The Red Flag Group®

Organisations that should implement a KYC process

Laws and regulations across various jurisdictions have required banks, insurance companies and other financial institutions to develop strong know-your-customer (KYC) processes. These laws are in place because financial institutions face several risks, including money laundering and terrorist financing.

While there are regulatory requirements for banks and insurance companies to ‘know’ their customers, there is generally no legal obligation for non-financial organisations to conduct integrity screening or due diligence on customers.

KYC checks are now entering the mainstream, and commercial organisations involved in various industries, such as retail, manufacturing and services, need to build customer checks into their screening processes. A robust KYC process involves more than just screening end-user-type customers; it also extends to the companies organisations engage to provide goods or services to the end customer (for example, retailers and online marketplaces that sell products on behalf of third-party sellers to end customers should screen those third-party sellers before agreeing to sell their products). Non-financial organisations may not always be legally required to screen customers, but the reputational damage that could result from engaging or associating with a high-risk customer underscores the need for an effective KYC process.

The following are some examples of commercial organisations that should adopt a screening process to validate the integrity of their customers.

  • An airline company, car-rental company or similar that allows customers to register for a mileage programme should screen customers to ascertain whether they are subject to sanctions by governments, banned from travel on no-fly lists, or known to be the subject of integrity or security violations.
  • A transportation network company that allows people to provide professional driving services would need to validate the veracity of a candidate’s driving credentials and find out whether the driver has been involved in illegal activity, has a mental illness or has had restrictions on their activity. Likewise, potential drivers may need to be screened to determine whether they are sanctioned or are wanted for any illegal activity, or have the propensity to use the vehicle for some illegal activity.
  • An online marketplace that utilises third-party sellers to sell products or services should conduct background checks on sellers to ensure they are not selling illegally-acquired, counterfeit, grey-market or stolen material, or other material that is inappropriate for certain audiences.
  • Any organisation using a web-based technology service (i.e. SaaS) should screen users’ past criminal history to prevent such technology being used to facilitate a crime. It should also ensure that persons that have economic or other sanctions imposed on them or their company do not use the technology.
  • An accommodations website that allows customers to rent houses or rooms might want to screen potential renters to lower the risk of them using the location for an illegal purpose.
  • Web-service companies that recommend tradespeople or other service providers who have been ‘pre-approved’ to provide reliable services should screen the tradespeople to determine whether their experience and certifications are genuine, and to ensure they are not involved in illegal activity.
  • Companies that sell their products to collectives or cooperatives, where the end user of the product is unclear and the product could be on-sold illegally or sold to overseas markets as part of a grey market, should screen customer collectives/cooperatives to learn more about their selling practices, their conditions and geographies of distribution, and whether they apply any screening practices of their own to downstream customers.
  • Companies that are selling high-end or highly-technical equipment should screen for buyers that appear to not have ongoing operations that would suit the purchased goods and would more likely be a front for another purchaser or a government that could reverse engineer the product or technology.
  • Organisations dealing with companies acting as buyers should check for buyers that have been recently created and lack any substantive information regarding their operations or executives. These businesses could have been created to avoid certain bans placed on earlier versions of the company.
  • A healthcare company selling drugs to a hospital should screen the hospital to assess the hospital’s knowledge and experience so they are satisfied that the hospital will use the drugs correctly and keep them in a secure environment.
  • A medical-device company should screen the doctors that buy its products to make sure that they have the requisite experience to use the products and check that they aren’t involved in some form of trading of products for resale.
  • An electronics company should screen any customers that order products that are prone to being ‘broken down’ and dismantled to sell for parts in competition with the electronics company’s parts-supply business or in a way that does not protect the integrity of the products.
  • Organisations that have ties to markets where sales are restricted due to product quality or classification issues (often around export control) should screen their customers. The customer could be the United States operation of a company located in Iran or Sudan, and without checking the name or domicile of the United States company against a database, the inherent risk may never be identified.
  • An organisation selling a product that is highly toxic or dangerous should screen buyers of the product to make sure they will not use the product for illegal means (for example, as a source of material for dangerous activity or some form of destruction).
  • A supplier of building materials selling to a customer that is constructing a building or provides products for buildings should screen the customer to make sure that the materials will not be used for an illegal service.

Many organisations will attempt to indemnify themselves against customer misconduct or disassociate themselves from future wrongdoing related to a customer through terms and conditions attached to the purchase of products or services or as a prerequisite to entering a business relationship. These terms and conditions will contractually place the blame on the customer and have them warrant that they are not doing anything that creates risks for the seller organisation. While having these terms in place is a good start, they do not provide the base to execute a truly effective KYC screening programme. Additionally, it is rare that an organisation will rely on the contract and enforce it to some degree. It is also hard to convince a regulator or other stakeholder that an indemnification or warranty clause was the best way to screen a customer or protect the organisation against the conduct giving rise to the breach.

Simply saying ‘we have a contract’ is not enough, especially when the risks are apparent and effective screening can be fairly easily conducted using the information the organisation has already gained during the sales or relationship-building process, along with some investment in separate external screening tools.