
A Comprehensive Guide To KYC and AML Compliance in The UK



Copyright © Shufti Pro Ltd. All Rights Reserved.


Table of Contents

Introduction

What is Know Your Customer?

What is AML?

Regulations for KYC, AML, and Data Privacy for the Businesses Operating in the United Kingdom

Know Your Customer

Anti-Money Laundering

Data Privacy

A case of AML Compliance failure

Industries Requiring To Comply With Regulations

Financial Sector
FinTech
Gaming
Cryptocurrency
Real Estate
E-Commerce

Methods to perform KYC and AML

Private or official database

Online verification from ID documents

Two-factor authentication

Knowledge-based authentication

Introduction

As technology has connected beyond traditional barriers of languages and distance, it has created a
world of unprecedented economic opportunity. But in doing so it has also significantly increased the
risks for doing business both globally and locally. Businesses are under immense regulatory pressure to
perform robust customer due diligence, especially to diminish the international threat of money
laundering and terror financing. This regulatory pressure manifests itself as Know Your Customer (KYC)
regulations and Anti Money Laundering (AML) directives.

KYC and AML requirements are a key focus for organizations to ensure they are following compliance
requirements for meeting the increasing regulatory demands. While these regulations vary from region
to region and in some countries, even state to state, major compliance requirements are mainly
uniform across the international business environment and are under the supervision of the Financial
Action Task Force (FATF)[1]. Any organization doing business internationally also needs the agility to
meet KYC and AML requirements in a specific region.

This comprehensive guide will provide you an overview of how to achieve KYC and AML compliance in
the United Kingdom.

1. FATF

What is Know Your Customer?
Knowing your customer (KYC) in simple words is verifying customers to confirm they are who
they claim to be and that they aren’t a potential risk to your business. Finding KYC information
has been tiresome and difficult.

Even so, financial institutions have been required to gather this information around the world for
over a decade. Lending money to or servicing a person who presents a high risk, or who may be
involved in illegal activities, can be incredibly damaging for any bank or financial institution.

Many other industries are also now required to ensure KYC compliance and unfortunately this is
an entirely new activity for many organizations, especially for small businesses and startups,
leaving them unsure of how to acquire, collate and analyze the information correctly.

It is an organization’s responsibility to ensure its KYC compliance. This involves verifying the
information that a customer provides and analyzing the risk involved in dealing with certain
customers, including the funding sources and business details. Failure to do so brings with it
significant risk in terms of financial cost, reputational damage, and potential judiciary
consequences.

At a minimum, organizations are generally required to verify clients’ identity, business type,
source of funds and wealth, the purpose of specific transactions, and the expected nature
and level of transactions.

There are four primary objectives when gathering KYC information, using a risk-based
approach:

Identify the customer

Verify the client’s true identity

Understand the customer’s activities and source of funding

Monitor the customer’s activities regularly

Customer Due Diligence (CDD)


Customer Due Diligence[2] is the control procedure that financial services apply to existing and new
customers to identify and prevent risks. CDD plays an important role in eliminating risks related to
money laundering, terrorist financing, fraud, corruption, arms trade, bribery, drug trafficking, and other
illegal financial activities.

When opening a customer account according to legal requirements, a number of checks are required
to follow the Know Your Customer procedures. One of the control methods implemented for risk
assessment is sanction, PEP, and adverse media screening.

2. UK Govt - Money Laundering guidelines


Identity Verification

Verification is performed to check the authenticity of the information provided by the customers. The
whole process of verifying identity is very important. It begins with authenticating the user, i.e.
verification of ID documents. After identity verification, the business checks whether the customer
poses any threat to it. In this way, companies can conduct due diligence and prevent money laundering
and terrorist financing. Since businesses mostly operate online, manual identification is exhausting,
cumbersome and in most cases impossible to perform, so financial institutions use online
identity verification.

What is Anti Money Laundering?


Money laundering is the process of hiding the source of money earned from illicit crimes to
bring a legal image to this income. Anti-Money Laundering (AML) refers to rules and regulations
implemented to hinder criminals from money laundering. It also includes laws and procedures
to identify and counter financing terrorism (CFT).

Money laundering is a serious financial crime and there are rules and regulations on both
global and local levels to prevent criminals from making illegal funds run into mainstream legal
financial systems. Apart from global regulations, each country has its own AML policies.
Companies have to comply with these regulations else they will be subjected to
criminal sanctions imposed by regulators.

In the year 2019, only 58 AML fines were issued by the regulators worldwide and the
total amount for these fines summed up to $8.14 billion. Out of these 58 fines, regulators
in the United Kingdom imposed 12 fines totaling $388.4 million. (Fintechfutures)

The Financial Action Task Force (FATF) is responsible for providing comprehensive global AML regulations
and policy recommendations. The purpose of the establishment of FATF is to build an international
standard for the prevention of money laundering. FATF has 37 member jurisdictions and 2 regional
organizations representing major financial centers in all parts of the globe.

AML Screening and Monitoring

AML screening and monitoring are some of the basic requirements of a comprehensive AML program.
Audits and penalties by the regulators are expected to increase further. The sanctions and PEP lists are
growing and changing every day in the world. Due to the dynamic nature of these lists, businesses
need to scan sanctions, PEP, and Adverse Media data regularly. The following checklists could be
applied for AML screening and Monitoring:

The Risk-based Approach

In the risk-based approach, the organization performs AML controls according to its risk perception
and the risk level of their customers. The risk perception and risk level for each firm and every customer
are different. It will be insufficient to apply the same AML controls for every customer. Therefore,
organizations should take 2 basic steps for a risk-based approach. The first one is the assessment of the
risk and the second is the implementation of the control processes appropriate to the risk levels.

Enhanced Due Diligence

Enhanced Due Diligence (EDD) is required when a customer is deemed to be a higher risk than
expected. These high-risk customers normally include Politically Exposed Persons (PEPs) or anyone
originating from the high-risk countries list as outlined in the Fifth Anti-Money Laundering Directive
(5AMLD)[3]. EDD measures usually include high monitoring of customers.

The most efficient way to become AML compliant is to conduct thorough customer screening. That
being said, it can be difficult and time-consuming to execute these processes consistently at scale. To
address these issues, automation plays an increasingly large role in AML compliance.

3. UK Govt - Transposition of Fifth Money Laundering Directive


Sanction Checks

Individuals or institutions that do not comply with laws and rules are served with penalties and these
penalties are called sanctions. Usually, the sanction decisions are made by governments or global
regulators. Sanction checks are special searches from a list of different governmental and international
databases to identify persons banned from certain activities or sectors. Political exposure, terrorism,
money laundering, and corruption are the most popular reasons for sanctions. Businesses must verify
that the customer they are dealing with isn’t on any of the sanction lists and this process should be
ongoing because sanctions lists are updated regularly.

Politically Exposed Persons Check

An individual with a high-profile political role, or who has been entrusted with a prominent public function, is
known as a Politically Exposed Person (PEP). As they have a high position in a country or jurisdiction,
they are more open to bribery, corruption, and other offenses related to money laundering. This doesn’t
always mean that they are offenders but to be on the safe side they are declared as high-risk
customers.

According to FATF, government officials, close family members of these officials,
senior executives of state-owned businesses, and leaders of large political
parties all come in PEP lists and are considered high risk. (FATF)

If an enterprise encounters any of these as their customers they should be put in high-risk profiles and
should be screened against sanction lists and their transactions should be monitored on an ongoing
basis.

Ultimate Beneficial Ownership

The legal entities of a company, whether a corporate or an individual, are Ultimate Beneficial Owners
(UBOs). Financial institutions have to identify UBOs in order to prevent money laundering and terrorist
financing. People who hold at least 25% of the shares in the capital of a legal entity, have 25% of
voting rights on the board, or are beneficiaries of at least 25% of the capital of a legal entity acquire
UBO status. According to FATF, UBOs carry potential ML/TF risks, so financial institutions must have
important obligations and information regarding UBOs[4].

4. FATF - Best Practices On Beneficial Ownership For Legal Persons


Adverse Media Screening

Any negative information about the customer or business from various sources in the commercial
world is adverse media. These are mostly news covering the individual or a business. It reveals whether
a person or a business is involved in any criminal or illegal activities that could affect your organization if
you do business with them. This is why it is important to perform adverse media screening.

Do you know?
FATF emphasizes adverse media screening of high-risk customers to
identify the customer reputation. (FATF)

AML Transaction Monitoring

Monitoring transactions is one of the crucial AML and anti-fraud security processes. Transaction
monitoring helps in detecting suspicious transactions and determining the risk level of transactions
carried out by the customers. Financial sectors like money service businesses (MSBs), Insurance
corporations, financial services, money transfer companies mediate a large number of financial
transactions on a daily basis. Transaction screening is one of the crucial AML obligations to detect any
suspicious transaction. Ongoing transaction monitoring is necessary to meet AML obligations.

Suspicious Activity Report

Suspicious Activity Report (SAR) is used to track suspicious activity that will not be flagged normally in
normal monitoring. The main purpose of SAR is to check for illegal activities such as money laundering,
terrorist financing, tax evasion, and other financial frauds.

In the UK alone, the number of Suspicious Activity Reports rose 9.6% between
2017-2018. In the US economic crime increased by 17% between 2016 and 2018.
(National Crime Agency)

Currency Transaction Report

Currency Transaction Report (CTR) is generated by banks to help prevent money laundering.
According to AML laws in most countries, the CTR report is an AML compliance obligation for financial
institutions. Banks use CTR to report any bank transaction exceeding $10,000 to relevant regulators[5].
This is a crucial part of AML transaction monitoring; failing to report could lead to fines and penalties.

5. Investopedia - Currency Transaction Report


Regulations for KYC, AML, and Data Privacy for
the Businesses Operating in the United Kingdom

The UK has the most robust KYC and AML regulations and is named as “Global leader in promoting
corporate transparency” by FATF. Financial Conduct Authority (FCA)[6] is well known for its risk-based
approach to innovation. This means that in general, it focuses on the outputs rather than specific AML
laws and rules. Firms must have policies and procedures in place for KYC and AML compliance. Here
are some practices suggested by the regulatory bodies:

Know Your Customer

Know Your Customer compliance is obligatory for businesses dealing in finance. The businesses are
required to collect evidence of identity from the individual as well as corporate customers.

According to FCA, evidence of identity can be in documentary or electronic form. From individual
clients this identity information is required:

a. Full name

b. Date of birth

c. Residential address

d. Government-issued identity document (Passport, Driving License with a photo)

e. A supported second document either issued by a government or a judicial authority, a public
sector body, or any other FCA regulated firm in the UK financial services sector

From corporate clients, a firm should collect this information:

a. Full name

b. Registration number

c. Government-issued identity document (Passport, Driving License with a photo)

d. For Private/unlisted companies additional data is required:

  i. Names of all directors

  ii. Names of individuals who own or control over 25% of the company's shares

  iii. Name of any individual who otherwise exercises control over company management

6. Financial Conduct Authority


The firm should verify the existence of the corporation either confirming the company's listing on a
regulated market, conducting a search of the relevant company registry, or obtaining a copy of the
company's Certificate of Incorporation. For private/unlisted companies, the firm may decide, following
a risk assessment, to verify one or more of the directors as appropriate in line with the CDD
requirements for individuals. In respect to beneficial owners, the relevant person must take risk-based
and adequate measures to verify the identity of the beneficial owner(s).

Anti-Money Laundering

The UK anti-money laundering regime requirements are set out in the Proceeds of Crime Act 2002
(POCA)[7] (as amended by the Serious Organised Crime and Police Act 2005 (SOCPA)[8]), the Money
Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR
2017)[9] and the Terrorism Act 2000 (TA 2000)[10] (as amended by the Anti-Terrorism, Crime and
Security Act 2001 (ATCSA 2001)[11] and the Terrorism Act 2006 (TA 2006)).

As per the Financial Conduct Authority (FCA), a firm has to fulfill the following responsibilities under
money laundering supervision:

You must apply customer due diligence measures:

When you establish a business relationship with a customer (or another party in a property sale)

When you suspect money laundering or terrorist financing

When you have doubts about a customer’s identification information that you obtained previously

When it’s necessary for existing customers - for example, if their circumstances change

As a high-value dealer, when you:

  Make a payment to a supplier worth €10,000 or more

  Carry out an ‘occasional transaction’ worth €10,000 or more

If you are not a high-value dealer, when you carry out an ‘occasional transaction’ worth €15,000 or more

7. UK Govt - Proceeds of Crime Act 2002
8. UK Govt - Serious Crime and Police Act 2005
9. UK Govt - ML, TF Regulation 2017
10. UK Govt - Terrorism Act 2000
11. UK Govt - Anti Terrorism Act 2001

Establishing a business relation:

A business relationship is one that you enter into with a customer where both of you expect that the
relationship will be ongoing. It can be a formal or informal arrangement.

When you establish a new business relationship you need to obtain the following information:

The purpose of the relationship

The intended nature of the relationship - for example where funds will come from, the
purpose of transactions, and so on

You need to obtain this type of information:

Details of your customer’s business or employment

Copies of recent and current financial statements

The expected level and type of activity that will take place in your relationship

The source and origin of funds that your customer will be using in the relationship

The changing circumstances of your customers

Details of the relationships between signatories and any underlying beneficial owners

You need to keep up-to-date information on your customers so that you can:

Amend your risk assessment of a particular customer if their circumstances change

Carry out further due diligence measures if necessary

In case of the following changes you may need to update your information:

A big change in the level or type of business activity

A change in the ownership structure of a business

Carrying out enhanced due diligence:

In some situations, you must carry out ‘enhanced due diligence’. These situations are:

When the customer is not physically present when you carry out identification checks

When you enter into a business relationship with a ‘politically exposed person’ - typically, the
non-UK or domestic member of parliament, head of state or government, or government
minister and their family members and known close associates

When you enter into a transaction with a person from a high-risk third country identified by the EU

Any other situation where there’s a higher risk of money laundering

If the customers are not physically present you may need to take the following enhanced due diligence
measures:

Obtaining further information to establish the customer’s identity

Applying extra measures to check documents supplied by a credit or financial institution

Finding out where funds have come from and what the purpose of the transaction is

Making sure that the first payment is made from an account that was opened with a credit
institution in the customer’s name

While dealing with politically exposed persons you need to take the following enhanced due diligence
measures:

Making sure that only senior management gives approval for a new business relationship

Carrying out stricter ongoing monitoring of the business relationship

Taking adequate measures to establish where the person’s wealth and the funds involved in the
business relationship come from

In the UK there are multiple anti-money laundering regulatory bodies for different sectors. For example,
the banking and financial sector is overseen by the Financial Conduct Authority (FCA).

Regulatory bodies governing AML and KYC compliance in different industries

Similarly, there are multiple bodies for the non-financial sector:

FCA is the supervisory authority for trust or company service providers who are
authorized persons.

Money service businesses and trust or company service providers are all
overseen by HM Revenue and Customs.

These include high-value dealers, bill payment service providers, and
telecommunications, digital and IT payment service providers, estate agency
businesses and accountancy service providers.

Casinos and online gaming are supervised by The Gambling Commission.

The Institute of Chartered Accountants in England and Wales (“ICAEW”) is the
supervisor for Chartered Accountants.

The latest money laundering regulation amendments were made in 2019 that were to
ensure that the United Kingdom’s money laundering regulations are in place with the
European Union’s 5th AML Directive and are in line with FATF’s money laundering regulation
standards.

These regulations make some limited but important amendments to the existing Money
Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations
2017 (MLR 2017). These include extending the scope of the regulated sector, changes to
customer due diligence, and enhanced due diligence, in particular, a new requirement to
make reports to Companies House concerning discrepancies between information collected
during customer due diligence and information on the Persons with Significant Control register.

Data Privacy

Customer data protection is a serious issue. You are responsible for securing your customer data
and protecting it from fraudsters. Customer data is any identifiable personal information held
in any format, for example, National insurance records, addresses, dates of birth, family
circumstances, bank details, and medical records. This information must be kept securely
to comply with your obligations under the Data Protection Act 1998[12], but also because
criminals can use it to commit offenses such as identity theft.

Data security is not purely an IT problem, nor is it just a problem for large firms. Firms of all sizes
should think carefully about how they secure their data. Having good data security policies
and appropriate systems and controls in place will go a long way to ensuring customer data is
kept safe. However, you need to make sure your employees understand the policies and
procedures and your firm keeps up-to-date when people move on.

Since the United Kingdom is a part of the European Union as of now, General Data Protection
Regulations (GDPR)[13] are also applicable to businesses of all sizes operating in the United Kingdom.
At its heart GDPR identifies seven key principles for the way personal data should be:

a. processed lawfully, fairly, and transparently concerning individuals (‘lawfulness, fairness, and
transparency’).

b. collected for specified, explicit, and legitimate purposes and not further processed in a manner
that is incompatible with those purposes; further processing for archiving purposes in the public
interest, scientific or historical research purposes, or statistical purposes shall not be considered
to be incompatible with the initial purposes (‘purpose limitation’).

c. adequate, relevant, and limited to what is necessary with the purposes for which they are
processed (‘data minimization’).

d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure
that inaccurate personal data, having regard to the purposes for which they are processed, are
erased or rectified without delay (‘accuracy’).

e. processed in a manner that ensures appropriate security of the personal data, including
protection against unauthorized or unlawful processing and accidental loss, destruction or damage,
using appropriate technical or organizational measures (‘integrity and confidentiality’).

f. kept in a form which permits identification of data subjects for no longer than is necessary for
the purposes for which the personal data are processed; personal data may be stored for longer
periods insofar as the personal data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes subject to the
implementation of the appropriate technical and organizational measures required by the GDPR to
safeguard the rights and freedoms of individuals (‘storage limitation’).

12. UK Govt - Data Protection Act 1998
13. GDPR

A case of AML Compliance failure
Commerzbank fined £37 million by FCA

On June 17, 2020, the Financial Conduct Authority said that it had placed a penalty of £37,805,400
against the Frankfurt-based Commerzbank’s London Branch[14]. The reason for imposing this fine was
the failures in Anti Money Laundering systems and controls between October 2012 and September
2017. The firm received a 30% discount on the fine under the FCA’s settlement agreement as the bank
agreed to solve the matter at an early stage, FCA’s final notice states. The original amount of fine before
the discount would have been £54,007,800.

In the Final notice FCA specifically identified the following:

There were shortcomings in Commerzbank London’s financial crime controls applicable to
intermediaries (i.e. introducers and distributors).

Certain business areas did not always adhere to Commerzbank London’s policy of verifying the
beneficial ownership of clients, including high-risk clients, from a reliable and independent source.

Risk and issue owners were not clearly articulated or understood by Commerzbank London’s
committees. This led to a “lack of clarity around responsibilities”, which impacted the
Front Office, CLM, and Compliance.

The Skilled Person identified instances where the way that Commerzbank London identified and
considered the risks associated with politically exposed persons (“PEPs”) was inadequate.

There was no comprehensive documented process or criteria for terminating a relationship with an
existing client for financial crime risk.

Commerzbank London’s automated tool for monitoring money laundering risk on transactions for
clients was not fit for purpose and did not have access to key information from certain of
Commerzbank’s transaction systems.

A significant backlog of existing clients being subject to timely refreshed know-your-client (“KYC”)
checks developed during the Relevant Period, in part because Commerzbank London’s first and
second lines of defense tasked with carrying out key AML controls were, throughout the Relevant
Period, understaffed.

An exceptions process put in place from May 2016 to permit existing clients to continue to transact
with Commerzbank London despite not having been subject to timely periodic KYC checks, became,
as at the end of 2016, out of control, with both senior branch management and Compliance lacking
understanding and adequate awareness of the process.

In one example, a high-risk client, who was nearly 5 years overdue KYC refresh, entered into 16
transactions with Commerzbank London whilst overdue KYC refresh, with Commerzbank London
generating net revenue of £273,799 from these transactions.

14. FCA - Commerz Bank fines

Significant takeaways from this penalty

This penalty is significant for financial institutions because it reaffirms to them that it is important to
meet the expectations of their regulatory bodies and that authorities are always ready to promptly
address any issues that are identified. In particular, the regulators remain focused on ensuring that:

1. Banks dedicate enough resources for AML compliance.

2. Financial institutions should formally document and clearly define the roles and
responsibilities for AML compliance programs.

3. They should properly measure the transactions to monitor any suspicious activity.

Moreover, the notable amount levied shows that, even though the FCA identified no evidence of
financial crime, the risk of financial crime is as serious as the crime itself. This means that FCA
considers the risk of crime important. Nonetheless, the FCA emphasized that Commerzbank London’s
conduct created a meaningful risk that the firm might be used to promote financial crime.

Also, this action by the FCA stresses that firms need to fix issues identified by the regulators at the
earliest opportunity. In this case, even though the bank initiated significant measures in 2017, the FCA
charged the organization for not moving fast enough to update automated transaction monitoring
systems, remove the backlog of customers requiring KYC checks at the London branch, and address
compliance team management concerning the AML compliance program.

Industries Requiring To Comply With Regulations

Fenergo posted a report towards the end of 2018 revealing that there were $26bn (or
£20.2bn) in fines related to AML and KYC legislation and regulations in the decade
following the financial crisis[15]. There were 83 fines issued in Europe alone, with a total of
$1.7bn (approx. £1.3bn). The majority of these fines were imposed by the Financial Conduct
Authority (FCA) with the UK being the most active issuer of AML and KYC fines in the whole
of Europe, accounting for 24%. The average fine for the whole decade sits at $15.7m (approx.
£12.2m).

HM Revenue and Customs (HMRC) oversees compliance with AML regulations by businesses,
and between 2017-2018 they fined companies a total of £2.3 million, which is double that of the
previous year when £1.2m of fines were issued. On average, businesses were fined just under
£2,500 per breach. Many of the fines have been issued to corporations in the property sector.

Damages of non-compliance

£163 million charge ($203.83 Million) – Deutsche Bank

In January 2017, the FCA levied £163 million ($203.83 million)[16] in fines against
the German lender Deutsche Bank – the most significant penalty the FCA has ever
applied. Due to a lack of customer due diligence, along with other deficiencies,
the bank was abused by unidentified customers who transferred approximately
$10 billion from Russia to offshore bank accounts in a way that is highly suggestive
of financial crime.

15. Skillcast - The Biggest Fines for Financial Crimes
16. FCA - Deutsche

£102,163,200 — Standard Chartered Bank
FCA fined Standard Chartered Bank £102,163,200[17] for Anti-Money Laundering
(AML) breaches in two higher risk areas of its business. This is the second-largest
financial penalty for AML controls failings ever imposed by the FCA.

£215,000 fine — Countrywide estate agents


HMRC on March 4, 2019, imposed a fine of £215,000 (about $283,000)[18] on
Countrywide estate agents for failing to conduct due diligence, proper
verification, and record-keeping, and failing to ensure compliance with policies
and controls in violation of the UK money laundering regulations.

Every industry sector has a different threshold, standard, and regulators so it’s imperative to understand
the specific requirements for each sector individually.

17. FCA - Standard Chartered
18. BBC - Countrywide

Financial sector
Banks and financial institutions in the UK are required by law to comply with AML and KYC regulations
to stop criminals, terrorists, and fraudsters from using financial products or services to store and move
around their money[19]. In the UK these requirements come primarily from the Money Laundering
Regulations Act 2007 (MLRs) and apply across a range of sectors and institutions.

Customer Due Diligence

Under the updated 2017 AML regulations, the financial organizations are required to
perform three due diligence measures, such as:

Identify and verify the customer’s identity through documents, data or information
obtained from a reliable and independent source

Identify any beneficial owners (where applicable) and verify their identities on a
risk-sensitive basis

Obtain information about the purpose and intended nature of the business
relationship and things like source or origin of funds. Also, perform enhanced due
diligence for Politically Exposed Persons (PEPs), specifically around the source of
their wealth.

Under the risk-based approach, financial entities have to obtain sufficient data to develop a
comprehensive profile of the customer and beneficial owners and to understand the risks associated
with the business to ensure it’s within the risk appetite of the financial entity.

19. Better Business finance - AML and KYC obligations


FinTech
The UK is ranked as one of the most ‘fintech friendly’ regions in the world.

Initiatives like the Financial Conduct Authority (FCA)’s ‘project innovate’[20] and ‘regulatory
sandbox’ in the UK have helped companies to introduce and test new financial projects and
distribution methods, which, in turn, has helped establish the UK as a leader in fintech and a global
authority on fintech regulation.

Currently, there are no specific laws for fintech companies, which fall under the existing body of UK
financial regulation. Fintech firms will fall within the regulatory limits if they perform certain regulated
operations including traditional financial services, such as the provision of banking, consumer credit,
insurance services, and crowdfunding.

UK regulatory fintech sandbox

FCA’s sandbox[21] is open to authorized and unauthorized firms that require authorization, and
technology businesses. For eligibility, companies need to show that they will deliver innovation that is
either a regulated business or supports regulated business in the UK financial services market.

Other requirements include the need to show that:

The innovation is ground-breaking or a significantly different offering in the marketplace

The innovation offers a good prospect of identifiable benefit to consumers (either directly or
via heightened competition)

There is a genuine need to test the innovation in the FCA’s sandbox

20. FCA - Project Innovate
21. Baker McKenzie - International Guide to Regulatory Fintech Sandboxes

Gaming
Gaming operators in the UK must adopt efficient verification tools to provide a quick and convenient
onboarding experience to users while meeting compliance requirements at the same time.

Here’s what you need to know about these requirements:

Customer Due Diligence

The UK Gambling Commission has placed a general rule for remote casinos to perform CDD
on a risk-sensitive basis (tailored to the risk attributed to the specific customer), but due
diligence is mandatory in respect of all customers who trigger the CDD threshold of
€2000[22].

To fulfil these identity verification requirements, gaming operators must:

Verify the name, address, and date of birth of a customer before any gaming or
gambling activity

Ask for any additional verification information promptly

Inform customers about what identity documents or other information is required
before they can deposit funds, the circumstances in which the information might
be required, and how it should be provided to the licensee

Take appropriate steps to ensure that information on their customers’ identities
remains accurate.

Age verification

The new rules set by the commission prohibit new users from any gaming activity before the age
verification process, obligating gaming operators to refrain from accepting any bets before the user’s
age is verified. These new verification rules also apply to “play-for-free” games, which look and feel like
gambling but do not involve any stakes.

22. Gambling commission - Review of online gaming


Cryptocurrency
Any crypto asset business that is carrying out the activities listed below must comply with the MLRs
2017[23]. These activities include:

Crypto Asset exchange provider [including Cryptoasset Automated Teller Machine (ATM)]

Peer to Peer Providers

Crypto exchanges, e.g. Initial Coin Offering (ICO) or Initial Exchange Offerings

According to the FCA, any crypto-asset business or other institution, such as existing financial services
firms, e-money institutions, or payment services businesses undertaking crypto-asset activity, is
required to register with the FCA.

Customer Due Diligence

All registered businesses under FCA must follow the following guidelines for verification of
their customers.

Identify and assess the risks of ML and TF which their business is subject to

Have policies, and controls to mitigate the risk of the business being used for money
laundering or terrorist financing

Appoint an individual who is a member of the board or senior management to be
responsible for compliance with the MLRs

Perform CDD when entering into a business relationship or occasional
transactions

Apply enhanced due diligence for high-risk customers, including clients who fall
under PEP definition.

Perform ongoing monitoring of customers according to the customer’s business
and risk profile.

23. FCA - Cryptocurrency


Real estate
According to the comprehensive guidance produced by HMRC (Her Majesty's Revenue and Customs)[24]
department in the UK, the estate agents and real-estate companies have to comply with the KYC
and AML regulations to combat money laundering activities.

Customer Due Diligence

The key obligations that these businesses or individuals have to follow are:

Identify and verify clients, and perform additional checks on ‘high risk’ clients including
the understanding of their source of wealth. Both buyer and seller need to perform
these checks.

For entity clients, beneficial ownership must also be established, and there must be an
individual assessment of the AML risk posed by each customer.

Perform regular monitoring and appoint an officer for identifying unusual activity
or transactions by customers and reporting it to the relevant authorities

Maintain adequate records of CDD and other documentation of clients

Train your staff to ensure they understand their obligations and are equipped to
spot money laundering and terrorist financing by clients

When should CDD be performed

HMRC considers that CDD should be performed when the terms are agreed, normally on the signing of
a Memorandum of Sale in residential sales or Heads of Agreement in commercial sales. Other
requirements related to systems, controls, policies, and procedures include the following:

Prepare a written risk assessment to identify risks of ML and TF

Monitor the effectiveness of the compliance program and keep it updated.

Perform enhanced due diligence on PEPs, and individuals entrusted with prominent public
functions, held in the UK or abroad

24. Gov.uk

E-commerce
E-commerce stores in the UK have to follow the regulations in place for verifying the age of customers
who want to purchase age-restricted goods online. Selling these products to minors is a major crime.
The minimum age for purchasing alcohol in the United Kingdom is 18, and the minimum age for
purchasing liqueur confectionery is 16[25]. The maximum penalty for selling to a minor is a fine of
£20,000 and a forfeiture of your license. These penalties vary for different age-restricted products
online.

Customer Due Diligence

The online retailers should take positive steps to verify the age of the purchaser when selling
age-restricted products. Here are some of the checks that are traditionally performed by
retailers.

Relying on the customers to confirm their age

Using simple disclaimers to make an assumption

Using an accept statement for the users to confirm that they have read all the
terms and conditions and are eligible to purchase their product

Accepting payments through credit card without verification that the card
belongs to the person making purchases.

Placing tick boxes to ask customers to confirm that they are of legal age

Age verification checks that retailers can adopt

There are a few age verification checks that online retailers can adopt for additional verification:

Retailers could use age verification checks at the point of delivery by ensuring that delivery
drivers request valid proof of age

Requiring the customer to provide a valid/acceptable proof of age, which can then be
appropriately checked.

Introduce collect in-store policy. (This strategy may work for some of the retailers having both
online and street presence)

25. Hampshire County Council


Methods to perform KYC and AML

There are various methods to perform KYC and AML that businesses employ for the verification of their
customers or clients. Let’s discuss a few of the most common methods.

Private or official database


Databases are systems that house data previously collected and verified as part of a registration
system. They can be private databases run by for-profit organizations or public databases run by
governments. For example, private databases include credit bureaus and telephone directories, and
public databases include government identifiers (social security, tax or voter numbers) or the DMV
(Department of Motor Vehicles), which houses driver’s license data and numbers. Before using databases
for identity verification, certain things must be considered, including the cost of access, the fact
that previous data breaches (if any) may have compromised the credibility of the data, and whether it
can be used commercially under current privacy regulations.

Online verification from ID documents


In online verification, various techniques, including artificial intelligence, human intelligence, and facial
recognition, are used to determine if a government-issued ID document belongs to the user trying to
enrol in the system. This method typically requires users to provide a picture of themselves holding an
ID document in their hands. By comparing the unique facial features of the live picture with the photo
in the ID card, we can confirm the facial similarity and the authenticity of the user.

Government-issued ID documents might include:

National identity card

Driver’s license

Passport

Residence permit

Voter identification document

Tax identification document

There are several ways to evaluate the ID and user, which can help identify possible tampering and
impersonation from multiple perspectives:

Document template comparison: Comparing the submitted ID image against the known document
template can identify errors or fake formats.

Font anomalies: Scammers often try to change fields of data but will leave behind font inconsistencies
while doing so.

Security features: All ID documents have some form of built-in security features which, when
evaluated, can ensure authenticity or reveal errors.

To further explain how this method is or can be performed, let’s take Shufti Pro, an identity verification
solution, as an example. Shufti Pro requires the end-user to capture a live picture by showing their
face to the camera. Then, by using 3D liveness detection, it ensures the presence of the user. After
performing all facial checks, a facial signature is created, which is verified against the image on the
document. Being a highly equipped KYC solution, it can perform certain other functions as well, such as
anti-spoofing checks, fake image detection, human face attributes analysis, AI mapping techniques,
and microexpressions analysis.

Two-factor authentication (2FA)


This method requires users to provide a form of personal identification, also known as a token, in
addition to the usual username and password details before they can access an account. The token is
a code, which can be numeric or alphabetic, that the user receives from the authenticating agency
during the sign-up or login process. 2FA is particularly useful for creating accounts and resetting
passwords. However, this method typically requires users to have their cellphones with them during the
authentication process. Most identity verification solutions, including Shufti Pro, offer 2FA as a security
feature. It allows businesses to integrate an extra layer of security for customer onboarding and
verification.

Knowledge-based authentication (KBA)


KBA verifies a person’s identity by requiring an answer to security questions. These questions are
generally designed so that users can easily remember the answers. For additional safety, this
method allows you to place a requirement for users to answer the questions within a specified time
limit. KBA is the easiest verification method for users to understand, but it has a drawback: it is getting
increasingly easy for hackers to discover the answers via social networking sites and other more
traditional forms of social engineering.

Conclusion

To avoid penalties, businesses need to follow KYC and AML laws in the UK. With the financial growth in
every sector the crime ratio is increasing as well. Hence, the regulatory authorities are increasing the
scrutiny to keep bad actors in check. With the availability of technologically advanced verification
solutions, KYC and AML compliance operations have now become effortless. These technologies
perform verifications in seconds and help in regular monitoring and record keeping of your customers,
and ensure that your business does not fall prey to any criminal activity.

True Identity Builds Trust

Expanding services to 230+ countries and territories in a short period of time, Shufti Pro
envisioned playing a pivotal role in creating cyberspace where every transaction is verifiable
and secure. With enough experience in technologies like machine learning (ML), OCR, artificial
intelligence, and Natural Language Processing (NLP), Shufti Pro strives to provide the best
identity verification services to verify customers and businesses online.

Shufti Pro’s cost-effective solutions help businesses to prevent fraud and illicit crimes that can
ruin the integrity and brand reputation of your business. Our perfect solution suite consisting
of KYC verification, AML screening, ID verification, Facial Recognition, Biometric
Authentication, Video KYC, OCR, and KYB helps to improve your company’s fraud prevention,
Know your Customer (KYC) and Anti Money Laundering (AML) regulatory efforts by
automating the workflow. With single API integration, Shufti Pro empowers you to verify
customers with document checks from 3000+ ID templates and business entities from 200
million companies data.

Disclaimer: No warranty or claim is herein provided that information contained in this
document is accurate, up-to-date, and/or complete. All information provided in this document
is limited for general informational purposes only. In no circumstance(s) does such
information constitute legal or any other advice. Any individual or company who intends to
use, rely, pass-on, or re-publish the information contained herein in any way is solely
responsible for the same and any likely outcomes. Any individual or company may verify the
information and/or obtain expert advice independently if required.
