KYC: The complete guide to securing your customer onboarding
KYC (Know Your Customer) is the customer identification process that has become essential within the financial ecosystem. Yet, striking the right balance between regulatory requirements and user experience remains a challenge. An in-depth look at a process that now goes far beyond traditional banking and applies to a wide range of players.
KYC: what exactly are we talking about?
KYC, or “Know Your Customer”, refers to all the procedures used to verify the identity and activity of your clients in accordance with current customer due diligence regulations. In practical terms, this involves collecting and analysing certain user data before granting access to your financial services.
This process operates within a strict legal framework: Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT). The figures speak for themselves: according to the Directorate of Legal Affairs, money laundering is estimated to represent 1.3% of European GDP*, amounting to hundreds of billions of euros. Faced with this reality, regulatory requirements have been significantly strengthened.
Beyond being a legal obligation, KYC is also a key tool for preventing fraud, identity theft, financial loss and operational risks that can seriously impact a company’s business and reputation.
Who is subject to KYC requirements?
If you think KYC only applies to banks or traditional banking services, think again. The list of organisations, institutions and entities subject to these obligations has grown considerably with successive European directives.
In particular, the following are concerned (non-exhaustive list, in accordance with Article L.561-2 of the French Monetary and Financial Code):
- Financial institutions (credit institutions, payment institutions, electronic money institutions)
- Insurance companies and mutual insurers
- Investment firms
- Crypto-asset service providers
- Gambling operators
- Dealers in works of art, precious stones and precious metals
- Regulated professions (chartered accountants, lawyers, notaries)
The regulatory framework: between constraints and opportunities
The evolution of European directives
KYC is part of a long series of European anti-money laundering directives (AMLD), the first of which dates back to 1991. Since then, the framework has continued to evolve, most recently with:
The 5AMLD (5th Anti-Money Laundering Directive), which came into force in July 2018, harmonised KYC practices across Europe and introduced, for the first time, fully secure digital identification methods. In concrete terms, clients can now interact with you online without having to attend in person to submit supporting documents.
The 6AMLD, which came into force in December 2020, further strengthened the framework by harmonising the definition of money laundering across the EU. It provides a detailed list of 22 predicate offences, ranging from tax fraud to cybercrime and environmental offences.
The eIDAS Regulation: the digital identification revolution
The eIDAS Regulation (electronic IDentification, Authentication and trust Services), adopted in 2014, defines Trust Service Providers (TSPs), whether qualified or non-qualified, with only qualified providers being subject to enhanced requirements. It establishes a European legal framework for electronic identification and online trust services, such as:
- Qualified electronic signatures to sign legally binding documents
- Electronic seals to provide proof of origin on a document
- Electronic time stamps to certify the date and time of an action
- Electronic registered delivery services to guarantee the sending and receipt of a document
- Electronic archiving to ensure long-term, secure and integrity-protected storage
PVID: the French framework for identity verification
In France, the PVID framework (Remote Identity Verification Provider) defines the technical and organisational requirements for providers offering remote identity verification solutions. Established by ANSSI (the French National Cybersecurity Agency), this framework guarantees a level of security equivalent to an in-person identity check.
PVID-listed providers must, in particular:
- Verify the authenticity of identity documents (fraud detection)
- Ensure the physical presence of the individual (liveness detection)
- Verify consistency between the document and the person
- Securely store verification evidence
For a fintech, selecting a PVID-certified provider is often the safest way to ensure compliance with the KYC process.
The key steps of a successful KYC process: the company perspective
Implementing an effective KYC process that ensures compliant and sustainable customer due diligence requires rigour and adherence to several key steps, applied iteratively depending on the context:
- Onboarding: verification of all new partners
- Ongoing due diligence: regular checks on existing partners
- Standard customer due diligence: simplified checks for low-risk partners
- Enhanced due diligence: exhaustive checks for high-risk partners
1. Information collection
The first step is to gather essential data about your client.
For an individual, this includes:
- Full identity (surname, first name, date and place of birth)
- Postal address
- Email and telephone number
- Valid identity document (national ID card, passport, residence permit)
- Proof of address
For a legal entity, the list differs, and the process is referred to as KYB (Know Your Business):
- Company incorporation documents
- Recent company registration extract (Kbis equivalent)
- Articles of association
- Identification of beneficial owners, as defined in Article R.561-1 of the French Monetary and Financial Code (ownership of more than 25% of capital or voting rights, or effective control by any other means)
- Information on directors and officers
2. Authenticity verification
Once documents have been collected, verification begins. This step may be:
- Automated: AI algorithms analyse documents to detect forgeries (hologram checks, font consistency, etc.)
- Manual: a specialised operator reviews the file for consistency
With live video (video KYC), the client records themselves in real time, presents their identity document from various angles and proves that they are indeed who they claim to be.
3. Screening and risk assessment
Is your client listed on an international sanctions list? Are they a Politically Exposed Person (PEP)? These checks are also mandatory.
You must cross-check your client’s profile against:
- International sanctions lists (UN, EU, OFAC)
- Asset freeze registers
- PEP lists (individuals holding prominent public functions)
Based on the results, the institution assigns a risk level according to its internal classification methodology. This scoring determines monitoring frequency and any enhanced due diligence measures required.
4. Ongoing monitoring
KYC does not stop at onboarding. It also involves continuous monitoring to:
- Detect unusual transactions
- Update customer information
- Respond to changes in circumstances (change of address, change of directors, etc.)
- Renew expired documents
5. Evidence retention
All documents and verification evidence must be retained, generally for five years after the end of the business relationship, unless longer specific obligations apply. This documentation protects you in the event of an inspection by the ACPR (Prudential Supervision and Resolution Authority).
The KYC journey: the customer experience
From the user’s perspective, the typical journey has been significantly simplified thanks to digitalisation.
1. Initial registration
Your client visits your application or website to create an account and enters basic information: first name, surname, email, telephone number and date of birth. Simple and quick.
2. Document upload
The client photographs or scans their supporting documents:
- Front and back of their identity document
- Proof of address
To make the process easier, some solutions offer smart capture that automatically detects document edges and optimises image quality.
3. Video authentication
A key step: the client launches a video session (live or recorded, depending on the chosen solution) during which they:
- Show their face to the camera
- Perform a few movements to prove physical presence (liveness detection)
- Present their identity document from different angles
- Sometimes, read out a random phrase to strengthen the evidence
4. Validation and notification
Once all elements have been submitted, your system and/or teams validate the file. The client receives a notification:
- Approval: the account is activated and services are accessible
- Request for additional information: a document is missing or unreadable
- Rejection: inconsistencies or an excessively high risk have been identified
5. Subsequent updates
Through simple and non-intrusive reminders, you will periodically ask clients to update their accounts: amend and/or confirm their information and renew expired documents.
The KYC challenge: balancing compliance and user experience
According to a 2023 study**, global investment banks spend an average of USD 2,598 on a single KYC review, and 48% have lost clients due to inefficient onboarding. These figures illustrate the dilemma you face.
Operational costs
A poorly optimised KYC process can become a financial drain. Verification technologies, compliance teams, rejections and drop-offs all add up quickly.
User friction
An overly long or complex journey drives customers away. In a mobile-first world, a cumbersome KYC process can cause you to lose up to half of your prospects.
Non-compliance risks
In the context of AML/CFT regulations, supervisors are demanding. A lax KYC process exposes you to regulatory sanctions that can reach several million euros, not to mention reputational damage.
Solutions to optimise your KYC process
Intelligent automation
AI and machine learning technologies are transforming KYC. Automated document analysis, fraud detection and risk scoring enable most cases to be processed without human intervention.
However, it is not a silver bullet: the success of such projects relies on strong collaboration between business teams, compliance and IT.
Video identification
Live video is widely used in the financial sector to strengthen identification security without compromising user experience.
Qualified electronic signatures
Combining KYC with a qualified electronic signature (eIDAS-compliant QES) allows you to execute contracts as soon as identity verification is completed. You save time while benefiting from maximum legal certainty.
A reliable BaaS partner
If you are a growing fintech, relying on a Banking-as-a-Service partner that natively integrates KYC into its infrastructure can save you months of development and compliance work.
To find the right balance between compliance, security and user experience when implementing your KYC process, feel free to contact us.