A lot of good KYC data can be collected simply by asking to see an ID.
Here’s what to look for, and what might potentially require you to decline a transaction.
For anyone new to AML compliance, topics like Know Your Customer/Customer Due Diligence (KYC/CDD) can sound daunting. This doesn’t need to be the case.
While we always recommend that business owners solicit an AML consulting firm like BitAML to work through the nuances of bitcoin compliance, we believe in encouraging basic understanding of these concepts in the cryptocurrency ecosystem (hence resources like our compliance 101 blog series).
We’ve written extensively about KYC in the past, particularly in the context of thwarting crypto scams and sharing best practices for information gathering. But we still get a fair amount of questions from businesses about how to go about collecting customer information in the first place.
The good news is it’s simple: A lot of good KYC starts with simply asking for an ID.
Don’t misunderstand: We’re not saying KYC is simply a matter of asking to see customer identification. You will still need a robust KYC/CDD policy with tiered procedures based on transaction size and other considerations.
What we’re saying is that getting a lot of the information that FinCEN requires you to gather from your customers starts with asking for their identification.
Just as important, sometimes merely glancing at a customer identification is all you need to refer them for enhanced due diligence (EDD) or even decline their transaction completely. There are several red flags that can pop up at this stage that would prevent you from legally doing business with some customers at all.
It’s important to know what to look for at this stage, and that’s what we’ll cover more in-depth below. But first, let’s look more closely at how checking a potential customer’s identification fits into KYC and your overall AML compliance requirements.
Why the ID matters for KYC, cryptocurrency requirements overall
KYC/CDD has one major goal — to prevent businesses like yours from being used by financial criminals to launder their ill-gotten gains. It refers to policies and associated procedures that help businesses gather information about their prospective customers and understand their financial dealings.
Basically, it’s the information you gather to establish a level of confidence that your customer is who they say they are, and making a purchase of bitcoin or another altcoin for their own benefit and with their own money.
If the customer is lying about or omitting information that would help you establish their identity, or is otherwise resistant to questions about the source of their funds (in the case of an unexpectedly large transaction), it may be indicative that the prospective customer is trying to keep a low profile to disguise illicit activity.
“A lot of good KYC starts with simply asking for an ID.”
Following on that last bracketed point, KYC policies and procedures are typically risk-based and tiered based on the transactional amount. A customer making a purchase at a bitcoin ATM with a $100 bill will not require as much KYC as a customer attempting to make a purchase with $1,200 in cash.
Be mindful that KYC also has its own recordkeeping requirements.
Now, a valid customer ID gets you a lot of the information you need to do proper KYC. It provides a name, an address, a photo, and date of birth, and for customers that require watchlist screening, it is a document that will help you make potential matches.
Other KYC information you will need to record will include things like the transaction date and amount, and other institutional information. You’ll want a phone number from the customer, and potentially, at higher levels, a documented short customer interview.
If all goes well, you can feel confident in executing the transaction.
But like we mentioned in the introduction, sometimes a glance at a customer ID is all you need to decline a transaction entirely, and potentially even add that customer to a permanent block list.
What would you need to look for to make this determination?
That’s next, but first, if you have any questions about KYC, do not hesitate to reach out for clarification. KYC is a big topic in regulatory compliance; you definitely want to get it right.
5 reasons to decline a customer from just looking at their ID
It’s important to note that there should be no exceptions to your KYC policy and procedures. They should always be enforced consistently, otherwise, they’re simply not effective.
That means drawing a firm line on things like customer ID. While this is not an exhaustive list, if the customer’s ID meets any of these criteria, you should not execute the requested transaction.
Is the ID expired?
This one is fairly straightforward. Just like an expired ID can’t get you a bottle of wine (though it can get you a traffic ticket), it cannot be honored for a transaction.
An expired ID isn’t a reason to block a customer from transacting ever again — so long as they return with a valid and unexpired ID and pass all of your other KYC checks, they should be good to go.
Is the ID government-issued?
No library cards! In all seriousness, only accept government-issued forms of ID. Examples include a driver’s license, passport, and possibly a state ID.
Again, so long as the potential customer can return with a valid form of government-issued identification and pass the rest of your KYC checks, there’s no need to block them from doing business with you.
Is it a photo ID?
This should be obvious, but since government forms of identification also include things like birth certificates and social security cards, we want to point out that a government-issued identification is only worthwhile to your KYC efforts if there’s a photo on the ID and the photo is clearly of the person presenting the identification.
If you wouldn’t sell them beer on the ID they hand you, you must decline a transaction.
Pro tip: some businesses will even ask for a “selfie” as part of their KYC protocols, or a unique photo of the customer holding up their ID. Imagine you’re a bitcoin ATM operator — this is as simple as capturing a photo using the kiosk’s native camera.
Does the ID give you a reasonable belief as to the true identity of the customer?
If there is any reason to doubt that the ID you’re looking at doesn’t belong to the customer presenting it, decline the transaction.
There are many resources online to help you spot a potentially fake ID, and in some cases, you may be presented with a legitimate ID, but one that belongs to a lookalike or relative.
Regardless, if you cannot form a reasonable belief as to the true identity of the customer, decline the transaction, and depending on your reasons for doing so, you may want to block the customer.
Are you familiar with the ID?
You may occasionally have a customer from out of state attempt to transact with your business. If they produce an ID from a state you’re not familiar with, how can you know it’s real?
No one expects you to be an expert in what a driver’s license looks like in every state. But, take the time to conduct online searches and familiarize yourself with an ID from a state that you don’t see every day.
Research online. Take that extra time. Show regulators in a potential review that you went that extra mile.
Key takeaways for bitcoin compliance
Keep in mind that some customers might not be able to provide an ID at all, which should result in an automatic decline. Generally, if a customer fails any of the requisite information gathering steps at any stage of your KYC policy, you should decline the transaction.
But for customers who aren’t instantly turned away due to a problem with their ID, the document is an important source of much of the information you will need to collect to perform proper KYC.
Most critically, if a prospective or even an existing customer either refuses to provide any of the information your KYC procedure requires upon request or appears to have intentionally provided misleading information, do not conduct the transaction.
Depending on the risks that customer poses, you may want to block all future transactions with them. In either case, let your BSA Compliance Officer know.
Like we said, KYC is a complex topic and many businesses, especially early in operations, may need help fully wrapping their heads around it. If that sounds like you, please reach out. We’re here to help!