice!), but approval rates are stubbornly stuck in the 85-95% range, and thousands of inaccurate results occur daily. While many folks in the industry have general familiarity with KYC, it also still appears that far fewer have a deep understanding of its nuances. 

KYC is a legal and regulatory imperative for all card programs, but to this day, it remains a complex puzzle for many in the industry. As an industry, we can learn from how KYC has worked historically and move to a more comprehensive process that better sorts the valid identities from the invalid ones.

KYC Checks: Past and Present

Banks have traditionally fulfilled Know Your Customer requirements by inspecting physical documents in person. If you needed to open a consumer checking account, you would visit your local bank branch, present a government ID, and, if the address on your ID didn’t match your actual address, provide an additional document like a utility bill.

This process wasn’t flawless, but it worked pretty well. In 2004, I moved to California from New Mexico. I had previously banked with a local two-branch institution and needed to open a new account. The staff at Washington Mutual couldn’t find a match for my New Mexico license (nor did they have records for many other New Mexicans, for that matter) in their big book of state identification cards and denied me the account. I was who I said I was. 

This scenario is what we call a false negative. The bank denied a customer an account because they couldn’t identify them. In doing so, they also likely ruined future business opportunities with that customer due to the hassle and poor experience (I never did open a Washington Mutual account).

Today, we primarily use centralized databases to perform KYC checks. 

Suppose a new consumer-focused fintech, Rylan Card, is building a modern debit card product. The folks at Rylan Card want to grow, onboard more users, and perform more transactions daily than they did the previous day.

The Rylan Card team knows they must follow federal regulations and know their customers. To achieve this, they set up a workflow to capture a user’s name, social security number, date of birth, and physical address, and send that information to an identity verification provider. Companies like Alloy, ComplyAdvantage, Lexis-Nexis, Plaid/Cognito, Veriff, and others capture data from credit bureaus (which receive data from lenders), government agencies, and other sources, then match the information provided by Rylan Card with an identity in the database.

If things mostly match, then the user passes. If the confidence level of the match is too low (e.g., below 90%), the user fails the check and cannot open the account.

At this point, some companies will perform a manual review, in which case users can scan and upload documents such as a driver’s license or utility bill to verify their identity.

Challenges

There is an inherent push-and-pull challenge in KYC. Companies want to say yes to as many people as possible with minimal false negatives. However, they also want to ensure they have no false positives; that is, cases where they let people sign up for the product (the Rylan Card in our example) who aren’t who they say they are. False positives can arise from either identity theft or synthetic identity fraud, the latter being when real and fake information is combined to create a new identity. (Why use a synthetic identity? Because it’s harder to track down, as there is no singular victim to report it.)

This database approach has benefits compared to the physical document review process illustrated in my Washington Mutual example. First, fintech companies don’t have branches, so they have no other choice but to manage KYC digitally. Second, many data sources exist, enabling companies to waterfall applications through several providers to find the user and reduce those false negatives.
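The threshold check and provider waterfall described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the field weights, provider names, and sample identities are constructed assumptions.

```python
from dataclasses import dataclass

PASS_THRESHOLD = 90  # percent; the article's example cut-off
# Field weights are an assumption for illustration, not any vendor's scoring model.
WEIGHTS = {"ssn": 40, "dob": 20, "name": 20, "address": 20}

@dataclass(frozen=True)
class Identity:
    name: str
    ssn: str
    dob: str
    address: str

def normalize(value: str) -> str:
    """Case-fold and drop punctuation so '12 Oak St.' equals '12 oak st'."""
    return " ".join("".join(c for c in value.lower() if c.isalnum() or c == " ").split())

def confidence(applicant: Identity, record: Identity) -> int:
    """Sum the weights of the fields that agree after normalization."""
    return sum(w for field, w in WEIGHTS.items()
               if normalize(getattr(applicant, field)) == normalize(getattr(record, field)))

def waterfall(applicant: Identity, providers: list) -> dict:
    """Query providers in order; stop at the first match at or above the threshold."""
    best = 0
    for provider_name, records in providers:
        score = max((confidence(applicant, r) for r in records), default=0)
        if score >= PASS_THRESHOLD:
            return {"decision": "pass", "provider": provider_name, "score": score}
        best = max(best, score)
    # Nothing cleared the bar: send to document review and record why.
    reason = "no_record" if best == 0 else "low_confidence"
    return {"decision": "manual_review", "reason": reason, "score": best}

# Constructed sample data: two hypothetical providers holding different record versions.
PROVIDERS = [
    ("provider_a", [Identity("Ana Ruiz", "000-00-0001", "1990-04-02", "5 Elm Rd, Santa Fe NM")]),
    ("provider_b", [Identity("Ana Ruiz", "000-00-0001", "1990-04-02", "12 Oak St, Pasadena CA")]),
]
moved = Identity("ana ruiz", "000-00-0001", "1990-04-02", "12 Oak St., Pasadena CA")
opted_out = Identity("Sam Lee", "000-00-0002", "1985-11-30", "9 Pine Ave, Austin TX")
synthetic = Identity("Max Roe", "000-00-0001", "1999-01-01", "77 Fake Blvd, Reno NV")

if __name__ == "__main__":
    for label, person in [("moved", moved), ("opted_out", opted_out), ("synthetic", synthetic)]:
        print(label, waterfall(person, PROVIDERS))
```

The applicant who moved scores 80 against the stale record and would be a false negative with one provider; the second provider rescues the application, while the absent record and the mismatched-SSN application both land in manual review with different reasons.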

You’re not guaranteed to win here, though. Surprisingly, I have another personal identity failure story: While working at Green Dot, I signed up for what felt like every single prepaid card on the market (one of my responsibilities was maintaining our competitive matrix). Upon leaving, I was concerned about identity theft. I asked Lexis-Nexis, whose database sits underneath most KYC checks, for my name to be removed for marketing purposes, limiting the amount of junk mail these signups caused.

Unbeknownst to me, this also made me invisible in KYC checks. I could quickly get a new credit card or loan because lenders use the credit bureaus (Experian, Equifax, and TransUnion) directly to do lookups. However, when I tried to apply for a debit card from Simple, an early innovator in the neobank category, my application was denied. Thinking perhaps their software wasn’t great, I simply moved on. Years later, I attempted to open an investing account at Merrill Lynch and got a call from one of their representatives that opened with: “We’ve never seen this before, but you don’t exist, and we need a load of documents.”

The plus side of working in fintech is that I found a contact at Lexis-Nexis who helped me restore my identity. Now, I can sign up for neobanks again with no problem!

These personal anecdotes speak to the fundamental challenges companies face in performing KYC. In addition to inaccuracies in their databases, such as intermingled or missing records, KYC entails collecting a lot of information from applicants, and a lot of it is sensitive information in a world where consumers are told to protect their data. Consumers are also far less likely to make it through an onboarding funnel when there are a lot of questions, so many companies go to great lengths to limit the number of steps and data entry points during signup.

Performing a compliant KYC process frequently causes teams to ignore UX best practices. However, a better process doesn’t mean that onboarding inherently has to be long and frustrating. 

How we can improve the KYC experience

There are alternatives to traditional database lookups, depending on how you structure your product. One is to only trigger KYC for a consumer product at the point where the account can be funded more than once, and a personalized card is issued. For example, your average Visa gift card does not require cardholders to KYC because it doesn’t have these features by default.

While not supported by your common Banking-as-a-Service companies, you can build a product that starts as non-reloadable and is upgraded with the passing of KYC. Core Green Dot products sold at retail have operated this way for years out of necessity (you cannot personalize physical cards sold in-store, so a non-personalized card is activated at purchase, and a card with your name is mailed to you after the fact). This gives a consumer who initially deposited $20 the option to reload the card, but only if they pass KYC checks. If they don’t pass, the card could still be used as a gift card.

Neobanks could leverage this approach to get folks through the door and allow them to try before buying at a minimal marginal cost to the neobank.

Another alternative is to invest more heavily in a better KYC experience. There are a variety of ways to get a higher-quality identity match, such as a universal ID solution. Companies such as Gitcoin Passport, GlobalID, Proof of Humanity, Rollup ID, or Worldcoin are at work to provide every consumer with an identity credential. Much as consumers already do with “Sign in with Google” or other OAuth providers, these identity companies aim to have you self-authenticate using third-party identification.

Outside of a universal ID solution, there are identity add-ons that take several steps to reduce false negatives and false positives and to prevent fraud and identity theft, such as:

  1. Government-issued ID scanning from companies like Jumio;

  2. Facial recognition from companies like Onfido or Persona;

  3. Database confirmation;

  4. Device and behavioral metrics.

Many universal ID solutions already deploy these types of tools to create a higher-quality (higher-confidence) identity. Financial providers that thoroughly vet a universal identity company can move to trust these companies to verify a user without forcing that user through the KYC process again.

A better flow isn’t imaginary; some companies, and especially some government software applications, have implemented something like this:

  1. ID Capture: You are asked to scan your government-issued ID, which includes your name, address, birth date, and photo;

  2. ID Verification: The ID is verified for legitimacy through algorithms, and the data is extracted;

  3. Liveness Detection: You are asked to take a selfie with liveness detection, allowing the algorithm to match your face to your ID and ensure you and your ID are in the same place at the same time (note that facial recognition has substantial drop-off as the universe of faces grows, but can reliably make close one-to-one matches);

  4. Database Verification: Your data is sent to one or more databases to scan for accuracy changes (e.g., address changes) and matched against blocklists like the Office of Foreign Assets Control list or other global sanctions lists;

  5. Device Analysis: Your device provides specific metrics about the speed of typing, errors made, phone type, location, etc., to ascertain if you are demonstrating any suspicious behavior, e.g., doing all of this in the wrong country.

The upside of this flow is increased accuracy. The downsides include cost, increased complexity, and some limitations for people who lack proper government ID.

Consumers rarely experience this more comprehensive approach. Because of the tension between ease of onboarding and reducing false identities, many fintech companies opt to detect fraud post-onboarding rather than make it harder to get a card. It doesn’t have to be a choice between these poor options; progressive verification and better KYC processes can ensure both a simple onboarding and reduced likelihood of false negatives. 

It’s important to note that KYC doesn’t single-handedly address ongoing fraud risk. Fintech card companies routinely see massive amounts of fraud from accounts that pass KYC; according to Sardine.AI, a fraud-prevention company, 90% of chargebacks come from fully verified identities. Rather, KYC is an ongoing responsibility fintechs bear as stewards of these card programs. Beyond preventing third-party fraud, maintaining proper KYC standards also ensures fintechs can avoid compliance violations and uphold bank partners’ trust. If I were building Rylan Card today, I would use the flow described above to ensure I could get the correct data and users. Running a clean ship will ultimately demonstrate higher growth and longer-term sustainability. 
